[CelestialTeardrop]

Can someone please tell me if the source code for two pop-ups I got is malicious and whether it installs anything on one's computer without the user's knowledge (I use firefox 2.0.0.3)?

This pop-up got through firefox, but only flashed a blank, white box on the screen briefly before closing. I found it in my browsing history and clicked on the link to get its page source (was this a risky move?).
Source for: http://media.fastcli...c...d=4507&c=42

~~~~~~~~~~~~~~~~~~~~~~~

<html>
<BODY>

<script language="JavaScript">
<!--

function SymError()
{
return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script>
self.close();
</script>
</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}

function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~



The second appeared as a redirection page. It was white except for a dark blue band at the top saying something along the lines of please visit our sponsors; you will be redirected in ... seconds.
Source for http://media.fastcli...d...p;tp=6&url=

~~~~~~~~~~~~~~~~~~~~~~~~~~

<html>
<head>
<title>Get Cursors!</title>
<style>
.button2{font-family: Verdana; font-size: 10px; padding-right: 1; padding-left: 1; color: EEEEFF; vertical-align: middle; border: 1px solid FFFFFF; text-decoration: none; background-color: 000033;}
</style>

<script language="JavaScript">
<!--

function SymError()
{
return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script language="javascript">
// Copyright © 2004 Fastclick.com, Inc
var stop=1;
var time=10;
var iCK=0;
function rD(){
if(stop) location.href="";
}
function cD(){
if(time>0){
setTimeout('cD();',1000);
}
if(document.getElementById){
modify(time);
}
time=time-1;
}

function modify(timX){
var element=document.getElementById("txT");
if(stop==1){
if(time==0){
timX='Redirecting .........';
}else{
timX=timX+" seconds.";
}
}else{
timX=".... stopped ....";
}
if(element){
var newNode=document.createTextNode(timX);
element.replaceChild(newNode, element.firstChild);
}
}
</script>
</head>
<body bgcolor="ffffff" link="0033CC" vlink="0033CC" leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 marginheight=0 marginwidth=0>
<table cellpadding=3 cellspacing=1 border=0 bgcolor="000033" width="100%">
<tr>
<td>

&nbsp;<font style="font-family: Verdana; font-size: 11px;color: #dddddd;">Please take a moment to visit our sponsor. &nbsp;&nbsp;
<script language="javascript">
if(document.cookie.indexOf('fsH=1') < 0){
document.write('You will be redirected to <a href=""><font color="eeeeee"></font></a> in <a id="txT">a few seconds.</a></font>');
}
</script>
</td>
<td align="right">
<a href=""><span class="button2">Skip</span></a>&nbsp;
</td>
</tr>
</table>
<table cellpadding=0 cellspacing=0 border=0 width="100%" height="90%">
<tr>
<td align="center" valign="middle">

<script src="http://cdn.fastclick...></script></td>

</tr>
</table>

<script language="javascript">
// Copyright © 2004 Fastclick.com, Inc
for (i=0; i<40; i++){
setTimeout('loaded('+i+');',i*250);
}
function loaded(i){
if((document.pI.complete || i==39) && iCK==0){
if(document.cookie.indexOf('fsH=1') < 0){
setTimeout('rD();',10*1000);
cD();
var date_ob=new Date();
date_ob.setTime(date_ob.getTime()+70*1000);
document.cookie='rfsH=1; path=/; expires='+ date_ob.toGMTString();
}
iCK=1;
}
}
</script>
</body>
</html>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
window.open = SymWinOpen;
if(SymRealOnUnload != null)
SymRealOnUnload();
}

function SymOnLoad()
{
if(SymRealOnLoad != null)
SymRealOnLoad();
window.open = SymRealWinOpen;
SymRealOnUnload = window.onunload;
window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks in advance!

[Advertisements]

I see noting malicious in it.

self.close(); this would be making the windows close as soon as they open.

[Michael]

I see noting malicious in it.

self.close(); this would be making the windows close as soon as they open.

[CelestialTeardrop]

Fantastic, thanks so much for your reply Michael (and quick too)!

I was most worried about the second code, since (being new to web coding) I wasn't sure if
<script src="http://cdn.fastclick...></script></td>
would install something or do other damage (even though I didn't click on anything).

[Michael]

No the script tag is just for including scripts into the document. 99% of them are non-malicious. And the other 1% are normally targeted at IE. Normally they might modify part of the page if you do something, or collect more info from a web server. Like the quick reply on this page.

Your not going to pick up most of the virus out there, since they target IE. IE is a very easy target you see

[CelestialTeardrop]

Ahh, good to know. ::sigh of relief:: I try to avoid IE for just about everything besides windows updates, but I don't want to get too relaxed with ff, just in case.

Thanks again!

[Michael]

I run windows updates in Firefox http://ietab.mozdev.org/

[CelestialTeardrop]

Sweet, thanks for sharing that!

[Michael]

Oh and for the odd site that will just not let you in if your not useing IE http://chrispederick...agent-switcher/
I have visited a number of sites that that say you need IE 6 or better. Well I am one Firefox 2, that is better right

Like I know my bank does not allow it, because other browsers are not secure enough

Now back to writing my own extensions

[CelestialTeardrop]

Well I am one Firefox 2, that is better right

Hahaha, exactly!

This is a bit off-topic, but it's about firefox-ness... I noticed that the option to search images, videos, etc on www.google.com has been moved to the top left of the page instead of being right under the google logo in the center, and that the google firefox start page no longer has the options to search images, etc. at all. Is it just my security settings preventing the extra search options in http://www.google.com/firefox or did they just change their page?

[Michael]

I noticed the same thing, It is Google changing it.

I don't know, but maybe there will be an option in https://addons.mozil...refox/addon/743 to change it back soon.

[CelestialTeardrop]

Ok, I found the script that was linked to in the second code (first post) at the address http: //cdn.fastclick.net/fastclick.net/v4flash.js.

If you enter that url, you'll be given an option to save the script.
I did not open/run the script but I did however open it with wordpad, and here's what I got:

click_url=escape(click_url);
var swf_url=swf_path+'?clickTag='+click_url;
var loaded=false;
var plugin=(navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]) ? navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin : 0;
if(plugin){
plugin=parseInt(plugin.description.substring(plugin.description.indexOf(".")-1)) >= 5;
}
else if (navigator.userAgent && navigator.userAgent.indexOf("MSIE")>=0 && (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0)) {
document.write('<SCR' + 'IPT LANGUAGE=VBScript\> \n');
document.write('on error resume next \n');
document.write('plugin=( IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5")))\n');
document.write('</SCRIPT\> \n');
}
if(plugin){
document.write('<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"');
document.write('  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" ');
document.write(' ID=movie WIDTH='+width+' HEIGHT='+height+'>');
document.write(' <PARAM NAME=movie VALUE="'+swf_url+'"> <PARAM NAME=play VALUE=true> <PARAM NAME=loop VALUE=true> <PARAM NAME=quality VALUE=high> <PARAM NAME=bgcolor VALUE='+bcolor+'>  ');
document.write(' <EMBED name=movie src="'+swf_url+'" play=true loop=true quality=high bgcolor='+bcolor+'  ');
document.write(' swLiveConnect=TRUE WIDTH='+width+' HEIGHT='+height+'');
document.write(' TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">');
document.write(' </EMBED>');
document.write(' </OBJECT>');
}else{
document.write('<a target=_blank href="'+click_url2+'"><IMG SRC="'+img_path+'" WIDTH='+width+' HEIGHT='+height+'  BORDER=0></a>');
}

Does any of that look suspicious? And is there any way to actually check what is inside the script without running it?

Thanks.

[Michael]

Just looks kind of stupid. Well you can just read it, so you don't have to run it. You don't seam concerned about all the code of mine you posted

[CelestialTeardrop]

Haha, I was thinking either it's quite complex, or quite stupid, but if your expert opinion says it's stupid I'm inclined to agree.

Sorry for not checking with you first (in answering to New Zealand's post), but since anyone with firefox could see your code and since I did say it was from your site, I thought you wouldn't be too offended. I can delete my post if you want.

[Michael]

No, the more people that use it the better

It hardly looks complex to me

[CelestialTeardrop]

Oh, ok, good (about your code)

As for the other script...I must admit I'm pretty much a total freshman in regards to javascript, and anything from fastclick.com or casalemedia.com makes me suspicious. Who knows in what innocent package they pack their poison

Thanks for putting up with my novice questions!