Friday, March 13, 2009

Unescape Script Trojans

( a short analysis of Trojan.Agent.AKT )


[Description]

This is a JavaScript trojan. Basically, it just opens a connection to an adult web page.
Below I will present some technical details that are commonly encountered in JavaScript trojans.

The code of this trojan looks something like this (only part of it is shown):
<script language="javascript">
document.write(unescape('%3C%73%63%72%69...'));dF('%264Dtdsjqu%2631...')</script>

N.B.:
This code is usually added to adult websites and is set to be triggered by a certain action.

The unescape function replaces every character encoded in the %xx hexadecimal form with the corresponding ASCII character.
So, when that script is executed, the real code will look like this:

<script language="javascript">
function dF(s)
{
    var s1 = unescape(s.substr(0, s.length-1));
    ....
}

After that comes a call to this function. The parameter is actually encoded code that opens a specific window.
So, the dF function decrypts %264Dtdsjqu%2631... to

http://egno{blocked}.com/questbook/in.cgi?...&HTTP_REFERER=file...NAME_OF_THE_FILE.html...
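
A static decoder for the two layers described above, added here as an example; it is not code from the trojan or from the original post. It assumes the elided part of dF subtracts a one-digit shift (the character dF strips from the end) from every character code and unescapes the result again; the function names and the trailing key digit in the last sample are constructed for illustration.

```javascript
// Static decoding only: nothing is eval'd or written into a document,
// the decoded text is just returned as a string for inspection.

// Same mapping as unescape(): %XX and %uXXXX become characters.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// ASSUMPTION: the elided body of dF shifts every character code down by
// `shift` and then unescapes the result a second time.
function shiftDecode(body, shift) {
  const stage1 = percentDecode(body);
  let stage2 = '';
  for (let i = 0; i < stage1.length; i++) {
    stage2 += String.fromCharCode(stage1.charCodeAt(i) - shift);
  }
  return percentDecode(stage2);
}

// ASSUMPTION: the character dF strips from the end is the shift digit.
function dFDecode(arg) {
  const key = arg.slice(-1);
  if (!/^[0-9]$/.test(key)) throw new Error('last character is not a digit');
  return shiftDecode(arg.slice(0, -1), Number(key));
}

// For a truncated sample (key digit missing), try each one-digit shift and
// keep the one whose output starts like markup.
function recoverShift(fragment) {
  for (let shift = 0; shift <= 9; shift++) {
    if (shiftDecode(fragment, shift).startsWith('<')) return shift;
  }
  return null;
}

// Visible prefixes from the page; both strings are truncated there.
const layer1 = '%3C%73%63%72%69';
const layer2 = '%264Dtdsjqu%2631';
console.log(JSON.stringify(percentDecode(layer1)));        // first layer
console.log(recoverShift(layer2));                         // shift in use
console.log(JSON.stringify(shiftDecode(layer2, recoverShift(layer2))));
// Constructed sample: page prefix plus an assumed trailing key digit "1".
console.log(JSON.stringify(dFDecode(layer2 + '1')));
```

Run it with Node.js on a copy of the script saved as text, so the page itself is never opened in a browser.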


[Clean]

To clean the computer, you just need to delete the HTML file that contains this script.
