> An easy way to de-obfuscate this is to give your browser this URL. Works
> at least with Mozilla, but I think other browsers support the javascript:
> pseudo-protocol, too.
>
> javascript:alert(decodeURI('<obfuscated-URL-here>'))
>
We have seen this done and exploited *mostly* on IRC spam (directed at
the mIRC client).
Let's decode a URL that may end up making IE destroying the PC or
emailing our passwords.. or downloading a dropper or,,, :o)
Gadi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Fri Jan 23 07:38:10 2004
This archive was generated by hypermail 2.1.8 : Fri Jan 23 2004 - 08:01:02 CST
