I just received a virus that looks something like this:

<script type='text/javascript'>
<!--
// Obfuscated payload: every character is stored shifted up by one code point,
// with the control characters 28 and 23 standing in for '&' and '!'.
var s="=nfub!iuuq.frvjw>#sfgsfti#!------REST OF PAYLOAD REMOVED-----?";
var m = "";
for (var i = 0; i < s.length; i++) {
    if (s.charCodeAt(i) == 28) {
        m += '&';
    } else if (s.charCodeAt(i) == 23) {
        m += '!';
    } else {
        // Shift every other character back down by one
        m += String.fromCharCode(s.charCodeAt(i) - 1);
    }
}
// Writes the decoded markup straight into the page, which is what makes it run
document.write(m);
//-->
</script>

I'm not a JS expert but I would like to decrypt the contents of that string. Can you tell me the best way to alter document.write to see what it's doing?

+1  A: 

Since m is a String, you can just replace document.write() by alert(). Jsfiddle demo.

It seems to be creating a meta refresh header, probably with the intent to inject it into the head of the current HTML page in order to redirect to a different (malicious?) page.

BalusC
That is what I thought, but just wanted to be sure. I don't want to get infected...
MakerOfThings7
+4  A: 

Just create a <textarea id="foo"></textarea>, and write

document.getElementById('foo').value = m;

Alternatively, you could encode < and & to &lt; and &amp; and keep the document.write.


FYI, the payload starts with

<meta http-equiv="refresh" 

so it looks like it just redirects the user to a malicious site.

KennyTM
@Maker: What do you mean?
KennyTM
@KennyTM - sorry I deleted my n00b question-in-comments. It makes sense now
MakerOfThings7
Yes, the alert did say it was redirecting me to a malicious website. Thanks!
MakerOfThings7
Alert? Kenny wasn't at all suggesting to use an alert.
BalusC
@BalusC: Pretty sure he means that when his computer executed the code, his browser's malware detection kicked in and warned him that he was going to a dangerous site.
Chuck
@Chuck @BalusC Actually I used an alert as the solution, and then tried the DIV code too. I'll try every bit of stack-homework if it means I learn something
MakerOfThings7
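The decoder loop from the question, turned into a pure function so the result is returned instead of handed to document.write(), together with the entity escaping Kenny suggests. This is an added example, not code from the original question or answers; encodePayload is my reconstruction of the obfuscator's forward direction (the page only shows the decoder), and the full sample tag and its example.invalid URL are constructed here because the real remainder of the payload was removed from the question. It runs under Node or in a browser console without touching the DOM.

```javascript
// Added example (not from the original question or answers): decode the
// obfuscated string without executing it, then escape it for safe display.

// Inverse of the posted loop: charCode 28 -> '&', 23 -> '!', everything else -1.
function decodePayload(s) {
  let m = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 28) {
      m += '&';
    } else if (c === 23) {
      m += '!';
    } else {
      m += String.fromCharCode(c - 1);
    }
  }
  return m;
}

// Forward direction of the obfuscator (an assumption derived from the decoder;
// the original page does not include it). Used only to build constructed test data.
function encodePayload(plain) {
  let s = '';
  for (const ch of plain) {
    if (ch === '&') s += String.fromCharCode(28);
    else if (ch === '!') s += String.fromCharCode(23);
    else s += String.fromCharCode(ch.charCodeAt(0) + 1);
  }
  return s;
}

// Escape so the decoded markup can go through document.write / innerHTML and be
// shown as text rather than parsed (otherwise the <meta refresh> would fire).
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Pull the redirect target out of <meta http-equiv="refresh" content="N;url=...">.
// Returns null when no such tag is present.
function extractRefreshUrl(html) {
  const re = /http-equiv\s*=\s*["']refresh["'][^>]*content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)/i;
  const m = re.exec(html);
  return m ? m[1] : null;
}

// The prefix that is visible in the question; the rest was removed there.
const OBSERVED_PREFIX = '=nfub!iuuq.frvjw>#sfgsfti#!';

// Constructed sample: a complete tag of the same shape with a placeholder URL
// (example.invalid is a reserved name; the real destination is not on the page).
const SAMPLE_PLAIN =
  '<meta http-equiv="refresh" content="0;url=http://example.invalid/a.php?x=1&y=2">';
const SAMPLE_ENCODED = encodePayload(SAMPLE_PLAIN);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodePayload(OBSERVED_PREFIX));                 // <meta http-equiv="refresh"
  console.log(escapeHtml(decodePayload(SAMPLE_ENCODED)));      // safe to display
  console.log(extractRefreshUrl(decodePayload(SAMPLE_ENCODED))); // the redirect target
}
```

Because decodePayload only builds a string, it is safe to call on the whole payload; the only dangerous step in the original script is document.write(m), which parses the result as HTML.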
+1  A: 

Don't run it in your browser; instead try running it in FireBug, for example (except the document.write(m) line - just use FireBug to see the contents of the m variable).

Most of these embed an iframe into your site

Mchl
+1  A: 

Use Malzilla to decode the URL. http://malzilla.sourceforge.net/

Nathan
+1 Seems neat, useful and complicated at the same time. I got it to work on a site I trust. Not sure what all the buttons do though or when I need 'em.
MakerOfThings7