Hi Nicolas, It's just an obfuscated HTML porn page. No sinister code lurking in it. If you wish to see the source (without executing it) add the following lines to the html below, between the <body> and the <script> tags: <form action="" name="myform" id="myform"> <textarea cols="80" rows="50" name="mytext"></textarea> </form> and then replace the "document.write (s);" line at the bottom with: document.myform.mytext.value=s; When you view this page it will write the unobfuscated html source code into the text area we defined above. Cut and paste this source from the text box to your favourite HTML editor and 'pretty-print' it (e.g. run it through CodeSweeper) to make it more ledgible if you have problems reading the badly-formatted source. If you get javascript errors, make sure that the very large obfuscated string below is all on a single line, or re-quote it appropriately. Regards, Morgan > -----Original Message----- > From: Nicolas Villatte [mailto:Nicolas.Villatteat_private] > Sent: Friday, April 20, 2001 08:29 > To: VULN-DEVat_private > Subject: strange script in HTML format mail. > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I received a blank e-mail with a javascript inserted in the HTML, > using Outlook 2000. > I wonder what this code represents and how to decode and understand > it. > > Here follows the source code : > > <html> > <head> > <title>HardCore</title> > <meta http-equiv="Content-Type" content="text/html; > charset=iso-8859-1"> > </head> > > <body bgcolor="#FFFFFF"> > <script> > function Merlin( s ) { var sRet=""; for(j=0; j< s.length; j++ ){ var > n= s.charCodeAt(j); if (n>=8364) {n = 128;} sRet += > String.fromCharCode( n - 3 ); } return( sRet ); } > var sJsCmds ="" + > "?kwpoA?khdgA?wlwohAXqwlwohg#Grfxphqw?2wlwohA?phwd#kwws0htxly@%Frqwhqw > 0W|sh%#frqwhqw@%wh{w2kwpo>#fkduvhw@lvr0;;8<04%A?2khdgA?erg|#ejfroru@%& > IIIIII%A?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA### > ###?gly#doljq@%FHQWHU%A########?irqw#idfh@%duldo%#vl}h@%05%#froru@%eod > fn%Akdugfruhvh{#grhv#qrw#vhqg#xqvrolflwhg#########hpdlov1#Rqo|#shrsoh# > wkdw#kdyh#h{suhvvhg#wkhlu#zloo#wr#uhfhlyh#Kdugfruhvh{#########Pdlo#vkd > oo#eh#vhqw#rxu#hpdlo#qhzvohwwhuv1#Lq#dq|#fdvh#ri#glyhujhqfh#iurp###### > ###wklv#srolf|/#sohdvh#ohw#xv#nqrz#e|#dwwdfklqj#wklv#phvvdjh1?2irqwA## > ####?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@ > %FHQWHU%A##?wuA####?wgA######?gly#doljq@%FHQWHU%A########?eA?irqw#idfh > @%Duldo%#vl}h@%8%#froru@%&;333;3%AKDUGFRUH#VH[#ZHHNO|?2irqwA?2eA###### > ?2glyA####?2wgA##?2wuA?2wdeohA?wdeoh#erughu@3#zlgwk@6:3#fhoosdgglqj@4# > fhoovsdflqj@3#doljq@fhqwhuA##?wuA#####?wg#ejfroru@%EODFN%#zlgwk@433(A# > ######?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#fhoovsdflqj@3A########? > wuA###########?wg#ejfroru@%&ffffii%#doljq@OHIW#ydoljq@WRS#zlgwk@433(A# > ############?s#doljq@%fhqwhu%A###############?fhqwhuA################? > irqw#idfh@duldo#vl}h@5A#?eAolyh#ihhgv#iurp#zhefdpv#dw#krph?2eA1####### > ##########Kdugfruhvh{#lv#wkh#eljjhvw#hurwlf#zhefdp#frppxqlw|#lq#wkh#zr > uog$#################Fxp#vhh#jluov#iurp#doo#ryhu#wkh#zruog1#?eAPDNH#|R > XU#GUHDPV#EHFRPH#################UHDOLW|11111#OLYH$?2eA#hyhu|#gd|#zh#k > dyh#qhz#vhqghuv#rqolqh#111fxp#################lqwr#wkh#zruog#ri#?eAOLY > H#HURWLF$$$$?euA################?2eA?2irqwA###############?2fhqwhuA### > #########?s#doljq@%FHQWHU%A?euA##############?irqw#vl}h@%7%#idfh@%Yhug > dqd/#Duldo/#Khoyhwlfd/#vdqv0vhuli%A?eA572:###############IUHH#VH[#VKRZ > $?2eA?2irqwA?euA############?wdeoh#erughu@3#zlgwk@433(#fhoosdgglqj@8#f > hoovsdflqj@3A##############?wuA#################?wg#doljq@%fhqwhu%A?lp > j#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn491msj%#zlgwk@:;#khljkw@89#dow > @%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@du > ldo#vl}h@05AWhhqv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu%A?l > pj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn481msj%#zlgwk@:;#khljkw@89#do > w@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#idfh@d > uldo#vl}h@05AFxpvkrwv?2dA00A?2dA?2wgA################?wg#doljq@%fhqwhu > %A?lpj#vuf@%kwws=22zzz1orolwdo1frp2lpdjhv2ivn4<1msj%#zlgwk@:;#khljkw@8 > 9#dow@%%#erughu@%4%A?d#kuhi@%kwws=22zzz1ylvlw0{1qhw2%A?$00?euA?irqw#id > fh@duldo#vl}h@05AEljErrev?2dA00A?2dA?2wgA##############?2wuA########## > ##?2wdeohA############?wdeoh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A### > ###########?wuA################?wgA##################?irupA########### > #########?lqsxw#w|sh@%EXWWRQ%#ydoxh@%Folfn#khuh#wr#dffhvv#rxu#vlwh%#rq > folfn@%zlqgrz1rshq+*kwws=22zzz1orolwdo1frp2vwhdowk2*/#*Vdpsoh*/#*wrroe > du@qr/orfdwlrq@qr/gluhfwrulhv@qr/vwdwxv@qr/phqxedu@qr/vfurooeduv@|hv/u > hvl}deoh@qr/frs|klvwru|@qr/ixoovfuhhq*,%#qdph@%EXWWRQ%A############### > ###?2irupA################?2wgA##############?2wuA############?2wdeohA > ############?gly#doljq@%FHQWHU%A##############?euA##############?2glyA > ##########?2wgA########?2wuA######?2wdeohA####?2wgA##?2wuA?2wdeohA?wde > oh#erughu@%3%#zlgwk@%:8(%#doljq@%FHQWHU%A##?wuA####?wgA######?gly#dolj > q@%FHQWHU%A########?irqw#idfh@%Duldo%#vl}h@%5%A?irqw#froru@%eodfn%AWkh > #Kdugfruhvh{#Qhzvohwwhu#########lv#vhqw#wr#vxevfulehuv#rqfh#d#zhhn1#Wr > #xqvxevfuleh#iurp#wkh#Kdugfruhvh{#########Qhzvohwwhu/)qevs>?euA####### > #vlpso|#uhso|#?2irqwAzlwk#uhpryh#lq#wkh#phvvdjh?irqw#froru@%eodfn%#vl} > h@05#idfh@%duldo/#duldo%A1?2irqwA?2irqwA#######?2glyA####?2wgA##?2wuA? > 2wdeohA?sA)qevs>?2sA?2erg|A?2kwpoA" + > ""; > var s= Merlin( sJsCmds); > document.write (s); > </script> > </body> > </html> > > > Nicolas Villatte > ______________________________________________________ > IT Manager > > Creative Web SPRL > Rue Kessels straat, 38 > 1030 Brussels > > Office Phone: +32 2 2450110 > Office Fax: +32 2 2161628 > Mobile Phone : +32 477 588136 > > Internet Mail: mailto:nicolas.villatteat_private > Visit us on the web: http://www.creativeweb.be > ______________________________________________________ > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.3 > > iQA/AwUBOt/JFYiKIkRfAqJVEQIFywCgkXUJt3zeq5a3gUI3il//5y0ZUpAAoMKq > 9Qw9Fdl3cul95H+blsqzhOFs > =v8in > -----END PGP SIGNATURE----- >
This archive was generated by hypermail 2b30 : Sat Apr 21 2001 - 19:08:21 PDT