Can anyone ID or decode this javascript? (Feb 17 / 2014)

Giganews Newsgroups
Subject: Can anyone ID or decode this javascript? (Feb 17 / 2014)
Posted by:  Virus Guy (Viru…@Guy. com)
Date: Mon, 17 Feb 2014

The following link was contained in a spam email.  It probably tries to
trigger a browser exploit of some sort, so handle this with care:

hxxp://202.29.80.23/~info/sensors.php

The server responds with this:

============
<html><body><script type="text/hello">ykzjr1="\x30";
lufrv2="\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x75\x72\x73\x69\x6E\x67\x70\x68\x61\x72\x6D\x2E\x63\x6F\x6D";
setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x6C\x75\x66\x72\x76\x32\x3B",ykzjr1);
</script></body></html>
=============

Just in case the above would have executed for some readers, I replaced
"javascript" with "hello" on the first line.  The above would have given
this news server a "line too long" error, so I broke the line after the
";" in various locations (if it matters).

What does that script decode to, or try to do?

Is there an on-line javascript decoder that would have processed the
above and given some sort of report or decoded result?

VT URL scan gives 2 / 53 in terms of detection as a malicious site
(based on IP / domain of URL and not on contents or files returned?)

VT scan on "sensors.php" returns 2 / 50:

Avast  JS:Redirector-BOX [Trj]
Ikarus  JS.Redirector

Another URL from another recent spam:

hxxp://snipsandclips4kids.com/restate.php

Replies