Normally, a WPL file is associated with a Windows Player List, but we find that these files are often used to hide malicious JavaScript code as well. If that is why you are here, you are probably looking for some help decoding the script.
If you open your WPL file with Notepad, you’ll find that there are two arrays in it. The code may not specifically say “array”, but its basic structure gives it away — a var line of code containing a value surrounded by square brackets. As shown below, one of the arrays will contain five values separated by commas. The values represent HEX characters, so each value will range from 1 to 255. This array will be our “KeyArray”.
var jumbledCharacters = [218,144,4,215,211]
The other array is very similar to the one described above, but contains a lot more values. That string of characters is the coded URL that the hacker is using to download more viruses. We will call it our “CodeArray” value.
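The following Node.js sketch is an added example, not the tool from this page or the author's code. It pulls both arrays out of the file text and decodes the CodeArray under the assumption that each value is XORed with the KeyArray value at the same position, with the key repeating; the page does not state the operation, and the function names, the second variable name and the sample URL are constructed for illustration.

```javascript
// Added example, not the page's tool. ASSUMPTION: CodeArray byte i is XORed
// with KeyArray byte (i mod 5); the page does not state the operation.
const ARRAY_RE = /var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\d\s,]+)\]/g;

// Pull every "var name = [n, n, ...]" byte array out of the file text.
function extractArrays(text) {
  return [...text.matchAll(ARRAY_RE)].map(([, name, body]) => {
    const values = body.split(",").map((s) => s.trim()).filter(Boolean).map(Number);
    if (values.some((v) => !Number.isInteger(v) || v < 0 || v > 255)) {
      throw new Error(`${name}: value outside byte range`);
    }
    return { name, values };
  });
}

// KeyArray is the five-value array; CodeArray is the longest remaining one.
function pickArrays(arrays) {
  const key = arrays.find((a) => a.values.length === 5);
  const code = arrays.filter((a) => a !== key)
    .sort((a, b) => b.values.length - a.values.length)[0];
  if (!key || !code) throw new Error("KeyArray or CodeArray not found");
  return { key: key.values, code: code.values };
}

function decodeWpl(text) {
  const { key, code } = pickArrays(extractArrays(text));
  const url = code.map((b, i) => String.fromCharCode(b ^ key[i % key.length])).join("");
  // Unprintable output means the XOR assumption does not fit this sample.
  if (!/^[\x20-\x7e]+$/.test(url)) throw new Error("decoded text is not printable");
  const host = new URL(url).hostname; // value to pass to nslookup
  // Defang so the result is safe to paste into tickets and chat.
  const defanged = url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
  return { url, host, defanged };
}

// Constructed sample input: the key is the array shown above, the URL is made up.
const KEY = [218, 144, 4, 215, 211];
const SAMPLE_URL = "http://files.example.test/update.js";
const SAMPLE_WPL =
  "var jumbledCharacters = [" + KEY.join(",") + "]\n" +
  "var moreCharacters = [" +
  [...SAMPLE_URL].map((c, i) => c.charCodeAt(0) ^ KEY[i % 5]).join(",") + "];\n";

console.log(decodeWpl(SAMPLE_WPL));
```

If the decoder reports unprintable text for a real sample, the script is combining the arrays some other way, and the decoding routine in the file itself has to be read to find out how.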
URL Decryption Tool
Next Steps
Use this information to update your firewall. If you need an IP address, use nslookup <hostName> from DOS or PowerShell. Use the host name from the Decoded URL as your <hostName>.