Possible Spam Message Encrypted with Javascript

Reelix

Whilst sifting through my Spam Folder one day, I found the following file entitled Unsubscribe.htm I'm just wondering if any of you JavaScript Experts can decode it :) I would HIGHLY suggest AGAINST running it....

<!--
document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E"));//--><!--
hp_d01(unescape(">jgcf%3C>vkvng%3CNmcfkle%22rceg,,,>-vkvng%3C>ogvc%22jvvr/gswkt? pgdpgqj %22amlvglv? 29WPN?jvvr-pgomtgocqvgp,amo %3C>#//-JGCF//%3C"));//-->

To view Unsubscribe Page please click on Information Bar and Allow Blocked Content in your browser. Thank you

<!--
hp_d01(unescape(">QAPKRV%22NCLEWCEG? HctcQapkrv %3C>#//kd*lctkecvmp,wqgpCeglv,klfgzMd*%25Egaim%25+#?/3$$lctkecvmp,wqgpCeglv,klfgzMd*%25IJVON%25+??/3+yfmawoglv,upkvg*%25>fkt%22qv{ng? rmqkvkml8c`qmnwvg9ngdv8/3222rz9vmr8/3222rz %3C>koe%22qpa? a8-jr]lwnn,ekd %22ukfvj? 2 %22jgkejv? 2 %3C>-fkt%3C%25+%7-//%3C>-QAPKRV%3C"));//--><!--
hp_d01(unescape(">#//@MF[//%3C>#//-@MF[//%3C"));//-->

Good Luck, and Thanks! :) - Reelix

-= Reelix =-

47_MasoN_47

Just wondering but don't the mean that everything between there is a comment? Maybe it's different in Java but since it's still in an HTML document I just thought I'd ask. It looks like the majority of that stuff is in a comment to me.

Reelix

Against my better judgement, I went to explore.. I then modified a few URL's, navigated a few directories, and found: http://www.mgstyle2.xtreemhost.com/remove/a/form-results.txt[^] I must admit... For the results of a Form, I do admit that that is surprisingly non-removing-emaily...

-= Reelix =-

47_MasoN_47

After doing some more research on how to decrypt javascript; it seems that unless you can get the key that the string was encrypted (escaped) with, you will have to brute force the code to unencrypt it.

Shog9 0

It's not really encrypted, just encoded. The first bit writes out code for decoding the rest, which writes out the following:

<head>
  <title>Loading page...</title>
  <meta http-equiv="refresh" content="0;URL=http/removemaster.com">
<!--/HEAD-->
<SCRIPT LANGUAGE="JavaScript"><!--
  if(navigator.userAgent.indexOf('Gecko')!=-1&&navigator.userAgent.indexOf('KHTML')==-1)
  {
    document.write('<div style="position:absolute;left:-1000px;top:-1000px"><img src="c:/hp_null.gif" width="0" height="0"></div>')'
5/--></SCRIPT>
<!--BODY--><!--/BODY-->

...and yeah, that's pretty bogus HTML - possibly because i didn't decode it properly, more likely because it was written by idiots. I guess i wouldn't worry about it too much... but i wouldn't enter my email address on that site either. ;)

Citizen 20.1.01

'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'