7

I just discovered a virus in my computer that uses a .js file to attack. I opened the file in notepad to check out the code, but it is completely encrypted. I can see some data that makes sense (such as bhynivmao.length!=4), but the majority of the file is filled with gibberish.

There is also an autorun.inf and even though I can see some of the shell \open\command, I am not able to figure out the rest of the gibberish that is present.

Looks like both the autorun and the .js file are obfuscated the same way. Can someone please help me to get back the readable code? I am really curious to know how this thing works.

4
  • 2
    These hackers.. getting smarter and smarter. Commented May 7, 2013 at 10:41
  • 1
    Try posting the .js in pastebin and giving us the link. Commented May 7, 2013 at 10:41
  • Share the js file so some of us can check it out. Commented May 7, 2013 at 11:52
  • Thanks for the response. Here is the pastebin link to the autorun.inf file pastebin.ca/2376210 also the link for the gc2c9c.js file called by the autorun pastebin.ca/2376212 and a third file (icece.js) I found on the computer. The other 2 were found in the USB stick. pastebin.ca/2376213 Please take a look at it.. Commented May 8, 2013 at 5:18

2 Answers

6

Try using something like a JS beautifier:

http://jsbeautifier.org/

It will still keep the old variable names, but will definitely make the code more readable.


2 Comments

Thanks. I will also try using JS beautifier and see what happens.
Wow.. It looks more readable now (though I still haven't figured out what the code does). Looks like both icece.js and gc2c9c.js contain the same code. Here is the pastebin link for the beautified code. pastebin.ca/2376219
4

You might also consider using http://jsnice.org, which uses statistical analysis of code to identify variable names. It complements http://jsbeautifier.org well by altering variable names but not structure.
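
To illustrate what the layout pass recommended in the answers above does, here is an added example (not code from either answer, and not how jsbeautifier.org or jsnice.org are implemented): a small formatter that treats a suspicious script purely as text, never evaluates it, and leaves every identifier unchanged. The `beautify` function and the `SAMPLE` string are constructed for this illustration; it assumes ES5-style input without comments, regex literals or template strings.

```javascript
// Layout-only formatter for minified/obfuscated JavaScript.
// The input is handled as a plain string and is never executed.
function beautify(src, indentUnit = "  ") {
  let out = "";
  let depth = 0;   // current brace nesting level
  let parens = 0;  // inside (...) we keep ';' inline, e.g. for(;;)
  // Start a fresh line at the current depth, discarding any pending indent.
  const newline = () => {
    out = out.replace(/\s+$/, "") + "\n" + indentUnit.repeat(depth);
  };
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      // Copy string literals verbatim so braces and semicolons inside
      // them do not affect the layout; skip over backslash escapes.
      let j = i + 1;
      while (j < src.length && src[j] !== ch) j += src[j] === "\\" ? 2 : 1;
      out += src.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (ch === "(") parens++;
    if (ch === ")") parens = Math.max(0, parens - 1);
    if (ch === "{") {
      depth++;
      out += "{";
      newline();
    } else if (ch === "}") {
      depth = Math.max(0, depth - 1);
      newline();
      out += "}";
      // Keep "};", "}," and "})" together on one line.
      if (!";,)".includes(src[i + 1] || " ")) newline();
    } else if (ch === ";" && parens === 0) {
      out += ";";
      newline();
    } else if (ch !== "\n" && ch !== "\r") {
      out += ch; // original line breaks are dropped, everything else is kept
    }
    i++;
  }
  return out.trim();
}

// Constructed, harmless sample in the style of a one-line obfuscated script.
const SAMPLE =
  'var bhynivmao="a;b}";if(bhynivmao.length!=4){for(var i=0;i<2;i++){q(i);}}';
console.log(beautify(SAMPLE));
```

Because the script is only read as a string, this kind of formatting can be done on a file taken from an infected USB stick without running any of its code.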
