David H. Lipman wrote:
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> | G. Morgan wrote:
> |
> | I got a blob of obfuscated javascript. While analyzing it, I
> | accidentally closed the program and lost it all. Going back three more
> | times did not give me the obfuscated javascript anymore.
> |
> | The obfuscation looked very similar to some I have seen before that had
> | eventually led to a Fake-AV trojan.
>
> Yeah. I ran it again and that JS is playing Hide & Seek. I think it is
> recording IPs and checking User-Agent. I ran it again under sandBox and
> although no malware and successful exploitation occurred (the box is full
> of exploitable software from IE6, to Adobe Reader 9 to Sun Java v5
> update X) but I did capture the following screen.
>
> http://multi-av.thespykiller.co.uk/dump0.jpeg
>
> It "IS" associated with Black Hole Exploit kit sites.
>
> http://blog.dynamoo.com/2011/12/malw...from-your.html
> http://urlquery.net/report.php?id=10700
>

Do you know what this line does?

<script type="text/javascript"> jQuery(document).ready( function() {
jQuery("a.confirm").click( function() { if ( confirm( 'Are you sure?' )
) return true; else return false; }); });</script>