GuildWiki has been locked down: anonymous editing and account creation are disabled. Current registered users are unaffected. Leave any comments on the Community Portal.

User:Entropy/blacklist

From GuildWiki
Jump to: navigation, search

It is OK to edit this article, even though it is in the user namespace! In fact, it is highly appreciated if users could update this page with new information as soon as they find it!

What?[edit | edit source]

Recently there have been a number of anons and users who have all performed very similar sorts of vandal-actions. Malicious intent and repeated vandalism are bannable offenses. Moreover, uploading an executable file which contained a self-extracting RAR archive is extremely dubious, even if it contained nothing explicitly malicious.

The attacks have come from sources with the following characteristics in common:

  1. Usage of South Korea flag/Asian imagery
  2. Uploading Korean MMO related registry keys in the executable
  3. Korean transliteration or nonsense usernames, sometimes with 999 appended to the end

Characteristics of attacks[edit | edit source]

Nonsensical edits like this, placed randomly or replacing a section header:

[[Image:South_Korea_70x40.png|thumb|left|18px]] Alternatively, [[Image:South_Korea_70x40.png|thumb|left|mk]]

  • The image is anything, totally random. Sometimes they may upload their own. The uploaded images will have nonsense filenames.
  • Notice the thumb|left|17px / mk (the px can vary, as can the left/right alignment). This is a consistent pattern.
  • Usually there will be one vandalism edit like this to a random page, followed by an edit to the user's userpage which is the same kind of edit.
  • Seems to target/use the hi-res skill icons?
  • Creates a nonsense spam article with just the thumbed image as content.

If you see a new user do any of these things, please ban them infinitely, link to this page as the reason, and update the page with new info as necessary. Do not block IPs unless they have already vandalized before (see list below), as they are probably proxies. (Or in any case, notify an admin in-game, e-mail, IRC, etc. ASAP) Because these are likely automated bots/scripts, it is important that they are taken out as soon as they are spotted, to reduce the potential mess.

Known accounts[edit | edit source]

#[[User:Kimsaejung]]
#[[User:HANSAEWOO]]
#[[User:Ikki999]]
#[[User:Hoho999]]
#[[User:Hansaewoo]]

Anons[edit | edit source]

#[[User:60.48.177.177]]
#[[User:60.48.179.106]]
#[[User:60.50.162.182]]
#[[User:60.50.163.247]]
#[[User:60.50.165.236]]
#[[User:60.50.168.0]]
#[[User:60.50.168.58]]
#[[User:60.53.64.143]]
#[[User:60.53.64.206]]
#[[User:60.53.65.202]]
#[[User:60.53.68.22]]
#[[User:60.53.68.58]]
#[[User:60.53.68.220]]
#[[User:60.53.70.142]]
#[[User:60.53.158.89]]
#[[User:60.53.217.54]]
#[[User:60.53.218.155]]
#[[User:60.53.219.180]]

#[[User:86.4.15.155]] (anomaly?)

Known spam page titles[edit | edit source]

(sysops: edit list here)

#{{:Ki}}
#{{:Ju}}
#{{:Bu}}
#{{:Kuki}}
#{{:Assss}}
#{{:Sddd}}
#{{:Lolzss}}
#{{:32132132}}
#{{:Kamunity}}
#{{:Lo}}
#{{:Ko}}
#{{:1234}}
#{{:Ka}}
#{{:Sa}}
#{{:Asmi}}
#{{:Kimsa}}
#{{:Kaka}}
#{{:Logo}}
#{{:5555}}
#{{:Asd}}
#{{:Iiii}}
#{{:Logo \\\\\\\\\\\}}

New titles[edit | edit source]

Please add any new spam page titles here. A sysop will add it to the protected list (and delete it etc. if not done so already).

Vandalized legetimate pages[edit | edit source]

  1. Image:Hi-res-Bane Signet.jpg
  2. Image:Hi-res-Holy Spear.jpg
  3. Guild
  4. Guild Wars

Images used[edit | edit source]

#[[:Image:Hi-res-Holy_Spear.jpg]]
#[[:Image:Hi-res-Anguish.jpg]]
#[[:Image:Inscription_(blue).jpg]]
#[[:Image:Mesmer_Ascended_Virtuosos_Female_FrontDyedBlue.jpg]]
#[[:Image:South_Korea_70x40.png]]
#[[:Image:RH-Shoop.png]]
#[[:Image:Gold dragon.jpg]] - "Mystic Empire" guildcape, of which [[User:CRushTurner]] and [[User:Woefpoef]] are members
#[[:Image:Hi-res-Zealous_Anthem.jpg]]
#[[:Image:Eagle_Defender_colored.jpg]]
#[[:Image:180px-Zombie_breakin_sign.jpg]] - old sig pic by [[User:Foul Bane]]
#[[:Image:Example.jpg]]
#[[:Image:ThumbnailCA6V3Y8L.jpg]] - Converse anklepatch
#[[:Image:User_Wormy_Logo.gif]] - old sig pic by [[User:Wormy]]
#[[:Image:647759605-1-.jpg]] - Naruto image
#[[:Image:ThumbnailCA0ZK5WF.jpg]] - Naruto image
#[[:Image:Start.exe]] - Korean MMO registry keys
#[[:Image:Dragon guild logo.PNG]] - guild logo for [[User:Wings That Heal]] (reused)
#[[:Image:"By Ural's Hammer!".jpg]]
#[[:Image:15k armors userbox.png]]
#[[:Image:Lemonformrsquints.jpg]]
#[[:Image:TBALogo.JPG]]
#[[:Image:SMK_Olias's_Staff.png]]
#[[:Image:Ooze_pit_map.jpg]]
#[[:Image:SP_Bloody_Mary.gif]] - [[User:GW-Shadowphoenix]]'s Halloween image
#[[:Image:Necromancer_Elite_Cabal_Armor_M_gray_chest_feet_front.jpg]]
#[[:Image:Arenanet-logo-400-whitebg.jpg]]
#[[:Image:Glowing_Eye.jpg]] - image for user skill by [[User:InfestedHydralisk]]
#[[:Image:GWG logo.jpg]]
#[[:Image:Call of the Eye.jpg]]
#[[:Image:Lionanddragonlogo.jpg]]
#[[:Image:Gwlogo1.jpg]]
#[[:Image:Halloween_LionsArch_Moon.JPG]]
#[[:Image:WNx_Logo.jpg]]
#[[:Image:Psych_logo.jpg]]
#[[:Image:Smiley.png]]
#[[:Image:Glowing_Eye.jpg]]
#[[:Image:Randomtime-guildwiki-logo-135x135.png]]
#[[:Image:Republicanlogo.png]]

Contents of the executable file[edit | edit source]

contents of this section copied selectively from User talk:Entropy

Not necessarily. It would have been simple to download the file and scan it, then we would have known for certain. --◄mendel► 17:59, 24 September 2008 (UTC)
I have done that, and it did not contain a virus. That doesn't mean it wasn't malware, though. It is a self-extracting RAR archive. I found this in the "Comments" tab of the file properties window:
;The comment below contains SFX script commands

Setup=Host.exe
Setup=Regedit.exe -s -i Reg.reg
Setup=Login.exe
Silent=1
Overwrite=1
I believe that means that once it finishes extracting, it will automatically run all of the "Setup=" commands, and it will do so silently. Looks like it might be a keylogger or password cracker of some sort. —Dr Ishmael Diablo the chicken.gif 18:35, 24 September 2008 (UTC)
Scanning the start.exe with a virus scanning might've been interesting, and so would have extracting it with winzip or winrar or some other extraction utitility - that would avoid the automatic running of the setup. I am unsure if that was an attempt to attack the server - as far as I know, they run a unixoid OS, so a file with no extension would have been more helpful there. As it is, what you wrote makes it more probable that this is malware, but it's not certain yet. --◄mendel► 09:18, 25 September 2008 (UTC)
Ishmael has a copy of the file so he could probably run any further diagnostics that you think would be interesting. I don't know what exactly its intent was, but I do think that whatever it was, it certainly wasn't meant to be a good thing. Entropy Sig.jpg (T/C) 02:29, 26 September 2008 (UTC)
I hadn't thought of opening with WinRAR, so... well. It actually only has one file in it, Reg.reg, unlike the three I'd expected from the SFX script I posted above. Here are the contents of the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client]
"Folder(P2)"="E:\\Game\\CIB\\RYL2"

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client(MY)]
"Folder"="E:\\Game\\CIB\\RYL2"
"Width"=dword:00000400
"Height"=dword:00000300
"Depth"=dword:00000010
"GamePort"=dword:00004e22
"DlgControl"=dword:02d7030b
"QuickSlot"=dword:02d701cd
"Status"=dword:02d70000
"Enchant"=dword:00740000
"Chat"=dword:025e01cd
"Vertical"=dword:00000000
"ChatDlgType"=dword:00000001
"VisibleFlag"=dword:0000000d
"Adapter"="NVIDIA GeForce 7300 GT"
"Refresh"=dword:0000003c
"InitValue"=hex:00,04,00,00,00,03,00,00,10,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,88,b7,d4,77
"RenderOption"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,01,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SiegeTime"=dword:0001005a
"StatusDlgExLv"=dword:00000000
"Folder(P2)"="E:\\Game\\CIB\\RYL2"
Looks like it's just some registry keys for the MMO Risk Your Life, which looks like it's just another Korean cookie-cutter. So nothing malicious, but still worthy of deletion. —Dr Ishmael Diablo the chicken.gif 02:55, 26 September 2008 (UTC)