So, I know some coding (HTML, CSS, PHP, web stuff...), but I don't know this language to know what it does...

So, I know some coding (HTML, CSS, PHP, web stuff...), but I don't know this language to know what it does. Got it in an email from a random source labeled as a ".doc" file, but I knew better and opened it up in Dreamweaver and saw this line of code. Can Sup Forums tell me what it does? I see a few websites listed, but not sure what it all means. Will dump this chick for enlightening answers.

pastebin /ktG1kXpF

what line?

jsbeautifier.org/
Put it in here to read it easier.

Chances are, the sites listed are compromised and are used to store the malicious file which will pull you into a botnet. "&i=TXMEdZIuYNxt5kzgaYuffbw8ZWppJUkf_XOVKW_3njDdZH9iJqaMtk535IUCbeJJaoLU49w06blfvnAudzBhBhZesSyYPGkXavk" is probably the unique identifier. See this shit all the time.

I mean, just any of it. I don't know the language, so I don't know what the file's intents are or why it was sent to me.

I recently moved and changed my address and forwarded my mail, and it being Christmas and all, I was expecting a few packages. So when "USPS" sent me this email, I looked at it and got curious. It wasn't from a USPS domain and I didn't know why they attached a ZIP file containing this script. So, I got curious and opened it up in an editor.

pastebin Jw85P1Yn

>kXp
He posted it on Pastebin, go look ya fuckhead.

This is HTML and Javascript.
I dunno, it looks kinda fishy. Never heard of those sites in the array.
And it returns "http/" in a function, probably trying to scam or something.

That's what I was thinking, but sometimes ya gotta bottle feed 'em.

I know, I did it myself. I was just letting you know.
The zip is probably bound with a virus and crypted, which then executes this piece of JScript.

JScript.

lol

>The zip is probably bound with a virus and crypted, which then executes this piece of JScript.

So just the fact I opened the ZIP, I probably have a virus now?

>new ActiveXObject(...)
That's the dangerous part. Ignore everything before it; that's all just building the URL strings. The ActiveXObject is what's actually going to load and execute the malicious code on your local machine. This code isn't necessarily harmful; it's just that it calls harmful code that is stored on what are probably compromised servers.

I'd be interested in seeing the response to the GET request it's sending, but I'm too lazy to actually do it.

Possibly. If it's crypted using a semi or fully private crypter, virus protectors aren't going to protect you. What you should do in situations like this, if you want to open the file, use a program like Sandboxie. Either that or open it in a virtual machine. Some way or another, that unique identifier will be sent back to the CNC so your machine will be listed, and they will be able to remotely execute tasks on your computer. Just format, honestly.

Callback to the CNC.

Will post more if you do.

It's a script that will force your system to load them sites into your DNS, and I'm quite sure, without pulling up a site, it probably calls to a download of a file, most likely XML, and in turn will infect your shit and most likely add you to a botnet set up for something like DDoS attacking websites and shit. Very boring and very easy to deal with even if you had opened it, and I'll bet you ten to one those sites are foreign, most likely Chinese or Russian ;)

Trust me, it wont be anything worth seeing.

return htt() + x + cou() + sut() + rox() + boe();

That is what forms the string. Just follow the chain. The "x" is the array of sites, and the for-loop sends the GET request to each of them.

You're a special kind of stupid, aren't you.

Yes, those site are foreign, I looked them up myself.

Also, I have a shitty virus scanning program anyways. What would you suggest I use for at least better than average protection? Free and/or paid services.

face? need to make sure it's worth the effort.

...

+ timestamp

The best anti-virus out there is less effective than good practice. If you just make good decisions, something like Avast should be fine.

eh, not the greatest, but fuck it. lemme see what i can find

Like I said, use Sandboxie or run in a virtual machine; these usually can't be detected by virus protectors. I followed the chain just out of curiosity, here is what the string comes out to be. Obviously, no one go here.
pastebin com/9ChyE9Wj

Lmfao, I got these from a user posting here a long time ago. No idea how old it is.

go there immediately and click yes to everything
copy that

I generally don't open or run stupid shit or download random files. But I had opened the zip before I had looked at the sending address and realized that it wasn't actually from USPS, so that's when I got curious.

Haha.

Oh, it's telling me to delete my /system32 folder, it'll make my computer run faster, right? Lol

A few more here. Thanks for all your help. Lol I'd love to send them something in response and get them to fry their shit.

[~] -> rm -r C:\\windows\\system32
rm: cannot remove 'C:\windows\system32': No such file or directory

pls halp

np. sandboxie next time nigga. consider formatting.

Lol it was sent to my work email, while I was at work. I plan on leaving this shithole anyways, so I'll reformat when I do. Thanks, my neighbah.

And that, my friends, is the first time Sup Forums has officially helped me with anything. Generally I lurk or troll a thread here and there, but I am actually surprised here. Awesome job, Sup Forums.

I... I love you. Group hug?

pastebin /Gz95k5Ti

god I love it when OP isn't a fag...

anyway, here's the paste of the script it tries to run based on the address provided by . It's a complete mess to read, but I'm sure there's a reason for that. Someone who's super bored could probably pick it apart, but I don't think I've got it in me today.

pastebin com/TtyW5K3N

damn, a minute and a half too slow

Usually the same shit. More than likely it's a shitty ripoff of Zeus of Citadel.

Or*

so, if OP or anyone's interested, I'm still playing with it. It's a string builder that builds a script, and I'm guessing executes it. Once I pretty it up a bit more, I'll link the paste to it.

if nobody cares, i'll probably keep playing with it, but I won't bother with pasting any of it.

Man, not only is this one of my first posts after lurking on this site for years off and on (I usually browse for like, a few days and then forget about it for a few months, come back and browse, rinse, wash, repeat. This is the longest string of browsing I've been on (almost every day for a month), and the site appears to be getting shittier, but hell... why not?), but I'm deemed as
> isn't a fag

Makes a (technically, still) newfag feel good.

Yeah, I am interested. I've been meaning to get into Java, but I just don't have the time, drive, or purpose to among everything else I have to do.

Java != javascript != JScript
jussayin. Also, Java is gay. Fuck OOP, JIT and java in general.

so, I've got it cleaned up and readable. As soon as I finished it (just in my text editor), Windows Defender started screaming about it. going to have to burn down this VM when I'm done just to be safe.

pastebin com/MTQBqtq1

>try{ws.Run(fn+n+".exe",1,0);}catch(er){};
Time to format.

>pastebin com/MTQBqtq1
Yeah, mine has been screaming at me left and right when I try to open some of these links haha

also, just to talk out loud a bit, the way they were fooling the anti-virus programs is by using the stringbuilder to store the script, and then replacing the character 'a' with the 61... number that I can't remember now.

asciitable.com/index/asciifull.gif

So, it looks like it's downloading another script, storing it on your computer as an executable and then running the program it just downloaded.

I'm assuming what it downloads is not going to be human readable at all; I might be able to pick it apart with a decompiler, but I don't have a good one.

>for(var n=1;n

can confirm, unreadable. The URL that it goes to is for a .png file that's actually an executable. I'll paste link if anyone's willing to decompile.