06-10-2005, 06:31 PM
Machete_
This is the tech info about the exploit. It's the previous version, but again, it has nothing to do with sleazy

-------------------------------
When the target user visits the Web site, http://www.<BLOCKED>roads.com, this malware downloads itself on the target system as a GIF file. For the malware to execute, it needs to be set as the source code of the script language used in an HTML file. When opened in an Image viewer, it fails to run.
It sets a specific adult Web site as the default homepage, Search page, Search bar and Search assistant of Internet Explorer by modifying the registry as follows:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Page" = http://www.<BLOCKED>roads.com/search.html

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = http://www.<BLOCKED>roads.com/movie/homepage.html

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Bar" = http://www.<BLOCKED>roads.com/search.html

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"SearchURL" = http://www.<BLOCKED>roads.com/search.html

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
"SearchAssistant" = http://www.<BLOCKED>roads.com/search.html

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
"SearchAssistant" = http://www.<BLOCKED>roads.com/search.html

Aside from carrying out the modifications mentioned above, it also adds the following adult sites to the favorites list of Internet Explorer:

"SixRoads" = http://www.<BLOCKED>roads.com/main.shtml
"Torridora Cocktails" = http://www.<BLOCKED>ridora.com/

Then, it checks if the page being currently browsed is a Russian page. It does this by checking if the following characters exist on the URL address:

BE
CZ
LT
LV
PL
RU
SK
UA
YU

If the abovementioned condition is met, this URL is added to the favorites section of the IE browser:

"Цены На Автомобили ВАЗ" = http://www.<BLOCKED>index.ru/

It also adds the following links to the Links section of Internet Explorer. These links direct the target user to sites which contain obscene material:

"Torridora Cocktails" = http://www.<BLOCKED>rridora.com/
"Hamlet of 21 century" = "http://www.<BLOCKED>mlet.com/"
"Adult Cartoon"="http://www.<BLOCKED>toondirectory.com/main.shtml"
"Six Roads of Sex" ="http://www.<BLOCKED>roads.com/main.shtml"
"Free Sex Forest" = "http://www.<BLOCKED>forest.com/"
"Sky Maids" ="http://www.<BLOCKED>maids.com/"
"Fairy River"="http://www.<BLOCKED>river.com/"
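A defender's check for the registry changes listed in the post, as an added example that is not part of the original post or the quoted write-up: it parses the text of a .reg export and reports any of those Internet Explorer values that point at a host outside an allowlist. The sample export, the hosts `hijack.example` and `search.corp.example`, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Internet Explorer values the quoted write-up lists as modified.
WATCHED = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main":
        ("Search Page", "Start Page", "Search Bar"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer": ("SearchURL",),
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search":
        ("SearchAssistant",),
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search":
        ("SearchAssistant",),
}
# Registry key and value names are case-insensitive.
_WATCHED_CI = {k.lower(): {v.lower() for v in vs} for k, vs in WATCHED.items()}
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Constructed sample with placeholder hosts; real exports are UTF-16, decode first.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example/movie/homepage.html"
"Search Page"="http://search.corp.example/"
"Window Title"="not a watched value"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://hijack.example/search.html"
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _SZ_LINE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def audit_ie_settings(text, allowed_hosts):
    """Return watched values whose URL host is not in allowed_hosts."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if name.lower() not in _WATCHED_CI.get(key.lower(), ()):
            continue
        host = (urlsplit(data).hostname or "").lower()
        if data.lower() != "about:blank" and host not in allowed_hosts:
            findings.append((key, name, data))
    return findings
```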