Looks like it

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #21,038

by scoenye

12/11/01 3:54:05 PM

Looks like it

The bottom half builds

windowopen("[link|http://_135_blanks_@"|http://_135_blanks_@"] + ???_1,"","width=800, height=600, menubar=???_2, resizable=0, scrollbars=1, status=0, titlebar=0, toolbar=0, left=100, top=100" + ???_3);

which matches the discussion on SpamCop.

The real URL is decoded by the top half, but the seed value is missing.

Wondering if deobfuscating this was a violation of the DMCA? ;-)

Post #21,041

by drewk

12/11/01 4:00:09 PM

That's what I figured

But on this public terminal, even if I had some tools I could deobfuscate it with, I don't know enough about windows trojan programming to ensure I didn't trigger the damn thing just by trying to read it.

Thanks for clearing it up (somewhat). I was wondering if I should report them to their ISP for it, but hell, no harm no foul, right? (Translates as: I don't feel like spending the next three weeks trying to explain to level 1 support that this thing was a nastygram.)

We have to fight the terrorists as if there were no rules and preserve our open society as if there were no terrorists. -- [link|http://www.nytimes.com/2001/04/05/opinion/BIO-FRIEDMAN.html|Thomas Friedman]

What is someone trying to SPAM me with? - (drewk) - (6) - Dec. 10, 2001, 01:48:46 PM EST

Try running it through a deobsfucator... - (Another Scott) - (3) - Dec. 10, 2001, 01:57:55 PM EST

More info. - (Another Scott) - (2) - Dec. 10, 2001, 11:06:01 PM EST

Looks like it - (scoenye) - (1) - Dec. 11, 2001, 03:54:05 PM EST

That's what I figured - (drewk) - Dec. 11, 2001, 04:00:09 PM EST

I am not sure - (nking) - (1) - Dec. 10, 2001, 10:39:51 PM EST

It's code of some kind - (Ric Locke) - Dec. 10, 2001, 11:27:01 PM EST

iwethey.org

You hijacked the conversation. You get to land it.
34 ms