7

I just discovered a virus in my computer that uses a .js file to attack. I opened the file in notepad to check out the code, but it is completely encrypted. I can see some data that makes sense (such as bhynivmao.length!=4), but the majority of the file is filled with gibberish.

There is also an autorun.inf and even though I can see some of the shell \open\command, I am not able to figure out the rest of the gibberish that is present.

Looks like both the autorun and the .js file are obfuscated the same way. Can someone please help me to get back the readable code? I am really curious to know how this thing works.

PurkkaKoodari
  • 6,703
  • 6
  • 37
  • 58
Flipsyde
  • 806
  • 1
  • 7
  • 6
  • 2
    These hackers.. getting smarter and smarter. –  May 07 '13 at 10:41
  • 1
    Try posting the .js in pastebin and giving us the link. – alexandernst May 07 '13 at 10:41
  • share the js file so some of us can check it out – Arun May 07 '13 at 11:52
  • Thanks for the response. Here is the pastebin link to the autorun.inf file http://pastebin.ca/2376210 also the link for the gc2c9c.js file called by the autorun http://pastebin.ca/2376212 and a third file (icece.js) I found on the computer. The other 2 were found in the USB stick. http://pastebin.ca/2376213 Please take a look at it.. – Flipsyde May 08 '13 at 05:18

2 Answers

6

Try using something like a JS beautifier:

http://jsbeautifier.org/

It will still keep the old variable names, but will definitely make the code more readable.

MMM
  • 7,221
  • 2
  • 24
  • 42
  • Thanks. I will also try using JS beautifier and see what happens. – Flipsyde May 08 '13 at 05:19
  • Wow.. It looks more readable now (though I still haven't figured out what the code does). Looks like both icece.js and gc2c9c.js contain the same code. Here is the pastebin link for the beautified code. http://pastebin.ca/2376219 – Flipsyde May 08 '13 at 05:26
4

You might also consider using http://jsnice.org, which uses statistical analysis of code to identify variable names. It complements http://jsbeautifier.org well by altering variable names but not structure.

Alexander Craggs
  • 7,874
  • 4
  • 24
  • 46
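Neither a beautifier nor jsnice resolves strings the script assembles at runtime (String.fromCharCode calls, hex escapes, "a" + "b" concatenation), which is usually where the interesting names hide. As an added example that is not part of either answer, here is a Python pass that statically recovers those literals and then lists the WSH/browser APIs exposed, without ever executing the script; SAMPLE_JS is a constructed stand-in written in the style the question describes, not the poster's gc2c9c.js.

```python
import json
import re

# Added example, not code from the thread.  Static pass only: the script is
# parsed as text and never executed.  SAMPLE_JS is a constructed stand-in in
# the style the question describes, not the poster's gc2c9c.js.
SAMPLE_JS = (
    'var bhynivmao = String.fromCharCode(87,83,99,114,105,112,116) + "." + '
    '"\\x53\\x68" + "ell"; '
    'if (bhynivmao.length != 4) { var q = new ActiveXObject(bhynivmao); }'
)
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\s*\)")
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
# Well-known WSH/browser APIs an analyst wants flagged once strings are readable.
INDICATORS = ("eval", "unescape", "ActiveXObject", "WScript.Shell",
              "Scripting.FileSystemObject", "document.write")

def decode_fromcharcode(src):
    """Replace String.fromCharCode(...) calls with all-numeric args by a literal."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return json.dumps("".join(chr(c) for c in codes))
    return FROMCHARCODE.sub(repl, src)

def decode_escapes(src):
    """Resolve \\xNN / \\uNNNN escapes, except ones that would break a literal."""
    def repl(m):
        ch = chr(int(m.group(1) or m.group(2), 16))
        return m.group(0) if ch in '"\'\\\n\r' else ch
    return ESCAPE.sub(repl, src)

def fold_concats(src):
    """Join adjacent double-quoted literals ("a" + "b") until none remain."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src

def deobfuscate(src):
    return fold_concats(decode_escapes(decode_fromcharcode(src)))

def indicators(src):
    """Suspicious API names visible in the source, in INDICATORS order."""
    return [name for name in INDICATORS if name in src]

if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_JS)
    print(recovered)                      # the built string is now readable
    print("indicators:", indicators(recovered))
```

Run it on the beautified file first; the folded literals make the remaining control flow far easier to read than the raw output of either tool.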