All times are UTC


 Post subject: WebX
Posted: Wed Feb 23, 2005 12:54 pm
Noobie

Joined: Wed Feb 23, 2005 12:42 pm
Posts: 1
Location: Przemysl, Poland
I have designed an alternative scripting language.
I called it WebX.

http://CENSURED - THERE WAS A VIRUS ON THIS ADDRESS - Moderated by Oliver Reed (100WebSpace Support Team)

I could propose it as an easy alternative to HTML frames.
But I had problems with the special services of Ukraine.
(Coz I knew about their HARD CRIMES.)

Right now I'm looking for hosting for this language,
to try it with a real site.

As for my MIND, this language
is simpler and faster than PHP.

P.S. I worked on a new language.
But SSU (Security Service of Ukraine) stole my notebook.
Finally, I left the country.


 Post subject:
Posted: Wed Feb 23, 2005 5:53 pm
Moderator

Joined: Fri Feb 11, 2005 5:38 pm
Posts: 850
Location: in a tent outside..
OH MY GOD, hey, just to let you know, when I was viewing your site, my eTrust EZ Antivirus went off when I was viewing your site, saying that page index.html has the VBS.Redlof virus! DUDE YOU SHOULD TAKE THAT SITE DOWN, and if your computer made that site, your whole computer has the polymorphic virus.

VBS.Redlof is an encrypted, polymorphic virus that has the ability to attach itself to outgoing e-mail sent by Microsoft Outlook and Outlook Express.

Redlof infects blank.htm & index.htm in the "Program Files\Common Files\Microsoft Shared\Stationery\" directory or creates this file if it does not exist.

In order to spread via e-mail, the virus sets the following registry values so that the file "blank.htm" becomes the default stationery used by Outlook and Outlook Express:

HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = "blank"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = "blank"

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery = "blank"

HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\Outlook Express\(OE Version)\Mail\Compose Use Stationery = "1"

HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\Outlook Express\(OE Version)\Mail\Stationery Name = "blank.htm"

HKEY_CURRENT_USER\Identities\(User ID)\Software\Microsoft\Outlook Express\(OE Version)\Mail\Wide Stationery Name = "blank.htm"

Where (User ID) is read from the registry key:

HKEY_CURRENT_USER\Identities\Default User ID

and (OE Version) is read from the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer

Redlof re-associates the .dll extension to run scripts and creates an infected VBScript file Kernel.dll in the Windows directory:

HKEY_CLASSES_ROOT\.dll\ = "dllfile"
HKEY_CLASSES_ROOT\.dll\Content Type = "application/x-msdownload"
HKEY_CLASSES_ROOT\dllfile\ScriptEngine\ = "VBScript"
HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\ = "Windows\System\WScript.exe ""%1"" %*"
The key:
HKEY_CLASSES_ROOT\dllfile\DefaultIcon\
is also set to the contents of the key:
HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\

It adds a registry key to run the infected script on Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32

Redlof infects Folder.htt in the Windows\Web directory and copies this file along with desktop.ini to multiple directories. Folder.htt is the default file used by Windows Explorer as a template when Web view mode is active. In effect, this will cause the virus to run when the folder is viewed.

To infect files, it first checks the value of the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree
using this folder as a starting point for infection. If this key is empty, Redlof searches five sub-directories in the first directory found on the hard drive and infects files with the following extensions:
.HTML, .HTM, .VBS, .HTT, .ASP, .JSP, .PHP

Dude, you almost got my computer!!!!
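
A defender's check for the registry indicators listed in the description above, as an added example that is not part of the original post: it parses the text of a `.reg` export and reports which of four of those indicators are present. The names `parse_reg` and `redlof_hits`, the reading of `Kernel32` as a value under the `Run` key, and both sample exports are assumptions made for this example.

```python
import re

# Indicators from the description quoted in the post: (key, value name, data regex).
# "@" is the key's default value. Helper names below are hypothetical.
INDICATORS = [
    (r"HKEY_CLASSES_ROOT\dllfile\ScriptEngine", "@", r"^VBScript$"),
    (r"HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command", "@", r"WScript\.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Kernel32", r"."),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings", "NewStationery", r"^blank$"),
]

def parse_reg(text):
    """Parse .reg export text into {key_lower: {name_lower: data}}; string values only,
    with the .reg escaping of backslashes and quotes undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = m.group(1).strip('"').lower()
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def redlof_hits(text):
    """Return the indicators from INDICATORS that are present in the export."""
    keys = parse_reg(text)
    hits = []
    for key, name, pattern in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and re.search(pattern, data, re.IGNORECASE):
            hits.append(f"{key}\\{name}")
    return hits

# Constructed sample exports (not captured from a real host).
INFECTED = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\dllfile\ScriptEngine]
@="VBScript"
[HKEY_CLASSES_ROOT\dllfile\Shell\Open\Command]
@="C:\\WINDOWS\\System\\WScript.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINDOWS\\Kernel.dll"
'''
CLEAN = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
'''
```

Files written by `reg export` are UTF-16 by default, so decode them before passing the text to `redlof_hits`.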

 Post subject:
Posted: Wed Feb 23, 2005 5:57 pm
Moderator

Joined: Fri Feb 11, 2005 5:38 pm
Posts: 850
Location: in a tent outside..
To infect other people's computers, LIKE IT ALMOST DID TO MINE!, it first checks the value of the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree
using this folder as a starting point for infection. If this key is empty, Redlof searches five sub-directories in the first directory found on the hard drive and infects files with the following extensions:
.HTML, .HTM, .VBS, .HTT, .ASP, .JSP, .PHP, MEANING YOUR SITE!

 Post subject: Umm..
Posted: Fri Feb 25, 2005 4:27 pm
Noobie

Joined: Thu Feb 10, 2005 4:30 pm
Posts: 13
Location: London UK
...ban him? That was obviously deliberate.

