Possible virus in JavaScript attachment?

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 9 14:01:31 GMT 2004


At 13:59 09/03/2004, you wrote:
>I have seen at least 100 or so over the last couple weeks...
>
>Thought it was just marketing crap, but now that you mentioned it... there
>was some weird coding in it....

How about I have a go at blocking all script tags?





>Rob Charles
>TheHostMasters
>Montreal, Canada
>514-846-0006
>Rob at TheHostMasters.com
>http://www.TheHostMasters.com
>
>
>
>----- Original Message -----
>From: "Olivier Diserens" <olivier.diserens at FASTNET.CH>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Monday, March 08, 2004 4:42 PM
>Subject: Re: Possible virus in JavaScript attachment?
>
>
> > Hi,
> >
> > I already saw this a couple of times.
> > This is a way to inject some JavaScript code in a page without actually
> > writing the script, but instead giving the ASCII character codes,
> > thus bypassing the dangerous contents check.
> > The script will itself do the translation and get back the bad script.
> >
> > I was thinking of a check around the fromCharCode() function. Denying
> > it will block this kind of stuff. I can't see another fromCharCode-like
> > function that would be useful to prevent, but I'm not a JavaScript
> > expert.
> >
> > document.write may also be a little bit risky, no?
> >
> > Other ideas?
> >
> > best regards
> > Olivier Diserens
> >
> >
> >
> > On 8 March 04, at 22:30, Jim Holland wrote:
> >
> > > I have come across a number of suspicious messages with subject line
> > > "hi", body text "This message has an attach", and the attachment
> > > "superscripted.html", which contains the following type of scripting:
> > >
> > > <script language="JavaScript">
> > > difficulties = new Array(115,
> > > 180,145,215,7,246,108,140,123,22,242,
> > > . . .
> > > 231,65,65,159,150,180,80,101,27,27,
> > > 218);
> > > bribed = new Array(79,
> > > 220,229,186,107,200,97,134,71,116,157,
> > > . . .
> > > 80,73,78,111,124,5,90,139,104,129
> > > );
> > > Shelton = 1142;
> > > rupee = 231;
> > > var obelisk = "";
> > > for(Winslow = 0; Winslow < Shelton; Winslow++)
> > >   obelisk = obelisk + String.fromCharCode(difficulties[Winslow] ^
> > >  bribed[Winslow % rupee]);
> > > document.write(obelisk);
> > > </script>
> > >
> > > These are not being blocked by MailScanner/ClamAV.  I don't know any
> > > JavaScript, but the above looks distinctly suspect.  Does anyone know
> > > what it is all about/whether it is potentially harmful?  Does this
> > > indicate a possible exploit that should be blocked?
> > >
> > > We automatically quarantine any html attachments that contain
> > > scripting, but this is just done by testing using a simple grep and
> > > has nothing to do with MailScanner.  Are we just being paranoid?  I
> > > would prefer to have this done by MailScanner for consistency.
> > >
> > > Regards
> > >
> > > Jim Holland
> > > System Administrator
> > > MANGO - Zimbabwe's non-profit e-mail service
> >

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
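
The checks proposed in this thread (script tags, fromCharCode(), document.write) and a static decode of the array/XOR scheme in the quoted attachment, as an added example that is not part of the original messages and is not MailScanner code. The function names, the sample attachment, and the assumption that the first array is the data and the second the repeating key are this example's own.

```javascript
// Added example, not MailScanner code: static triage of an HTML attachment.
// The attachment is only read as text; none of its script is executed.

// The three checks proposed in the thread, applied to the raw text.
const INDICATORS = {
  scriptTag: /<\s*script\b/i,
  fromCharCode: /\bfromCharCode\s*\(/i,
  documentWrite: /\bdocument\s*\.\s*write(ln)?\s*\(/i,
};

function findIndicators(html) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(html));
}

// Pull every `new Array(n, n, ...)` literal out of the text as integer lists.
function extractArrays(html) {
  const arrays = [];
  const re = /new\s+Array\s*\(([\d\s,]*)\)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const nums = m[1].split(",").map((s) => s.trim()).filter((s) => s !== "").map(Number);
    arrays.push(nums);
  }
  return arrays;
}

// Assumption: first array is the data, second is the repeating XOR key,
// and the loop bounds equal the array lengths (as in the quoted sample).
function decodeXorArrays(html) {
  const [data, key] = extractArrays(html);
  if (!data || !key || key.length === 0) return null;
  return data.map((b, i) => String.fromCharCode(b ^ key[i % key.length])).join("");
}

// Constructed sample with the same structure as the quoted attachment.
const SAMPLE = `<script language="JavaScript">
a = new Array(59,
67,5,117,75,14,98,20);
k = new Array(7,42,99);
var s = "";
for (i = 0; i < 8; i++)
  s = s + String.fromCharCode(a[i] ^ k[i % 3]);
document.write(s);
</script>`;

console.log(findIndicators(SAMPLE));
console.log(decodeXorArrays(SAMPLE));
```

On the constructed sample the raw text matches all three checks but contains no "<iframe"; that tag only appears once the arrays are decoded, which is why a content check run on the raw attachment misses what the script writes into the page.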
