Probable email virus


From: Dan Kohn (dan@teledesic.com)
Date: Sun Feb 13 2000 - 07:08:07 PST


I got the following email, which seems very likely to be a virus (or are
these described as worms?). Note that the JavaScript routine first decodes
encrypted code and then runs it. It's hard to see why else that would be
done except to obfuscate a virus.

Thankfully, IE 5.0's buggy JavaScript interpreter failed to execute
correctly and gave me the option to run Script Debugger, from which I copied
the code.

I'd be interested if anyone would decode the instruction set and/or message.

The content of the message:

<HTML>
<HEAD>
        <TITLE></TITLE>
        <META HTTP-EQUIV="Expires" CONTENT="Tue, 16 Jan 1990 21:29:02 GMT">
</HEAD>

<BODY BGCOLOR="#FF3030" TEXT="#000000" ALINK="#00FF30" VLINK="#FF3030"
LINK="#0000FF">

<SCRIPT LANGUAGE="JavaScript"><!--
function Decode() {
d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH OQBuFFZQDCMGH(){\nUFFHUIQ=HU9MOUBGD.UFFhUIQ;\nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;\nIULGD9QD = UFF9QDCMGH.CATCBDMHO(\", #);\nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) ) DQBADH #;\nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB q7FJGDQD0) && (IULGD9QD 3= <) ) DQBADH #;\nDQBADH \";\n}\nPAHSBMGH SJMSK() {\nMP (Q9QHB.TABBGH==]) {\nUJQDB('bNQ DMONB IGACQ TABBGH NUC TQQH RMCUTJQR.')\n}\n}\nRGSAIQHB.GHIGACQRG8H = SJMSK\n//--34/CSDMFB34nbij34nqur34/nqur34tgrW tosgjgd=01pp>\">\"0 b");
d("qXb=01\"\"\"\"\"\"0 ujmhk=01\"\"pp>\"0 Zjmhk=01pp>\">\"0 jmhk=01\"\"\"\"pp034TD34pghb34t3cMSK 8NGDQC 8NG RG UH6BNMHO BNUB BNQ6 SUH FAB MHCMRQ GD TMOOQD!!4TD3bNMC MC GAD IGCB tM5UDDQ UHR q7BDQIQ cngskmho CMBQ!! nQDQ BNQ4TD3OMDJC SUH JGGK CG 6GAHO UHR MHHGSQHB AHBMJ 6GA CQQ BNQI RGMHO UH6BNMHO4td3UHR UH6GHQ MH CMONB 8MBN UJJ CGDB CGDBC GP CBDUHOQ GTLQSBC ACQR BG PMJJ BNQMD 4TD3NGJQC. bNQ6 LACB JG9Q OQBBMHO BNQMD UCCQC PASKQR UHR PMJJQR 8MBN4TD3BNUB 8UDI PJG8 GP sai. CMSK 8NGDQC MC 8NUB UJJ BNQCQ nGDH6 WGAHO4TD3t");
d("MBSNQC UDQ, CG SJMSK UHR CQQ MP BNQ6 SUH CUBMCP6 6GAD BUCBQC.4TD3dQIQITQD UH6BNMHO OGQC CG FDQFUDQ 6GADCQJP PGD UH Q7FQDMQHSQ JMKQ HG4TD3GBNQD. 4u ndqp=0NBBF://888.BMSBGSK.FFJ@><wwyy]\"vy/?>y<zz03sJMSK NQDQ UHR CQQ BNQCQ CMSK 8NGDQC4/u34/t34/pghb34/tgrW34/nbij3");
return 0;}
//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
ky="";
function d(msg){ky=ky+codeIt(key,msg);}
var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
function codeIt (mC, eS) {
  var wTG, mcH = mC.length / 2, nS = "", dv;
  for (var x = 0; x < eS.length; x++) {
    wTG = mC.indexOf(eS.charAt(x));
    if (wTG > mcH) {
      dv = wTG - mcH;
      nS = nS + mC.charAt(33 - dv);
    } else {
      if (key.indexOf(eS.charAt(x)) < 0) {
        nS = nS + eS.charAt(x)
      } else {
        dv = mcH - wTG;
        nS = nS + mC.charAt(33 + dv);
      }
    }
  }
  return nS;
}
//--></SCRIPT><SCRIPT LANGUAGE="JavaScript"><!--
Decode();document.write(ky);//-->

The headers [Note that blue_eyes@teledesic.com is not a valid address]:

Received: from SMTP (mgate-01.teledesic.com [10.100.10.14]) by
mgate-01.teledesic.com with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2448.0)
        id 1MHVSZT1; Sun, 13 Feb 2000 03:33:05 -0800
Received: from tdxnet1.teledesic.com ([216.190.22.35]) by 10.100.10.14
  (Norton AntiVirus for Internet Email Gateways 1.0) ;
  Sun, 13 Feb 2000 11:33:05 0000 (GMT)
Received: from mail.ac.net (ip237.miami16.fl.pub-ip.psi.net [38.37.31.237])
        by tdxnet1.teledesic.com (Build 98 8.9.3/NT-8.9.3) with SMTP id
DAA10940
        for <DAN@TELEDESIC.COM>; Sun, 13 Feb 2000 03:30:36 -0800
From: annieh@oysiw.grabasite.com
X-Mailer: zoom mail 3.r
Message-Id: <rghoklowwrxqdhna.fgbhmypptxhwnnxwmpsy@mail.ac.net>
Date: Thu, 17 Feb 2000 08:39:03 -0500
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7BIT
To: blue_eyes@TELEDESIC.COM
Subject: my system crashed
-qtexrt

                - dan

--
Daniel Kohn <mailto:dan@dankohn.com>
tel:+1-425-602-6222  fax:+1-425-602-6223
http://www.dankohn.com 
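An added example, not part of Dan's message or of the mail it quotes: a clean-room JavaScript decoder for the substitution that the posted codeIt()/d() routines implement, run over the three encoded strings from the message. The function names codeIt (reused), decodeMessage, dottedQuad and extractLink are mine, and the joins where the mailing list wrapped the encoded strings across lines are my reconstruction (an assumption); the alphabet and the ciphertext are otherwise copied from the posted source.

```javascript
// Added example (not from the original message): decode the obfuscated
// script from the posted email. The line joins at the points where the
// mail was wrapped are an assumption; the alphabet and ciphertext are
// copied from the posted source.

// The 67-character alphabet from the posted "key" variable.
const KEY = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#"';

// The posted codeIt() compares the index against mC.length / 2 (33.5) and
// calls charAt() with fractional arguments, but charAt() truncates, so every
// branch reduces to one rule: the character at index i in KEY becomes
// KEY[66 - i]; anything not in KEY (newlines, spaces, punctuation) passes
// through unchanged. The mapping is its own inverse, so this function both
// decodes the message and re-encodes the plaintext.
function codeIt(text) {
  const last = KEY.length - 1; // 66
  let out = '';
  for (const ch of text) {
    const i = KEY.indexOf(ch);
    out += i < 0 ? ch : KEY.charAt(last - i);
  }
  return out;
}

// The three d(...) arguments from the message, joined across the wrapped
// lines (a space where the wrap fell between words, nothing where it fell
// inside a token); d() simply concatenates them in the original.
const ENCODED = [
  "4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH OQBuFFZQDCMGH(){\nUFFHUIQ=HU9MOUBGD.UFFhUIQ;\nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;\nIULGD9QD = UFF9QDCMGH.CATCBDMHO(\", #);\nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) ) DQBADH #;\nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB q7FJGDQD0) && (IULGD9QD 3= <) ) DQBADH #;\nDQBADH \";\n}\nPAHSBMGH SJMSK() {\nMP (Q9QHB.TABBGH==]) {\nUJQDB('bNQ DMONB IGACQ TABBGH NUC TQQH RMCUTJQR.')\n}\n}\nRGSAIQHB.GHIGACQRG8H = SJMSK\n//--34/CSDMFB34nbij34nqur34/nqur34tgrW tosgjgd=01pp>\">\"0 b",
  "qXb=01\"\"\"\"\"\"0 ujmhk=01\"\"pp>\"0 Zjmhk=01pp>\">\"0 jmhk=01\"\"\"\"pp034TD34pghb34t3cMSK 8NGDQC 8NG RG UH6BNMHO BNUB BNQ6 SUH FAB MHCMRQ GD TMOOQD!!4TD3bNMC MC GAD IGCB tM5UDDQ UHR q7BDQIQ cngskmho CMBQ!! nQDQ BNQ4TD3OMDJC SUH JGGK CG 6GAHO UHR MHHGSQHB AHBMJ 6GA CQQ BNQI RGMHO UH6BNMHO4td3UHR UH6GHQ MH CMONB 8MBN UJJ CGDB CGDBC GP CBDUHOQ GTLQSBC ACQR BG PMJJ BNQMD 4TD3NGJQC. bNQ6 LACB JG9Q OQBBMHO BNQMD UCCQC PASKQR UHR PMJJQR 8MBN4TD3BNUB 8UDI PJG8 GP sai. CMSK 8NGDQC MC 8NUB UJJ BNQCQ nGDH6 WGAHO4TD3t",
  "MBSNQC UDQ, CG SJMSK UHR CQQ MP BNQ6 SUH CUBMCP6 6GAD BUCBQC.4TD3dQIQITQD UH6BNMHO OGQC CG FDQFUDQ 6GADCQJP PGD UH Q7FQDMQHSQ JMKQ HG4TD3GBNQD. 4u ndqp=0NBBF://888.BMSBGSK.FFJ@><wwyy]\"vy/?>y<zz03sJMSK NQDQ UHR CQQ BNQCQ CMSK 8NGDQC4/u34/t34/pghb34/tgrW34/nbij3",
].join('');

// What document.write(ky) would have inserted into the page.
function decodeMessage() {
  return codeIt(ENCODED);
}

// The decoded page's only link writes its host as a single 32-bit decimal
// number behind a "user@" prefix. Convert such a number to dotted-quad form,
// which is what logs, firewall rules and lookups use.
function dottedQuad(n) {
  return [24, 16, 8, 0].map(s => (Number(n) >>> s) & 255).join('.');
}

// Pull the HREF out of the decoded HTML and split off the misleading
// userinfo part from the real host.
function extractLink() {
  const m = /HREF="([^"]+)"/i.exec(decodeMessage());
  if (!m) return null;
  const url = m[1];
  const parts = /^https?:\/\/(?:([^@\/]*)@)?([^\/?#]+)/i.exec(url);
  const host = parts ? parts[2] : null;
  return {
    url,
    userinfo: parts && parts[1] ? parts[1] : '',
    host,
    dotted: host && /^\d+$/.test(host) ? dottedQuad(host) : host,
  };
}

console.log(decodeMessage());
console.log(extractLink());
```

Running it shows that the elaborate arithmetic in codeIt() is just a fixed reversal of the 67-character alphabet (index i to 66 - i), so there is no key to recover: the same function encodes and decodes. The decoded text is a small script with a browser-version check and an onmousedown handler that alerts "The right mouse button has been disabled.", followed by an HTML advertisement whose single link is http://www.tictock.ppl@3488662096/?36455. Everything before the @ is userinfo, not a host name; the host is the decimal number, 207.240.194.80 in dotted form. Nothing in the decoded text does more than a plain HTML message could; the encoding serves to hide the advertisement and its link from content filters and from the reader.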



This archive was generated by hypermail 2b29 : Sun Feb 13 2000 - 07:20:13 PST