Its so-called "version check" when it starts is this:
code:
POST /version.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-us
Content-Length: 0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.block-checker.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 17 Aug 2005 15:51:18 GMT
Server: Apache
Last-Modified: Fri, 12 Aug 2005 00:00:51 GMT
ETag: "190107-b-34f0d2c0"
Accept-Ranges: bytes
Content-Length: 11
Content-Type: text/html
Age: 1
Connection: close

version 1.0
If you enter an address and click Check, all it does is contact http://blockstatus.com/msn/stchecker with the appropriate POST variables filled in. Effectively ripping off their service.
Installs these files in C:\Program Files\Block Checker
code:
08/11/2005 04:50 PM 720,896 Block Checker.exe
08/10/2005 07:46 PM 49,152 block-checker.exe
08/10/2005 07:45 PM 28,672 csrss.exe
08/17/2005 05:51 PM 2,037 setup.log
08/11/2005 04:16 PM 16,384 setup_finish.exe
10/18/2003 05:58 PM 64,512 uninstall.exe
6 File(s) 881,653 bytes
"Block Checker.exe" is the one which is the block checker, the others run in the background:
csrss.exe and block-checker.exe are executed at the end of installation. csrss.exe is the name of a critical Windows process, obviously why the file was named that.
setup_finish.exe (coded in VB) is the file which is executed at the end of installation and it executes csrss.exe and block-checker.exe. It also seems to attempt to delete "system.exe".
csrss.exe is written in VB too, and its purpose is simply to constantly scan the process list and make sure block-checker.exe is there. If it isn't, it will restart the exe.
And of course our lovely block-checker.exe's reason for running is to search for Yahoo, MSN and AIM conversation windows it can send the following messages to:
"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"
"Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on MSN because I use http://www.block-checker.com"
"Did they block you too? Download a free MSN Block Checker http://www.block-checker.com"
"Find out who's blocking you on MSN, Download it free from http://www.block-checker.com"
"Find out who's blocking you on Yahoo, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on Yahoo? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on Yahoo because I use http://www.block-checker.com"
"Did they block you too? Download a free Yahoo Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on MSN! Download it now http://www.block-checker.com"
"Find out who's blocking you on AIM, Download it free from http://www.block-checker.com"
"Did you know you can find out who blocked you on AIM? Check it out, it's free http://www.block-checker.com"
"I know who's blocking me on AIM because I use http://www.block-checker.com"
"Did they block you too? Download a free AIM Block Checker http://www.block-checker.com"
"Hey you can see who's blocking you on AIM! Download it now http://www.block-checker.com"
The code has evidence that it also searches the process list for csrss.exe to keep it running, but I think their plan backfired as it will always find the legitimate Windows csrss.exe file.
To send messages to MSN Messenger conversation windows it searches for windows containing " - Conversation" and uses sendkeys to send the message.
It creates files "exclusion_AOL.ini", "exclusion_MSN.ini" and "exclusion_Yahoo.ini" in the system directory which look like they include the people the message has already been sent to, in order not to resend it to anyone...
It adds itself to startup, of course, under HKLM with the name "block-checker" pointing to C:\Program Files\Block Checker\block-checker.exe.
@mwe99: well how the hell is your antivirus going to pick it up if THIS IS A NEW VIRUS? An antivirus can't detect what it doesn't know about.
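The two persistence tricks described in the post (a second csrss.exe running outside system32 that restarts block-checker.exe, plus an HKLM Run entry named "block-checker") lend themselves to a simple host triage check. The following is an added example written for this page, not code from the post or from the software it analyses. It works on a constructed process list and Run-key snapshot modelled on the post's findings, assumes a system32 path of C:\WINDOWS\system32 and a short assumed list of core Windows process names, and generalises the idea to any protected name running from the wrong directory; on a real host you would fill the two inputs from the process list and the Run key.

```python
"""Triage: spot a process masquerading as a core Windows binary, the processes it
guards from the same directory, and the Run-key entries that point there."""
import ntpath

SYSTEM32 = r"C:\WINDOWS\system32"  # assumed location of the real csrss.exe

# Constructed sample inputs modelled on the post's findings; nothing here was
# captured from a real host.
SAMPLE_PROCESSES = [
    {"pid": 620, "name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe"},
    {"pid": 1840, "name": "csrss.exe", "path": r"C:\Program Files\Block Checker\csrss.exe"},
    {"pid": 1852, "name": "block-checker.exe",
     "path": r"C:\Program Files\Block Checker\block-checker.exe"},
    {"pid": 1900, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
]
SAMPLE_RUN_KEY = {  # value name -> command, as found under HKLM\...\CurrentVersion\Run
    "block-checker": r"C:\Program Files\Block Checker\block-checker.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Assumed short list of core Windows process names that only ever run from system32.
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}


def _norm_dir(path):
    """Directory part of a Windows path, normalised and lower-cased for comparison."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def find_masquerading(processes, system32=SYSTEM32):
    """Processes carrying a protected system name whose image is not in system32."""
    sys_dir = ntpath.normpath(system32).lower()
    return [p for p in processes
            if p["name"].lower() in PROTECTED_NAMES and _norm_dir(p["path"]) != sys_dir]


def triage(processes, run_values, system32=SYSTEM32):
    """Correlate impostors with what shares their directory and with Run-key entries."""
    masq = find_masquerading(processes, system32)
    suspect_dirs = {_norm_dir(p["path"]) for p in masq}
    # Anything else running from an impostor's directory is probably what it guards.
    guarded = [p for p in processes
               if p not in masq and _norm_dir(p["path"]) in suspect_dirs]
    run_hits = {name: cmd for name, cmd in run_values.items()
                if _norm_dir(cmd) in suspect_dirs}
    return {"masquerading": masq, "guarded": guarded,
            "run_entries": run_hits, "suspect_dirs": sorted(suspect_dirs)}


def remediation_order(report):
    """The fake csrss.exe restarts block-checker.exe whenever it vanishes, so the
    watchdog has to be stopped before the binary it guards."""
    return ([p["pid"] for p in report["masquerading"]]
            + [p["pid"] for p in report["guarded"]])


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESSES, SAMPLE_RUN_KEY)
    for p in result["masquerading"]:
        print(f"impostor: pid {p['pid']} {p['name']} at {p['path']}")
    for p in result["guarded"]:
        print(f"guarded by impostor: pid {p['pid']} {p['path']}")
    for name, cmd in result["run_entries"].items():
        print(f"Run entry '{name}' -> {cmd}")
    print("stop in this order:", remediation_order(result))
```

The ordering returned by remediation_order matters: killing block-checker.exe first just gives the fake csrss.exe something to restart, which is exactly the behaviour the post describes.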