I got an email (SPAM of course) that recommended I go to some randomly hosted free site because some random name had received some random item after some random event. I viewed the source remotely, stripped out unnecessary HTML, and got the following:
So I first deobfuscated the function to:
<SCRIPT LANGUAGE="JAVASCRIPT"><!--
eval (unescape("%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%54%52%48%41%43%58%56%51%52%55%50%59%41%56%44%43%45%41%4B%49%5A%59%55%43%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%67%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%22%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D"));//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
e_e("h!%2B3*%28%22q&%2C %3C|t0&%3D5d#%3B%2F407 !17zh%5CXupe%60%7BiNOak%3E371%2C#|%2E%2E %2D%25y%7Bn%5DS594m%29%2E%28%28%2E0%3A%2Dz%3A%3A%24%25et9&! cny0%2C2%24%27%3E3%2D%3D0 3&%250%2F385%3D%24w%229%29a~LAizvznylEKcxj~!6%2201%22z");//--></SCRIPT>
So I first deobfuscated the function to:
<script>
function e_e(e){e=unescape(e);p="TRHACXVQRUPYAVDCEAKIZYUC";s="";sl=new Array(),k=0,j=0;for(i=0;i<e.length;i++){c=e.charCodeAt(i);if(c<128){c=c^p.charCodeAt(j%p.length);j++;}s+=String.fromCharCode(c);if(s.length>80){sl[k++]=s;s=""}}s=sl.join("")+s;document.write(s)}
</script>
Modified it to:
<script>
function e_e(e){e=unescape(e);p="TRHACXVQRUPYAVDCEAKIZYUC";s="";sl=new Array(),k=0,j=0;for(i=0;i<e.length;i++){c=e.charCodeAt(i);if(c<128){c=c^p.charCodeAt(j%p.length);j++;}s+=String.fromCharCode(c);if(s.length>80){sl[k++]=s;s=""}}s=sl.join("")+s;alert(s)}
</script>
I did this to prevent it from executing if it had indeed been some awful spyware program. Then I simply placed the second half of the script into a test document, and ran it to see:
<script language="text/javascript"> <!-- window.focus(); top.location.href="http://towelwithstandsweight.com"; //--> </script>All that work to simply relocate the website to a penis enlargement site. Seems like more hassle than it's worth.