Closed Bug 226622 Opened 21 years ago Closed 21 years ago

javascript malware on website hangs browser intentionally

Categories

(SeaMonkey :: General, defect)

x86
Windows 98
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 13350

People

(Reporter: steevo, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5b) Gecko/20030808
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.5b) Gecko/20030808

Browsed to spammed site. 
Site contains popup:
"this site requires a 4.0 browser". 

No matter what, that locked the browser.  Clicking OK caused the script to run
again, modal window appeared again. 
There was no time to kill javascript in Mozilla, before the box would pop up
again, and nothing could be done with the browser from that point on except end
task with task manager. 

This site likely requires IE so the site operator can open windows with no
controls.  Which is why I use Mozilla for spam analysis.  But he stopped me. 

Script on site is malware. Intended to take control of the browser (IE).  But it
pretty much killed Mozilla. 

Reproducible: Always

Steps to Reproduce:
1. Browse to http://200.206.191.202/COO/index.html
2. Browser is then disabled by malware script on site. 
3.

Actual Results:  
Browser was locked up, had to be quit with task manager. 

Expected Results:  
Not allowed script to repeat?  
Script control should always be accessable even though there is a modal window
place there by script. 

Hmm.
You can press ESC before the dialog comes up.    (Or just press ESC twice in a
row if the dialog is open)

Invalid?
Might also be duped against bug 13350.

*** This bug has been marked as a duplicate of 13350 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
I agree about the dupe of 13350. 
I searched for that, got zarro. 
Oh well. 

I used view-source:http://200.206.191.202/COO/index.html to have a look at the
code. I get one long line, put in some breaks to show the start of it here:

<html><head><title>::</title><meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"><meta http-equiv='expires' content=''>
<script>var vm66=6743;CQPaeh='OBSKrOawObqEOjOMjJIgSfWO';ym='<tl<ed<citus=Ti aede
o upr orbosr  rwe eso . rhge srqie!;

... cut some, and then the end of the file: ...

eval(unescape(haur));sfb91='OnMxJdOFHkIOWLnxxwDOdlUcbswBqTdOKprPotKGmCOO';</script></head></html>

It seems to me the file consists of some strings ending with a semicolon; and
haure= somestring; is one of them. I assume unescaped it will form another
(eval(Unescape()) function, and so on. 
If you really want to decode, copy the view-source:http:// link into the
location bar, use File:Save as to save it, and maybe you can decode it using the
javascript debugger.
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.