IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Open Forum / Try running it through a deobsfucator...
Post #20,917
by Another Scott
12/10/01 1:57:55 PM
Reply
New Try running it through a deobsfucator...
Like the one [link|http://www.swishweb.com/decrypt/ord2char_samp.php|here] maybe.

It seems to be obsfuscated HTML with lots of window.open things. I don't see any virus-like stuff (File stuff), but I'm not an expert.

I'd guess it just pops up a bunch of stupid ads, but you can never tell....

HTH.

Cheers,
Scott.
Post #20,964
by Another Scott
12/10/01 11:06:01 PM
Reply
New More info.
Note the last line of the script:

urlgrey()

The preceeding "code" defines urlgrey (assuming the initial part of the message was lost somewhere along the way). The last line runs it.

[link|http://www.cereus7.com/UGHome.html|Urlgrey Tea] is a Basic-like language for applets. Probably not what this is...

[link|http://news.spamcop.net/pipermail/spamcop-list/2001-October/022988.html|This] post to SpamCop.net discusses a similar obsfuscated script. Perhaps it's even from the same outfit.

HTH.

Cheers,
Scott.
Post #21,038
by scoenye
12/11/01 3:54:05 PM
Reply
New Looks like it
The bottom half builds

windowopen("[link|http://_135_blanks_@"|http://_135_blanks_@"] + ???_1,"","width=800, height=600, menubar=???_2, resizable=0, scrollbars=1, status=0, titlebar=0, toolbar=0, left=100, top=100" + ???_3);

which matches the discussion on SpamCop.

The real URL is decoded by the top half, but the seed value is missing.

Wondering if deobfuscating this was a violation of the DMCA? ;-)
Post #21,041
by drewk
Picture of drewk
12/11/01 4:00:09 PM
Reply
New That's what I figured
But on this public terminal, even if I had some tools I could deobfuscate it with, I don't know enough about windows trojan programming to ensure I didn't trigger the damn thing just by trying to read it.

Thanks for clearing it up (somewhat). I was wondering if I should report them to their ISP for it, but hell, no harm no foul, right? (Translates as: I don't feel like spending the next three weeks trying to explain to level 1 support that this thing was a nastygram.)
We have to fight the terrorists as if there were no rules and preserve our open society as if there were no terrorists. -- [link|http://www.nytimes.com/2001/04/05/opinion/BIO-FRIEDMAN.html|Thomas Friedman]
     What is someone trying to SPAM me with? - (drewk) - (6) - Dec. 10, 2001, 01:48:46 PM EST
         Try running it through a deobsfucator... - (Another Scott) - (3) - Dec. 10, 2001, 01:57:55 PM EST
             More info. - (Another Scott) - (2) - Dec. 10, 2001, 11:06:01 PM EST
                 Looks like it - (scoenye) - (1) - Dec. 11, 2001, 03:54:05 PM EST
                     That's what I figured - (drewk) - Dec. 11, 2001, 04:00:09 PM EST
         I am not sure - (nking) - (1) - Dec. 10, 2001, 10:39:51 PM EST
             It's code of some kind - (Ric Locke) - Dec. 10, 2001, 11:27:01 PM EST

That'll be $8.50, Mac.
36 ms