Javascript decode help. ""maladies.html" "andy" <inverter
| R. Asby Dragon 2004-02-28, 5:35 pm |
| Got this in a spam; there's no way in hell I'd open it.
I'm no JavaNaut; I attempted my best guess on disabling it.
Remove all "****defanging****," lines to get it back.
<script language=3D"JavaScript">
****defanging****,
auscultates =3D new Array(235,
****defanging****,
140,249,175,63,14,164,36,243,30,42,
****defanging****,
126,178,118,236,12,251,144,116,228,67,
****defanging****,
1,117,183,216,226,232,200,184,29,63,
****defanging****,
194,210,86,175,124,94,154,181,218,238,
****defanging****,
254,9,223,235,255,136,34,243,28,192,
****defanging****,
199,115,240,217,124,208,190,241,15,233,
****defanging****,
229,1,54,212,193,33,238,99,177,45,
****defanging****,
170,198,82,98,199,155,40,226,131,203,
****defanging****,
248,142,2,98,99,144,208,56,113,165,
****defanging****,
148,150,50,45,34,37,218,64,221,248,
****defanging****,
249,166,83,115,230,98,156,12,36,116,
****defanging****,
214,122,223,11,205,200,84,223,36,64,
****defanging****,
74,140,252,177,247,130,175,12,33,140,
****defanging****,
152,11,250,53,36,190,238,239,198,210,
****defanging****,
35,251,168,220,174,20,137,55,146,159,
****defanging****,
108,161,214,15,168,179,133,123,149,191,
****defanging****,
88,112,181,186,81,141,103,180,87,227,
****defanging****,
133,32,10,174,249,54,172,204,187,224,
****defanging****,
143,108,46,42,229,202,59,114,152,160,
****defanging****,
167,113,92,49,87,183,31,148,249,143,
****defanging****,
138,7,68,217,20,224,115,18,77,156,
****defanging****,
102,134,103,174,154,123,243,0,20,118,
****defanging****,
172,145,239,186,135,244,25,126,135,128,
****defanging****,
123,189,112,125,250,249,233,141,158,123,
****defanging****,
166,228,252,133,88,170,94,193,166,7,
****defanging****,
254,244,52,163,165,248,13,155,139,99,
****defanging****,
85,170,166,5,214,71,128,83,193,160,
****defanging****,
107,82,141,133,111,192,175,233,210,188,
****defanging****,
49,87,79,171,176,28,35,248,133,250,
****defanging****,
23,32,65,40,212,126,249,163,196,132,
****defanging****,
81,14,149,1,155,24,91,55,225,116,
****defanging****,
206,82,149,202,16,152,95,52,75,224,
****defanging****,
178,134,233,190,159,70,92,188,139,109,
****defanging****,
192,5,115,195,219,205,146,158,45,238,
****defanging****,
191,216,251,73,136,35,138,133,109,167,
****defanging****,
152,87,241,138,212,41,207,183,67,56,
****defanging****,
244,235,0,141,82,223,88,217,208,44,
****defanging****,
17,212,193,120,198,228,185,136,242,6,
****defanging****,
103,30,212,148,67,24,209,148,150,50,
****defanging****,
45,63,58,163,109,132,150,238,223,81,
****defanging****,
88,221,90,191,102,74,21,156,63,150,
****defanging****,
40,160,149,116,252,5,1,122,170,208,
****defanging****,
254,251,137,180,21,126,215,152,21,186,
****defanging****,
29,99,165,167,233,198,218,103,164,247,
****defanging****,
135,149,34,153,89,247,206,108,148,171,
****defanging****,
0,146,230,137,30,233,230,60,28,171,
****defanging****,
208,41,156,62,250,85,143,175,116,87,
****defanging****,
159,205,53,131,174,243,192,173,104,12,
****defanging****,
15,174,233,8,98,242,203,242,86,119,
****defanging****,
23,20,144,34,165,234,206,141,30,31,
****defanging****,
205,70,168,115,12,84,143,45,153,40,
****defanging****,
183,156,109,173,2,9,125,227,140,185,
****defanging****,
237,216,239,77,115,136,139,109,192,5,
****defanging****,
115,195,219,205,146,158,45,238,191,216,
****defanging****,
251,73,136,35,138,133,109,167,152,87,
****defanging****,
241,138,212,41,207,183,67,56,244,235,
****defanging****,
0,141,82,223,88,217,208,44,19,212,
****defanging****,
204,97,199,228,167,214,178,32,71,69,
****defanging****,
171,163,93,124,183,148,167,23,112,72,
****defanging****,
75,203,25,147,250,160,232,79,100,237,
****defanging****,
16,194,86,89,91,203,32,147,99,161,
****defanging****,
201,63,250,23,20,105,228,144,163,162,
****defanging****,
157,172,86,54,215,222,74,235,35,48,
****defanging****,
228,230,252,129,223,42,247,228,204,169,
****defanging****,
1,136,61,147,150,38,184,215,78,247,
****defanging****,
156,138,43,210,188,12,37,162,188,95,
****defanging****,
150,6,210,87,210,198,81,98,218,248,
****defanging****,
90,226,251,165,220,169,38,83,26,246,
****defanging****,
177,8,59,226,132,252,89,120,24,17,
****defanging****,
133,46,163,171,223,204,16,95,196,1,
****defanging****,
174,115,84,13,180,120,214,40,160,157,
****defanging****,
123,176,67,2,118,172,219,233,167,215,
****defanging****,
249,72,115,136,139,11,236,124,111,191,
****defanging****,
221,202,145,177,79,166,228,252,147,88,
****defanging****,
170,94,193,221,23,129,187,114,218,210,
****defanging****,
137,40,201,230,13,116,229,186,81,192,
****defanging****,
65,206,85,140,253,34,25,152,217,54,
****defanging****,
157,164,245,138,208,88,31,65,249,246,
****defanging****,
13,41,243,151,185,80,101,2,7,222,
****defanging****,
98,248,179,218,149,93,87,200,71,161,
****defanging****,
58,4,89,159,39,147,40,164,155,112,
****defanging****,
189,7,8,126,241,208,163,188,132,191,
****defanging****,
29,41,152,199,76,253,96,109,172,224,
****defanging****,
227,200,156,54,232,168,149,227,14,211,
****defanging****,
32,141,200,108,239,142,73,232,194,210,
****defanging****,
43,210,182,87,119,244,240,2,208,29,
****defanging****,
147,6,131,160,125,10,149,153,38,198,
****defanging****,
175,225,150,253,48,76,82,189,251,13,
****defanging****,
113,183,154,185,6,45,89,22,218,113,
****defanging****,
248,160,196,148,77,61,163,18,224,30,
****defanging****,
42,126,178,118,236,12,251,219,85,198,
****defanging****,
46,44,39);
****defanging****,
furlough =3D new Array(215,
****defanging****,
196,173,226,115,48,169,46,207,92,101,
****defanging****,
58,235,72,225,6,199,244,29,146,99,
****defanging****,
96,25,222,191,140,213,234,219,120,81,
****defanging****,
182,183,36,141,66,83,144,137,142,175,
****defanging****,
188,69,154,203,168,193,102,167,84,253,
****defanging****,
242,67,192,249,62,159,236,181,74,187,
****defanging****,
216,49,22,151,132,109,162,51,240,105,
****defanging****,
238,143,28,37,250,171,8,161,198,135,
****defanging****,
180,221,82,35,32,217,158,127,76,149,
****defanging****,
170,155,56,17,118,119,228,77);
****defanging****,
sparingly =3D 914;
****defanging****,
lush =3D 99;
****defanging****,
var reviling =3D "";
****defanging****,
for(anvil =3D 0; anvil < sparingly; anvil++)
****defanging****,
reviling =3D reviling + String.fromCharCode(auscultates[anvil] ^ =
****defanging****,
furlough[anvil % lush]);
****defanging****,
document.write(reviling);
****defanging****,
</script>
****defanging****,
Headers below..
Received: from 64.235.212.119 [64.235.212.119] by kendra.com
(SMTPD32-8.05) id ABCE14750168; Fri, 27 Feb 2004 12:42:54 -0800
Received: from unknown (HELO GGBDBAGB) (192.168.150.88)
by 64.235.212.119 with SMTP; 27 Feb 2004 13:36:48 -0800
Message-ID: <00b201c3fd79$bbcab500$a38a50d5@GGBDBAGB>
From: "andy" <inverters@ccim.net>
To: "***********" <**********************>
Subject: are you interested in this
Date: Fri, 27 Feb 2004 13:36:18 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00AF_01C3FD7C.C0526000"
X-Priority: 3
X-Declude-Sender: inverters@ccim.net [64.235.212.119]
X-Declude-Spoolname: Dabce1475016876c4.SMD
X-Declude-Weight: 8
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT,
CATCHALLMAILS
X-Note: This E-mail was sent from (timeout) ([64.235.212.119]).
X-Declude-Date: 02/27/2004 21:36:18 [53]
X-RCPT-TO: <******************>
Status: U
X-UIDL: 908347417
This is a multi-part message in MIME format.
------=_NextPart_000_00AF_01C3FD7C.C0526000
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_00B0_01C3FD7C.C0526000"
------=_NextPart_001_00B0_01C3FD7C.C0526000
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
this is plain text part
------=_NextPart_001_00B0_01C3FD7C.C0526000
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html;
charset=3Dutf-8">
<STYLE></STYLE>
</HEAD>
<BODY><B>This message</B> has an attach</BODY></HTML>
------=_NextPart_001_00B0_01C3FD7C.C0526000--
------=_NextPart_000_00AF_01C3FD7C.C0526000
Content-Type: text/html;
name="maladies.html"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="maladies.html"
| |
|
| The approach I use to decode these JavaScripts is to replace every occurrence
of
document.write
with
alert
It's a quick-and-dirty way to "see" the decoded output. Not very sophisticated,
but it works.
--
Rude T-shirts for a rude age: http://www.villaintees.com
Art, literature, shareware, polyamory, kink, and more:
http://www.xeromag.com/franklin.html
| |
| Bob Milutinovic 2004-02-28, 6:34 pm |
| "R. Asby Dragon" <ube_never@yahoo.com> wrote in message
news:c1r2rg03g7@enews1.newsguy.com...
> Got this in a spam; there's no way in hell I'd open it.
> <a lot of javascript deleted>
Nothing unusual about it, just a spammer trying to make it more
difficult to report the spamvertised site.
I've seen quite a few of these in recent times, with the variable names
appearing to have been picked out of a dictionary (or otherwise chosen
arbitrarily by the spammer).
The result of that script is that it writes the following HTML to your
browser, which is then rendered as if the HTML was included verbatim in the
message.
<HTML>
<BODY>
<div align="center">
<TABLE WIDTH=500 BORDER=0 CELLPADDING=0 CELLSPACING=0>
<TR>
<TD COLSPAN=2>
<IMG SRC="http://www.gainfactor.com/a/17_01.gif"></TD>
</TR>
<TR>
<TD>
<IMG SRC="http://www.gainfactor.com/a/17_02.jpg""></TD>
<TD>
<IMG SRC="http://www.gainfactor.com/a/17_03.gif"></TD>
</TR>
<TR>
<TD>
<IMG SRC="http://www.gainfactor.com/a/17_04.jpg"></TD>
<TD>
<IMG SRC="http://www.gainfactor.com/a/17_05.gif"></TD>
</TR>
<TR>
<TD>
<a href="http://www.gainfactor.com/dhg/index.php?aid=358245"><IMG
SRC="http://www.gainfactor.com/a/17_06.gif" border="0"></a></TD>
<TD>
<a href="http://www.gainfactor.com/dhg/index.php?aid=358245"><IMG
SRC="http://www.gainfactor.com/a/17_07.gif" border="0"></a></TD>
</TR>
</TABLE><br><br><br><br><br><br>
<a href="http://www.gainfactor.com/dhg/o/index.php"><img
src="http://www.gainfactor.com/a/o2.gif" border="0"></a></div>
</BODY>
</HTML>
--
Bob Milutinovic
Cognicom - "Australia's Web Presence Specialists"
http://www.cognicom.tk/
telephone (0417) 45-77-66
facsimile (02) 4727-1898
***** The return mail address is fake *****
To contact me use np0312 at cognicom dot tk
| |
| David Bolt 2004-02-28, 8:34 pm |
| On Sat, 28 Feb 2004, Tacit <tacitr@aol.com> wrote:-
>The approach I use to decode these JavaScripts is to replace every occurrence
>of
>
>document.write
>
>with
>
>alert
>
>It's a quick-and-dirty way to "see" the decoded output. Not very sophisticated,
>but it works.
Another way is to alter the document.write to write the decrypted text
to a text area, e.g. using the Javascript posted by the OP:
document.write('<textarea rows="20" cols="72">'+reviling+'</textarea>');
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | A3010 4Mb RiscOS 3.11 | A4000 4Mb RiscOS 3.11
Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
| |
|
| >Another way is to alter the document.write to write the decrypted text
>to a text area, e.g. using the Javascript posted by the OP:
>
>document.write('<textarea rows="20" cols="72">'+reviling+'</textarea>');
Much more elegant than my solution; thanks!
--
Rude T-shirts for a rude age: http://www.villaintees.com
Art, literature, shareware, polyamory, kink, and more:
http://www.xeromag.com/franklin.html
| |
| David Bolt 2004-02-28, 10:34 pm |
| On Sun, 29 Feb 2004, Tacit <tacitr@aol.com> wrote:-
>
>Much more elegant than my solution; thanks!
I can't claim credit for this idea. I saved a post by Isofarro[0] almost
2 years ago showing a similar method.
[0]
<URL:http://groups.google.com/groups? se...@
4ax.com>
<URL:http://tinyurl.com/292ps>
Regards,
David Bolt
--
Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | A3010 4Mb RiscOS 3.11 | A4000 4Mb RiscOS 3.11
Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
| |
| Spamless 2004-02-29, 1:34 am |
| In article <20040228174956.12186.00000541@mb-m02.aol.com>, Tacit wrote:
> The approach I use to decode these JavaScripts is to replace every occurrence
> of
>
> document.write
>
> with
>
> alert
But first, convert it to "real" javascript (it is quoted printable)
by removing the quoted printable. First, for the few lines ending
with "=", remove the "=" and join the line to the line following it.
Then change the "=3D"s to "=" (there doesn't appear to be any
other quoted printable stuff in it).
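
The steps described in this thread (drop the defang lines, undo the quoted-printable, then apply the loop's XOR of each data element against the key array indexed modulo the key length) can be carried out on the script as text, without running it in a browser. The following is an added example, not part of the original thread; the sample input with its names and values is constructed, and the regexes assume the exact script shape posted above.

```javascript
// Constructed sample shaped like the posted attachment (made-up names and values).
const SAMPLE = [
  '<script language=3D"JavaScript">',
  '****defanging****,',
  'data =3D new Array(61,',
  '****defanging****,',
  '96,61,110,105,63,46,96,61);',
  'key =3D new Array(1,2,3);',
  'total =3D 9;',
  'klen =3D 3;',
  'var out =3D "";',
  'for(i =3D 0; i < total; i++)',
  'out =3D out + String.fromCharCode(data[i] ^ =',
  '****defanging****,',
  'key[i % klen]);',
  'document.write(out);',
  '</script>',
].join('\n');

// Drop defang lines, join soft line breaks ("=" at end of line), undo =XX.
function cleanSource(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.trim() !== '****defanging****,')
    .join('\n')
    .replace(/=\n/g, '')
    .replace(/=([0-9A-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Recover the output by parsing the script as text; nothing is evaluated.
function decodeStatic(raw) {
  const src = cleanSource(raw);
  const arrays = {}, numbers = {};
  for (const m of src.matchAll(/(\w+)\s*=\s*new Array\(([\d,\s]*)\)/g))
    arrays[m[1]] = m[2].split(',').map(Number);
  for (const m of src.matchAll(/(\w+)\s*=\s*(\d+)\s*;/g))
    numbers[m[1]] = Number(m[2]);
  const loop = src.match(/for\s*\(\s*(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\w+)/);
  const xor = src.match(/fromCharCode\(\s*(\w+)\[\w+\]\s*\^\s*(\w+)\[\w+\s*%\s*(\w+)\]/);
  if (!loop || !xor) throw new Error('not the XOR-array pattern');
  const data = arrays[xor[1]], key = arrays[xor[2]];
  const count = numbers[loop[2]], klen = numbers[xor[3]];
  const ok = data && key && count <= data.length && klen >= 1 && klen <= key.length;
  if (!ok) throw new Error('array lengths do not match the declared counts');
  let out = '';
  for (let i = 0; i < count; i++) out += String.fromCharCode(data[i] ^ key[i % klen]);
  return out;
}

console.log(decodeStatic(SAMPLE));
```

The decoded HTML comes back as a plain string and is never rendered, so the image and link URLs in it can be read off for reporting without fetching anything.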