User:Entropy/blacklist

It is OK to edit this article, even though it is in the user namespace! In fact, it is highly appreciated if users could update this page with new information as soon as they find it!

What?
Recently there have been a number of anons and users who have all performed very similar sorts of vandal-actions. I suspect that they are all controlled by the same person, and/or that they are automated scripts, bots, etc. Sockpuppetry by itself is not a bannable offense, however, malicious intent and repeated vandalism is. Moreover, uploading an executable file which contained a self-extracting RAR archive is extremely dubious.

It is believed at this time that the bot/script/whatever is of Korean origin.
 * 1) Usage of South Korea flag
 * 2) Uploading Korean MMO related registry keys in the executable
 * 3) Korean transliteration usernames

Characteristics
Nonsensical edits like this, placed randomly or replacing a section header:




 * The image is anything, totally random. Sometimes they may upload their own. The uploaded images will have nonsense names.
 * Notice the thumb|left|17px (the px can vary, as can the left/right alignment). This is a consistent pattern.
 * Usually there will be one vandalism edit like this to a random page, followed by an edit to the user's userpage which is the same kind of edit.
 * Seems to target/use the hi-res skill icons?
 * Creates a nonsense spam article with just the image as content.

Registered accounts

 * 1) User:Kimsaejung
 * 2) User:HANSAEWOO
 * 3) User:Ikki999

Anons

 * 1) User:60.53.70.142
 * 2) User:60.53.65.202

Known targets

 * 1) Ki
 * 2) Ju
 * 3) 32132132
 * Image:Hi-res-Bane Signet.jpg
 * Image:Hi-res-Holy Spear.jpg
 * Image:647759605-1-.jpg
 * Image:ThumbnailCA0ZK5WF.jpg
 * Image:Start.exe

Images used

 * Image:Hi-res-Holy_Spear.jpg
 * Image:Hi-res-Anguish.jpg
 * Image:Inscription_(blue).jpg
 * Image:Mesmer_Ascended_Virtuosos_Female_FrontDyedBlue.jpg
 * Image:South_Korea_70x40.png
 * Image:RH-Shoop.png
 * Image:Gold dragon.jpg
 * Image:Hi-res-Zealous_Anthem.jpg
 * Image:Eagle_Defender_colored.jpg
 * Image:180px-Zombie_breakin_sign.jpg
 * Image:Example.jpg

Contents of executable file
contents of this section copied selectively from User talk:Entropy


 * Not necessarily. It would have been simple to download the file and scan it, then we would have known for certain. --◄mendel► 17:59, 24 September 2008 (UTC)


 * I have done that, and it did not contain a virus. That doesn't mean it wasn't malware, though.  It is a self-extracting RAR archive.  I found this in the "Comments" tab of the file properties window:

;The comment below contains SFX script commands

Setup=Host.exe Setup=Regedit.exe -s -i Reg.reg Setup=Login.exe Silent=1 Overwrite=1
 * I believe that means that once it finishes extracting, it will automatically run all of the "Setup=" commands, and it will do so silently. Looks like it might be a keylogger or password cracker of some sort.  &mdash;Dr Ishmael [[Image:Diablo_the_chicken.gif]] 18:35, 24 September 2008 (UTC)
 * Scanning the start.exe with a virus scanning might've been interesting, and so would have extracting it with winzip or winrar or some other extraction utitility - that would avoid the automatic running of the setup. I am unsure if that was an attempt to attack the server - as far as I know, they run a unixoid OS, so a file with no extension would have been more helpful there. As it is, what you wrote makes it more probable that this is malware, but it's not certain yet. --◄mendel► 09:18, 25 September 2008 (UTC)
 * Ishmael has a copy of the file so he could probably run any further diagnostics that you think would be interesting. I don't know what exactly its intent was, but I do think that whatever it was, it certainly wasn't meant to be a good thing. [[Image:Entropy Sig.jpg]] (T/C) 02:29, 26 September 2008 (UTC)
 * I hadn't thought of opening with WinRAR, so... well. It actually only has one file in it, Reg.reg, unlike the three I'd expected from the SFX script I posted above.  Here are the contents of the file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client] "Folder(P2)"="E:\\Game\\CIB\\RYL2"

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client(MY)] "Folder"="E:\\Game\\CIB\\RYL2" "Width"=dword:00000400 "Height"=dword:00000300 "Depth"=dword:00000010 "GamePort"=dword:00004e22 "DlgControl"=dword:02d7030b "QuickSlot"=dword:02d701cd "Status"=dword:02d70000 "Enchant"=dword:00740000 "Chat"=dword:025e01cd "Vertical"=dword:00000000 "ChatDlgType"=dword:00000001 "VisibleFlag"=dword:0000000d "Adapter"="NVIDIA GeForce 7300 GT" "Refresh"=dword:0000003c "InitValue"=hex:00,04,00,00,00,03,00,00,10,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,88,b7,d4,77 "RenderOption"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,01,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\  00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "SiegeTime"=dword:0001005a "StatusDlgExLv"=dword:00000000 "Folder(P2)"="E:\\Game\\CIB\\RYL2"
 * Looks like it's just some registry keys for the MMO Risk Your Life, which looks like it's just another Korean cookie-cutter. So nothing malicious, but still worthy of deletion.  &mdash;Dr Ishmael [[Image:Diablo_the_chicken.gif]] 02:55, 26 September 2008 (UTC)