Can anyone ID or decode this javascript? (Feb 17 / 2014)

The following link was contained in a spam email.  It probably tries to
trigger a browser exploit of some sort, so handle this with care:

hxxp://202.29.80.23/~info/sensors.php

The server responds with this:

============
<html><body><script type="text/hello">ykzjr1="\x30";
lufrv2="\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x75\x72\x73\x69\x6E\x67\x70\x68\x61\x72\x6D\x2E\x63\x6F\x6D";
setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x6C\x75\x66\x72\x76\x32\x3B",ykzjr1);
</script></body></html>
=============

Just in case the above would have executed for some readers, I replaced
"javascript" with "hello" on the first line.  The above would have given
this news server a "line too long" error, so I broke the line after the
";" in various locations (if it matters).

What does that script decode to, or try to do?

Is there an on-line javascript decoder that would have processed the
above and given some sort of report or decoded result?

VT URL scan gives 2 / 53 in terms of detection as a malicious site
(based on IP / domain of URL and not on contents or files returned?)

VT scan on "sensors.php" returns 2 / 50:

Avast   JS:Redirector-BOX [Trj]
Ikarus  JS.Redirector

Another URL from another recent spam:

hxxp://snipsandclips4kids.com/restate.php

Re: Can anyone ID or decode this javascript? (Feb 17 / 2014)

Virus Guy wrote:
  

I posted that before I noticed the full output of jsunpack.jeek.org:

============

//eval window.top.location.href=lufrv2;
 /*** called setTimeout with window.top.location.href=lufrv2;, 0 */
  //jsunpack.url var lufrv2 = http://nursingpharm. com
  //jsunpack.url var newurl = http://nursingpharm. com  

So nothing exciting, apparently...
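The same result can be reached statically, by treating the script as text and never running it. The following is an added example, not part of the thread and not jsunpack's code; `decodeEscapes`, `defang` and `analyze` are names made up here, and it assumes the simple shape seen in this sample (double-quoted string assignments plus a `setTimeout` call with a string argument).

```javascript
// Added example: static decoding only. The sample is handled as text and never evaluated.
// SAMPLE is the script body quoted in the first post of this thread.
const SAMPLE = String.raw`ykzjr1="\x30";
lufrv2="\x68\x74\x74\x70\x3A\x2F\x2F\x6E\x75\x72\x73\x69\x6E\x67\x70\x68\x61\x72\x6D\x2E\x63\x6F\x6D";
setTimeout("\x77\x69\x6E\x64\x6F\x77\x2E\x74\x6F\x70\x2E\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x3D\x6C\x75\x66\x72\x76\x32\x3B",ykzjr1);`;

// Decode \xNN and \uNNNN; for any other escape keep the escaped character (simplification).
function decodeEscapes(body) {
  return body.replace(/\\(?:x([0-9a-f]{2})|u([0-9a-f]{4})|(.))/gi, (m, x, u, c) =>
    x || u ? String.fromCharCode(parseInt(x || u, 16)) : c);
}

// Make a URL non-clickable before it goes into a report or a news post.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

function analyze(src) {
  // Pass 1: collect name="literal" assignments with their decoded values.
  const vars = Object.create(null);
  for (const m of src.matchAll(/\b([A-Za-z_$][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"/g))
    vars[m[1]] = decodeEscapes(m[2]);
  // A token is either a quoted literal or a variable name seen in pass 1.
  const resolve = (tok) => /^["']/.test(tok) ? tok.slice(1, -1) : (vars[tok] ?? tok);

  // Pass 2: decode string arguments to setTimeout and look for a location assignment.
  const report = { vars, timers: [], redirects: [] };
  for (const m of src.matchAll(/setTimeout\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*([\w$]+)\s*\)/g)) {
    const code = decodeEscapes(m[1]);
    report.timers.push({ code, delay: resolve(m[2]) });
    const nav = code.match(/location(?:\.href)?\s*=\s*("[^"]*"|'[^']*'|[\w$]+)/);
    if (nav) report.redirects.push(defang(resolve(nav[1])));
  }
  return report;
}

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

The report agrees with the jsunpack output quoted above: a zero-delay `setTimeout` that assigns `window.top.location.href` to the decoded URL.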

Re: Can anyone ID or decode this javascript? (Feb 17 / 2014)

On Mon, 17 Feb 2014 10:41:03 -0500, Virus Guy wrote:


Made Avast on this machine squawk. Can't open either your OP or FTR's  
response to it.



--  
None are so hopelessly enslaved, as those who falsely believe they  
are free. The truth has been kept from the depth of their minds by  
masters who rule them with lies.  
-Johann von Goethe  

Re: Can anyone ID or decode this javascript? (Feb 17 / 2014)

Virus Guy formulated on Monday :

Redirection.



Can anyone ID or decode this javascript? (Feb 17 / 2014)

+ User FidoNet address: 1:3634/12.71
On Sun, 16 Feb 2014, Virus Guy wrote to All:


 VG> avast!: Message body was removed because it contained a virus.  

distributing viruses are we? ;)  looks like the gateway stripped it to protect
those of us on this side of it :)

 VG> ___ NewsGate v1.0 gamma 2
 VG>  - Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)  

)\/(ark

One of the great tragedies of life is the murder of a beautiful theory by a
gang of brutal facts. --Benjamin Franklin
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
