Thread: What does this Javascript do?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    What does this Javascript do?

    We have received a couple of emails in html format that contain an attachment called standstill.htm. When they are opened in notepad they mean absolutely nothing to me except for the fact that it creates two arrays called "agitated" and "smacks" that appear to contain what will eventually be code and the last little bit that is a writefile command. It's bloody suspicious to someone who knows nothing about javascript.....

    Any clues would be appreciated. Fortunately, these are being stopped by the spam filter.

    Code:
    <script language="JavaScript">
    agitated = new Array(109,
    222,195,73,225,124,94,154,181,236,192,
    216,60,164,198,162,253,2,206,34,221,
    147,47,169,158,80,162,206,214,47,213,
    172,84,100,181,186,96,168,15,128,87,
    210,230,113,66,218,216,122,194,251,165,
    220,169,38,83,26,246,177,8,59,226,
    132,252,93,101,2,31,129,42,109,127,
    52,103,45,0,17,42,54,238,7,241,
    73,11,112,146,216,97,175,216,209,110,
    148,42,58,74,182,150,191,49,102,13,
    21,154,212,93,198,114,254,208,143,91,
    234,65,238,34,29,250,122,151,221,187,
    111,10,62,119,84,103,154,163,8,58,
    174,49,171,190,119,41,125,93,95,248,
    56,35,92,53,150,29,251,82,5,180,
    55,87,217,122,24,65,162,94,63,222,
    250,115,42,142,77,222,95,133,11,96,
    236,202,61,210,152,78,239,109,50,191,
    184,182,240,140,119,180,172,193,167,68,
    153,104,148,159,36,224,138,76,252,209,
    151,34,207,172,65,44,184,171,26,213,
    68,222,14,139,251,104,77,159,204,103,
    205,162,169,215,178,63,12,76,188,241,
    15,35,249,206,180,82,115,89,22,203,
    124,58,76,96,122,96,8,21,99,120,
    181,84,227,84,89,25,183,142,106,237,
    222,222,44,222,22,55,89,240,133,162,
    39,126,2,77,132,199,94,128,40,185,
    145,206,3,173,6,233,43,16,179,113,
    140,141,182,50,90,99,37,5,55,156,
    254,92,85,139,108,237,226,40,86,62,
    27,18,162,115,45,10,127,218,78,185,
    26,82,176,50,26,131,61,4,65,190,
    75,98,158,185,96,115,154,12,212,21,
    157,26,103,249,194,62,218,211,10,238,
    45,62,191,229,235,192,204,42,246,175,
    135,171,4,136,53,210,195,123,159,201,
    11,177,139,220,44,153,230,13,116,229,
    186,96,168,15,145,73,134,253,121,67,
    199,137,96,213,178,247,142,242,125,84,
    87,174,176,24,41,225,222,243,93,118,
    25,27,128,99,97,124,61,102,34,10,
    19,117,53,231,12,174,76,5,59,217,
    218,100,175,208,144,59,201,13,36,11,
    240,129,233,54,45,73,95,192,133,17,
    156,123,233,199,132,87,161,12,225,103,
    7,239,113,222,194,241,42,75,124,111,
    69,116,143,166,65,25,195,104,182,167,
    120,108,105,64,80,161,52,40,71,44,
    201,75,177,18,2,172,44,29,145,117,
    14,26,171,20,105,137,201,39,50,195,
    69,218,22,203,78,109,243,215,53,211,
    197,25,175,114,113,174,181,161,206,130,
    121,243,166,207,225,21,213,55,192,208,
    43,180,141,78,165,195,154,61,204,175,
    31,113,242,240,25,202,86,151,6,130,
    235,50,70,149,198,39,205,163,232,196,
    178,62,71,15,179,252,80,45,186,155,
    163,103,33,65,89,131,36,100,49,110,
    117,44,29,66,8,80,183,1,236,65,
    71,103,207,209,62,162,209,138,43,220,
    79,37,84,239,134,161,121,35,72,22,
    135,216,76,201,32,176,129,148,8,167,
    12,169,43,17,242,98,140,140,253,113,
    85,110,122,11,116,201,233,105,7,156,
    35,165,186,118,43,48,19,93,229,114,
    57,77,39,219,5,188,9,6,179,122,
    86,145,104,27,66,228,92,61,197,226,
    127,97,138,77,223,20,199,13,96,241,
    138,61,211,216,84,226,46,55,191,227,
    236,128,216,45,253,228,193,175,2,194,
    44,211,130,43,176,198,95,246,136,136,
    121,142,224,3,34,162,166,83,158,90,
    157,14,206,252,110,70,199,137,96,213,
    178,247,142,242,125,84,87,174,176,24,
    41,225,222,243,93,118,25,27,128,99,
    97,124,61,102,34,10,19,117,53,231,
    12,174,76,5,59,220,157,50,184,230,
    206,102,130,18,99,29,186,209,180,56,
    54,73,7,129,141,11,158,109,226,217,
    149,10,246,93,228,53,74,144,24,223,
    137,244,57,31,127,39,9,102,218,185,
    66,67,212,55,237,252,103,126,121,1,
    91,160,110,63,64,36,129,72,184,25,
    92,160,47,20,145,115,9,90,186,84,
    52,213,185,125,102,194,67,156,65,209,
    49,62,172,139,54,223,209,6,179,126,
    58,253,238,174,220,206,38,167,233,192,
    181,18,215,110,210,221,52,183,142,16,
    248,137,193,62,211,189,86,121,251,224,
    67,193,92,157,70,130,234,115,85,149,
    199,108,142,172,229,155,188,125,18,24,
    134,175,78,98,242,195,253,26,47,74,
    21,150,115,15,25,108,102,62,81,113,
    15,102,251,86,161,26,72,100,131,191,
    9,188,201,192,127,144,90,122,69,149,
    251,234,39,122,13,94,220,192,23,163,
    69,224,149,132,87,169,65,238,53,17,
    251,47,193,136,237,42,79,54,122,69,
    44,143,166,24,80,193,121,182,187,117,
    110,97,67,88,235,121,36,69,110,138,
    66,187,13,29,175,36,86,212,125,67,
    81,162,92,119,222,185,126,106,137,71,
    203,94,153,6,127,190,155,92,188,139,
    77,224,37,115,242,230,252,203,217,55,
    167,233,152,227,70,212,38,158,207,97,
    168,141,74,239,214,154,101,204,175,70,
    56,240,225,25,214,91,149,14,129,227,
    120,11,153,196,101,142,170,226,219,173,
    61,79,68,246,244,29,99,244,133,244,
    10,63,17,30,130,111,60,47,127,40,
    112,83,83,117,100,134,98,189,9,3,
    125,203,140,14,138,133,209,61,195,17,
    115,69,149,251,234,120,44,89,15,159,
    142);
    smacks = new Array(81,
    182,183,36,141,66,83,144,137,142,175,
    188,69,154,203,168,193,102,167,84,253,
    242,67,192,249,62,159,236,181,74,187,
    216,49,22,151,132,109,162,51,240,105,
    238,143,28,37,250,171,8,161,198,135,
    180,221,82,35,32,217,158,127,76,149,
    170,155,56,17,118,119,228,77,2,19,
    80,73,78,111,124,5,90,139,104,129,
    38,103,20,189,178,3,128,185,254,95,
    172,117,10,123,152,241,214,87,68,45,
    98,243,176,41,174,79,220,229,186,107,
    200,97,134,71,116,157,18,227,224,153,
    94,63,12,85,106,91,248,209,54,55,
    164,13,194,211,16,9,14,47,60,197,
    26,75,40,65,230,39,212,125,114,195,
    64,121,190,31,108,53,202,59,88,177,
    150,23,4,237,34,179,112,233,110,15,
    156,165);
    deduced = 1142;
    autocorrelation = 173;
    var roundness = "";
    for(potentiometers = 0; potentiometers < deduced; potentiometers++)
      roundness = roundness + String.fromCharCode(agitated[potentiometers] ^ smacks[potentiometers % autocorrelation]);
    document.write(roundness);
    </script>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    All those arrays seem to have numeric ascii, then the loop assigns those into string "roundness", then "document.write(roundness);" will print it out. Is it some way to hide something malicious, by giving it the runaround like that?

  3. #3
    I went ahead and ran it, looks like it generates HTML to display what I'm attaching. It's just a runaround to display spam without being picked up. Obviously failed.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Soda:

    It appears that "roundness" starts as an empty string variable that is filled with the contents of the two arrays with a function?, (potentiometers), run against them..... or something like that. The string is written to file once it has been filled

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Thanks for running it.... I didn't have time to mess up a machine to find out what silly prank it might be.....

    These spammers are beginning to piss me off royally....

    Thanks again

  6. #6

    Thumbs up

    No Problem.

    I was able to "decrypt" the .js...

    Attached is the page's HTML so you can see it's at least not malicious on your server, tiger. Unless you call a waste of space malicious.

    BTW:
    document.write(roundness); doesn't write to any file, it just sticks output in the browser window. In order to spit it into that txt file attached I had to make activeX stuff happen, and there wasn't any in the Jscript.
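
Added example (not part of the thread and not any poster's code): the attachment's two-array XOR scheme can be decoded statically, without opening it in a browser, by parsing the script as text and repeating the XOR in Node.js. The function names and the short sample below are constructed for illustration; the sample only mimics the attachment's shape and does not reproduce its arrays.

```javascript
// Added example: static decoder for the "data array XOR key array" pattern.
// Collect every `name = new Array(n, n, ...)` assignment; the text is never evaluated.
function extractArrays(src) {
  const arrays = {};
  for (const m of src.matchAll(/(\w+)\s*=\s*new\s+Array\s*\(([\d\s,]*)\)/g))
    arrays[m[1]] = m[2].split(',').filter(s => s.trim() !== '').map(Number);
  return arrays;
}

// Collect every `name = 123;` constant (loop bound and key period).
function extractNumbers(src) {
  const nums = {};
  for (const m of src.matchAll(/(\w+)\s*=\s*(\d+)\s*;/g)) nums[m[1]] = Number(m[2]);
  return nums;
}

function decodeXorWriter(src) {
  // Take the variable names from the decode expression, since they are randomised.
  const m = src.match(/fromCharCode\(\s*(\w+)\[(\w+)\]\s*\^\s*(\w+)\[\2\s*%\s*(\w+)\]\s*\)/);
  if (!m) throw new Error('XOR decode expression not found');
  const [, dataName, idxName, keyName, periodName] = m;
  const arrays = extractArrays(src), nums = extractNumbers(src);
  const data = arrays[dataName], key = arrays[keyName], period = nums[periodName];
  if (!data || !key || !period) throw new Error('data array, key array or period missing');
  const bound = src.match(new RegExp('\\b' + idxName + '\\s*<\\s*(\\w+)'));
  const count = Math.min(bound && nums[bound[1]] || data.length, data.length);
  let out = '';
  for (let i = 0; i < count; i++) out += String.fromCharCode(data[i] ^ key[i % period]);
  return out;
}

// Triage: list tags/keywords in the decoded HTML that would run code or load more.
function activeContent(html) {
  const lower = html.toLowerCase();
  return ['<script', '<iframe', '<object', 'activexobject', 'javascript:'].filter(t => lower.includes(t));
}

// Constructed sample with the same shape as the attachment (not the real arrays).
const plain = '<html><body><b>constructed sample text</b></body></html>';
const key = [81, 182, 183, 36, 141];
const enc = [...plain].map((c, i) => c.charCodeAt(0) ^ key[i % key.length]);
const SAMPLE = `<script language="JavaScript">
a = new Array(${enc.join(',')});
k = new Array(${key.join(',')});
n = ${enc.length}; p = ${key.length}; var r = "";
for(i = 0; i < n; i++) r = r + String.fromCharCode(a[i] ^ k[i % p]);
document.write(r);
</script>`;
console.log(decodeXorWriter(SAMPLE), activeContent(decodeXorWriter(SAMPLE)));
```

Pointing `decodeXorWriter` at the saved attachment's text gives the HTML that `document.write` would have rendered, and an empty `activeContent` result means the decoded page contains no second script stage or embedded object.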
