It uses a simple obsfucation of subtrating 3 from the ascii value and printing that character so ?kepoA = <html> Rich -----Original Message----- From: VULN-DEV List [mailto:VULN-DEVat_private]On Behalf Of Nicolas Villatte Sent: Friday, April 20, 2001 2:29 AM To: VULN-DEVat_private Subject: strange script in HTML format mail. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I received a blank e-mail with a javascript inserted in the HTML, using Outlook 2000. I wonder what this code represents and how to decode and understand it. Here follows the source code : <html> <head> <title>HardCore</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body bgcolor="#FFFFFF"> <script> function Merlin( s ) { var sRet=""; for(j=0; j< s.length; j++ ){ var n= s.charCodeAt(j); if (n>=8364) {n = 128;} sRet += String.fromCharCode( n - 3 ); } return( sRet ); } var sJsCmds ="" + "?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA?phwd#kwws0htxly@%Frqwhqw 0W|sh%#frqwhqw@%wh{w2kwpo>#fkduvhw@lvr0;;8<04%A?2khdgA?erg|#ejfroru@%& IIIIII%A?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA### ###?gly#doljq@%FHQWHU%A########?irqw#idfh@%duldo%#vl}h@%05%#froru@%eod fn%Akdugfruhvh{#grhv#qrw#vhqg#xqvrolflwhg#########hpdlov1#Rqo|#shrsoh# wkdw#kdyh#h{suhvvhg#wkhlu#zloo#wr#uhfhlyh#Kdugfruhvh{#########Pdlo#vkd oo#eh#vhqw#rxu#hpdlo#qhzvohwwhuv1#Lq#dq|#fdvh#ri#glyhujhqfh#iurp###### ###wklv#srolf|/#sohdvh#ohw#xv#nqrz#e|#dwwdfklqj#wklv#phvvdjh1?2irqwA## ####?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@ %FHQWHU%A##?wuA####?wgA######?gly#doljq@%FHQWHU%A########?eA?irqw#idfh @%Duldo%#vl}h@%8%#froru@%&;333;3%AKDUGFRUH#VH[#ZHHNO|?2irqwA?2eA###### ?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@3#zlgwk@6:3#fhoosdgglqj@4# fhoovsdflqj@3#doljq@fhqwhuA##?wuA#####?wg#ejfroru@%EODFN%#zlgwk@433(A# ######?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#fhoovsdflqj@3A########? wuA###########?wg#ejfroru@%&ffffii%#doljq@OHIW#ydoljq@WRS#zlgwk@433(A# ############?s#doljq@%fhqwhu%A###############?fhqwhuA################? irqw#idfh@duldo#vl}h@5A#?eAolyh#ihhgv#iurp#zhefdpv#dw#krph?2eA1####### ##########Kdugfruhvh{#lv#wkh#eljjhvw#hurwlf#zhefdp#frppxqlw|#lq#wkh#zr uog$#################Fxp#vhh#jluov#iurp#doo#ryhu#wkh#zruog1#?eAPDNH#|R XU#GUHDPV#EHFRPH#################UHDOLW|11111#OLYH$?2eA#hyhu|#gd|#zh#k dyh#qhz#vhqghuv#rqolqh#111fxp#################lqwr#wkh#zruog#ri#?eAOLY H#HURWLF$$$$?euA################?2eA?2irqwA###############?2fhqwhuA### #########?s#doljq@%FHQWHU%A?euA##############?irqw#vl}h@%7%#idfh@%Yhug dqd/#Duldo/#Khoyhwlfd/#vdqv0vhuli%A?eA572:###############IUHH#VH[#VKRZ $?2eA?2irqwA?euA############?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#f hoovsdflqj@3A##############?wuA#################?wg#doljq@%fhqwhu%A?lp j#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn491msj%#zlgwk@:;#khljkw@89#dow @%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@du ldo#vl}h@05AWhhqv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu%A?l pj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn481msj%#zlgwk@:;#khljkw@89#do w@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@d uldo#vl}h@05AFxpvkrwv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu %A?lpj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn4<1msj%#zlgwk@:;#khljkw@8 9#dow@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#id fh@duldo#vl}h@05AEljErrev?2dA00A?2dA?2wgA##############?2wuA########## ##?2wdeohA############?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A### ###########?wuA################?wgA##################?irupA########### #########?lqsxw#w|sh@%EXWWRQ%#ydoxh@%Folfn#khuh#wr#dffhvv#rxu#vlwh%#rq folfn@%zlqgrz1rshq+*kwws=22zzz1orolwdo1frp2vwhdowk2*/#*Vdpsoh*/#*wrroe du@qr/orfdwlrq@qr/gluhfwrulhv@qr/vwdwxv@qr/phqxedu@qr/vfurooeduv@|hv/u hvl}deoh@qr/frs|klvwru|@qr/ixoovfuhhq*,%#qdph@%EXWWRQ%A############### ###?2irupA################?2wgA##############?2wuA############?2wdeohA ############?gly#doljq@%FHQWHU%A##############?euA##############?2glyA ##########?2wgA########?2wuA######?2wdeohA####?2wgA##?2wuA?2wdeohA?wde oh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA######?gly#dolj q@%FHQWHU%A########?irqw#idfh@%Duldo%#vl}h@%5%A?irqw#froru@%eodfn%AWkh #Kdugfruhvh{#Qhzvohwwhu#########lv#vhqw#wr#vxevfulehuv#rqfh#d#zhhn1#Wr #xqvxevfuleh#iurp#wkh#Kdugfruhvh{#########Qhzvohwwhu/)qevs>?euA####### #vlpso|#uhso|#?2irqwAzlwk#uhpryh#lq#wkh#phvvdjh?irqw#froru@%eodfn%#vl} h@05#idfh@%duldo/#duldo%A1?2irqwA?2irqwA#######?2glyA####?2wgA##?2wuA? 2wdeohA?sA)qevs>?2sA?2erg|A?2kwpoA" + ""; var s= Merlin( sJsCmds); document.write (s); </script> </body> </html> Nicolas Villatte ______________________________________________________ IT Manager Creative Web SPRL Rue Kessels straat, 38 1030 Brussels Office Phone: +32 2 2450110 Office Fax: +32 2 2161628 Mobile Phone : +32 477 588136 Internet Mail: mailto:nicolas.villatteat_private Visit us on the web: http://www.creativeweb.be ______________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.3 iQA/AwUBOt/JFYiKIkRfAqJVEQIFywCgkXUJt3zeq5a3gUI3il//5y0ZUpAAoMKq 9Qw9Fdl3cul95H+blsqzhOFs =v8in -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 11:18:04 PDT