
Java / JS Detective Story

Warning: at the time of writing, the site is still infected. Yes, it can infect your Windows machine through a hole in Java (probably).

Last night, while browsing the website of the company Svyaznoy, I ran into Google's warning that the site may be infected. Naturally I dismissed it and went to look at the source (don't do this!).
At first glance there was nothing dangerous there. I had to dig deeper, and I found something interesting!


The threat was hidden in jQuery (jquery.min.js): at the very end of the file the following code had been neatly inserted (I don't advise executing it, there is an iframe in there!):
(Code: pastebin.com/DSPzeDqd)

Trimming it (removing a few characters from the beginning of the “txt” variable) gives us a non-working version of the code, from which we can see what was hidden there.

This is the “trojan” that Google saw. The iframe leads to a site with distinctly Russian roots, "bul0va.***" (swear at me all you like, but you'd better not go there: there are trojans!)

A little analysis of that site's source showed that there is also a Java file. Rather than picking apart the JavaScript, I went looking for a Java decompiler.
The first thing I found was this application: http://java.decompiler.free.fr/ .
It worked. I got the source of the jar file, complete with some rather interesting tricks aimed at the "too clever".

(Main class code: http://pastebin.ru/317047)

Unfortunately, I could not work out what it does or how.
I suggest you finish this little quest and figure out how it infects the end user's machine.

Source: https://habr.com/ru/post/114008/
