Possible virus in JavaScript attachment?
Olivier Diserens
olivier.diserens at FASTNET.CH
Mon Mar 8 21:42:00 GMT 2004
Hi,
I already saw this a couple of times.
This is a way to inject some JavaScript code into a page without actually
writing the script, but instead giving the ASCII character codes,
thus bypassing the dangerous content check.
The script will itself do the translation and get back the bad script.
I was thinking of a check around the fromCharCode() function. Denying
it will block this kind of stuff. I can't see another fromCharCode-like
function that would be useful to prevent, but I'm not a JavaScript
expert.
document.write may also be a little bit risky, no?
Other ideas?
Best regards
Olivier Diserens
On 8 March 04, at 22:30, Jim Holland wrote:
> I have come across a number of suspicious messages with subject line
> "hi", body text "This message has an attach", and the attachment
> "superscripted.html", which contains the following type of scripting:
>
> <script language="JavaScript">
> difficulties = new Array(115,
> 180,145,215,7,246,108,140,123,22,242,
> . . .
> 231,65,65,159,150,180,80,101,27,27,
> 218);
> bribed = new Array(79,
> 220,229,186,107,200,97,134,71,116,157,
> . . .
> 80,73,78,111,124,5,90,139,104,129
> );
> Shelton = 1142;
> rupee = 231;
> var obelisk = "";
> for(Winslow = 0; Winslow < Shelton; Winslow++)
> obelisk = obelisk + String.fromCharCode(difficulties[Winslow] ^
> bribed[Winslow % rupee]);
> document.write(obelisk);
> </script>
>
> These are not being blocked by MailScanner/ClamAV. I don't know any
> JavaScript, but the above looks distinctly suspect. Does anyone know what
> it is all about/whether it is potentially harmful? Does this indicate a
> possible exploit that should be blocked?
>
> We automatically quarantine any html attachments that contain scripting,
> but this is just done by testing using a simple grep and has nothing to do
> with MailScanner. Are we just being paranoid? I would prefer to have
> this done by MailScanner for consistency.
>
> Regards
>
> Jim Holland
> System Administrator
> MANGO - Zimbabwe's non-profit e-mail service
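
The check proposed in the reply, sketched as an added example (not code from the thread or from MailScanner): it flags fromCharCode() and document.write in an HTML attachment and, for the XOR-array pattern quoted above, recovers the hidden text by reading the literals, without running the script. The sample attachment, its variable names and the function name analyzeAttachment are constructed for illustration.

```javascript
// Static check for the pattern in the quoted attachment: numeric arrays XORed
// together, passed to String.fromCharCode(), then written with document.write().
// Nothing from the attachment is executed; only its literals are read.

// Constructed sample (not the attachment from the thread); hides "<b>hi</b>".
const SAMPLE = `<script language="JavaScript">
data = new Array(59,
72,45,111,67,47,40,72,45);
key = new Array(7,42,19);
len = 9;
klen = 3;
var out = "";
for(i = 0; i < len; i++)
out = out + String.fromCharCode(data[i] ^
key[i % klen]);
document.write(out);
</script>`;

function analyzeAttachment(html) {
  const report = {
    fromCharCode: /\bfromCharCode\s*\(/.test(html),
    documentWrite: /\bdocument\s*\.\s*write(ln)?\s*\(/.test(html),
    decoded: null, // stays null unless the XOR-array pattern is fully resolved
  };
  // Collect "name = new Array(n, n, ...)" and "name = n;" literals.
  const arrays = {}, scalars = {};
  for (const m of html.matchAll(/(\w+)\s*=\s*new\s+Array\s*\(([\d\s,]+)\)/g))
    arrays[m[1]] = m[2].split(",").map(s => parseInt(s, 10)).filter(Number.isFinite);
  for (const m of html.matchAll(/(\w+)\s*=\s*(\d+)\s*;/g)) scalars[m[1]] = Number(m[2]);
  // Match fromCharCode(A[i] ^ B[i % K]) and resolve A, B and K from the literals.
  const x = html.match(/fromCharCode\s*\(\s*(\w+)\s*\[\s*(\w+)\s*\]\s*\^\s*(\w+)\s*\[\s*\2\s*%\s*(\w+)\s*\]\s*\)/);
  if (!x) return report;
  const data = arrays[x[1]], key = arrays[x[3]];
  const period = scalars[x[4]] ?? Number(x[4]);
  if (!data || !key || !(period > 0)) return report;
  // Decode the whole data array (the script's own loop bound is not trusted).
  report.decoded = data
    .map((c, i) => String.fromCharCode((c ^ key[i % period]) & 0xffff))
    .join("");
  return report;
}

console.log(analyzeAttachment(SAMPLE));
```

A gateway could quarantine on the two flags alone and log the decoded text for the administrator; the decoder only covers this one array-XOR layout and returns null for anything else.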