Worst I've seen yet

[Lil' Abner]

Someone pointed this URL out to me
hpppp:// firefox dot on dot nimp dot org / index.php
I've munged it bad enough so no one will get there accidentally.
In Firefox, it brings up a small logo which if you click on will take you
to a page of questionable taste.
But in Internet Explorer, it puts on a show you'll never forget. The only
way I could stop it was by killing IExplore in Task Manager, and Task
Manager didn't want to come up very bad. It's unending popups, and really
fast. I thought I was pretty well protected, but not against that!
I read the source in Firefox and first line down was...
<title>GNAA Last Measure v4.1 by Rucas with Armorfist's PopupByPasser Mod.
</title>.
I haven't run a scan yet, but I don't think I "caught" anything.
Not for the weak of heart. I know some brave soul will have to try it and
report back.... :-)

--
-- Being "over the hill" is much better than being under it! --

[VTJim]

On Thu, 31 Mar 2005 19:28:38 -0600, "Lil' Abner" <blvstk@dogpatch.com>
wrote:

>I haven't run a scan yet, but I don't think I "caught" anything.
>Not for the weak of heart. I know some brave soul will have to try it and
>report back.... :-)

Kind of like a wet paint sign? You bet.

So what do I have set wrong in firefox? *IE* tells me the page cannot be
displayed, but Firefox, without javascript enabled, went totally bull****
loading tabs faster then you could kill them. Questionable is quite an
understatement on what was being displayed.

Why does it run in Firefox, and NOT IE, in my case? (IE internet is set
at High)

[Ian JP Kenefick]

On Thu, 31 Mar 2005 19:28:38 -0600, "Lil' Abner" <blvstk@dogpatch.com>
wrote:

>Someone pointed this URL out to me
>hpppp:// firefox dot on dot nimp dot org / index.php
>I've munged it bad enough so no one will get there accidentally.
>In Firefox, it brings up a small logo which if you click on will take you
>to a page of questionable taste.
>But in Internet Explorer, it puts on a show you'll never forget. The only
>way I could stop it was by killing IExplore in Task Manager, and Task
>Manager didn't want to come up very bad. It's unending popups, and really
>fast. I thought I was pretty well protected, but not against that!
>I read the source in Firefox and first line down was...
><title>GNAA Last Measure v4.1 by Rucas with Armorfist's PopupByPasser Mod.
></title>.
>I haven't run a scan yet, but I don't think I "caught" anything.
>Not for the weak of heart. I know some brave soul will have to try it and
>report back.... :-)

nothing malicious here with the exception of the onslaught of popups
and the wav file 'Hey everybody I'm looking at gay porno' BTW, I do
NOT recommend you visit this website.
--

Regards,
Ian Kenefick
www.ik-cs.com/got-a-virus.htm

[Ian JP Kenefick]

On Thu, 31 Mar 2005 19:28:38 -0600, "Lil' Abner" <blvstk@dogpatch.com>
wrote:

>Someone pointed this URL out to me
>hpppp:// firefox dot on dot nimp dot org / index.php
>I've munged it bad enough so no one will get there accidentally.
>In Firefox, it brings up a small logo which if you click on will take you
>to a page of questionable taste.
>But in Internet Explorer, it puts on a show you'll never forget. The only
>way I could stop it was by killing IExplore in Task Manager, and Task
>Manager didn't want to come up very bad. It's unending popups, and really
>fast. I thought I was pretty well protected, but not against that!
>I read the source in Firefox and first line down was...
><title>GNAA Last Measure v4.1 by Rucas with Armorfist's PopupByPasser Mod.
></title>.
>I haven't run a scan yet, but I don't think I "caught" anything.
>Not for the weak of heart. I know some brave soul will have to try it and
>report back.... :-)

It's the spawn.php page that it opens 'spawns' the browser windows. I
sent this file to a few vendors for detection. When NOD32 add
detection IMON will block the script from running.
--

Regards,
Ian Kenefick
www.ik-cs.com/got-a-virus.htm

[David H. Lipman]

From: "Lil' Abner" <blvstk@dogpatch.com>

| Someone pointed this URL out to me
| hpppp:// firefox dot on dot nimp dot org / index.php
| I've munged it bad enough so no one will get there accidentally.
| In Firefox, it brings up a small logo which if you click on will take you
| to a page of questionable taste.
| But in Internet Explorer, it puts on a show you'll never forget. The only
| way I could stop it was by killing IExplore in Task Manager, and Task
| Manager didn't want to come up very bad. It's unending popups, and really
| fast. I thought I was pretty well protected, but not against that!
| I read the source in Firefox and first line down was...
| <title>GNAA Last Measure v4.1 by Rucas with Armorfist's PopupByPasser Mod.
| </title>.
| I haven't run a scan yet, but I don't think I "caught" anything.
| Not for the weak of heart. I know some brave soul will have to try it and
| report back.... :-)
|
| --
| -- Being "over the hill" is much better than being under it! --


index[1].php\000003e4.js "Exploit-IEPageSpoof"
http://vil.nai.com/vil/content/v_130508.htm
http://www.kb.cert.org/vuls/id/356600

IE must be patched with MS05-013
http://www.microsoft.com/technet/sec.../MS05-013.mspx

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

[optikl]

VTJim wrote:

>
> Why does it run in Firefox, and NOT IE, in my case? (IE internet is set
> at High)
>
>

If it's set on high security, scripting is disabled.

[Doc]

"Lil' Abner" <blvstk@dogpatch.com> wrote in
news:Xns962AC6244B12Ebutter@daisymae.com:

> Someone pointed this URL out to me
> hpppp:// firefox dot on dot nimp dot org / index.php
<snip>
> Not for the weak of heart. I know some brave soul will have to try it
> and report back.... :-)
>

Ah well, I had to try. Win ME using IE 6 SP1 (Maxthon).

Firewall asked me if I wanted to allow the site to use ActiveX and I said
NO. Firewall also blocked javascript. All I got was an almost blank page,
just with a .png graphic logo to gnaa.com in the centre. So I got extra
brave and clicked the link. Got taken to a webpage for "Gay Niggers
Association of America", lol. And nothing 'bad' on that site either, just 3
..png images and some text, no ActiveX nor javascript.

At least I know that my setup behaved as I expected it would.

BTW, what does a pop-up look like ? Never seen one here.

--
Life should NOT be a journey to the grave with the intention of arriving
safely in a pretty and well preserved body, but rather to skid in
broadside, thoroughly used up, totally worn out and loudly proclaiming
"WOW, WHAT A RIDE"

[Ian JP Kenefick]

On Fri, 01 Apr 2005 03:25:08 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Lil' Abner" <blvstk@dogpatch.com>
>
>| Someone pointed this URL out to me
>| hpppp:// firefox dot on dot nimp dot org / index.php
>| I've munged it bad enough so no one will get there accidentally.
>| In Firefox, it brings up a small logo which if you click on will take you
>| to a page of questionable taste.
>| But in Internet Explorer, it puts on a show you'll never forget. The only
>| way I could stop it was by killing IExplore in Task Manager, and Task
>| Manager didn't want to come up very bad. It's unending popups, and really
>| fast. I thought I was pretty well protected, but not against that!
>| I read the source in Firefox and first line down was...
>| <title>GNAA Last Measure v4.1 by Rucas with Armorfist's PopupByPasser Mod.
>| </title>.
>| I haven't run a scan yet, but I don't think I "caught" anything.
>| Not for the weak of heart. I know some brave soul will have to try it and
>| report back.... :-)
>|
>| --
>| -- Being "over the hill" is much better than being under it! --
>
>
>index[1].php\000003e4.js "Exploit-IEPageSpoof"
>http://vil.nai.com/vil/content/v_130508.htm
>http://www.kb.cert.org/vuls/id/356600
>
>IE must be patched with MS05-013
>http://www.microsoft.com/technet/sec.../MS05-013.mspx

This detect the forged url but not the embedded javascript which
launches the attack.
--

Regards,
Ian Kenefick
www.ik-cs.com/got-a-virus.htm

[Jay T. Blocksom]

On Thu, 31 Mar 2005 19:28:38 -0600, in <alt.privacy.spyware>, "Lil' Abner"
<blvstk@dogpatch.com> wrote:
>
[snip]

> But in Internet Explorer, it puts on a show you'll never forget. The only
> way I could stop it was by killing IExplore in Task Manager, and Task
> Manager didn't want to come up very bad. It's unending popups, and really
> fast. I thought I was pretty well protected, but not against that!

1. - You've allowed MSIE to remain installed on your system
2. - You're actually *running* MSIE.
3. - You're actually running MSIE with pop-ups, Java**** and/or ActiveXploit
enabled.

Yet, for some completely unfathomable reason, you "thought [you were] pretty
well protected"...?!?

The mind boggles.

--

Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet02[at]appropriate-tech.net

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this domain is expressly prohibited under
47 USC S227 and State Law. Violators are subject to prosecution.

[Lil' Abner]

Jay T. Blocksom <not.deliverable+usenet02@appropriate-tech.net> wrote in
news:7tuq41trcrcb48h2ki1i64i1fen1r5j7if@news.speak easy.net:

> On Thu, 31 Mar 2005 19:28:38 -0600, in <alt.privacy.spyware>, "Lil'
> Abner"
><blvstk@dogpatch.com> wrote:
> >
> [snip]
>
> > But in Internet Explorer, it puts on a show you'll never forget. The
> > only way I could stop it was by killing IExplore in Task Manager,
> > and Task Manager didn't want to come up very bad. It's unending
> > popups, and really fast. I thought I was pretty well protected, but
> > not against that!
>
> 1. - You've allowed MSIE to remain installed on your system
> 2. - You're actually *running* MSIE.
> 3. - You're actually running MSIE with pop-ups, Java**** and/or
> ActiveXploit
> enabled.
>
> Yet, for some completely unfathomable reason, you "thought [you were]
> pretty well protected"...?!?

I don't run IE... never ever. I just had to try it this once to see what
I was missing. But I figured with Spybot's "immunization" and a 231 kb
hosts file, and whatever spywareblaster does, that maybe I'd escape
anything drastic. The patch someone mentioned above didn't help either.

--
-- Being "over the hill" is much better than being under it! --