
Does this code contain a trojan?



Jaan
05-26-2012, 11:31 AM
Hi Friends,
I am posting code that is part of a file called png.js (which is part of many themes, and also of the one a developer coded for me).

The developer says there is no problem (a false positive), but when I run the theme through virustotal.com's online scanning platform, it flags a virus in this file.

Would like to check with you folks before paying the developer.






/**
* DD_belatedPNG: Adds IE6 support: PNG images for CSS background-image and HTML <IMG/>.
* Author: Drew Diller
* Email: drew.diller@gmail.com
* URL: http://www.dillerdesign.com/experiment/DD_belatedPNG/
* Version: 0.0.7a
* Licensed under the MIT License: http://dillerdesign.com/experiment/DD_belatedPNG/#license
*
* Example usage:
* DD_belatedPNG.fix('.png_bg'); // argument is a CSS selector
* DD_belatedPNG.fixPng( someNode ); // argument is an HTMLDomElement
**/

// Packer bootstrap (the "Dean Edwards packer" form referred to later in the thread):
// eval() receives p = the encoded source, a = 62 (the radix), c = 203 (number of
// words) and k = the '|'-separated dictionary at the end. The dictionary is plain
// text and can be read without executing anything: here it holds only JavaScript
// keywords and DOM / CSS / VML names, matching the identifiers in the unpacked
// DD_belatedPNG listing further down the thread. Reviewing that dictionary, or
// decoding the file offline, is the way to triage a packed script; the eval()
// wrapper by itself says nothing about intent. Note that this copy has forum
// line-wrapping inserted inside tokens (e.g. "p osition", "vm lOffsets"), so it
// will not run as pasted.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('2 E={J:\'E\',Z:{},1E:7(){4(x.1l&&!x.1l[6.J]){x.1l.23(6.J,\'24:25-26-27:3\')}4(1F.11){1F.11(\'28\',7(){E=29})}},1G:7(){2 a=x.1m(\'8\');x.1H.1b.1n(a,x.1H.1b.1b);2 b=a.1o;b.1c(6.J+\'\\\\:*\',\'{12:2a(#1I#2b)}\');b.1c(6.J+\'\\\\:9\',\'Q:1p;\');b.1c(\'1J.\'+6.J+\'1K \',\'12:y; 1q:y; Q:1p; z-2c:-1; 1d:-1r; 1L:1M;\');6.1o=b},1N:7(){2 a=13.2d;4(13.1e.K(\'2e\')!=-1||13.1e.K(\'1q\')!=-1){E.1f(a)}4(13.1e==\'8.1s\'){2 b=(a.F.1s==\'y\')?\'y\':\'2f\';G(2 v M a.3){a.3[v].9.8.1s=b}}4(13.1e.K(\'14\')!=-1){E.1t(a)}},1t:7(a){4(a.F.14.K(\'2g\')!=-1){2 b=a.F.14;b=1u(b.2h(b.1v(\'=\')+1,b.1v(\')\')),10)/2i;a.3.N.9.8.14=a.F.14;a.3.C.I.2j=b}},15:7(a){2k(7(){E.1f(a)},1)},2l:7(a){2 b=a.1O(\',\');G(2 i=0;i<b.2m;i++){6.1o.1c(b[i],\'12:2n(E.1P(6))\')}},1f:7(a){a.S.1Q=\'\';6.1R(a);6.16(a);6.1t(a);4(a.O){6.1S(a)}},1T:7(b){2 c=6;2 d={2o:\'16\',2p:\'16\'};4(b.17==\'A\'){2 e={2q:\'15\',2r:\'15\',2s:\'15\',2t:\'15\'};G(2 a M e){d[a]=e[a]}}G(2 h M d){b.11(\'1w\'+h,7(){c[d[h]](b)})}b.11(\'2u\',6.1N)},1x:7(a){a.8.2v=1;4(a.F.Q==\'2w\'){a.8.Q=\'2x\'}},1S:7(a){2 b={\'2y\':P,\'2z\':P,\'2A\':P};G(2 s M b){a.3.N.9.8[s]=a.F[s]}},1R:7(a){4(!a.F){1g}U{2 b=a.F}G(2 v M a.3){a.3[v].9.8.1U=b.1U}a.S.18=\'\';a.S.19=\'\';2 c=(b.18==\'1V\');2 d=P;4(b.19!=\'y\'||a.O){4(!a.O){a.D=b.19;a.D=a.D.2B(5,a.D.1v(\'")\')-5)}U{a.D=a.1h}2 e=6;4(!e.Z[a.D]){2 f=x.1m(\'1J\');e.Z[a.D]=f;f.2C=e.J+\'1K\';f.S.1Q=\'12:y; Q:1p; 1y:-1r; 1d:-1r; 1q:y;\';f.11(\'2D\',7(){6.1i=6.2E;6.1j=6.2F;e.16(a)});f.1h=a.D;f.1W(\'1i\');f.1W(\'1j\');x.1X.1n(f,x .1X.1b)}a.3.C.I.1h=a.D;d=V}a.3.C.I.1w=!d;a.3.C.I.N=\'y\';a.3.N.9.8.18=b.18;a.S.19=\'y\';a.S.18=\'1V\ '},16:7(e){2 f=e.F;2 
g={\'W\':e.2G+1,\'H\':e.2H+1,\'w\':6.Z[e.D].1i,\'h\':6.Z[e.D].1j,\'L\':e.2I,\'T\':e.2J,\'1k\':e.2K,\'1z\':e.2L};2 i=(g.L+g.1k==1)?1:0;2 j=7(a,l,t,w,h,o){a.2M=w+\',\'+h;a.2N=o+\',\'+o;a.2O=\'2P,1Y\'+w+\',1Y\'+w+\',\'+h+\'2Q,\'+h+\' 2R\';a.8.1i=w+\'u\';a.8.1j=h+\'u\';a.8.1y=l+\'u\';a.8.1d=t+\'u\'};j(e.3.N.9,(g.L+(e.O?0:g.1k)),(g.T+ (e.O?0:g.1z)),(g.W-1),(g.H-1),0);j(e.3.C.9,(g.L+g.1k),(g.T+g.1z),(g.W),(g.H),1);2 k={\'X\':0,\'Y\':0};2 m=7(a,b){2 c=P;2S(b){1a\'1y\':1a\'1d\':k[a]=0;1A;1a\'2T\':k[a]=.5;1A;1a\'2U\':1a\'2V\':k[a]=1;1A;1I:4(b.K(\'%\')!=-1){k[a]=1u(b)*.2W}U{c=V}}2 d=(a==\'X\');k[a]=2X.2Y(c?((g[d?\'W\':\'H\']*k[a])-(g[d?\'w\':\'h\']*k[a])):1u(b));4(k[a]==0){k[a]++}};G(2 b M k){m(b,f[\'2Z\'+b])}e.3.C.I.Q=(k.X/g.W)+\',\'+(k.Y/g.H);2 n=f.30;2 p={\'T\':1,\'R\':g.W+i,\'B\':g.H,\'L\':1+i};2 q={\'X\':{\'1B\':\'L\',\'1C\':\'R\',\'d\':\'W\'},\'Y\':{\'1B\':\'T\',\'1C\':\'B\',\'d\':\'H\'}};4(n! =\'1D\'){2 c={\'T\':(k.Y),\'R\':(k.X+g.w),\'B\':(k.Y+g.h),\'L\':(k.X)};4(n.K(\'1D-\')!=-1){2 v=n.1O(\'1D-\')[1].31();c[q[v].1B]=1;c[q[v].1C]=g[q[v].d]}4(c.B>g.H){c.B=g.H}e.3.C.9.8.1Z=\'20(\'+c.T+\'u \'+(c.R+i)+\'u \'+c.B+\'u \'+(c.L+i)+\'u)\'}U{e.3.C.9.8.1Z=\'20(\'+p.T+\'u \'+p.R+\'u \'+p.B+\'u \'+p.L+\'u)\'}},1P:7(a){a.8.12=\'y\';4(a.17==\'32\'||a.17==\'33\'||a.17==\'34\'){1g}a.O=V;4(a.17==\' 35\'){4(a.1h.21().K(/\\.22$/)!=-1){a.O=P;a.8.1L=\'1M\'}U{1g}}U 4(a.F.19.21().K(\'.22\')==-1){1g}2 b=E;a.3={N:{},C:{}};2 c={9:{},I:{}};G(2 r M a.3){G(2 e M c){2 d=b.J+\':\'+e;a.3[r][e]=x.1m(d)}a.3[r].9.36=V;a.3[r].9.37(a.3[r].I);a.38.1n(a.3[r].9,a)}a.3.C.9.39=\'y\';a.3.C.I.3a=\'3b\';a.3.N.I.1w=V;b.1T(a);b.1x(a);b.1x(a.3c);b.1f(a)}};3d{x.3e("3f",V,P)}3g(r){}E.1E();E.1G();',62,203,'||var|vml|if||this|function|style|shape|||||||||||||||||||||px| ||document|none||||image|vmlBg|DD_belatedPNG|currentStyle|for||fill|ns|search||in|color|isImg|true|p osition||runtimeStyle||else|false||||imgSize||attachEvent|behavior|event|filter|handlePseudoHover|vm 
lOffsets|nodeName|backgroundColor|backgroundImage|case|firstChild|addRule|top|propertyName|applyVML| return|src|width|height|bLW|namespaces|createElement|insertBefore|styleSheet|absolute|border|10000px |display|vmlOpacity|parseInt|lastIndexOf|on|giveLayout|left|bTW|break|b1|b2|repeat|createVmlNameSpac e|window|createVmlStyleSheet|documentElement|default|img|_sizeFinder|visibility|hidden|readPropertyC hange|split|fixPng|cssText|vmlFill|copyImageBorders|attachHandlers|zIndex|transparent|removeAttribut e|body|0l|clip|rect|toLowerCase|png|add|urn|schemas|microsoft|com|onbeforeunload|null|url|VML|index| srcElement|background|block|lpha|substring|100|opacity|setTimeout|fix|length|expression|resize|move| mouseleave|mouseenter|focus|blur|onpropertychange|zoom|static|relative|borderStyle|borderWidth|borde rColor|substr|className|onload|offsetWidth|offsetHeight|clientWidth|clientHeight|offsetLeft|offsetTo p|clientLeft|clientTop|coordsize|coordorigin|path|m0|l0|xe|switch|center|right|bottom|01|Math|ceil|b ackgroundPosition|backgroundRepeat|toUpperCase|BODY|TD|TR|IMG|stroked|appendChild|parentNode|fillcol or|type|tile|offsetParent|try|execCommand|BackgroundImageCache|catch'.split('|'),0,{}))


/* ADD YOUR CLASSES HERE e.g. #footer .rss, .cuteicon, .etc */

// Theme hook: one selector per entry, joined back into the comma-separated
// list that DD_belatedPNG.fix() expects (it splits on ',' itself).
DD_belatedPNG.fix([
  '#header-image',
  '#searchform',
  '.submit',
  '.footinfo',
  '.header-button-orange',
  '.header-button-black',
  '.header-button-red',
  '.header-button-blue',
  '.header-button-green',
  '.popup-button-green',
  '.popup-button-orange',
  '.popup-button-blue',
  '.squeeze-submit-orange',
  '.squeeze-submit-blue',
  '.squeeze-submit-green',
  '.sidebar-button-blue',
  '.sidebar-button-green',
  '.sidebar-button-orange',
  'img'
].join(', '));

/* string argument can be any CSS selector */
/* change it to what suits you! */





Thanks in advance for any opinions/corrections

Jaan
05-26-2012, 12:46 PM
After posting here, I searched Google for the following snippet and landed on the link provided below.

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}


I am posting the link here, because it could be useful to members.


http://redleg-redleg.blogspot.in/2011/11/malicious-software-hosted-on-nlai.html

Since I am not an expert, I have decided to remove the file png.js from the theme and see if the theme still works. If so, I am going to manage without this file.

As for the developer, he was modifying an existing theme, so perhaps it is not his mistake. I will check all that at my end, but meanwhile, here is what I propose to do.

If anyone has views on whether there is anything else in the .js file that should be retained, I would be most obliged to know.

Thanks all

low tech
05-26-2012, 02:37 PM
Hi


The developer says there is no problem (a false positive), but when I run the theme through virustotal.com's online scanning platform, it flags a virus in this file.

Would like to check with you folks before paying the developer.

I unpacked the eval part and ran it through virustotal.com, and it came up clean.


here is the code (only the eval part) in case anybody wishes to give an opinion on it.
I DO NOT guarantee this code is 100% intact and original, since it has been unpacked.

I believe the developer.


The eval part: (ignore the poor formatting -- code too long for me really)

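/**
 * DD_belatedPNG (unpacked listing): emulates PNG alpha for IE6 by drawing an
 * element's background image or <img> through two VML shape/fill pairs that
 * are inserted in front of the element. Every method depends on IE-only APIs
 * (document.namespaces, attachEvent, currentStyle, runtimeStyle, the global
 * `event`, CSS expression()). Nothing runs until fix() is called with a
 * selector list; that is the only entry point the theme uses.
 */
var DD_belatedPNG={
  // Namespace prefix for the generated <DD_belatedPNG:shape> / <DD_belatedPNG:fill>
  // elements and for the generated style rules.
  ns:'DD_belatedPNG',
  // Cache of size-finder <img> elements keyed by image URL, so each PNG is
  // loaded once and its natural width/height can be reused by vmlOffsets().
  imgSize:{},

  /**
   * Registers the VML namespace on the document (once) and drops the global
   * reference when the page unloads.
   */
  createVmlNameSpace:function(){
    if(document.namespaces&&!document.namespaces[this.ns]){
      document.namespaces.add(this.ns,'urn:schemas-microsoft-com:vml');
    }
    if(window.attachEvent){
      window.attachEvent('onbeforeunload',function(){
        DD_belatedPNG=null;
      });
    }
  },

  /**
   * Creates the stylesheet that binds the VML behavior to the namespaced
   * elements, positions the shapes absolutely and hides the size-finder
   * images off-screen. The sheet is kept in this.styleSheet for fix().
   */
  createVmlStyleSheet:function(){
    var styleEl=document.createElement('style');
    // Inserted as the first child of documentElement's first child
    // (presumably <head>), ahead of the page's own rules.
    document.documentElement.firstChild.insertBefore(styleEl,document.documentElement.firstChild.firstChild);
    var sheet=styleEl.styleSheet;
    sheet.addRule(this.ns+'\\:*','{behavior:url(#default#VML)}');
    sheet.addRule(this.ns+'\\:shape','position:absolute;');
    sheet.addRule('img.'+this.ns+'_sizeFinder','behavior:none; border:none; position:absolute; z-index:-1; top:-10000px; visibility:hidden;');
    this.styleSheet=sheet;
  },

  /**
   * onpropertychange handler. IE passes the event through the global `event`,
   * and `this` is the element, so the object is referenced by name. Re-applies
   * the VML when a background/border property changes, mirrors style.display
   * onto both shapes, and re-reads the opacity filter when it changes.
   */
  readPropertyChange:function(){
    var target=event.srcElement;
    var prop=event.propertyName;
    if(prop.search('background')!==-1||prop.search('border')!==-1){
      DD_belatedPNG.applyVML(target);
    }
    if(prop==='style.display'){
      var display=(target.currentStyle.display==='none')?'none':'block';
      for(var part in target.vml){
        target.vml[part].shape.style.display=display;
      }
    }
    if(prop.search('filter')!==-1){
      DD_belatedPNG.vmlOpacity(target);
    }
  },

  /**
   * Copies an IE alpha filter ("...lpha(opacity=NN)") from the element to the
   * colour shape and sets the image fill's opacity to NN/100.
   * @param {HTMLElement} a - element previously prepared by fixPng()
   */
  vmlOpacity:function(a){
    var filter=a.currentStyle.filter;
    // 'lpha' matches both "alpha(" and "Alpha(" spellings.
    if(filter.search('lpha')!==-1){
      var opacity=parseInt(filter.substring(filter.lastIndexOf('=')+1,filter.lastIndexOf(')')),10)/100;
      a.vml.color.shape.style.filter=filter;
      a.vml.image.fill.opacity=opacity;
    }
  },

  /**
   * Re-applies the VML on the next tick (presumably so currentStyle already
   * reflects the :hover/:focus state when it is read).
   * @param {HTMLElement} a
   */
  handlePseudoHover:function(a){
    setTimeout(function(){
      DD_belatedPNG.applyVML(a);
    },1);
  },

  /**
   * Entry point: hooks every element matching the comma-separated selector
   * list. Each selector gets a rule whose value is an IE-only CSS
   * expression(); IE evaluates it per matching element, which is what calls
   * fixPng(this). The split is on ',' only, so a selector written after ", "
   * reaches addRule() with its leading space.
   * @param {string} a - comma-separated CSS selector list
   */
  fix:function(a){
    var selectors=a.split(',');
    for(var i=0;i<selectors.length;i++){
      this.styleSheet.addRule(selectors[i],'behavior:expression(DD_belatedPNG.fixPng(this))');
    }
  },

  /**
   * Recomputes everything for one element: clears runtimeStyle overrides,
   * then re-applies fill, geometry, opacity and (for <img>) borders.
   * @param {HTMLElement} a
   */
  applyVML:function(a){
    a.runtimeStyle.cssText='';
    this.vmlFill(a);
    this.vmlOffsets(a);
    this.vmlOpacity(a);
    if(a.isImg){
      this.copyImageBorders(a);
    }
  },

  /**
   * Attaches the per-element event handlers: resize/move re-run vmlOffsets,
   * and for <a> elements mouseleave/mouseenter/focus/blur re-run the whole
   * fix via handlePseudoHover. Methods are looked up by name at event time.
   * @param {HTMLElement} b
   */
  attachHandlers:function(b){
    var self=this;
    var handlers={resize:'vmlOffsets',move:'vmlOffsets'};
    if(b.nodeName==='A'){
      var hoverEvents={mouseleave:'handlePseudoHover',mouseenter:'handlePseudoHover',focus:'handlePseudoHover',blur:'handlePseudoHover'};
      for(var name in hoverEvents){
        handlers[name]=hoverEvents[name];
      }
    }
    // Bind through a factory: a closure directly over the loop variable would
    // see its final value for every event, so all handlers would call the
    // same method.
    var bind=function(eventName){
      b.attachEvent('on'+eventName,function(){
        self[handlers[eventName]](b);
      });
    };
    for(var h in handlers){
      bind(h);
    }
    b.attachEvent('onpropertychange',this.readPropertyChange);
  },

  /**
   * Gives the element IE "layout" (zoom:1) and turns position:static into
   * relative (presumably so it acts as the positioning context for the
   * absolutely positioned shapes).
   * @param {HTMLElement} a
   */
  giveLayout:function(a){
    a.style.zoom=1;
    if(a.currentStyle.position==='static'){
      a.style.position='relative';
    }
  },

  /**
   * For <img> elements, copies border style/width/colour from the image onto
   * the colour shape, which stays visible after fixPng() hides the image.
   * @param {HTMLElement} a
   */
  copyImageBorders:function(a){
    var borderProps=['borderStyle','borderWidth','borderColor'];
    for(var i=0;i<borderProps.length;i++){
      a.vml.color.shape.style[borderProps[i]]=a.currentStyle[borderProps[i]];
    }
  },

  /**
   * Sets up the two fills: the colour shape takes the element's background
   * colour; the image fill takes the PNG (background-image URL, or src for
   * <img>). The first time a URL is seen, a hidden size-finder <img> is
   * created and cached in imgSize so vmlOffsets() can read its natural size
   * once it has loaded. Finally the element's own background is switched off.
   * @param {HTMLElement} a
   */
  vmlFill:function(a){
    var style=a.currentStyle;
    if(!style){
      return;
    }
    for(var part in a.vml){
      a.vml[part].shape.style.zIndex=style.zIndex;
    }
    a.runtimeStyle.backgroundColor='';
    a.runtimeStyle.backgroundImage='';
    var fillOff=true;
    if(style.backgroundImage!=='none'||a.isImg){
      if(!a.isImg){
        // Assumes IE reports the value as url("..."): strip the 5-char prefix
        // and the closing '")'.
        a.vmlBg=style.backgroundImage;
        a.vmlBg=a.vmlBg.substr(5,a.vmlBg.lastIndexOf('")')-5);
      }else{
        a.vmlBg=a.src;
      }
      var self=this;
      if(!self.imgSize[a.vmlBg]){
        var finder=document.createElement('img');
        self.imgSize[a.vmlBg]=finder;
        finder.className=self.ns+'_sizeFinder';
        finder.runtimeStyle.cssText='behavior:none;position:absolute;left:-10000px;top:-10000px;border:none';
        finder.attachEvent('onload',function(){
          // Natural size is only known after load; record it and redo geometry.
          this.width=this.offsetWidth;
          this.height=this.offsetHeight;
          self.vmlOffsets(a);
        });
        finder.src=a.vmlBg;
        finder.removeAttribute('width');
        finder.removeAttribute('height');
        document.body.insertBefore(finder,document.body.firstChild);
      }
      a.vml.image.fill.src=a.vmlBg;
      fillOff=false;
    }
    a.vml.image.fill.on=!fillOff;
    a.vml.image.fill.color='none';
    a.vml.color.shape.style.backgroundColor=style.backgroundColor;
    a.runtimeStyle.backgroundImage='none';
    a.runtimeStyle.backgroundColor='transparent';
  },

  /**
   * Positions and sizes both shapes over the element and clips/positions the
   * image fill according to background-position / background-repeat.
   * Requires imgSize[e.vmlBg] (set by vmlFill); its width/height are only
   * filled in once the size-finder image has loaded.
   * @param {HTMLElement} e
   */
  vmlOffsets:function(e){
    var f=e.currentStyle;
    // W/H: element box (+1); w/h: natural image size; L/T: offsets;
    // bLW/bTW: clientLeft/clientTop (border widths).
    var g={
      'W':e.clientWidth+1,
      'H':e.clientHeight+1,
      'w':this.imgSize[e.vmlBg].width,
      'h':this.imgSize[e.vmlBg].height,
      'L':e.offsetLeft,
      'T':e.offsetTop,
      'bLW':e.clientLeft,
      'bTW':e.clientTop
    };
    // One-pixel correction, applied only when offsetLeft + clientLeft is exactly 1.
    var i=(g.L+g.bLW===1)?1:0;
    // Size/position one VML shape as a w x h box at (l, t) with coordorigin o.
    var place=function(shape,l,t,w,h,o){
      shape.coordsize=w+','+h;
      shape.coordorigin=o+','+o;
      shape.path='m0,0l'+w+',0l'+w+','+h+'l0,'+h+' xe';
      shape.style.width=w+'px';
      shape.style.height=h+'px';
      shape.style.left=l+'px';
      shape.style.top=t+'px';
    };
    // Colour shape sits inside the border for non-images; image shape covers the border box.
    place(e.vml.color.shape,(g.L+(e.isImg?0:g.bLW)),(g.T+(e.isImg?0:g.bTW)),(g.W-1),(g.H-1),0);
    place(e.vml.image.shape,(g.L+g.bLW),(g.T+g.bTW),(g.W),(g.H),1);
    // k.X / k.Y: background-position resolved to pixels. Keywords and
    // percentages become a fraction of the free space; anything else is read
    // as a pixel value. A resolved 0 is bumped to 1.
    var k={'X':0,'Y':0};
    var resolve=function(axis,value){
      var fractional=true;
      switch(value){
        case'left':case'top':k[axis]=0;break;
        case'center':k[axis]=.5;break;
        case'right':case'bottom':k[axis]=1;break;
        default:
          if(value.search('%')!==-1){
            k[axis]=parseInt(value,10)*.01;
          }else{
            fractional=false;
          }
      }
      var horizontal=(axis==='X');
      k[axis]=Math.ceil(fractional?((g[horizontal?'W':'H']*k[axis])-(g[horizontal?'w':'h']*k[axis])):parseInt(value,10));
      if(k[axis]===0){k[axis]++;}
    };
    for(var axis in k){
      resolve(axis,f['backgroundPosition'+axis]);
    }
    e.vml.image.fill.position=(k.X/g.W)+','+(k.Y/g.H);
    var repeat=f.backgroundRepeat;
    // Clip rectangles: the full box for 'repeat'; otherwise one tile, stretched
    // along the axis named by 'repeat-x' / 'repeat-y'.
    var full={'T':1,'R':g.W+i,'B':g.H,'L':1+i};
    var axisEdges={'X':{'b1':'L','b2':'R','d':'W'},'Y':{'b1':'T','b2':'B','d':'H'}};
    if(repeat!=='repeat'){
      var tile={'T':(k.Y),'R':(k.X+g.w),'B':(k.Y+g.h),'L':(k.X)};
      if(repeat.search('repeat-')!==-1){
        var along=repeat.split('repeat-')[1].toUpperCase();
        tile[axisEdges[along].b1]=1;
        tile[axisEdges[along].b2]=g[axisEdges[along].d];
      }
      if(tile.B>g.H){tile.B=g.H;}
      e.vml.image.shape.style.clip='rect('+tile.T+'px '+(tile.R+i)+'px '+tile.B+'px '+(tile.L+i)+'px)';
    }else{
      e.vml.image.shape.style.clip='rect('+full.T+'px '+full.R+'px '+full.B+'px '+full.L+'px)';
    }
  },

  /**
   * Per-element entry, invoked from the CSS expression installed by fix().
   * Skips BODY/TD/TR. For <img> the src must end in ".png" (a query string or
   * fragment defeats the check); other elements need ".png" somewhere in
   * background-image. Creates a colour and an image shape, each with a fill,
   * inserts them before the element, wires handlers and applies the VML.
   * @param {HTMLElement} a
   */
  fixPng:function(a){
    a.style.behavior='none';
    if(a.nodeName==='BODY'||a.nodeName==='TD'||a.nodeName==='TR'){
      return;
    }
    a.isImg=false;
    if(a.nodeName==='IMG'){
      if(a.src.toLowerCase().search(/\.png$/)!==-1){
        a.isImg=true;
        a.style.visibility='hidden';
      }else{
        return;
      }
    }else if(a.currentStyle.backgroundImage.toLowerCase().search(/\.png/)===-1){
      // Literal ".png" (the original's string argument was a regex where '.'
      // matched any character).
      return;
    }
    // Referenced by name rather than `this`, as in the original (the call
    // comes from a CSS expression).
    var lib=DD_belatedPNG;
    a.vml={color:{},image:{}};
    var parts={shape:{},fill:{}};
    for(var layer in a.vml){
      for(var partName in parts){
        a.vml[layer][partName]=document.createElement(lib.ns+':'+partName);
      }
      a.vml[layer].shape.stroked=false;
      a.vml[layer].shape.appendChild(a.vml[layer].fill);
      a.parentNode.insertBefore(a.vml[layer].shape,a);
    }
    a.vml.image.shape.fillcolor='none';
    a.vml.image.fill.type='tile';
    a.vml.color.fill.on=false;
    lib.attachHandlers(a);
    lib.giveLayout(a);
    lib.giveLayout(a.offsetParent);
    lib.applyVML(a);
  }
};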
// Best effort: the command is IE-specific (presumably unsupported elsewhere);
// a failure is deliberately ignored so initialisation continues.
try{
  document.execCommand("BackgroundImageCache",false,true);
}catch(ignored){
}
// Initialise once at load; fix() is called separately by the theme.
DD_belatedPNG.createVmlNameSpace();
DD_belatedPNG.createVmlStyleSheet();

Philip M
05-27-2012, 11:06 AM
http://www.red-root.com/code/decompressing-packed-javascript-files/

These days any advantage of packing the file is probably minimal. I agree with low tech - there is no malware in that code. But anti-virus programs may well flag it just to be safe! Many WordPress sites on shared hosts have been compromised by encoded JavaScript malware (packed with the Dean Edwards packer).

Jaan
05-29-2012, 10:07 AM
Thanks low tech, Philip M. I truly appreciate the effort made. Your assistance has helped clear the air between the developer and me. Many, many thanks again.

Good thing I posted the query here. Thanks again.

low tech
05-29-2012, 10:11 AM
Hi Jaan


Thanks low tech, Philip M. I truly appreciate the effort made. Your assistance has helped clear the air between the developer and me

Nice to hear you cleared the air :thumbsup:


LT

felgall
05-29-2012, 08:35 PM
These days any advantage of packing the file is probably minimal.

jQuery no longer offers a packed version: modern web browsers support having the file compressed automatically by the server and decompressed by the browser, so the script arrives almost as fast as the packed version would, and the packed version then adds significantly to the delay by having to unpack itself.

It isn't a minimal advantage any more - it is a significant disadvantage to use packed.

Old Pedant
05-29-2012, 09:26 PM
But I also have to wonder what the point is in using that script. As the comments say, it is for fixing PNG support in MSIE 6 browsers. There are *SO* many other things that MSIE 6 doesn't support--and there are surely so VERY VERY FEW people (if any?) still using MSIE 6 that one has to wonder why you would bother with this.


