Block-Checker
mwe99
Veteran Member
*****

Avatar

Posts: 2514
Reputation: 67
36 / Male / Flag
Joined: Jul 2004
O.P. Block-Checker
Moderator edit: do not download/use this, it is a virus.
This thread is here merely because it contains more information on this thing.

Ha :P bet you thought someone was gonna ask how

lol moving on...

Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.block-checker.com

anyone had that annoying message? what do they make of the program if you're using it

Moderator edit: do not download/use this, it is a virus.

This post was edited on 08-17-2005 at 04:38 PM by Tochjo.
08-17-2005 03:29 PM
Profile PM Find Quote Report
absorbation
Elite Member
*****

Avatar

Posts: 3636
Reputation: 81
– / Male / Flag
Joined: Feb 2005
RE: Block-Checker
looks dodgy, the download count keeps changing :S plus it says 100% accurate and is for yahoo as well :(
08-17-2005 03:31 PM
Profile PM Find Quote Report
mwe99
Veteran Member
*****

Avatar

Posts: 2514
Reputation: 67
36 / Male / Flag
Joined: Jul 2004
O.P. RE: Block-Checker
Well it just told me my friend sent the message but on his screen I sent it... whatever it is, it's dodgy
08-17-2005 03:32 PM
Profile PM Find Quote Report
~INVASION~
Veteran Member
*****

Avatar

Posts: 1094
Reputation: 29
36 / Male / Flag
Joined: May 2004
Status: Away
RE: Block-Checker
lmao

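code:
<script language="JavaScript">
<!--
// Returns a random integer between 0 and upper_limit
function RandomNumber(upper_limit)
{
    return Math.round(upper_limit * Math.random());
}
//-->
</script>

<script language="JavaScript">
<!--
// The "download count" written into the page is just a random number
var upper_limit = 1000000;
document.write(RandomNumber(upper_limit) + ' Downloads');
//-->
</script>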
{WindowsLive Butterfly ~ 2006 - 2009}
08-17-2005 03:34 PM
Profile PM Find Quote Report
mwe99
Veteran Member
*****

Avatar

Posts: 2514
Reputation: 67
36 / Male / Flag
Joined: Jul 2004
O.P. RE: Block-Checker
quote:
Originally posted by ~INVASION~
lmao

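code:
<script language="JavaScript">
<!--
// Returns a random integer between 0 and upper_limit
function RandomNumber(upper_limit)
{
    return Math.round(upper_limit * Math.random());
}
//-->
</script>

<script language="JavaScript">
<!--
// The "download count" written into the page is just a random number
var upper_limit = 1000000;
document.write(RandomNumber(upper_limit) + ' Downloads');
//-->
</script>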


Yar I just found that, to remove it if the uninstaller mysteriously doesn't work you have to boot in safe mode and edit the registry
08-17-2005 03:36 PM
Profile PM Find Quote Report
Millenium_edition
Veteran Member
*****

Avatar

Posts: 1787
Reputation: 57
Joined: Apr 2003
RE: Block-Checker
it's probably a trojan/keylogger or something :-/

someone should reverse it

okay, i've asked segosa to reverse it, first results, it is a virus, which means do not install it

This post was edited on 08-17-2005 at 03:52 PM by Millenium_edition.
08-17-2005 03:41 PM
Profile E-Mail PM Find Quote Report
mwe99
Veteran Member
*****

Avatar

Posts: 2514
Reputation: 67
36 / Male / Flag
Joined: Jul 2004
O.P. RE: Block-Checker
strange that my anti virus never picked it up :S

thanks anyways m_e
08-17-2005 04:04 PM
Profile PM Find Quote Report
toddy
Veteran Member
*****

Avatar
kcus uoy

Posts: 2573
Reputation: 49
– / Male / Flag
Joined: Jun 2004
RE: Block-Checker
rofl at newbs



block checkers don't work.....it wasn't gonna be anything else apart from a trojan
08-17-2005 04:05 PM
Profile PM Find Quote Report
segosa
Community's Choice
*****


Posts: 1407
Reputation: 92
Joined: Feb 2003
RE: Block-Checker
Its so-called "version check" when it starts is this:

code:
POST /version.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Content-Length: 0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.block-checker.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 17 Aug 2005 15:51:18 GMT
Server: Apache
Last-Modified: Fri, 12 Aug 2005 00:00:51 GMT
ETag: "190107-b-34f0d2c0"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html
Age: 1
Connection: close

version 1.0


If you enter an address and click check, all it does is contact http://blockstatus.com/msn/stchecker with the appropriate POST variables filled in, effectively ripping off their service.

Installs these files in C:\Program Files\Block Checker
code:
08/11/2005  04:50 PM           720,896 Block Checker.exe
08/10/2005  07:46 PM            49,152 block-checker.exe
08/10/2005  07:45 PM            28,672 csrss.exe
08/17/2005  05:51 PM             2,037 setup.log
08/11/2005  04:16 PM            16,384 setup_finish.exe
10/18/2003  05:58 PM            64,512 uninstall.exe
               6 File(s)        881,653 bytes

"Block Checker.exe" is the one which is the block checker, the others run in the background:

csrss.exe and block-checker.exe are executed at the end of installation. csrss.exe is the name of a critical Windows process, obviously why the file was named that.

setup_finish.exe (coded in VB) is the file which is executed at the end of installation and it executes csrss.exe and block-checker.exe. It also seems to attempt to delete "system.exe".

csrss.exe is written in VB too, and its purpose is simply to constantly scan the process list and make sure block-checker.exe is there. If it isn't, it will restart the exe.

And of course our lovely block-checker.exe's reason for running is to search for Yahoo, MSN and AIM conversation windows it can send the following messages to:

"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"
"Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on MSN because I use http://www.block-checker.com"
"Did they block you too? Download a free MSN Block Checker http://www.block-checker.com"
"Find out who's blocking you on MSN, Download it free from http://www.block-checker.com"

"Find out who's blocking you on Yahoo, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on Yahoo? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on Yahoo because I use http://www.block-checker.com"
"Did they block you too? Download a free Yahoo Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"

"Find out who's blocking you on AIM, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on AIM? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on AIM because I use http://www.block-checker.com"
"Did they block you too? Download a free AIM Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on AIM! Download it now http://www.block-checker.com"


The code has evidence that it also searches the process list for csrss.exe to keep it running, but I think their plan backfired as it will always find the legitimate Windows csrss.exe file.

To send messages to MSN Messenger conversation windows it searches for windows containing " - Conversation" and uses sendkeys to send the message.

It creates files "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" in the system directory which look like they include the people the message has already been sent to, in order not to resend it to anyone...

It adds itself to startup, of course, under HKLM with the name "block-checker" pointing to C:\Program Files\Block Checker\block-checker.exe.

@mwe99: well how the hell is your antivirus going to pick it up if THIS IS A NEW VIRUS? An antivirus can't detect what it doesn't know about.

This post was edited on 08-17-2005 at 04:21 PM by segosa.
The previous sentence is false. The following sentence is true.
08-17-2005 04:17 PM
Profile PM Find Quote Report
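Added example, not part of segosa's post or the original thread: a small triage script that checks an exported host inventory against the indicators listed in the analysis above (a csrss.exe running outside the system directory, processes from the install folder, the "block-checker" startup entry, and the exclusion_*.ini files). The function name, the tuple input format, the default system directory and the sample inventory are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the analysis in the thread.
INSTALL_DIR = r"C:\Program Files\Block Checker"
RUN_VALUE_NAME = "block-checker"
EXCLUSION_FILES = {"exclusion_aol.ini", "exclusion_msn.ini", "exclusion_yahoo.ini"}

def norm(path):
    """Normalise a Windows path for comparison (quotes, \\??\\ prefix, case)."""
    p = path.strip('"')
    if p.startswith("\\??\\"):  # NT-style prefix some process listings show
        p = p[4:]
    return ntpath.normpath(p).lower()

def triage(processes, run_entries, system_dir_files,
           system_dir=r"C:\Windows\System32"):  # assumed default location
    """processes: (image name, full path); run_entries: (value name, command)."""
    findings = []
    sysdir, install = norm(system_dir), norm(INSTALL_DIR)
    for name, path in processes:
        folder = ntpath.dirname(norm(path))
        # The real csrss.exe only ever runs from the system directory, so a
        # name-only check (like the one the malware itself uses) is not enough.
        if name.lower() == "csrss.exe" and folder != sysdir:
            findings.append(("masquerade", path))
        elif folder == install:
            findings.append(("process", path))
    for value_name, command in run_entries:
        if value_name.lower() == RUN_VALUE_NAME or install in norm(command):
            findings.append(("autorun", value_name))
    for fname in system_dir_files:
        if fname.lower() in EXCLUSION_FILES:
            findings.append(("artifact", fname))
    return findings

# Constructed sample inventory (not captured from a real host).
SAMPLE_PROCESSES = [
    ("csrss.exe", r"\??\C:\WINDOWS\system32\csrss.exe"),
    ("csrss.exe", r"C:\Program Files\Block Checker\csrss.exe"),
    ("block-checker.exe", r"C:\Program Files\Block Checker\block-checker.exe"),
    ("msnmsgr.exe", r"C:\Program Files\MSN Messenger\msnmsgr.exe"),
]
SAMPLE_RUN = [
    ("block-checker", r"C:\Program Files\Block Checker\block-checker.exe"),
    ("MsnMsgr", r'"C:\Program Files\MSN Messenger\msnmsgr.exe" /background'),
]
SAMPLE_SYSDIR_FILES = ["exclusion_MSN.ini", "kernel32.dll"]

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_PROCESSES, SAMPLE_RUN, SAMPLE_SYSDIR_FILES):
        print(kind, item)
```

Comparing the full image path rather than the process name is what separates the legitimate csrss.exe from the copy in the install folder.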
Concord Dawn
Veteran Member
*****

Avatar
This is a loopy fruit.

Posts: 1203
Reputation: 16
34 / Male / –
Joined: Feb 2004
RE: Block-Checker
Sounds kind of lame tbh.
[Image: 7.png]
08-17-2005 04:33 PM
Profile E-Mail PM Find Quote Report