914World.com _ 914World Garage _ Virus pop up warning

Posted by: Sparky Apr 10 2006, 06:13 AM

Details:


--------------------------------------------------------------------------------


Malware type: Exploit

Aliases: Bloodhound.Exploit.56, Exploit-WMF, Win32/Worfo

In the wild: No

Destructive: No

Language: English

Platform: Windows 98, ME, 2000, XP, Server 2003

Encrypted: No





Posted by: plas76targa Apr 10 2006, 06:16 AM

Same thing happened to me. The non-home system flushed out a bunch of exe files.

odd

Posted by: boboli914@att.net Apr 10 2006, 06:19 AM

I got it too. WTF

Posted by: Dead Air Apr 10 2006, 06:33 AM

Don't worry it's a non-virus/LLC.

Posted by: ArtechnikA Apr 10 2006, 06:34 AM

what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...

Posted by: boboli914@att.net Apr 10 2006, 06:47 AM

QUOTE (Dead Air @ Apr 10 2006, 04:33 AM)
Don't worry it's a non-virus/LLC.

I hope! Thank you!

Posted by: boboli914@att.net Apr 10 2006, 06:48 AM

QUOTE (ArtechnikA @ Apr 10 2006, 04:34 AM)
what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...

It came up Windows Explorer.

Posted by: tdgray Apr 10 2006, 06:54 AM

I got it with IE also... switched over to Firefox and nada.

Seems we gots a virus or something attached to the home page.

I got it trying to install a file xpiadv602.wmf from traffmoney.biz.

Also a hacktool.IE.Exploit.

Have not looked them up yet. Gonna have my IT guy take a look at it.

Somebody wake Andy up.

Posted by: Vacca Rabite Apr 10 2006, 06:55 AM

Nope, not fixed yet.
Norton is catching it every time I try to hit the main page, and there is a redirect to trafmoney.biz or trafficmoney.biz or something like that.

If you use Norton, get the latest virus defs. Version is 4/6/2006 Rev. 6

Zach

Posted by: spunone Apr 10 2006, 06:55 AM

Norton blocked it on mine said it's a worm?

Posted by: rick 918-S Apr 10 2006, 07:05 AM

Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program.

Posted by: boboli914@att.net Apr 10 2006, 07:10 AM

QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM)
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program.

That's exactly what mine is doing. It just started today!

Posted by: Toast Apr 10 2006, 07:18 AM

xpladv602.wmf

exploit.html.ObjDATA

exploit.js.cve-2005-1790.j

traffmoney.biz

IE / Win98 / main page

Posted by: Jaiden Apr 10 2006, 07:18 AM

I got it too.

Going directly to the garage doesn't force the pop up.

Posted by: Vacca Rabite Apr 10 2006, 07:18 AM

QUOTE (boboli914@att.net @ Apr 10 2006, 08:10 AM)
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM)
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program.

That's exactly what mine is doing. It just started today!

You guys better check your machines. Sounds like you are infected...

Zach

Posted by: SLITS Apr 10 2006, 07:26 AM

Scanning Report
10 April 2006 06:21:29

Options

--------------------------------------------------------------------------------
Target:
C:\WINDOWS\Temporary Internet Files
Action:
Delete infected files
Scanning options:
Files scanned with extensions: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB ZIP ARJ LZH TAR TGZ
Scan inside archives: on
Scanning Engines:
F-Secure F-PROT: 3.09.507, 2006-04-06 21:42:43
F-Secure AVP: 3.55.160.3203, 2006-04-06 21:42:43
Results

--------------------------------------------------------------------------------
Boot Sectors
Scanned: 0
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 757
Infected: 8
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 8
Quarantined: 0
Report

--------------------------------------------------------------------------------

C:\WINDOWS\Temporary Internet Files\Content.IE5\T9IHI07N\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\FYZ7IIK1\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\05EZS9YJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\V4ZWOBI2\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\LG2KCB0Y\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\UQEABL4A\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\bag[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.


--------------------------------------------------------------------------------

Posted by: boboli914@att.net Apr 10 2006, 07:29 AM

ANDY??? (in my closest Aunt B voice)

Posted by: rick 918-S Apr 10 2006, 08:06 AM

Does yours look like this?

[Attached image]

Posted by: David_S Apr 10 2006, 08:14 AM

Mine is doing it too ....window looks like the one Rick posted. Keeps trying to open something up in Windows picture and fax viewer.

Posted by: Jaiden Apr 10 2006, 08:14 AM

Mine looks like that if I cancel out of the wmf download it tries to load up.

Posted by: Hammy Apr 10 2006, 08:15 AM

QUOTE (rick 918-S @ Apr 10 2006, 07:06 AM)
Does yours look like this?

Mine does.

Posted by: shelby/914 Apr 10 2006, 08:19 AM

Opened the home page three times this morning and each time I got a warning from McAfee that it had found an Exploit-WMF trojan and had cleaned it. This happened once last week showing that it had found 2 of these. The computer then ran a virus scan of everything, taking about 1.5 hrs. It only happens when I come to this site.

Posted by: rick 918-S Apr 10 2006, 08:29 AM

mine too, only here.

Posted by: ClayPerrine Apr 10 2006, 08:31 AM

I have notified Andy via the admin forum. Unfortunately, we probably will have to take the club site offline to clean it up.

One of you perverts has been to a porn site and gotten infected. Then you brought it here...


We will keep you posted. But I suggest that if you don't have a virus scanner, you get one. Until then, go to http://www.trendmicro.com and run their free virus scanner.



Posted by: Mrs. K Apr 10 2006, 08:35 AM

Here's what I got....


[Attached image]

Posted by: Pugbug Apr 10 2006, 08:54 AM

I had to get curious...It's still there.... Norton deleted it, but called it a high risk trojan.....I'll stay away from the home page for awhile.

Posted by: dstar Apr 10 2006, 09:12 AM

GUYS! GUYS!

Just add :
127.0.0.1 traffmoney.biz

to your host file...

The club has been hacked, or sold ad space to bad guys....

Don
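
An added example, not part of the original post: a check that a hosts file really sinkholes the domain named above. Hosts entries match exact names only and commented-out lines have no effect, so the `www.` variant is tested separately; that hostname and the sample file contents are constructed for illustration.

```python
# Addresses commonly used to sinkhole a name in a hosts file.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Assumption: the first entry for a name is the one the resolver uses,
    so later duplicates are ignored.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no name: ignore
        addr, names = fields[0], fields[1:]    # one address, one or more names
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def sinkhole_gaps(text, names):
    """Return the names that the hosts file does NOT point at loopback."""
    mapping = parse_hosts(text)
    return [n for n in names if mapping.get(n.lower()) not in LOOPBACK]

# Constructed sample hosts file (not taken from any machine in the thread).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 127.0.0.1 www.traffmoney.biz   <- commented out, has no effect
127.0.0.1   traffmoney.biz
"""

# traffmoney.biz is from the thread; the www. name is an assumed variant.
WANTED = ["traffmoney.biz", "www.traffmoney.biz"]

if __name__ == "__main__":
    for name in sinkhole_gaps(SAMPLE_HOSTS, WANTED):
        print("not sinkholed:", name)
```

A hosts entry only stops the browser from reaching that one name; it does not remove the injected code from the site or anything already installed on the PC.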

Posted by: sk8kat1 Apr 10 2006, 09:16 AM

I got it too ?!

Posted by: william harris Apr 10 2006, 09:25 AM

Same problem here. forking puters.

Posted by: rick 918-S Apr 10 2006, 09:25 AM

I changed my start up to the forum list instead of the Home page. I think that defeats it for now.

Posted by: Part Pricer Apr 10 2006, 09:27 AM


Calm down guys. I found it.

I'm sending PMs to SirAndy and Jeroen.


Posted by: dstar Apr 10 2006, 09:29 AM

QUOTE (Part Pricer @ Apr 10 2006, 07:27 AM)
Calm down guys. I found it.

I'm sending PMs to SirAndy and Jeroen.

OK, you found it.

So, was the site hacked, or did we sell space to bad guys?

BTW, I already posted the fix.

You should let that site stay looped, as nothing *good* would ever come out of it anyway.

Don

Posted by: boboli914@att.net Apr 10 2006, 09:51 AM

I feel violated

Posted by: SirAndy Apr 10 2006, 09:51 AM

QUOTE (Sparky @ Apr 10 2006, 05:13 AM)
Virus pop up warning

yeah, i know ...

killed it ... again ...

it's a PHP exploit for the BBS software we're using. i would have upgraded to their newer version already if there was an easy way to keep all the useraccounts, posts and pictures ...

i'll either have to take the plunge and do an upgrade of the software or i'll have to figure out how to close the backdoor for this version ...

Andy

Posted by: ArtechnikA Apr 10 2006, 10:11 AM

QUOTE (SirAndy @ Apr 10 2006, 11:51 AM)
killed it ... again ...

thanks.

while i'm thanking, THANK YOU (or whoever did this at your direction...) for adding the "NEXT PAGE" navigation link at the bottom.

Posted by: boboli914@att.net Apr 10 2006, 10:15 AM

Andy...Does this mean our computers are/may be infected? Thanks.

Posted by: dstar Apr 10 2006, 10:37 AM

IF you got the virus warning and didn't let it continue, then no, you don't have the trojan.

IF you're reading all this and saying to yourself, "What is this all about? I didn't get a thing!", then yea, you got the Trojan installed..........

BUWAHAHAHHAHAHAHAHAHHAHAHAHAHAHAHAHA!

Nowadays, computing without up to date anti-virus, is like playing Russian Roulette........with ONE empty chamber....

Don

Posted by: cbenitah Apr 10 2006, 10:43 AM

or just switch to a mac.. then you wouldn't get it.

Posted by: tdgray Apr 10 2006, 10:50 AM

QUOTE (cbenitah @ Apr 10 2006, 12:43 PM)
or just switch to a mac.. then you wouldn't get it.

Or... do the smart thing and use Mozilla firefox or a similar browser.

Posted by: Dr Evil Apr 10 2006, 10:57 AM

I thought that I was the only one. Using IE I got a thwarted worm attack warning from Norton two days ago when coming to the main page. It didn't happen again, but that was the last straw with IE.

I am now running Firefox and I am not looking back!

I hope someone hasn't goofed with our club site

Posted by: boboli914@att.net Apr 10 2006, 11:52 AM

I was always given the impression you could not get a computer virus except through downloads in email. Not surfing your favorite site!

Posted by: Sparky Apr 10 2006, 12:10 PM

It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). Sorry for the delay in posting back up just got back in from a 50 mile ride on the bike. Good day for it but they really need to start getting the sand off the sides of the roads here.

My best,
Mike D.

Posted by: SirAndy Apr 10 2006, 01:34 PM

QUOTE (Sparky @ Apr 10 2006, 11:10 AM)
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me).

umh, it's a PHP exploit, used in conjunction with the BBS software, and last time i checked, PHP was *not* made by Microsoft ...

Andy

Posted by: boboli914@att.net Apr 10 2006, 01:42 PM

Did anyone else get fuched by this? I guess the fix is to install Norton? Anyone??
