A little simpler than the usual.

The usual has a URL which goes to one site in IE and another in Netscape
(due to differences in whether they unescape before or after parsing the
hostname). The starting page used to test the URL you used (which was
an obfuscated URL - the Netscape one had some number of "%" signs in it,
and the starting page used JavaScript to check for that, or else would
direct you away).

Since this uses a simpler URL, it does not test that.

The starting page consists of two hundred blank lines, then
a line of two hundred tabs followed by some HTML code
(and the start of some JavaScript code - the programmer
uses "[script] [!--" to hide it from other browsers, and
as "[!--" is also a JavaScript comment line, he has to
break the code here and put in a new line).

The rest of the page (very short).

What does it do?

This page has an onerror function (IiIlI1l1l1II1i1)
and an onload function:

 onLoad="javascript: if (llIllIil1I1l1lI()) 
  l1Iili1liIiiiIiIl(Ii11Il1IIliIIi(), l1l1ilIiIl1I(), lll1l1illil(), 
                    II1i1l1lIII111ll1IlI(),ll1i11ili1IIl(),
                    lIililIili1I111li1iI(), lIil1111i11(), 
                    IlIli1liIiIli1Iii());"

Where are those functions? Well, the page loads two modules.

"loadscr.js" and "loadlib.js"

Loadlib.js has the functions.

"loadlib.js" consists of two hundred blank lines, followed
by a line of two hundred tabs, followed by a single line
of JavaScript, 25K in length.

For example, we can find that the onerror function has the
definition:

 function IiIlI1l1l1II1i1(lI1liII1I1iiII1, lI1I1ii1lilIl1Il1l,
                          lll1I1liili111Ii1l) { return true; }

(it just returns true to block the normal on_error processing)

How about the test code (llIllIil1I1l1lI()) in the onload function?
Well, it is defined as:

 function llIllIil1I1l1lI(Iill1ll1I11I1Iill1) { 
  window.onerror = IiIlI1l1l1II1i1; 
  if (!liii1ll1IIiIi) return false; 
  var II1IiIiII1iI =I1IilIlilIi1i1I1i1[IlIl111il1I1lIiiiI1i()]; 
  if (II1IiIiII1iI == null || II1IiIiII1iI== "") 
   { II1IiIiII1iI = I1IilIlilIi1i1I1i1[l1lIllilliIIIl1iIi1()];} 
  if (II1IiIiII1iI != null && II1IiIiII1iI != "") 
   {lIlIliI1111ilIiil1l(IlIl111il1I1lIiiiI1i(), II1IiIiII1iI); } 
   else {I1IilIlilIi1i1I1i1[IlIl111il1I1lIiiiI1i()] = 
         li1iIIliIili11ii(IlIl111il1I1lIiiiI1i()); }
  if (Iill1ll1I11I1Iill1 != null) InitForm(Iill1ll1I11I1Iill1); 
  return true; }
 
What are these functions, such as IlIl111il1I1lIiiiI1i()?
THOSE are encrypted strings. They are in loadscr.js.
 
So, what is IlIl111il1I1lIiiiI1i()?
It is in loadscr.js (again, 200 blank lines, etc.) and
is defined as:

  { return lIIIiliiili11l('|IIϡ!')}

What is lIIIiliiili11l? Well, that is in loadscr.js as well,
it decrypts its argument to give a string (i.e. IlIl111il1I1lIiiiI1i()
is a function which returns an encrypted string). In this case
IlIl111il1I1lIiiiI1i() returns the string "Email".
==================================================

Messy. Not hard, just messy.

The test function is used on further pages (it is a routine that can
do a lot, but is unused here). Let me describe basically how his
site works.

He is on a public host (earthlink) so has no server side processing.
Everything is done with client side processing.

When you go to a page from one of his pages, the URL will include
a search_string/data_string such as:
 http://this_site/my_page.htm?this_is_the_data

He has packaged JavaScript routines (used on each page) which check if there
is data and create an array from that. It then works on the array.

For example, he has an order form. To reach it you go from his page
which sets a variable of something like "ADD_ITEM_PRICE=...
ADD_ITEM_DESC=...". That is in the URL to go to the order form
(http://site.com/page.htm?ADD_ITEM_PRICE=...&ADD_ITEM_DESC=...)
The JavaScript sees the data and puts it into the array.

Seeing an ADD_ITEM section, the general code (which is on all the
pages except this starting one - see below for the names of the
larger JavaScript modules) will modify the array
and add the price to a subtotal element of the array, add the
description to a list of descriptions for items in your shopping cart,
etc. Of course, since this site is just for one item, this shopping
cart stuff is pretty much a waste.

So ... the array is created from the data in the URL, it then updates
itself (based on that data), it also adds stuff to itself indicating
your browser, etc. It ALSO, IF THIS IS ON A PAGE WITH A FORM, UPDATES
THE FORM'S VARIABLES FROM THE ARRAY VALUES. Then you fill in the
rest of the order form (name, address, etc.). JavaScript is used
to verify the data before it is submitted. It is then sent out using
an abused formmailer script and you are sent to a page which says
"thanks" and leads you to the page from which you can download the
programme (without a key to use it - that is supposed to come to
you in email).

In this case, this testing function attempts to work on the array,
BUT, as you just came to this page, there is nothing to do.

After the test, we have:

 javascript: if (llIllIil1I1l1lI()) 
   l1Iili1liIiiiIiIl(
    Ii11Il1IIliIIi(), 
    l1l1ilIiIl1I(), 
    lll1l1illil(),
    II1i1l1lIII111ll1IlI(),
    ll1i11ili1IIl(),         
    lIililIili1I111li1iI(),
    lIil1111i11(), 
    IlIli1liIiIli1Iii())

After the test (which does nothing) we have a function of eight
arguments. Each returns a string which is a JavaScript URL.
The function examines your browser and depending on your browser
will run the JavaScript URL. Those URLs are JavaScript code to
do something.

What?
 
 It redirects your page (main window) to an innocent site which will download
 a lot to your computer. If you just do a (packet) capture or examine your
 cache to find the spammer's stuff you will have to dig through all the
 other stuff.
 
 It attempts to hide this main window (it uses the JavaScript code:
  "window.moveTo(2500, 2500);" - most versions of JavaScript do NOT
  allow a site to close or hide windows or move them off screen
  like this).
  
 It opens a new window and loads in the spammer's site there.
 
(Yep ... this is just a redirecting page and we have yet to reach the
 spammer's actual page!)

The eighth function just runs the first function (they are the same).
The third and fifth just run the second function (they are the same).
The fourth, sixth and seventh all do the same thing.

So, there are only three different possibilities (the browser is sorted
into one of eight classes, such as "OPERA", which uses the sixth function,
while "WEBTV" is in the fourth group and uses the fourth function, and
Internet Explorer in versions before 4 (i.e. 3 or earlier) is in the
seventh group and uses the seventh function). As the fourth, sixth
and seventh functions are the same, all these browsers get the same
result.

Here is the short version:

(In all of these, you will not find the URLs listed in the loadlib.js
 file. They are all created from functions which return strings and
 which have the encrypted strings in loadscr.js)

 UNSUPPORTED BROWSERS (opera, webtv, early versions)
                      (as in the example above)
                      
   MAIN WINDOW: Redirected to the innocent "http://www.excite.com"
                Attempts to hide it by moving it off screen.
   POP-UP:      Opened to
                "http://(175_spaces)@home.earthlink.net/~f60a/sorry.htm"
                (which tells you to update your browser)

 NETSCAPE:

  PRELOADS GRAPHICS: The graphics are at "http://home.earthlink.net/~ad61/"
                     ("http://home.earthlink.net/~ad61/paymeth_echeck.gif"
                       for example)

  MAIN WINDOW: Redirected to "http://home.netscape.com"
               (this will load lots of ads and stuff from their partners,
                such as ads.aol.com, etc.)

  POP-UP:      The spammer's page is at
               "http://(175_spaces)@home.earthlink.net/~f60a/main.htm"  

 IE:
 
  PRELOADS GRAPHICS: The graphics are at "http://home.earthlink.net/~ad61/"
                     ("http://home.earthlink.net/~ad61/paymeth_echeck.gif"
                       for example)

  MAIN WINDOW: Redirected to "http://www.msn.com"

  POP-UP:      The spammer's page is at
               "http://(175_spaces)@home.earthlink.net/~f60a/main.htm"  
  
Images preloaded from:
http://home.earthlink.net/~ad61/
(e.g. http://home.earthlink.net/~ad61/paymeth_echeck.gif)

They are all there ...
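The "http://(175_spaces)@home.earthlink.net/..." URLs above rely on the userinfo part of the authority (everything before the last "@") pushing the real host out of sight. The helper below is an added example, not code from the spammer's site or from this post; it splits a URL into scheme, userinfo, host and path by hand so the real host and the amount of whitespace padding can be seen and flagged. The sample URL is constructed to mirror the form used on the page.

```javascript
// Added example: dissect "scheme://userinfo@host/path" URLs so that the
// real host is reported regardless of how long the userinfo part is.
// Per RFC 3986 the authority is "[ userinfo "@" ] host [ ":" port ]",
// so the host is whatever follows the LAST "@" in the authority.
function dissectUrl(raw) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)(.*)$/i.exec(raw);
  if (!m) return null;                       // not an absolute hierarchical URL
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? '' : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const host = hostport.replace(/:\d*$/, ''); // drop an optional ":port"
  // Count whitespace in the userinfo; a userinfo made entirely of
  // whitespace is padding meant to hide the host, not a credential.
  const padding = (userinfo.match(/\s/g) || []).length;
  return {
    scheme,
    userinfo,
    host,
    path: rest,
    paddedUserinfo: padding > 0 && padding === userinfo.length,
  };
}

// Constructed sample in the same shape as the post's
// "http://(175_spaces)@home.earthlink.net/~f60a/main.htm".
const SAMPLE = 'http://' + ' '.repeat(175) + '@home.earthlink.net/~f60a/main.htm';

function main() {
  const r = dissectUrl(SAMPLE);
  console.log(`host=${r.host} userinfo_len=${r.userinfo.length} padded=${r.paddedUserinfo}`);
}
main();
```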

The next message will discuss what happens once we actually reach the
spammer's page!
