Is this a javascript virus?

[sailor]

I got an email with an attachment. The attached file had an HTML extension. I opened it with notepad and this is the entire contents:

<script language=“JavaScript”>
conserved = new Array(160,
205,14,70,228,31,122,101,91,57,171,
131,195,54,114,144,190,40,8,105,221,
245,212,201,88,172,162,251,162,172,168,
210,222,237,174,127,152,59,137,200,227,
74,69,173,109,80,29,173,67,134,229,
157,108,95,53,184,169,130,192,77,115,
197,71,172,55,69,82,142,58,132,58,
232,149,35,174,76,2,118,186,198,178,
233,197,179,12,60,218,137);
blue = new Array(156,
165,122,43,136,33,70,7,52,93,210,
163,160,89,30,255,204,21,42,27,184,
145,246,247,100,205,130,147,208,201,206,
239,252,133,218,11,232,1,166,231,148,
61,50,131,0,57,126,223,44,245,138,
251,24,113,86,215,196,173,226,115,48,
169,46,207,92,101,58,235,72,225,6,
199,244,29,146,99,96,25,222,191,140,
213,234,219,120,81,182,183,36,141,66,
83,144,137,142,175,188,69,154,203,168,
193,102,167,84,253,242,67,192,249,62,
159,236,181,74,187,216,49,22,151,132,
109,162,51,240,105,238,143,28,37,250,
171,8,161,198,135,180,221,82,35,32,
217,158,127,76,149,170,155,56,17,118
);
plummet = 88;
Satan = 151;
var introspections = “”;
for(ablest = 0; ablest < plummet; ablest++)
introspections = introspections + String.fromCharCode(conserved[ablest] ^ blue[ablest % Satan]);
document.write(introspections);
</script>

I’m pretty sure it’s nothing good but I’d like to know more. What does this script do?

[DoubleJ]

What I can tell you is that it’s taking each of the first 88 items from the two arrays and running an XOR on them. Modding ablest by Satan is irrelevant since ablest will always be < Satan; the expression is the same as just plain ablest.

Now, it’s been a while since I did this by hand, but I’m pretty sure the first one is:
160 ^ 156 = 10100000 ^ 10011100 = 00111100 = 60. The character code 60 gives us a less-than symbol, which is how you start an HTML tag. That tells me it’s probably going to try executing code.
Second: 205 ^ 165 = 11001101 ^ 10100101 = 01101000 = 104; char(104) = “h”.

Hm. That makes it look like it’s creating a header, not a script. Maybe it’s just going to write up a page with a short message and the author wanted to hide the source from you. It’s probably still a good idea to not let it run, though, until you figure out what all the characters are. I could figure it out for you, but I have actual work to do

[DoubleJ]

Well, I was wrong again. Here’s what I got when I dumped the results into a textarea:

<html><body color="red"><a href="http://www.microsoft.com/">Click here</a></body></html>

Why someone would go through all that trouble to obfuscate a link to Microsoft is beyond me. Was there anything to the attachment body other than that script?

Sad thing is, since the link is a link, it won’t even get the red text coloring the author apparently wanted.

[sailor]

hehe, you beat me by a few minutes. I took the trouble of doing the XOR with Excel in a roundabout way as I did not find the XOR function there and arrived at the same result as you did except that I noticed the two arrays are of different length. The first one is 88 and XORed with the second yields what you said but the length of the second one is 151 so I am wondering what the second part will yield. I tried XOR with the first part again and several other combinations (000, 255, etc) but nothing meaningful comes out.

The text I posted was the entire attachment. There was nothing more. What would it do with the second part of the second array? XOR it with something?

[DoubleJ]

Nope, it won’t do anything. This part:

plummet = 88;
for(ablest = 0; ablest < plummet; ablest++)

means that only the first 88 terms (indexes 0-87) will be used. The other terms in blue won’t get used at all.