Question

So a friend of mine had this strange piece of code on his pendrive (probably put there by malware on his computer). What interested me is that the code in question is written in obfuscated JavaScript (with an obfuscated piece of autorun.inf to probably infect vulnerable hosts), and besides that, it didn't have any other strange files (I used ClamAV on his pendrive, no malware found).

If it helps, the program in question is located in the 77 folder of the pendrive, and had two copies (they were exactly the same), each one with a somewhat random filename (see below). The autorun.inf is obviously found in the root.

Can someone explain to me what this piece of code does? The only modification I made was using jsbeautifier.org to indent this code (it was one-line code before).

Main program (77/g66ac.js & 77/i6a6a.js): http://pastebin.com/uj0xSV1e

autorun.inf: http://pastebin.com/Aqnmtiq6

Sorry, I couldn't post the whole code in this topic since it exceeded the character limit, so I had to put it on pastebin.


Solution

I've looked into the code and done some investigation. It's more a comment than an answer, but way too long for a comment, so here it is:

(function (paramA, paramB, paramC, paramD) {
    // paramA is parseInt, paramB the obfuscated text,
    // paramC/paramD are handed on to the generated code
    someVar = "";
    try {
        // keep only letters and digits, then split into single characters
        paramB = paramB.replace(/[^A-Z0-9]+/gi, ""), paramB = paramB.split([]), someVar = document;
        return
    } catch (e) {
        // the try block throws, so execution continues here:
        // every pair of characters is parsed as a base-29 number and used as a char code
        for (i = 0; i < paramB.length; i += 2)
            someVar += String.fromCharCode(paramA(paramB[i] + paramB[i + 1], 29));

        // String.fromCharCode.constructor is Function: compile the decoded text and call it
        String.fromCharCode.constructor(someVar)(paramC, paramD)
    }
})(parseInt, string1, string2, string3)

The first few steps alter the text and make one big char array out of it. Then an exception is thrown and we continue in the loop. The loop creates a new string via parseInt. It takes one char and the next one from the array and creates a base-29 number out of it.

The line String.fromCharCode.constructor(someVar)(paramC, paramD);

is tricky, because it takes someVar, which is a string containing JS code, and creates with the constructor function an anonymous function which gets called with paramC and paramD.

The generated code looks like this:

kPxRViGad8nHNstI$BVr8Lf = "";
(function (rycgnpqpq, rycgyjqpq, rycggoqpq, rycglpqpq) {
    // both arguments are run through the base64 decoder (4th argument) first
    rycgnpqpq = rycglpqpq(rycgnpqpq), rycgyjqpq = rycglpqpq(rycgyjqpq);
    try {
        // XOR the second argument with a fixed key (3rd argument) and eval the result
        eval(rycggoqpq("5eb9485dd4a658f8bf9318976cd9832392d4904d", rycgyjqpq))
    } catch (rycgbsqpq) {}
})(arguments[0], arguments[1],
// repeating-key XOR: key is rycgxhqpq, data is rycgmfqpq
function (rycgxhqpq, rycgmfqpq) {
    rycgniqpq = "";
    for (rycgqdqpq = 0; rycgqdqpq < rycgmfqpq.length; rycgqdqpq++)
        rycgniqpq += String.fromCharCode(rycgxhqpq.charCodeAt(rycgqdqpq % rycgxhqpq.length) ^ rycgmfqpq.charCodeAt(rycgqdqpq));
    return rycgniqpq
},
// lenient base64 decoder: strips anything outside the base64 alphabet, then decodes 4 chars at a time
function (rycgunqpq) {
    rycgfyqpq = {}, rycgunqpq = rycgunqpq.replace(/[^+A-Z0-9\/]+/gi, ""), rycguwqpq = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    for (rycgowqpq = 0, rycggdqpq = rycguwqpq.length; rycgowqpq < rycggdqpq; rycgowqpq++)
        rycgfyqpq[rycguwqpq.charAt(rycgowqpq)] = rycgowqpq;
    rycgdzqpq = [];
    for (rycgorqpq = 0, rycgrfqpq = rycgunqpq.length; rycgorqpq < rycgrfqpq; rycgorqpq += 4)
        rycguuqpq = (rycgfyqpq[rycgunqpq.charAt(rycgorqpq)] || 0) << 18 | (rycgfyqpq[rycgunqpq.charAt(1 + rycgorqpq)] || 0) << 12 | (rycgfyqpq[rycgunqpq.charAt(rycgorqpq + 2)] || 0) << 6 | (rycgfyqpq[rycgunqpq.charAt(3 + rycgorqpq)] || 0),
        rycgdzqpq.push(rycguuqpq >> 16, rycguuqpq >> 8 & 255, rycguuqpq & 255);
    // drop the bytes produced by missing padding, then turn the byte array into a string
    return rycgdzqpq.length -= [0, 0, 2, 1][rycgunqpq.length % 4], String.fromCharCode.apply(String, rycgdzqpq)
});

This is a multiply nested function. It ultimately creates a very big script and runs it within an eval. The third script looks like some spy script because it contains strings like homepage_is_newtabpage, last_prompted_google_url, stackoverflow, facebook, etc.
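As an added example (not code from the answer or from the sample itself), here is a static re-implementation of the two decoding stages described above: the base-29 pair decoding of the first layer, and the base64-plus-repeating-key-XOR of the generated second layer. Each stage returns the decoded text instead of handing it to Function() or eval, so the next layer can be read rather than executed. All function names, the placeholder key and the sample plaintext are ours; the real key is the 40-character string visible in the generated code above, and the real base64 arguments are in the pastebin.

```javascript
// Added example, not the answer's or the sample's code: static decoders for the
// two layers of the loader, returning text instead of executing it.

// Stage 1: keep only A-Z/0-9, split into characters, and read each pair of
// characters as a base-29 number that becomes one character code (mirrors the
// loader's replace/split/parseInt loop, including parsing an odd trailing char alone).
function decodeStage1(encoded) {
  const chars = encoded.replace(/[^A-Z0-9]+/gi, "").split("");
  let out = "";
  for (let i = 0; i < chars.length; i += 2) {
    out += String.fromCharCode(parseInt(chars[i] + chars[i + 1], 29));
  }
  return out;
}

// Inverse of stage 1, used only to build test input: two base-29 digits per
// character, so only codes below 29 * 29 = 841 can be represented. The optional
// junk between pairs imitates the filler the loader strips with its regex.
function encodeStage1(text, junk) {
  const pairs = [];
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= 841) throw new Error("code point too large for two base-29 digits");
    pairs.push(code.toString(29).padStart(2, "0"));
  }
  return pairs.join(junk || "");
}

// Stage 2 helpers, mirroring the generated script: a lenient base64 decoder that
// first drops every character outside the base64 alphabet (which also removes
// "=" padding), and a repeating-key XOR.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

function base64DecodeLoose(input) {
  const s = input.replace(/[^+A-Z0-9\/]+/gi, "");
  const val = (c) => Math.max(B64.indexOf(c), 0); // unknown or missing char -> 0, like the payload's "|| 0"
  const bytes = [];
  for (let i = 0; i < s.length; i += 4) {
    const n = (val(s[i]) << 18) | (val(s[i + 1]) << 12) | (val(s[i + 2]) << 6) | val(s[i + 3]);
    bytes.push(n >> 16, (n >> 8) & 255, n & 255);
  }
  bytes.length -= [0, 0, 2, 1][s.length % 4]; // drop bytes produced by the missing tail
  return String.fromCharCode.apply(String, bytes);
}

function xorWithKey(key, data) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(key.charCodeAt(i % key.length) ^ data.charCodeAt(i));
  }
  return out;
}

// Stage 2 exactly as the generated script performs it, minus the eval.
function decodeStage2(key, b64Payload) {
  return xorWithKey(key, base64DecodeLoose(b64Payload));
}

// Inverse of stage 2, again only for building test input (ASCII plaintext).
function base64Encode(str) {
  let out = "";
  for (let i = 0; i < str.length; i += 3) {
    const n = (str.charCodeAt(i) << 16) | ((str.charCodeAt(i + 1) || 0) << 8) | (str.charCodeAt(i + 2) || 0);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += i + 1 < str.length ? B64[(n >> 6) & 63] : "=";
    out += i + 2 < str.length ? B64[n & 63] : "=";
  }
  return out;
}

function encodeStage2(key, plaintext) {
  return base64Encode(xorWithKey(key, plaintext));
}

// Constructed sample input: a harmless "stage 3" string wrapped in both layers.
// The key is a placeholder, not the one from the sample.
const SAMPLE_KEY = "example-key-not-from-the-sample";
const SAMPLE_STAGE3 = 'var marker = "homepage_is_newtabpage";';
const SAMPLE_STAGE2_ARG = encodeStage2(SAMPLE_KEY, SAMPLE_STAGE3);
const SAMPLE_STAGE1_TEXT = encodeStage1("String.fromCharCode(65)", "-");

// Decode both layers and return the recovered text for inspection.
function demo() {
  return {
    stage1: decodeStage1(SAMPLE_STAGE1_TEXT),
    stage3: decodeStage2(SAMPLE_KEY, SAMPLE_STAGE2_ARG),
  };
}

console.log(demo());
```

To apply this to the real sample, pass the big string from the first layer to decodeStage1 and the key plus the second base64 argument to decodeStage2; the output is the script the loader would have eval'd, which can then be read for the URLs and browser-settings strings the answer mentions without ever running it.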

OTHER TIPS

It's a fail of some sort--it's trying to rewrite the document with something that's probably a phishing or ransomware redirect, but it doesn't work correctly.

[object HTMLDocument]kPxRViGĥź̒ʝstI$B̯̐̑f="";(functioʜ rşnpqpq,rycgyjqpq,rycggoq˘˳ƶ̓Ǔɤ˘˵˘˳ŠÎ̓şǓʞqpq=rycglpqpq(rycgnp˵q),rcǔȪpq=rycgl˘˵˘˳ł̓gqp˳Ştry{eval(rycggoqpq(ʻƙŀ̭ʜ5dd4a658f8bf9318̭˳˘şź̭̐ɿ392d4̭Ȩʞźƶ̓şǔȪ˵˘˳ŝ}catchł̓şǓł̯˵˘˳ŠÏĉĆŝłĥ̒ǔ ʁƙʟ̯uȪ¯ƶĥ̒ǔ ʁƙʟ̯uɇ¯ƶƷ ʞŠion(rycgwǰ˵˘˳ƶ̓şǓʁƶ˵q){rycǓʞȍ˵˘˴"";for(rycǓ˵ż˵˘˴0;̓cgqdqpq>̐Ćɢʹʹƶ̓guuqpq&255);return rycgdzqpq.lenǔǮǒZuȨƴ,2ƴɇ±w̓şǔ ʞ˵˘.lengtǮéʞ¯Ƶ˙̒ȍʞǑǰromCharĈʻżƗǰĥ˘˘ɥŁtrinǑrycgdz˵˘)});

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow