[Dshield] Site suspect

Johannes Ullrich jullrich at euclidian.com
Fri Oct 24 13:35:08 GMT 2003

As said earlier, the page is just a cyber squatter page. Someone who got
lucky and reserved the domain before Hyatt got it (I guess Hyatt could
get it if they have a trademark for 'Hyatt Regency').

The javascript is a harmless popup ad. I guess it's a bit broken as
it is likely supposed to advertise a virus scanner / firewall if you
click 'yes'.

I modified the javascript so it is not triggering any virus scanners
and will not execute on any client. (Replaced 'O' with '0' and 'I' with

<B0DY 0nl0ad="c0nfirmG0t0()">
 var exit=true;
 function confirmG0t0() {
 if (ex1t) {
 if (c0nf1rm("W32 RPC V1rus Warn1ng !!!\n\n Your PC may be 1nfected     
     CLICK on 0K\n    to Scan and Clean !")) {
} else {

The remainder is just junk to feed search engines.

On Fri, 2003-10-24 at 01:21, Kenneth Coney wrote:
> Tried it.  Nothing happened.  No pop up.  Probably clicking ok would have 
> started to download a virus.  Can't really tell without seeing it.
> Walrus
> Subject: [Dshield] Site suspect
> From: "john beck" <jbeck80 at hotmail.com>
> Date: Thu, 23 Oct 2003 13:55:57 -0500
> To: list at dshield.org
> I have been alerted to a website that someone was going to book a room at 
> Hyatt Regency and they went to www.hyattregency.com and there it will give 
> a popup that says you have the rpc virus and it wants you to click ok to 
> scan your machine, I am now blocking the site and have not begun to check 
> out what it is doing or planting but wanted to let everyone know, if anyone 
> checks this or has info on it, please post or send to me off list.
> Thank You
> John
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
