Thursday, August 09, 2007

MySpace d5d1 Virus

Thanks to Charles's help, I've found the bugs in my template and deleted them. As a result, my site is now loading normally. I still have to go and clean up the VT site, but having a search feature makes it a breeze to find the evil script.

If you've been affected and need to de-bug your template, here's what to look for and delete. Go to your Template, Edit HTML, and check the "Expand Widgets" box. The piece of garbage you're looking for is (script src="http://d5d1 dot com/b"). I've used parentheses instead of greater than/less than signs so it wouldn't actually come out as a piece of code here. I found the intruder twice in my template.

I found the first piece at the very top of the template, first paragraph.

The second piece of it was located farther down, and the template code it's inserted into begins with /** Page structure tweaks for layout editor wireframe */ body#layout #header { margin-left: 0px; margin-right: 0px; } ]]
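As an added example (not from the original post), here is a small Node.js script that does the "find and delete" step on a saved copy of a template: it reports every script tag loading from the indicator domain named above, with its line number, and returns a cleaned copy. The sample template is constructed here to mirror the two locations the post describes.

```javascript
// Indicator domain from the post; the template text below is constructed.
const INJECTED_DOMAIN = "d5d1.com";

// Builds a regex for a <script ... src="...<domain>..."> tag plus its optional
// </script>, tolerant of attribute order, quoting style, subdomains and case.
function injectedScriptPattern(domain) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(
    `<script\\b[^>]*\\bsrc\\s*=\\s*["']?(?:https?:)?//(?:[\\w-]+\\.)*${escaped}[^>]*>\\s*(?:</script\\s*>)?`,
    "gi"
  );
}

// Returns one entry per hit with its 1-based line number and the raw tag,
// so each location can be confirmed before anything is deleted.
function findInjectedScripts(template, domain = INJECTED_DOMAIN) {
  const re = injectedScriptPattern(domain);
  const hits = [];
  let m;
  while ((m = re.exec(template)) !== null) {
    const line = template.slice(0, m.index).split("\n").length;
    hits.push({ line, tag: m[0] });
  }
  return hits;
}

// Strips every hit and returns the cleaned template plus a removal count.
function cleanTemplate(template, domain = INJECTED_DOMAIN) {
  const removed = findInjectedScripts(template, domain).length;
  const cleaned = template.replace(injectedScriptPattern(domain), "");
  return { cleaned, removed };
}

// Constructed sample: the tag planted at the very top of the template and
// again inside the layout-editor CSS block, as described in the post.
const SAMPLE_TEMPLATE = [
  '<?xml version="1.0" encoding="UTF-8" ?>',
  '<script src="http://d5d1.com/b"></script>',
  "<html><head>",
  "<style>",
  "/** Page structure tweaks for layout editor wireframe */",
  "body#layout #header { margin-left: 0px; margin-right: 0px; }",
  "<SCRIPT SRC='http://www.d5d1.com/b'>",
  "</style></head><body></body></html>",
].join("\n");

for (const h of findInjectedScripts(SAMPLE_TEMPLATE)) {
  console.log(`line ${h.line}: ${h.tag}`);
}
```

Run it against a template you have pasted into a local file by replacing SAMPLE_TEMPLATE with the file contents; the same regex is what to grep for when viewing a page's source.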

Good luck!

17 comments:

Kanrei said...

YOU'RE BACK!!!! YAY CHARLIE! My hero! I am going to link to this if you don't mind. I have had a few people (2) stop by looking for answers.

Serena Joy said...

If Charles hadn't told me what to look for, I'd still be hunting down that long string of numbers alluded to in the site you showed a link to. It didn't dawn on me 'til reading it several times that they were talking about MySpace blog templates.

By all means, link to this. Blogger is sure as hell not going to tell people what to do to solve the problem.

Kanrei said...

Sorry about the confusion. =D Fun day I suppose...(ellipse)

MONA said...

Serena Serena...It attacked me too.. that horrible virus! Charles is decoding it for me too! Charles is soooo....I don't have words to describe him!!!!!

Serena Joy said...

It all came out in the wash, Kan.:) You're now really enamored of ellipses, aren't you? LOL.

I hear you, Mona. If Charles hadn't told me what to hunt down and zap, I'd probably still be trying to figure it out. He's really good with this stuff, and great about lending a helping hand.

Charles said...

If you put this in right after the <head> tag in your template:

<script language="javascript" type="text/javascript"><![CDATA[function protect(){document.scripted=1;}]]></script>

then change the
<body>
tag to
<body onload="protect()">
it should help prevent the virus from infecting your blog.

Serena Joy said...

Thank you, Charles. I'm going to go stick that in my blogs right now.

Charles said...

Something still needs to be figured out for taking care of the browsers, though. I'm not sure what it's doing to the browser, probably adding an object to the core, but it's not likely that it can be prevented. I'd suggest if you open a page that is infected that you close your browser before going to any other site. If you view source and look for the 'script src="http://d5d1 dot com/b"' then you're pretty well assured it's infected.

Camille Alexa said...

I don't know what this means.

Corn Dog said...

Whoa! I've been away for a few days. I didn't know any virus was going off. Glad everything is okey dokey now. Yeah Charles.

Splotchy said...

Thanks for the info.

My own blog wasn't affected, but someone I regularly read was, and I noticed that it seemed to stick going to the d5d1 site.

He ended up changing his template and cleared up the issue.

God bless the interwebs.

Charles said...

If the virus caused you any frustration, here's the information from whois for the hosting "domain" (notice the name servers are cnmsn):

Domain name: d5d1.com

Registrant Contact:
D5 LTD
Laurence Bunch d5@d5d1.com
4157710928 fax:
704 Sutter Street
San Francisco CA 94109
us

Administrative Contact:
Laurence Bunch d5@d5d1.com
4157710928 fax:
704 Sutter Street
San Francisco CA 94109
us

Technical Contact:
Laurence Bunch d5@d5d1.com
4157710928 fax:
704 Sutter Street
San Francisco CA 94109
us

Billing Contact:
Laurence Bunch d5@d5d1.com
4157710928 fax:
704 Sutter Street
San Francisco CA 94109
us

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2007-06-20
Expires: 2008-06-20

Serena Joy said...

I know it sounds like technical gobbledy-gook, Camille. By the way, your blog is loading normally for me this morning.

I agree, CD -- 3 cheers for Charles!

You're welcome, Splotchy. I'm glad you weren't affected. If you do get infected at any point, now you'll know what to do about it.

Charles, do you think that guy generated the virus deliberately, or was it just an inadvertent side effect?

Kanrei said...

Based on what I have read I think it was spyware gone wrong. A virus would not have an address you could find information about I would think. Either way, he got attention. Does anyone know what they sell anyway?

Serena Joy said...

Yeah, he got some attention, all right. He'll be lucky if a mob with pitchforks and torches doesn't come after him. Whatever he's selling is probably dead in the water now. Jerkoff. I ran a virus scan on all my computers and none of them caught it since it was embedded in the Blogger template. Anyone know if there's a solution to that problem?

Charles said...

The long string of numbers being converted and run as code via the eval statement says the A__hat was definitely trying to obfuscate the virus. It may have jumped from MySpace to Blogger and probably other blogging providers inadvertently, but he knew what he was doing was wrong. The fact that the nameservers are in China may give us a bit of a clue, but as to what of, I haven't the foggiest idea. I do think the domain name was purchased for the express intent of hiding that he's likely in China. I haven't researched as to what the product or anything might have been. The name in itself is probably hexadecimal for something in an encoding other than ASCII. It may be a unicode encoding for something significant to Chinese.

Serena Joy said...

I used to have a terrible time with Chinese spammers on my board. They'd post messages consisting of nothing but links (in Chinese characters, of course). I'd block their IP numbers, but they always had 20 more in reserve. It finally stopped when I installed Spam Poison. I have Spam Poison on my blog, too, but it didn't stop this. Hopefully, your code snippets that I added will do that in the future.