IMPORTANT!
THE FOLLOWING WEBSITES ARE TROJANS!
PLEASE READ!
FRIENDS OF THE JS SEEKER VIRUS
www.interneteraser.com
www.sureseeker.com
www.topnukers.com
www.primenetwork.net
www.adultbusiness.co.uk
www.pushinit.com
www.sexthatsells.com
www.62nds.co.nz
Well, it finally happened... I caught a virus. While surfing for an in-house search engine I was considering using, I stumbled onto one of the adult biz opp sites that seemed interesting:
www.adultbusiness.co.uk. From there, I went to their link page. Down at the bottom is a link button to a site located at:
www.sexthatsells.com. Since my own ebook is called SEX SELLS! it piqued my curiosity so I gave it a click to see what it was about.
I noticed in the status bar I was being redirected to another site at:
www.pushinit.com...but when the page finally transited, I found myself at the home of the dread INTERNET ERASER
www.interneteraser.com. I've stumbled over this site several times in the past and get rather annoyed because it's always a blind link from something that sounds interesting, only to end up at the INTERNET ERASER site, which is basically set up to appear as an advertisement for "software" or hacker protection, with bold alerts warning that the machine you're using isn't safe, and about other privacy issues. When you close it out, it runs a script that opens your Windows Explorer window, showing you all the files on your hard drive. I've seen the script here and there, so I pretty much dismissed it, closed out the window and the site, and resumed what I'd been doing.
No sooner had I closed out, suddenly my Norton AntiVirus program jumped up to tell me I'd gotten infected by the JS.Seeker virus, along with the prompts for how to deal with it.
on 004176438 C:\WINDOWS\TEMPORARYINTERNETFILES\Content.IE5\1IC8 NE8B\d[1].py infected with the JS.Seeker virus. NAV was unable to repair, quarantine, or delete file. Access to file denied.
I went thru the "Repair/Quarantine/Delete" steps but it kicked back saying it couldn't do any of those functions. I stopped, got offline, and went thru the virus scan on NAV. I had no idea what the hell was going on, I'd never gotten a virus before, and I had no clue how to remedy it. I knew not to reboot if at all possible, since that's usually when the virus will launch so, being the conscientious netizen I am, I hit Yahoo and typed in JS.Seeker. Fortunately there were many wonderful links about the virus and how to eliminate it:
JS.Seeker is a Trojan horse program that alters the default startup and search pages of your Web browser. The Trojan horse sometimes arrives as a file named Runme.hta. This file runs only if the Windows Scripting Host is installed. This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy use to drop itself to the Windows Startup directory.
This trojan consists of three different parts: one HTML web page, and two hta files.
The web page is available in an adult site, and it affects Internet Explorer users. Once a user visits that page it immediately drops a file "runme.hta" in the Windows Startup directory and "removeit.hta" in the root of the "C:" drive. Next time when the system is rebooted it executes and changes the Internet Explorer and Netscape Navigator startup page to
www.sureseeker.com. It also modifies the Internet Explorer default search pages to that location. These changes are made to the registry, however, the trojan makes backup of these registry settings to two files, "backup1.reg" and "backup2.reg" in the Windows directory.
After that the trojan executes "removeit.hta", which simply deletes "runme.hta" from the Windows Startup directory. That way the user cannot see the previously dropped "runme.hta" file. To protect yourself against the vulnerability that this trojan uses, you can download and install the patch provided by Microsoft:
http://www.microsoft.com/technet/sec...n/ms99-032.asp
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild: High
Damage: Low
Distribution: Low
Damage:
Payload: Modifies files: Registry
Distribution:
Name of attachment: Runme.hta
Size of attachment: 3 to 5 K
When JS.Seeker is executed, it makes changes to the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page
The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg .
The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.
JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.
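To check whether a profile still carries the values listed above, here is an added Python example (not from the original post or from any antivirus vendor) that parses a Windows .reg export, such as the backup files the trojan leaves behind or a fresh `regedit /e` dump, and flags any of the five listed values that point at sureseeker.com; the sample export in the block is constructed.

```python
# Added example (not from the original post or an AV vendor): scan a Windows
# .reg export for the browser start/search values JS.Seeker rewrites.
import re

# The five registry values the write-up lists, grouped by key path.
HIJACKED_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main":
        {"Start Page", "Search Bar", "Default_Page_URL", "Default_Search_URL"},
    r"HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main": {"Home Page"},
}
INDICATOR_DOMAIN = "sureseeker.com"

def parse_reg_export(text):
    """Parse a REGEDIT4 / Registry Editor export into {key: {name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                       # new key section
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside string data
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def find_hijacked(reg_text):
    """Return (key, value_name, data) for each watched value pointing at INDICATOR_DOMAIN."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for name in HIJACKED_VALUES.get(key, ()):
            data = values.get(name)
            if data is not None and INDICATOR_DOMAIN in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample resembling a `regedit /e` export from an affected
# profile; the sureseeker.com data mirrors the description above.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.sureseeker.com/"
"Search Bar"="http://example.com/searchbar"
"Default_Search_URL"="http://www.sureseeker.com/search.html"
[HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main]
"Home Page"="http://www.sureseeker.com/"
"""
```

Running `find_hijacked(SAMPLE_EXPORT)` reports the three hijacked values and leaves the untouched Search Bar entry alone.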
And from a message board entry on the topic, I learned:
> -----Original Message-----
> From: Nate W [mailto:[email protected]]
> Sent: Monday, October 30, 2000 5:18 PM
> To: [email protected]
> Subject: sureseeker.com
>
> If anyone can think of a better place to report this, other than [email protected] and [email protected], do let me know.
>
> Looks like somewhere out there is a web server that cracks into web clients and does a little bit of reconfiguring without the user's knowledge or consent.
>
> The main objective of the malicious code is to set the user's start page to a cheesy "portal" web site, www.sureseeker.com. The sureseeker web site consists largely of 'affiliate clickthrough' links, for example news headlines from isyndicate.com, web searches from goto.com and searchtraffic.com, and so on.
>
> The method appears to begin with the installation of an 'html application' called runme.hta in the StartUp directory. runme.hta appears to re-set the start pages for Internet Explorer and Netscape, and also re-set the search URLs used by IE in various places. I say "appears to" because I don't actually have a copy of the file - a second file, called removeit.hta, is placed in the c:\ directory and executed via a link from the StartUp folder. removeit.hta deletes runme.hta in an attempt to cover their tracks. Removeit.hta doesn't get deleted though, and a set of .reg files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also remain on the victim's hard drive.
>
> The malicious code also puts 'sureseeker.com' in the HTTP-User-Agent string, so that victims are left running about advertising their misfortune to every web server they visit. Furthermore, sureseeker's tag appears in the articles they post to newsgroups using IE and deja.com, as in this case:
> http://www.deja.com/getdoc.xp?AN=680049493&fmt=text
>
> I have notified sureseeker's internet service providers (ni.net, primenetworks.net, and verio.net just in case either of those is in cahoots with the sureseeker people).
>
> I'm not sure what steps to take next, but if anyone has ideas I'm all ears.
>
> Thanks,
> Nate Waddoups
> Redmond WA USA
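Nate's point that the trojan tags the browser's User-Agent string suggests a server-side check. The following added Python example (not Nate's code and not from the original post) parses Apache combined-format access log lines and counts, per client address, the requests carrying the sureseeker.com tag; the log lines, addresses and agent strings in the block are constructed.

```python
# Added example (not from Nate's message or the original post): flag web
# server requests whose User-Agent carries the sureseeker.com tag described
# above, so a site operator can spot affected visitors in the access log.
import re
from collections import Counter

# Apache/NCSA "combined" log format; the last quoted field is the User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TAG = "sureseeker.com"

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def tagged_clients(lines):
    """Return {client_ip: request_count} for requests whose User-Agent contains TAG."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and TAG in rec["agent"].lower():
            counts[rec["ip"]] += 1
    return dict(counts)

# Constructed sample lines; the addresses, paths and agent strings are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Oct/2000:17:18:01 -0800] "GET / HTTP/1.0" 200 1532 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; sureseeker.com)"',
    '192.0.2.11 - - [30/Oct/2000:17:18:05 -0800] "GET /index.html HTTP/1.0" 200 1532 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"',
    '192.0.2.10 - - [30/Oct/2000:17:18:09 -0800] "GET /links.html HTTP/1.0" 200 880 '
    '"http://example.net/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98; sureseeker.com)"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for ip, n in tagged_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) with a {TAG}-tagged User-Agent")
```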
Hmmm...interesting. I went thru the steps and got rid of it. All's well that ends well.
Not quite. I got to thinking about it and tried to remember where the hell I was when it happened. I'd shortcutted a handful of sites but none of them looked familiar after all the virus drama. The idea was to go back to the originating biz op site and email them, tell them their "SEX THAT SELLS" link is a redirect to a virus. I couldn't find the shortcut I'd saved, and then I had a brainflash. WooHoo. I'd remembered that just prior to that net session, I'd cleaned out my cookies, history, recent, temp, and temp net files...which I learned to do a long time back so I'd have some record of where I'd been 'per session', or anyone else using my machine, in case of troubles. I went to the Cookies folder in Windows and browsed thru them...
I found 3 cookies that coincided with the time frame of 2:06am, including the one NAV recognized:
[email protected]1[1].txt = mses 3d3e50163d3e501600000001Mz9ZwPSHtpsDIqS4 search.py1.com/ 0 1978724096 29651074 2723741696 29504224 * (2:06AM)
ME@www.topnukers[1].txt = lang english www.topnukers.com// 0 3685634176 29577594 2273775680 29504170 *
ME@www.interneteraser[1].txt = IERASERPARTNER 9545863%2ANoREF www.interneteraser.com/ 0 2787326464 29504566 3811608992 29504223 * (2:01AM)