Security Incidents mailing list archives

Re: udp and dst port 1026


From: Thomas Preissler <tomjohn () gmx de>
Date: Wed, 3 Dec 2003 13:19:38 +0100

Hello Bill,

* Bill wrote on 02.12.2003:

> Hi all,
>
> Using a sacrificial PC, I surfed over to the web site mentioned in Cedric's
> packet dump, www.popadstop.com. The web page uses Javascript to obfuscate
> its contents, but invites users to download and install a free tool that
> allegedly blocks pop-up spam <g>. I suspect that the user who downloads the
> tool thereby obtains a Trojan that causes their system to begin sending
> such invitations to others. I spent a few minutes trying to unobfuscate the
> web page, but didn't yet entirely succeed in doing so.

I decrypted it a little bit; these are the unescape-chars:

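// l (the alphabet) and dddss (the encoded data) are not defined in this excerpt.
s='';
for (i=0;i<dddss.length;i++){
  a=l.indexOf(dddss.charAt(i));
  // remap alphabet indices 1-4
  if (a==1) a=9;
  if (a==2) a=10;
  if (a==3) a=13;
  if (a==4) a=34;
  if (a<=31 & a>=14){
    // back-reference: the next two characters give the distance,
    // a-14+4 characters are copied from the output built so far
    off=s.length-(l.indexOf(dddss.charAt(++i))-36+90*(l.indexOf(dddss.charAt(++i))-35))-1;
    lp=off+a-14+4;
    s=s+s.substring(off,lp);
  } else {
    // literal character; indices 41 and up are shifted down by one
    if (a>=41) a=a-1;
    s=s+l.charAt(a);
  }
};
document.write(s);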

I downloaded the index.html and replaced the "eval()" with
"prompt()". Then I copied the shown JavaScript code.

Hm, then I inserted that code instead of the "eval()". I got the
really decrypted code, but how can I show it properly? Using
"prompt()" is not a solution, that's too much code...

By the way: The real code works with "write()" to write the
HTML-code on the page...


Greets,
Tom
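
An added example, not part of Tom's message or of the site's code: a stand-alone JavaScript port of the decoder loop quoted above that returns the decoded text, so it can be printed or saved under Node.js without going through prompt(), eval() or document.write(). SAMPLE_ALPHABET and SAMPLE_ENCODED are constructed test values; the real `l` and `dddss` strings are in the downloaded page and are not shown in the message.

```javascript
// Offline port of the decoder loop: same token handling, but the result is
// returned as a string and nothing is evaluated or written into a page.
function decodeLayer(encoded, alphabet) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    let a = alphabet.indexOf(encoded.charAt(i));
    // Same index remapping as the original loop.
    if (a === 1) a = 9;
    else if (a === 2) a = 10;
    else if (a === 3) a = 13;
    else if (a === 4) a = 34;

    if (a >= 14 && a <= 31) {
      // Back-reference token: this character carries the copy length, the
      // next two carry the distance (low part first, then multiples of 90).
      if (i + 2 >= encoded.length) {
        throw new RangeError('truncated back-reference at offset ' + i);
      }
      const low = alphabet.indexOf(encoded.charAt(++i)) - 36;
      const high = alphabet.indexOf(encoded.charAt(++i)) - 35;
      const off = out.length - (low + 90 * high) - 1;
      out += out.substring(off, off + a - 14 + 4);
    } else {
      // Literal: indices 41 and above are shifted down by one.
      if (a >= 41) a -= 1;
      out += alphabet.charAt(a);
    }
  }
  return out;
}

// Constructed alphabet (assumption): index i holds the character with code i.
const SAMPLE_ALPHABET = Array.from({ length: 127 }, (_, i) => String.fromCharCode(i)).join('');
// Constructed input: literals "abcd", one back-reference (length 4,
// distance 3), then the literal "!".
const SAMPLE_ENCODED = 'bcde' + '\x0e' + "'" + '#' + '!';

console.log(JSON.stringify(decodeLayer(SAMPLE_ENCODED, SAMPLE_ALPHABET)));
```

With the real `l` and `dddss` pasted in from the saved index.html, the returned string can be written to a file and read in a text editor.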
