User:Entropy/blacklist

It is OK to edit this article, even though it is in the user namespace! In fact, it is highly appreciated if users could update this page with new information as soon as they find it!

What?
Recently there have been a number of anons and users who have all performed very similar sorts of vandal-actions. Malicious intent and repeated vandalism are bannable offenses. Moreover, uploading an executable file which contained a self-extracting RAR archive is extremely dubious, even if it contained nothing explicitly malicious.

The attacks have come from sources with the following characteristics in common:
 * 1) Usage of South Korea flag/Asian imagery
 * 2) Uploading Korean MMO related registry keys in the executable
 * 3) Korean transliteration or nonsense usernames, sometimes with 999 appended to the end

Characteristics of attacks
Nonsensical edits like this, placed randomly or replacing a section header:




 * The image is anything, totally random. Sometimes they may upload their own. The uploaded images will have nonsense filenames.
 * Notice the thumb|left|17px (the px can vary, as can the left/right alignment). This is a consistent pattern.
 * Usually there will be one vandalism edit like this to a random page, followed by an edit to the user's userpage which is the same kind of edit.
 * Seems to target/use the hi-res skill icons?
 * Creates a nonsense spam article with just the thumbed image as content.

'If you see a new user do any of these things, please ban them infinitely, link to this page as the reason, and update the page with new info as necessary. Do not block IPs, as they are probably proxies.' (Or in any case, notify an admin in-game, e-mail, IRC, etc. ASAP) Because these are likely automated bots/scripts, it is important that they are taken out as soon as they are spotted, to reduce the potential mess.

Known vandalism targets/spam page titles

 * 1) Ki
 * 2) Ju
 * 3) Bu
 * 4) Kuki
 * 5) Assss
 * 6) Sddd
 * 7) Lolzss
 * 8) 32132132
 * 9) Kamunity
 * 10) Lo
 * 11) Ko
 * 12) 1234
 * Image:Hi-res-Bane Signet.jpg
 * Image:Hi-res-Holy Spear.jpg
 * 1) Ka
 * 2) Sa
 * 3) Guild

Images used

 * Image:Hi-res-Holy_Spear.jpg
 * Image:Hi-res-Anguish.jpg
 * Image:Inscription_(blue).jpg
 * Image:Mesmer_Ascended_Virtuosos_Female_FrontDyedBlue.jpg
 * Image:South_Korea_70x40.png
 * Image:RH-Shoop.png
 * Image:Gold dragon.jpg - "Mystic Empire" guildcape, of which User:CRushTurner and User:Woefpoef are members
 * Image:Hi-res-Zealous_Anthem.jpg
 * Image:Eagle_Defender_colored.jpg
 * Image:180px-Zombie_breakin_sign.jpg - old sig pic by User:Foul Bane
 * Image:Example.jpg
 * Image:ThumbnailCA6V3Y8L.jpg - Converse anklepatch
 * Image:User_Wormy_Logo.gif - old sig pic by User:Wormy
 * Image:647759605-1-.jpg - Naruto image
 * Image:ThumbnailCA0ZK5WF.jpg - Naruto image
 * Image:Start.exe - Korean MMO registry keys
 * Image:Dragon guild logo.PNG - guild logo for User:Wings That Heal
 * Image:"By Ural's Hammer!".jpg
 * Image:15k armors userbox.png
 * Image:Lemonformrsquints.jpg
 * Image:TBALogo.JPG
 * Image:SMK_Olias's_Staff.png
 * Image:Ooze_pit_map.jpg
 * Image:SP_Bloody_Mary.gif - User:GW-Shadowphoenix's Halloween image

Contents of the executable file
contents of this section copied selectively from User talk:Entropy


 * Not necessarily. It would have been simple to download the file and scan it, then we would have known for certain. --◄mendel► 17:59, 24 September 2008 (UTC)


 * I have done that, and it did not contain a virus. That doesn't mean it wasn't malware, though.  It is a self-extracting RAR archive.  I found this in the "Comments" tab of the file properties window:

;The comment below contains SFX script commands

Setup=Host.exe Setup=Regedit.exe -s -i Reg.reg Setup=Login.exe Silent=1 Overwrite=1
 * I believe that means that once it finishes extracting, it will automatically run all of the "Setup=" commands, and it will do so silently. Looks like it might be a keylogger or password cracker of some sort.  &mdash;Dr Ishmael [[Image:Diablo_the_chicken.gif]] 18:35, 24 September 2008 (UTC)
 * Scanning the start.exe with a virus scanning might've been interesting, and so would have extracting it with winzip or winrar or some other extraction utitility - that would avoid the automatic running of the setup. I am unsure if that was an attempt to attack the server - as far as I know, they run a unixoid OS, so a file with no extension would have been more helpful there. As it is, what you wrote makes it more probable that this is malware, but it's not certain yet. --◄mendel► 09:18, 25 September 2008 (UTC)
 * Ishmael has a copy of the file so he could probably run any further diagnostics that you think would be interesting. I don't know what exactly its intent was, but I do think that whatever it was, it certainly wasn't meant to be a good thing. [[Image:Entropy Sig.jpg]] (T/C) 02:29, 26 September 2008 (UTC)
 * I hadn't thought of opening with WinRAR, so... well. It actually only has one file in it, Reg.reg, unlike the three I'd expected from the SFX script I posted above.  Here are the contents of the file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client] "Folder(P2)"="E:\\Game\\CIB\\RYL2"

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client(MY)] "Folder"="E:\\Game\\CIB\\RYL2" "Width"=dword:00000400 "Height"=dword:00000300 "Depth"=dword:00000010 "GamePort"=dword:00004e22 "DlgControl"=dword:02d7030b "QuickSlot"=dword:02d701cd "Status"=dword:02d70000 "Enchant"=dword:00740000 "Chat"=dword:025e01cd "Vertical"=dword:00000000 "ChatDlgType"=dword:00000001 "VisibleFlag"=dword:0000000d "Adapter"="NVIDIA GeForce 7300 GT" "Refresh"=dword:0000003c "InitValue"=hex:00,04,00,00,00,03,00,00,10,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,88,b7,d4,77 "RenderOption"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,01,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\  00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "SiegeTime"=dword:0001005a "StatusDlgExLv"=dword:00000000 "Folder(P2)"="E:\\Game\\CIB\\RYL2"
 * Looks like it's just some registry keys for the MMO Risk Your Life, which looks like it's just another Korean cookie-cutter. So nothing malicious, but still worthy of deletion.  &mdash;Dr Ishmael [[Image:Diablo_the_chicken.gif]] 02:55, 26 September 2008 (UTC)