A little simpler than the usual. The usual has a URL which goes to one site in IE and another in Netscape (due to differences in whether they unescape before or after parsing the hostname). The starting page used to test the URL you used (which was an obfuscated URL; the Netscape one had some number of "%" signs in it, and the starting page used JavaScript to check for that or else would direct you away). Since this uses a simpler URL, it does not test that.

The starting page consists of two hundred blank lines, then a line of two hundred tabs followed by some HTML code and the start of some JavaScript code (as the programmer uses "[script] [!--" to hide it from other browsers, and as "[!--" is also a JavaScript comment line, he has to break the code here and put in a new line), then the rest of the page (very short).

What does it do? This page has an onerror function (IiIlI1l1l1II1i1) and an onload function:

    onLoad="javascript: if (llIllIil1I1l1lI()) l1Iili1liIiiiIiIl(Ii11Il1IIliIIi(), l1l1ilIiIl1I(), lll1l1illil(), II1i1l1lIII111ll1IlI(), ll1i11ili1IIl(), lIililIili1I111li1iI(), lIil1111i11(), IlIli1liIiIli1Iii());"

Where are those functions? Well, the page loads two modules, "loadscr.js" and "loadlib.js". loadlib.js has the functions. It consists of two hundred blank lines, followed by a line of two hundred tabs, followed by a single line of JavaScript, 25K in length. For example, we can find that the onerror function has the definition:

    function IiIlI1l1l1II1i1(lI1liII1I1iiII1, lI1I1ii1lilIl1Il1l, lll1I1liili111Ii1l) { return true; }

(it just returns true to block the normal onerror processing). How about the test code (llIllIil1I1l1lI()) in the onload function? Well, it is defined as:

    function llIllIil1I1l1lI(Iill1ll1I11I1Iill1) {
        window.onerror = IiIlI1l1l1II1i1;
        if (!liii1ll1IIiIi) return false;
        var II1IiIiII1iI = I1IilIlilIi1i1I1i1[IlIl111il1I1lIiiiI1i()];
        if (II1IiIiII1iI == null || II1IiIiII1iI == "") {
            II1IiIiII1iI = I1IilIlilIi1i1I1i1[l1lIllilliIIIl1iIi1()];
        }
        if (II1IiIiII1iI != null && II1IiIiII1iI != "") {
            lIlIliI1111ilIiil1l(IlIl111il1I1lIiiiI1i(), II1IiIiII1iI);
        } else {
            I1IilIlilIi1i1I1i1[IlIl111il1I1lIiiiI1i()] = li1iIIliIili11ii(IlIl111il1I1lIiiiI1i());
        }
        if (Iill1ll1I11I1Iill1 != null) InitForm(Iill1ll1I11I1Iill1);
        return true;
    }

What are these functions, such as IlIl111il1I1lIiiiI1i()? THOSE are encrypted strings. They are in loadscr.js. So, what is IlIl111il1I1lIiiiI1i()? It is in loadscr.js (again, 200 blank lines, etc.) and is defined as:

    function IlIl111il1I1lIiiiI1i() { return lIIIiliiili11l('ïÌ|I¦IÏ¡!¡'); }

What is lIIIiliiili11l? Well, that is in loadscr.js as well; it decrypts its argument to give a string (i.e. IlIl111il1I1lIiiiI1i() is a function which holds an encrypted string and returns it decrypted). In this case IlIl111il1I1lIiiiI1i() returns the string "Email".

==================================================

Messy. Not hard, just messy. The test function is used on further pages (it is a routine that can do a lot, but is unused here).

Let me describe basically how his site works. He is on a public host (Earthlink) so has no server-side processing. Everything is done with client-side processing. When you go to a page from one of his pages, the URL will include a search string/data string such as:

    http://this_site/my_page.htm?this_is_the_data

He has packaged JavaScript routines (used on each page) which check if there is data and create an array from that. It then works on the array. For example, he has an order form. To reach it you go from his page, which sets a variable of something like "ADD_ITEM_PRICE=... ADD_ITEM_DESC=...". That is in the URL to go to the order form:

    http://site.com/page.htm?ADD_ITEM_PRICE=...&ADD_ITEM_DESC=...
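The layout and naming tricks described above (hundreds of blank lines, a line of tabs, identifiers built only from I, l, 1 and i, the whole script on one line, string literals handed to a decoder function) are all things a reviewer can score automatically before reading a single line. The following Python is an added example, not code from this post or from the spammer's pages: it runs a handful of such indicators over a constructed sample shaped like the files described above (using the identifiers and the decoder literal quoted in the post) and over a plain sample, and flags a file when two or more indicators fire. The thresholds are assumptions chosen here, not values from the post.

```python
# Added example (not from the original post): heuristic indicators for the
# layout and naming tricks described above, run over constructed sample scripts.
import re

# JavaScript reserved words that should not count as the author's own identifiers.
JS_KEYWORDS = {
    "function", "return", "var", "if", "else", "null", "true", "false", "new",
    "this", "typeof", "while", "for", "break", "continue", "in", "do", "switch",
    "case", "default", "try", "catch", "finally", "throw", "delete", "void",
    "instanceof",
}

IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
# Identifiers made only of the look-alike glyphs I, l, 1 and i.
LOOKALIKE_RE = re.compile(r"[Il1i]+")
# A call whose single argument is a quoted literal containing non-ASCII
# characters: the shape of the decoder calls (lIIIiliiili11l('...')) above.
ENCODED_CALL_RE = re.compile(r"""[A-Za-z_$][\w$]*\(\s*(['"])[^'"\n]*[^\x00-\x7f][^'"\n]*\1\s*\)""")


def scan_script(text):
    """Return a dict of obfuscation indicators for one script body."""
    lines = text.split("\n")

    # Leading lines with no visible content (the tab-only line counts too).
    leading_blank = 0
    for line in lines:
        if line.strip():
            break
        leading_blank += 1

    # Lines that are nothing but a long run of tabs or spaces (the 200-tab line).
    padding_lines = [len(l) for l in lines if l and not l.strip() and len(l) >= 50]

    idents = [i for i in IDENT_RE.findall(text) if len(i) >= 6 and i not in JS_KEYWORDS]
    lookalike = [i for i in idents if LOOKALIKE_RE.fullmatch(i)]
    ratio = len(lookalike) / len(idents) if idents else 0.0

    return {
        "leading_blank_lines": leading_blank,
        "padding_lines": len(padding_lines),
        "longest_line": max((len(l) for l in lines), default=0),
        "lookalike_identifiers": len(lookalike),
        "lookalike_ratio": ratio,
        "encoded_string_calls": len(ENCODED_CALL_RE.findall(text)),
    }


def is_suspicious(report):
    """Two or more independent indicators is enough to pull a file for review.
    The thresholds are assumptions, not values taken from the post."""
    hits = [
        report["leading_blank_lines"] >= 100,
        report["padding_lines"] > 0,
        report["longest_line"] >= 2000,
        report["lookalike_identifiers"] >= 5 and report["lookalike_ratio"] >= 0.5,
        report["encoded_string_calls"] > 0,
    ]
    return sum(hits) >= 2


# Constructed sample shaped like loadscr.js as described above: 200 blank lines,
# a line of 200 tabs, then the script on one line. The identifiers are the ones
# quoted in the post; the decoder argument is the quoted literal 'ïÌ|I¦IÏ¡!¡'.
SAMPLE_OBFUSCATED = (
    "\n" * 200
    + "\t" * 200 + "\n"
    + "function IiIlI1l1l1II1i1(lI1liII1I1iiII1, lI1I1ii1lilIl1Il1l, lll1I1liili111Ii1l) { return true; } "
    + "function IlIl111il1I1lIiiiI1i() { return lIIIiliiili11l('\u00ef\u00cc|I\u00a6I\u00cf\u00a1!\u00a1'); } "
    + "function llIllIil1I1l1lI(Iill1ll1I11I1Iill1) { window.onerror = IiIlI1l1l1II1i1; return true; }\n"
)

# Constructed plain sample for comparison.
SAMPLE_PLAIN = (
    "function addToCart(price, description) {\n"
    "  var subtotal = 0;\n"
    "  return subtotal + price;\n"
    "}\n"
)

if __name__ == "__main__":
    for name, text in (("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)):
        report = scan_script(text)
        print(name, report, "suspicious" if is_suspicious(report) else "ok")
```

The scanner only points at files worth a human's time; recovering the strings themselves still needs the decoder routine from loadscr.js, which this does not attempt.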
The JavaScript sees the data and puts it into the array. Seeing an ADD_ITEM section, the general code (which is on all the pages except this starting one; see below for the names of the larger JavaScript modules) will modify the array: add the price to a subtotal element of the array, add the description to a list of descriptions for items in your shopping cart, etc. Of course, since this site is just for one item, this shopping cart stuff is pretty much a waste.

So ... the array is created from the data in the URL; it then updates itself (based on that data); it also adds stuff to itself indicating your browser, etc. It ALSO, IF THIS IS ON A PAGE WITH A FORM, UPDATES THE FORM'S VARIABLES FROM THE ARRAY VALUES. Then you fill in the rest of the order form (name, address, etc.). JavaScript is used to verify the data before it is submitted. It is then sent out using an abused formmailer script, and you are sent to a page which says "thanks" and leads you to the page from which you can download the programme (without a key to use it; that is supposed to come to you in email).

In this case, this testing function attempts to work on the array, BUT, as you just came to this page, there is nothing to do. After the test, we have:

    javascript: if (llIllIil1I1l1lI()) l1Iili1liIiiiIiIl(Ii11Il1IIliIIi(), l1l1ilIiIl1I(), lll1l1illil(), II1i1l1lIII111ll1IlI(), ll1i11ili1IIl(), lIililIili1I111li1iI(), lIil1111i11(), IlIli1liIiIli1Iii())

After the test (which does nothing) we have a function of eight arguments. Each argument is a call which returns a string that is a JavaScript URL. The function examines your browser and, depending on your browser, will run one of those JavaScript URLs. Those URLs are JavaScript code to do something. What? It redirects your page (main window) to an innocent site which will download a lot to your computer. If you just do a (packet) capture or examine your cache to find the spammer's stuff, you will have to dig through all the other stuff.
It attempts to hide this main window (it uses the JavaScript code "window.moveTo(2500, 2500);"; most versions of JavaScript do NOT allow a site to close or hide windows or move them off screen like this). It opens a new window and loads the spammer's site there. (Yep ... this is just a redirecting page and we have yet to reach the spammer's actual page!)

The eighth function just runs the first function (they are the same). The third and fifth just run the second function (they are the same). The fourth, sixth and seventh all do the same thing. So, there are only three different possibilities. The browser is sorted into one of eight classes: for example, "OPERA" uses the sixth function, "WEBTV" is in the fourth group and uses the fourth function, and Internet Explorer in versions before 4 (i.e. 3 or earlier) is in the seventh group (and uses the seventh function). As the fourth, sixth and seventh functions are the same, all these browsers get the same result.

Here is the short version. (In all of these, you will not find the URLs listed in the loadlib.js file. They are all created from functions which return strings and which have the encrypted strings in loadscr.js.)

UNSUPPORTED BROWSERS (Opera, WebTV, early versions; as in the example above)
    MAIN WINDOW: Redirected to the innocent "http://www.excite.com". Attempts to hide it by moving it off screen.
    POP-UP: Opened to "http://(175_spaces)@home.earthlink.net/~f60a/sorry.htm" (which tells you to update your browser).

NETSCAPE
    PRELOADS GRAPHICS: The graphics are at "http://home.earthlink.net/~ad61/" ("http://home.earthlink.net/~ad61/paymeth_echeck.gif" for example).
    MAIN WINDOW: Redirected to "http://home.netscape.com" (this will load lots of ads and stuff from their partners, such as ads.aol.com, etc.).
    POP-UP: The spammer's page is at "http://(175_spaces)@home.earthlink.net/~f60a/main.htm".

IE
    PRELOADS GRAPHICS: The graphics are at "http://home.earthlink.net/~ad61/" ("http://home.earthlink.net/~ad61/paymeth_echeck.gif" for example).
    MAIN WINDOW: Redirected to "http://www.msn.com".
    POP-UP: The spammer's page is at "http://(175_spaces)@home.earthlink.net/~f60a/main.htm".

Images are preloaded from http://home.earthlink.net/~ad61/ in every case (e.g. http://home.earthlink.net/~ad61/paymeth_echeck.gif). They are all there ...

The next message will discuss what happens once we actually reach the spammer's page!
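Two URL tricks appear in this post: the pop-up URLs with 175 spaces before the "@" (everything before the "@" is userinfo, so the real host is the part after it, pushed out of sight), and, at the top, the observation that a URL with "%" signs can resolve to one host in IE and another in Netscape depending on whether the browser unescapes before or after it picks out the hostname. The following Python is an added example, not code from this post or from the spammer's pages. It isolates the real host, reports whether the userinfo is pure padding, and computes the host both ways so a filter or log parser can tell when the two disagree. The padded URL follows the "(175_spaces)@home.earthlink.net/..." shape quoted above; the ambiguous URL and its .example domains are constructed for illustration.

```python
# Added example (not from the original post): how the host of a URL depends on
# parse order, and how to see past the padded userinfo used in the pop-up URLs above.
from urllib.parse import unquote


def split_authority(url):
    """Return (authority, rest) for an absolute URL without decoding anything."""
    scheme, sep, remainder = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % url)
    end = len(remainder)
    for delimiter in "/?#":
        pos = remainder.find(delimiter)
        if pos != -1:
            end = min(end, pos)
    return remainder[:end], remainder[end:]


def host_parse_then_decode(url):
    """Isolate the host on the raw text, then percent-decode it."""
    authority, _ = split_authority(url)
    return unquote(authority.rpartition("@")[2])


def host_decode_then_parse(url):
    """Percent-decode the whole URL first, then isolate the host.
    A decoded %2F becomes a '/', which ends the authority early."""
    authority, _ = split_authority(unquote(url))
    return authority.rpartition("@")[2]


def describe_authority(url):
    """Report the real host and what precedes the '@', if anything."""
    authority, _ = split_authority(url)
    userinfo, at, host = authority.rpartition("@")
    return {
        "host": host.lower(),
        "has_userinfo": bool(at),
        "userinfo_length": len(userinfo),
        # A userinfo made only of spaces has no purpose except pushing the
        # real host out of sight in a narrow address bar or log column.
        "userinfo_is_padding": bool(at) and userinfo.strip() == "",
        # If this is True, different clients may fetch from different hosts.
        "host_depends_on_parse_order": host_parse_then_decode(url) != host_decode_then_parse(url),
    }


# Constructed URLs. PADDED_URL follows the "(175_spaces)@home.earthlink.net/..."
# shape quoted above. AMBIGUOUS_URL is an invented example (example domains)
# whose host differs with parse order, the kind the older pages tested for.
PADDED_URL = "http://" + " " * 175 + "@home.earthlink.net/~f60a/main.htm"
AMBIGUOUS_URL = "http://www.trusted.example%2Fpage.htm@evil.example/"

if __name__ == "__main__":
    for url in (PADDED_URL, AMBIGUOUS_URL):
        print(describe_authority(url))
        print("  parse then decode:", host_parse_then_decode(url))
        print("  decode then parse:", host_decode_then_parse(url))
```

A filter that canonicalises URLs before matching them should reject or quarantine anything where host_depends_on_parse_order is true, since it cannot know which of the two hosts the user's browser will actually contact; for the padded form, logging the host field rather than the raw URL is what makes the real destination visible.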