Topic: Suspicious code undefinedxundefinedxundefinedxundefined - promotional adware!

polonus
Detected Potential Corporate Privacy Violation....

Where we stumbled onto it: Results from scanning URL: htxp://bukutamu-zies-name.googlecode.com/files/bukutamu-zies-name.js
Number of sources found: 9
Number of sinks found: 2
GET -/files/bukutamu-zies-name.js HTTP/1.1
Host: -bukutamu-zies-name.googlecode.com
Magic: HTML document text\012 exported SGML document text
Size: 1588
Md5: dd2d6d01c8cebacbc39b6abd0352db63
  United States
AS15169 Google Inc. 64.233.161.82
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Quote
suspicious: maxruntime exceeded 10 seconds (incomplete) found JavaScript
     error: undefined variable history
     error: undefined function history[_0x96d5[33]]
     error: undefined variable _0x96d5
     info: [var pu] URL=-www.topcpm.com/redirect.php
     info: [var newurl] URL=-www.topcpm.com/redirect.php
     info: [decodingLevel=1] found JavaScript

Quote
: [meta refresh] URL=-www.youradexchange.com/ad/display.php?r=374772
     info: [decodingLevel=0] found JavaScript
     info: [windowlocation] URL=-www.youradexchange.com/ad/display.php?r=374772
     info: [var location] URL=-www.youradexchange.com/ad/display.php?r=374772
     info: [var newurl] URL=-www.youradexchange.com/ad/display.php?r=374772
undefined variable str
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
[embed] -cdnovh.widgeo.net/message/messagebig.swf
     info: [iframe] -cdnovh.widgeo.net/hitparade.php?pagexiti=message
     info: [decodingLevel=0] found JavaScript
     error: undefined variable _0x9f08x2
     info: DecodedGenericCLSID detected D27CDB6E-AE6D-11cf-96B8-444553540000
     info: [element] URL=-www.topcpm.com/tcm.js
     info: [var pu] URL=-www.topcpm.com/tcm.js
     info: [var u] URL=-www.topcpm.com/u.js
     info: [var newurl] URL=-www.topcpm.com/u.js
     info: [decodingLevel=1] found JavaScript
     error: line:9: SyntaxError: XML tag name mismatch (expected embed):
          error: line:9: wf" quality="high" wmode="transparent" bgcolor="000000" width="800" height="50" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="
 -http:/www.macromedia.com/go/getflashplayer"></OBJECT>
          error: line:9: ...^
and
Quote
info: [img] -logv33.xiti.com/hit.xiti?s=281802&p=
     info: [decodingLevel=0] found JavaScript
     error: undefined variable Xr
     info: [var Xi] URL=-cdnovh.widgeo.net/
     info: [var newurl] URL=-cdnovh.widgeo.net/
     info: [img] -cdnovh.widgeo.net/

Is this obfuscated code analyzed here being blocked, or is it no longer an online threat?

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: July 10, 2017, 06:33:57 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!