Need help interpreting this suspicious HTML code

Discussion in 'HTML' started by Alec S., Sep 9, 2004.

  1. Alec S.

    Alec S. Guest

    Hi,

    I saw an HTML post today on a newsgroup I frequent that looked
    suspicious. I checked the message and found what looked to be rather
    dubious HTML code. I can't quite figure out what it does because I cannot
    find any information about what the equal sign and hex number parts, or the
    email address are for/do.

    This is the formatted HTML body of the message:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <TITLE id=3DridTitle>=BF=D5=B0=D7</TITLE>
    <BASE=20 href=3D"file://C:\Program Files\Common Files\Microsoft =
    Shared\Stationery\">
    <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dgb2312">
    <STYLE>
    BODY {
    MARGIN-TOP: 25px; FONT-SIZE: 10pt; MARGIN-LEFT: 25px; COLOR: #000000; =
    FONT-FAMILY: =CB=CE=CC=E5, =BA=DA=CC=E5
    }
    P.msoNormal {
    MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px; COLOR: #ffffcc; =
    FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    }
    LI.msoNormal {
    MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px; COLOR: #ffffcc; =
    FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    }
    </STYLE>

    <META content=3D"MSHTML 6.00.2800.1458" name=3DGENERATOR>
    </HEAD>
    <BODY id=3DridBody bgColor=3D#ffffff=20
    background=3Dcid:005201c4962e$2aa86ec0$>
    <DIV>hi,</DIV>
    <DIV>&nbsp;&nbsp;&nbsp; i want to make friends with you~~~~~~~~~</DIV>
    <DIV>&nbsp;</DIV>
    <P>&nbsp;</P>
    </BODY>
    </HTML>


    Any ideas?


    --
    Alec S.
    alec <@> synetech <.> cjb <.> net
     
    Alec S., Sep 9, 2004
    #1

  2. Alec S.

    Dave Brown Guest

    Looks like it's got MS Bloat code in there. I don't think it can do
    anything dangerous, it just looks like it's a webpage from Word or some
    similar MS product with links to local based styles.

    Alec S. wrote:

    > Hi,
    >
    > I saw an HTML post today on a newsgroup I frequent that looked
    > suspicious. I checked the message and found what looked to be rather
    > dubious HTML code. I can't quite figure out what it does because I cannot
    > find any information about what the equal sign and hex number parts, or the
    > email address are for/do.
    >
    > This is the formatted HTML body of the message:
    >
    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > <HTML>
    > <HEAD>
    > <TITLE id=3DridTitle>=BF=D5=B0=D7</TITLE>
    > <BASE=20 href=3D"file://C:\Program Files\Common Files\Microsoft =
    > Shared\Stationery\">
    > <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dgb2312">
    > <STYLE>
    > BODY {
    > MARGIN-TOP: 25px; FONT-SIZE: 10pt; MARGIN-LEFT: 25px; COLOR: #000000; =
    > FONT-FAMILY: =CB=CE=CC=E5, =BA=DA=CC=E5
    > }
    > P.msoNormal {
    > MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px; COLOR: #ffffcc; =
    > FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    > }
    > LI.msoNormal {
    > MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px; COLOR: #ffffcc; =
    > FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    > }
    > </STYLE>
    >
    > <META content=3D"MSHTML 6.00.2800.1458" name=3DGENERATOR>
    > </HEAD>
    > <BODY id=3DridBody bgColor=3D#ffffff=20
    > background=3Dcid:005201c4962e$2aa86ec0$>
    > <DIV>hi,</DIV>
    > <DIV>&nbsp;&nbsp;&nbsp; i want to make friends with you~~~~~~~~~</DIV>
    > <DIV>&nbsp;</DIV>
    > <P>&nbsp;</P>
    > </BODY>
    > </HTML>
    >
    >
    > Any ideas?
    >
    >
    > --
    > Alec S.
    > alec <@> synetech <.> cjb <.> net
    >
    >
    >
     
    Dave Brown, Sep 9, 2004
    #2

  3. Alec S.

    Els Guest

    Dave Brown wrote:

    > Looks like it's got MS Bloat code in there. I don't think it
    > can do anything dangerous, it just looks like it's a webpage
    > from Word or some similar MS product with links to local
    > based styles.


    Doesn't the path C:\Program Files\Common Files\Microsoft
    Shared\Stationery\ ring a bell then?

    Looks like an MS OE html message that was formatted using MS
    Word and of which the source code has been sent using Quoted
    Printable format (or what's that called?) and then pasted into
    a Usenet posting.

    Sort of anyway <g>


    > Alec S. wrote:
    >
    >> Hi,
    >>
    >> I saw an HTML post today on a newsgroup I frequent
    >> that looked
    >> suspicious. I checked the message and found what looked
    >> to be rather dubious HTML code. I can't quite figure out
    >> what it does because I cannot find any information about
    >> what the equal sign and hex number parts, or the email
    >> address are for/do.
    >>
    >> This is the formatted HTML body of the message:
    >>
    >> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
    >> Transitional//EN"> <HTML>
    >> <HEAD>
    >> <TITLE id=3DridTitle>=BF=D5=B0=D7</TITLE>
    >> <BASE=20 href=3D"file://C:\Program Files\Common
    >> Files\Microsoft =
    >> Shared\Stationery\">
    >> <META http-equiv=3DContent-Type content=3D"text/html;
    >> charset=3Dgb2312"> <STYLE>
    >> BODY {
    >> MARGIN-TOP: 25px; FONT-SIZE: 10pt; MARGIN-LEFT: 25px;
    >> COLOR: #000000; =
    >> FONT-FAMILY: =CB=CE=CC=E5, =BA=DA=CC=E5
    >> }
    >> P.msoNormal {
    >> MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px;
    >> COLOR: #ffffcc; =
    >> FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    >> }
    >> LI.msoNormal {
    >> MARGIN-TOP: 0px; FONT-SIZE: 10pt; MARGIN-LEFT: 0px;
    >> COLOR: #ffffcc; =
    >> FONT-FAMILY: =BA=DA=CC=E5, "=CB=CE=CC=E5"
    >> }
    >> </STYLE>
    >>
    >> <META content=3D"MSHTML 6.00.2800.1458"
    >> name=3DGENERATOR>
    >> </HEAD>
    >> <BODY id=3DridBody bgColor=3D#ffffff=20
    >> background=3Dcid:005201c4962e$2aa86ec0$
    >> .cn>
    >> <DIV>hi,</DIV>
    >> <DIV>&nbsp;&nbsp;&nbsp; i want to make friends with
    >> you~~~~~~~~~</DIV> <DIV>&nbsp;</DIV>
    >> <P>&nbsp;</P>
    >> </BODY>
    >> </HTML>
    >>
    >>
    >> Any ideas?
    >>
    >>
    >> --
    >> Alec S.
    >> alec <@> synetech <.> cjb <.> net
    >>
    >>
    >>

    >




    --
    Els
    http://locusmeus.com/
    Sonhos vem. Sonhos vão. O resto é imperfeito.
    - Renato Russo -
     
    Els, Sep 9, 2004
    #3
  4. Alec S.

    Alec S. Guest

    What about what looks like an email address in the body background? I
    guessed that when you render the page you end up sending a message to that
    address with the default email account and in this way, this person can
    harvest addresses from newsgroups simply by having people look at the page.

    And what's with the equal signs and hex numbers? I can't find any
    reference to them in HTML.



    --
    Alec S.
    alec <@> synetech <.> cjb <.> net


    "Els" <> wrote in message
    news:Xns955FC9B718414Els@130.133.1.4...
    > Dave Brown wrote:
    >
    > > Looks like it's got MS Bloat code in there. I don't think it
    > > can do anything dangerous, it just looks like it's a webpage
    > > from Word or some similar MS product with links to local
    > > based styles.

    >
    > Doesn't the path C:\Program Files\Common Files\Microsoft
    > Shared\Stationery\ ring a bell then?
    >
    > Looks like an MS OE html message that was formatted using MS
    > Word and of which the source code has been sent using Quoted
    > Printable format (or what's that called?) and then pasted into
    > a Usenet posting.
    >
    > Sort of anyway <g>
    >
    >


    > Looks like it's got MS Bloat code in there. I don't think it can do
    > anything dangerous, it just looks like it's a webpage from Word or some
    > similar MS product with links to local based styles.
    >
     
    Alec S., Sep 10, 2004
    #4
  5. Alec S.

    Els Guest

    Alec S. wrote:

    > "Els" <> wrote in message
    > news:Xns955FC9B718414Els@130.133.1.4...
    >> Dave Brown wrote:
    >>
    >> > Looks like it's got MS Bloat code in there. I don't think
    >> > it can do anything dangerous, it just looks like it's a
    >> > webpage from Word or some similar MS product with links
    >> > to local based styles.

    >>
    >> Doesn't the path C:\Program Files\Common Files\Microsoft
    >> Shared\Stationery\ ring a bell then?
    >>
    >> Looks like an MS OE html message that was formatted using
    >> MS Word and of which the source code has been sent using
    >> Quoted Printable format (or what's that called?) and then
    >> pasted into a Usenet posting.
    >>
    >> Sort of anyway <g>
    >>

    > What about what looks like an email address in the body
    > background?


    That's a cid reference, which I don't know anything about
    other than that they are used to get an image into an html
    email.

    > I guessed that when you render the page
    > you end up sending a message to that address with the
    > default email account and in this way, this person can
    > harvest addresses from newsgroups simply by having people
    > look at the page.


    I don't think adding an email address to a body element would
    send an email anywhere.

    > And what's with the equal signs and hex numbers? I
    > can't find any reference to them in HTML.


    Some of those equal signs are done by Outlook Express when you
    send a message in the wrong format. I think that would be the
    Quoted Printable format or something like that.

    The ones in for example font-family:... I don't know. The
    whole message seems seriously f-d up. But maybe it isn't.

    --
    Els http://locusmeus.com/
    Sonhos vem. Sonhos vão. O resto é imperfeito.
    - Renato Russo -
    Now playing: Outfield - Your Love
     
    Els, Sep 10, 2004
    #5
  6. Alec S.

    Alec S. Guest

    You can understand that when someone posts a message to a large
    newsgroup with the subject ":)" and body "i want to be your friend", it
    sounds an awful lot like a virus. I've replaced all hex codes with their
    UNICODE characters and it makes even less sense. Plus, there's a style for
    list items when there are none. Maybe this was a test or something.



    --
    Alec S.
    alec <@> synetech <.> cjb <.> net


    "Els" <> wrote in message
    news:Xns9560D79082F12Els@130.133.1.4...
    >
    > Some of those equal signs are done by Outlook Express when you
    > send a message in the wrong format. I think that would be the
    > Quoted Printable format or something like that.
    >
    > The ones in for example font-family:... I don't know. The
    > whole message seems seriously f-d up. But maybe it isn't.
    >
    > --
    > Els http://locusmeus.com/
    > Sonhos vem. Sonhos vão. O resto é imperfeito.
    > - Renato Russo -
     
    Alec S., Sep 11, 2004
    #6
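
The "equal sign and hex number" sequences discussed in this thread are MIME quoted-printable escapes, and the pairs such as `=CB=CE` are two-byte GB2312 characters (the charset the message declares), which is why reading each hex value as a separate character gives nonsense. The following is an added example, not code from the thread or any poster: it decodes an abridged excerpt of the posted body and lists the references a mail client would resolve (`RefCollector` and `analyse` are names chosen for this example).

```python
import quopri
import re
from html.parser import HTMLParser

# Abridged excerpt of the body posted in the thread; "=" at end of line is a QP soft break.
RAW = rb'''<TITLE id=3DridTitle>=BF=D5=B0=D7</TITLE>
<BASE=20 href=3D"file://C:\Program Files\Common Files\Microsoft =
Shared\Stationery\">
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dgb2312">
<STYLE>
BODY { FONT-SIZE: 10pt; COLOR: #000000; =
FONT-FAMILY: =CB=CE=CC=E5, =BA=DA=CC=E5 }
</STYLE>
<BODY id=3DridBody bgColor=3D#ffffff=20
background=3Dcid:005201c4962e$2aa86ec0$>
</BODY>
'''

class RefCollector(HTMLParser):
    """Record the <title> text and every attribute that makes a client load something."""
    URL_ATTRS = {"href", "src", "background"}

    def __init__(self):
        super().__init__()
        self.title, self.refs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        self._in_title = (tag == "title")
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                scheme = value.split(":", 1)[0].lower()  # cid = a part of the same message
                self.refs.append((tag, name, scheme, value))

    def handle_endtag(self, tag):
        self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def analyse(raw):
    """Undo quoted-printable, decode with the declared charset, list the references."""
    data = quopri.decodestring(raw)              # =3D -> "=", =BF=D5 -> bytes BF D5
    m = re.search(rb"charset=([\w-]+)", data)
    charset = m.group(1).decode("ascii") if m else "latin-1"
    html = data.decode(charset, errors="replace")
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return charset, parser.title, parser.refs, html
```

On this excerpt the only references found are the local `file://` stationery path and the `cid:` background, and the font names decode to 宋体 and 黑体, the stock Chinese Windows fonts.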