what would cause this ??
am 17.10.2007 01:35:55 von DrZaius
PC belonging to a friend.
Friend clicks on a link to a website:
http://sajpj.eaqcfmc.cn/bupkgwd.html
What happened next, is supposedly the
printer attached to the PC, proceeded
to print off 94 pages of random words &
gibberish sentences.
The website link above is no longer
in service.
Question is, what kind of "attack" (if
this was one), was this ?
And, what was the source of the some 94
pages of words ? (since supposedly many
of the words / sentences in the pile of
paper were contents of emails the owner
had on the machine).
Any possible explanations for this ?
How could just visiting a website cause a
printer to spew out 94 pages of stuff ???
Re: what would cause this ??
am 17.10.2007 03:55:28 von M Trimble
Quoting DrZaius on Tue, 16 Oct 2007 19:35:55 -0400:
> PC belonging to a friend.
>
> Friend clicks on a link to a website:
>
> http://sajpj.eaqcfmc.cn/bupkgwd.html
>
> What happened next, is supposedly the
> printer attached to the PC, proceeded
> to print off 94 pages of random words &
> gibberish sentences.
>
> The website link above is no longer
> in service.
>
> Question is, what kind of "attack" (if
> this was one), was this ?...
>
> Any possible explanations for this ?
>
> How could just visiting a website cause a
> printer to spew out 94 pages of stuff ???
IN theory, it should be possible. Right (or wrong, depending on viewpoint)
settings in the OS and or the browser; right kind of script embedded in
the web page; just the right bug in just the right software....
I'd be more inclined to think in terms of user error - the user might have
accidentally hit the wrong button at the wrong time.
Re: what would cause this ??
am 17.10.2007 20:30:30 von Ant
"DrZaius" wrote:
> Friend clicks on a link to a website:
>
> hxxp://sajpj.eaqcfmc.cn/bupkgwd.html
That looks like the kind of link one sees in spam. A script redirects
to another site which should display the following:
ActiveX Object Error:
Your browser cannot display this image file.
You need to download new version of ActiveX
Object to view this image file.
To download and install ActiveX Object click Continue.
[Continue] [Cancel] [Details...]
Choosing [Continue] will present you with a Windows executable to run
(VideoAccessCodecInstall.exe). Choosing [Cancel] will send you into a
loop of dialogs (preventing the browser window from being closed)
until 'ok' is clicked, which has the same effect as [Continue].
This is the infamous Zlob trojan, installer of adware, bogus security
software and other malware.
> What happened next, is supposedly the
> printer attached to the PC, proceeded
> to print off 94 pages of random words &
> gibberish sentences.
>
> The website link above is no longer
> in service.
It is still live.
> Question is, what kind of "attack" (if
> this was one), was this ?
Social engineering.
> And, what was the source of the some 94
> pages of words ? (since supposedly many
> of the words / sentences in the pile of
> paper were contents of emails the owner
> had on the machine).
Perhaps the data was intended to be sent back to the attacker.
> How could just visiting a website cause a
> printer to spew out 94 pages of stuff ???
I suppose your friend installed the trojan in the hope of seeing some
pr0n. Who knows what damage it has done to the system.
Re: what would cause this ??
am 17.10.2007 23:40:46 von DrZaius
"Ant" wrote in message
news:i_ydnZ_rXqu5yIvanZ2dnUVZ8s-qnZ2d@brightview.co.uk...
> "DrZaius" wrote:
>
> > Friend clicks on a link to a website:
> >
> > hxxp://sajpj.eaqcfmc.cn/bupkgwd.html
>
> That looks like the kind of link one sees in spam. A script redirects
> to another site which should display the following:
>
> ActiveX Object Error:
> Your browser cannot display this image file.
>
> You need to download new version of ActiveX
> Object to view this image file.
>
> To download and install ActiveX Object click Continue.
>
> [Continue] [Cancel] [Details...]
>
>
> Choosing [Continue] will present you with a Windows executable to run
> (VideoAccessCodecInstall.exe). Choosing [Cancel] will send you into a
> loop of dialogs (preventing the browser window from being closed)
> until 'ok' is clicked, which has the same effect as [Continue].
>
> This is the infamous Zlob trojan, installer of adware, bogus security
> software and other malware.
>
> > What happened next, is supposedly the
> > printer attached to the PC, proceeded
> > to print off 94 pages of random words &
> > gibberish sentences.
> >
> > The website link above is no longer
> > in service.
>
> It is still live.
>
> > Question is, what kind of "attack" (if
> > this was one), was this ?
>
> Social engineering.
>
> > And, what was the source of the some 94
> > pages of words ? (since supposedly many
> > of the words / sentences in the pile of
> > paper were contents of emails the owner
> > had on the machine).
>
> Perhaps the data was intended to be sent back to the attacker.
>
> > How could just visiting a website cause a
> > printer to spew out 94 pages of stuff ???
>
> I suppose your friend installed the trojan in the hope of seeing some
> pr0n. Who knows what damage it has done to the system.
>
supposedly, this person thinks someone they met
online, deliberately aimed the attack at one specific
machine (hers).
is there a way to find out who the site belongs to?
i tried the usual methods, but came up short. my
day job is working with aircraft, not computer
security.
all those who responded/will respond thanks.
Re: what would cause this ??
am 18.10.2007 22:08:37 von Ant
"DrZaius" wrote:
> supposedly, this person thinks someone they met
> online, deliberately aimed the attack at one specific
> machine (hers).
How so? It's just a link; there's no obligation to click it. And even
if you do, Windows won't directly run the executable but will first
ask what to do with it if subsequently, the scripted dialog on the
page was clicked.
> is there a way to find out who the site belongs to?
> i tried the usual methods, but came up short.
The standard way is to use 'whois' but Windows doesn't have that
application by default. There are several websites where you can do
a whois lookup.
In any case, that was just the first link in the chain. there are a
few domains and hosts involved before you get to the malware.
sajpj.eaqcfmc.cn (the host for the original link) -> runs a script at:
goodnserver.info -> loads a page at:
mystats.name -> redirects to:
themymoviessite.com -> loads the malware execuable from:
videowebsoft.com
The domain eaqcfmc.cn is registered in China. I can't tell which
registry because the name is in Chinese. sajpj.eaqcfmc.cn has IP
address 217.20.112.28 which I find belongs to netdirekt in Germany.
goodnserver.info is registered through EstDomains (Estonia) and its
IP (217.20.113.27) also belongs to netdirekt.
mystats.name gives no useful info about the registry or registrant but
its hosted by 'Beyond The Network America' in the US at IP address
205.177.122.130.
themymoviessite.com and videowebsoft.com are both registered through
EstDomains and share the IP address 81.29.249.27. This is hosted by
'LLC GlobalWholesaleTrade' in Moscow, Russia.
All the EstDomains registrant (domain owner) details are unavailable.
Looking at the providers and countries here, I wouldn't count on fast
action in taking anything offline but you may be lucky.