In order for this report to be useful we need to have enough information to reproduce the issue. What site were you browsing that did this? What anti-virus software do you have? When was the last time you updated Windows with security updates? What plugins and extensions and their versions do you have installed? You can find plugins by typing about:plugins in the url bar and you can find the extensions installed in the Tools Extensions menu.
SANS has an article on what appears to be a variant on this, perhaps an earlier version since the replace(/\s/g,'') in this version appears to get around the IE vs Firefox differences noted in the article. http://isc.sans.org/diary.php?storyid=1519
I should mention that the page that loads the fake spamcop site "abusecenter.org" in an iframe also loads an image with parameters set by the first obfuscated code: <img src=http://e1.extreme-dm.com/s10.g?login=itother&jv=y&j=y&srw=1400&srb=32&l=http%3A//somesite.tld>. Even though you pass in information about things like whether Java is enabled ("jv=y"), it doesn't seem to affect the content of the abusecenter.org site, and I'm not seeing where the malware is coming from.
(In reply to comment #1)
> What site were you browsing that did this?
It's explained before.
> What anti-virus software do you have?
eWido
> When was the last time you updated Windows with security updates?
Every day.
> What plugins and extensions and their versions do you have installed? You can find plugins by typing about:plugins in the url bar and you can find the extensions installed in the Tools Extensions menu.
Plugins: npnul32.dll NPSWF32.dll NPOFFICE.DLL (11.0.5510) npdrmv2.dll npdsplay.dll npwmsdrm.dll.
> What site were you browsing that did this?
> It's explained before.
js.gbeb.cc doesn't appear to contain bus timetables so it can't be the site you were browsing. Since the decrypted code doesn't appear to do anything bad (though it's very suspicious for how little it appears to do) there may be some key parameters passed in from the containing page that don't appear directly in the script you linked.
> Plugins: npnul32.dll NPSWF32.dll
What version of Flash?
What version of Windows Media Player are you running? Do you have the Microsoft update to fix MS06-006? I saw another site with an identical initial exploit format, with a different EXlogin and EXrsrv, that eventually downloaded an attack using that flaw. But I never found that code in this case from this particular server when I tried to follow the trail, so maybe this is using a different exploit.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INCOMPLETE