Re: how does this load
From: Kaylene aka Taurarian (taurarian_at_REMOVE_CAPS_hotmail.com)
Date: 02/17/04
- Next message: Ramesh [MVP]: "Re: XP/he - Mystery Process"
- Previous message: Kaylene aka Taurarian: "Re: How to Backup? How to be Administrator? Still Locked out."
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 17 Feb 2004 20:33:52 +1100
Don't know how it works but you may wish to get rid of it!
Spyware Programs links:-
www.lavasoftusa.com Ad-Aware
www.security.kolla.de Spybot
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
"Important" <allpurposes@hotmail.com> wrote in message
news:10d7301c3f4da$5ab64b50$a301280a@phx.gbl...
>
> <script>parasite_status= 'NoIE';
> /*@cc_on
> @if (@_jscript_version>4)
> parasite= {
>
> defs: [
> ['FFEEDDCC-BBAA-9988-7766-554433221100','(control)','',''],
> ['F414C260-6AC0-11CF-B6D1-00AA00BBBB58','(control)','',''],
>
> ['1EEC3C99-7AA3-4F6E-B381-AF6942B51618','PUP','AS',''],
> ['00EF2092-6AC5-47c0-BD25-CF2D5D657FEB','Google','AS','']
> ],
>
> warn: 'Warning!',
> infest1: 'Your browser appears to have the "',
> infest2: '" parasite installed',
> prob1: '. This software ',
> can: 'can ',
> may: 'may ',
> and: ' and ',
> infest3: '. It might have been installed without your
> knowledge. ',
>
> delay: 500,
>
> write: function(doc) {
>
> var i, p, h= '';
> var cb= (doc.implementation)?'view-
> source:about:blank':'javascript:';
> h= '<div id="parasite" style="display: none;">';
> for (i= this.defs.length; i-->0;) {
> p= this.defs[i];
> if (p[0].length==36) {
>
> h+= '<object id="parasite_o'+i+'" classid="clsid:'+p
> [0]+'" ';
> h+= 'codebase="'+cb+'"> <\/object>';
> }
> }
> h+= '<\/div>';
> doc.write(h);
> parasite_status= 'wait';
> },
>
> check: function(doc) {
> var i, p, pmv, h, el, infs= [];
> if (doc.all['parasite_o0']) return;
> for (i= this.defs.length; i-->2;) {
> p= this.defs[i]
> if (p[0].length==36) {
> el= doc.all['parasite_o'+i];
> if (el && el.readyState!=0)
> infs[infs.length]= p;
> } else { try {
> el= new ActiveXObject(p[0]);
> infs[infs.length]= p;
> } catch(e) {}}
> }
> el= doc.all['parasite'];
> if (infs.length==0) {
> // THIS IS WHAT WE DO IF IT'S NOT INSTALLED
> startRun();
> parasite_status= (doc.all
> ['parasite_o1']) ? 'clean' : 'NoAX';
> return;
> }
> parasite_status= 'dirty';
> // THIS IS WHAT WE DO IF IT'S INSTALLED
> },
>
> listprobs: function(s) {
> var i, r= '';
> for (i= 0; i<s.length; i++) {
> r= r+this[s.charAt(i)];
> if (i==s.length-2) r= r+this.and;
> if (i<s.length-2) r= r+', ';
> }
> return r;
> }
> }
>
> if (typeof(document)=='undefined') {
> var ie= WScript.createObject
> ('InternetExplorer.Application');
> ie.navigate('about:blank');
> ie.visible= true;
> var doc= ie.document;
> parasite.write(doc);
> do {
> WScript.Sleep(parasite.delay);
> parasite.check(ie.document);
> } while (parasite_status=='wait');
> if (parasite_status=='clean') {
> doc.body.innerHTML= 'Nothing found';
> }
> } else {
> parasite.write(document);
> var parasite_check= function() {
> parasite.check(document);
> if (parasite_status=='wait') {
> setTimeout(parasite_check, parasite.delay);
>
> }
> }
> setTimeout(parasite_check, parasite.delay);
> }
> @end @*/
> </script>
> this automatically loads pup.exe and over.exe
> as soon as you visit
> the http://www.clickheretofind.com
> i want to know how it runs the exe even with highest
> security settings and how i could run a remote notepad
> instead
> like
> http://www.angelfire.com/new/hah/notepad.exe
> ..so i can understand the vulnerability it uses somehow
> i believe its a .cab one
>
- Next message: Ramesh [MVP]: "Re: XP/he - Mystery Process"
- Previous message: Kaylene aka Taurarian: "Re: How to Backup? How to be Administrator? Still Locked out."
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
