Entropy/blacklist

It is OK to edit this article, even though it is in the user namespace! In fact, it is highly appreciated if users could update this page with new information as soon as they find it!

What?

Recently there have been a number of anons and users who have all performed very similar sorts of vandal-actions. Malicious intent and repeated vandalism are bannable offenses. Moreover, uploading an executable file which contained a self-extracting RAR archive is extremely dubious, even if it contained nothing explicitly malicious.

The attacks have come from sources with the following characteristics in common:

  1. Usage of South Korea flag/Asian imagery
  2. Uploading Korean MMO related registry keys in the executable
  3. Korean transliteration or nonsense usernames, sometimes with 999 appended to the end

Characteristics of attacks

Nonsensical edits like this, placed randomly or replacing a section header:

[[Image:South_Korea_70x40.png|thumb|left|18px]] Alternatively, [[Image:South_Korea_70x40.png|thumb|left|mk]]

  • The image is anything, totally random. Sometimes they may upload their own. The uploaded images will have nonsense filenames.
  • Notice the thumb|left|17px / mk (the px can vary, as can the left/right alignment). This is a consistent pattern.
  • Usually there will be one vandalism edit like this to a random page, followed by an edit to the user's userpage which is the same kind of edit.
  • Seems to target/use the hi-res skill icons?
  • Creates a nonsense spam article with just the thumbed image as content.

If you see a new user do any of these things, please ban them infinitely, link to this page as the reason, and update the page with new info as necessary. Do not block IPs unless they have already vandalized before (see list below), as they are probably proxies. (Or in any case, notify an admin in-game, e-mail, IRC, etc. ASAP) Because these are likely automated bots/scripts, it is important that they are taken out as soon as they are spotted, to reduce the potential mess.
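The characteristics listed above can be turned into a review filter for recent changes. This is an added example, not part of the original page or any wiki tooling; the function names, the 40px cut-off for a "tiny" thumb and the sample edits are assumptions made for illustration.

```python
import re

# Pattern from the page: [[Image:<anything>|thumb|left|18px]] or ...|mk]]
# (alignment and pixel width vary).
THUMB_RE = re.compile(
    r"\[\[Image:(?P<file>[^|\]]+)\|thumb\|(?P<align>left|right)"
    r"\|(?P<arg>\d+px|mk)\]\]",
    re.IGNORECASE,
)
MAX_TINY_PX = 40  # assumption: thumbs this narrow are not legitimate layout


def vandal_signals(username, added_text, is_new_page=False):
    """Return the blacklist characteristics that one edit matches."""
    signals = []
    for m in THUMB_RE.finditer(added_text):
        arg = m.group("arg").lower()
        if arg == "mk":
            signals.append("thumb-mk")
        elif int(arg[:-2]) <= MAX_TINY_PX:
            signals.append("thumb-tiny-px")
    # Spam article whose whole content is the thumbed image.
    if is_new_page and THUMB_RE.fullmatch(added_text.strip()):
        signals.append("image-only-page")
    # "sometimes with 999 appended to the end"
    if username.endswith("999"):
        signals.append("username-999")
    return signals


SAMPLE_EDITS = [  # constructed examples, not real edit history
    ("Example999", "[[Image:South_Korea_70x40.png|thumb|left|18px]]", True),
    ("RegularUser", "[[Image:Ooze_pit_map.jpg|thumb|right|250px]] Map.", False),
    ("Anon", "== Header ==\n[[Image:Xq3.jpg|thumb|right|mk]]", False),
]


def review_queue(edits):
    """Keep only edits with at least one signal, for a sysop to look at."""
    return [(user, sigs) for user, text, new in edits
            if (sigs := vandal_signals(user, text, new))]


if __name__ == "__main__":
    for user, sigs in review_queue(SAMPLE_EDITS):
        print(user, sigs)
```

A normal-sized thumbnail such as the 250px one produces no signal, so the queue stays limited to edits that fit the pattern and still leaves the ban decision to a sysop.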

Known accounts

  1. User:Kimsaejung
  2. User:HANSAEWOO
  3. User:Ikki999
  4. User:Hoho999
  5. User:Hansaewoo

Anons


Known spam page titles

(sysops: edit list here)

  1. Ki
  2. Ju
  3. Bu
  4. Kuki
  5. Assss
  6. Sddd
  7. Lolzss
  8. 32132132
  9. Kamunity
  10. Lo
  11. Ko
  12. 1234
  13. Ka
  14. Sa
  15. Asmi
  16. Kimsa
  17. Kaka
  18. Logo
  19. 5555
  20. Asd
  21. Iiii
  22. Logo \\\\\\\\\\\

New titles

Please add any new spam page titles here. A sysop will add it to the protected list (and delete it etc. if not done so already).

Vandalized legitimate pages

  1. Image:Hi-res-Bane Signet.jpg
  2. Image:Hi-res-Holy Spear.jpg
  3. Guild
  4. Guild Wars

Images used

  1. Image:Hi-res-Holy_Spear.jpg
  2. Image:Hi-res-Anguish.jpg
  3. Image:Inscription_(blue).jpg
  4. Image:Mesmer_Ascended_Virtuosos_Female_FrontDyedBlue.jpg
  5. Image:South_Korea_70x40.png
  6. Image:RH-Shoop.png
  7. Image:Gold dragon.jpg - "Mystic Empire" guildcape, of which User:CRushTurner and User:Woefpoef are members
  8. Image:Hi-res-Zealous_Anthem.jpg
  9. Image:Eagle_Defender_colored.jpg
  10. Image:180px-Zombie_breakin_sign.jpg - old sig pic by User:Foul Bane
  11. Image:Example.jpg
  12. Image:ThumbnailCA6V3Y8L.jpg - Converse anklepatch
  13. Image:User_Wormy_Logo.gif - old sig pic by User:Wormy
  14. Image:647759605-1-.jpg - Naruto image
  15. Image:ThumbnailCA0ZK5WF.jpg - Naruto image
  16. Image:Start.exe - Korean MMO registry keys
  17. Image:Dragon guild logo.PNG - guild logo for User:Wings That Heal (reused)
  18. Image:"By Ural's Hammer!".jpg
  19. Image:15k armors userbox.png
  20. Image:Lemonformrsquints.jpg
  21. Image:TBALogo.JPG
  22. Image:SMK_Olias's_Staff.png
  23. Image:Ooze_pit_map.jpg
  24. Image:SP_Bloody_Mary.gif - User:GW-Shadowphoenix's Halloween image
  25. Image:Necromancer_Elite_Cabal_Armor_M_gray_chest_feet_front.jpg
  26. Image:Arenanet-logo-400-whitebg.jpg
  27. Image:Glowing_Eye.jpg - image for user skill by User:InfestedHydralisk
  28. Image:GWG logo.jpg
  29. Image:Call of the Eye.jpg
  30. Image:Lionanddragonlogo.jpg
  31. Image:Gwlogo1.jpg
  32. Image:Halloween_LionsArch_Moon.JPG
  33. Image:WNx_Logo.jpg
  34. Image:Psych_logo.jpg
  35. Image:Smiley.png
  36. Image:Glowing_Eye.jpg
  37. Image:Randomtime-guildwiki-logo-135x135.png
  38. Image:Republicanlogo.png

Contents of the executable file

Contents of this section were copied selectively from User talk:Entropy.

Not necessarily. It would have been simple to download the file and scan it, then we would have known for certain. --◄mendel► 17:59, 24 September 2008 (UTC)
I have done that, and it did not contain a virus. That doesn't mean it wasn't malware, though. It is a self-extracting RAR archive. I found this in the "Comments" tab of the file properties window:
;The comment below contains SFX script commands

Setup=Host.exe
Setup=Regedit.exe -s -i Reg.reg
Setup=Login.exe
Silent=1
Overwrite=1
I believe that means that once it finishes extracting, it will automatically run all of the "Setup=" commands, and it will do so silently. Looks like it might be a keylogger or password cracker of some sort. —Dr Ishmael Diablo the chicken 18:35, 24 September 2008 (UTC)
Scanning the start.exe with a virus scanner might've been interesting, and so would have extracting it with winzip or winrar or some other extraction utility - that would avoid the automatic running of the setup. I am unsure if that was an attempt to attack the server - as far as I know, they run a unixoid OS, so a file with no extension would have been more helpful there. As it is, what you wrote makes it more probable that this is malware, but it's not certain yet. --◄mendel► 09:18, 25 September 2008 (UTC)
Ishmael has a copy of the file so he could probably run any further diagnostics that you think would be interesting. I don't know what exactly its intent was, but I do think that whatever it was, it certainly wasn't meant to be a good thing. Entropy Sig (T/C) 02:29, 26 September 2008 (UTC)
I hadn't thought of opening with WinRAR, so... well. It actually only has one file in it, Reg.reg, unlike the three I'd expected from the SFX script I posted above. Here are the contents of the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client]
"Folder(P2)"="E:\\Game\\CIB\\RYL2"

[HKEY_LOCAL_MACHINE\SOFTWARE\GamaSoft\MP-Client(MY)]
"Folder"="E:\\Game\\CIB\\RYL2"
"Width"=dword:00000400
"Height"=dword:00000300
"Depth"=dword:00000010
"GamePort"=dword:00004e22
"DlgControl"=dword:02d7030b
"QuickSlot"=dword:02d701cd
"Status"=dword:02d70000
"Enchant"=dword:00740000
"Chat"=dword:025e01cd
"Vertical"=dword:00000000
"ChatDlgType"=dword:00000001
"VisibleFlag"=dword:0000000d
"Adapter"="NVIDIA GeForce 7300 GT"
"Refresh"=dword:0000003c
"InitValue"=hex:00,04,00,00,00,03,00,00,10,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,88,b7,d4,77
"RenderOption"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,00,00,00,00,01,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SiegeTime"=dword:0001005a
"StatusDlgExLv"=dword:00000000
"Folder(P2)"="E:\\Game\\CIB\\RYL2"
Looks like it's just some registry keys for the MMO Risk Your Life, which looks like it's just another Korean cookie-cutter. So nothing malicious, but still worthy of deletion. —Dr Ishmael Diablo the chicken 02:55, 26 September 2008 (UTC)
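The triage done by hand in the thread above (read the SFX comment, then compare it with what the archive actually holds) can be scripted without ever running the file. This is an added example, not code from the discussion; the function names and finding labels are hypothetical, and the inputs are the script and the single-file listing quoted above.

```python
SFX_COMMENT = """\
;The comment below contains SFX script commands

Setup=Host.exe
Setup=Regedit.exe -s -i Reg.reg
Setup=Login.exe
Silent=1
Overwrite=1
"""
ARCHIVE_MEMBERS = ["Reg.reg"]  # what opening the file in WinRAR showed


def parse_sfx_script(comment):
    """Split an SFX comment into Setup command lines and Key=Value options."""
    setups, options = [], {}
    for line in comment.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.lower() == "setup":
            setups.append(value.split())  # naive split: no quoted paths
        else:
            options[key.lower()] = value
    return setups, options


def triage(comment, members):
    """List what the SFX script would do, checked against the archive."""
    setups, options = parse_sfx_script(comment)
    present = {m.lower() for m in members}
    findings = []
    if setups and options.get("silent") == "1":
        findings.append("silent-run")
    if options.get("overwrite") == "1":
        findings.append("overwrite")
    for argv in setups:
        program = argv[0].lower()
        if program == "regedit.exe":
            regs = [a for a in argv[1:] if a.lower().endswith(".reg")]
            findings.append("registry import: " + ", ".join(regs))
        elif program not in present:
            findings.append("missing: " + argv[0])
    return findings


if __name__ == "__main__":
    print(triage(SFX_COMMENT, ARCHIVE_MEMBERS))
```

The two "missing" findings are the mismatch noted in the thread: the script names Host.exe and Login.exe, but the archive only contains Reg.reg.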
