Details:
--------------------------------------------------------------------------------
Malware type: Exploit
Aliases: Bloodhound.Exploit.56, Exploit-WMF, Win32/Worfo
In the wild: No
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP, Server 2003
Encrypted: No
Same thing happened to me. The non-home system flushed out a bunch of exe files.
odd
I got it too. WTF
Don't worry it's a non-virus/LLC.
what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...
QUOTE (Dead Air @ Apr 10 2006, 04:33 AM) |
Don't worry it's a non-virus/LLC. |
QUOTE (ArtechnikA @ Apr 10 2006, 04:34 AM) |
what browser are you guys using? my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ... |
I got it with IE also... switched over to Firefox and nada.
Seems we gots a virus or something attached to the home page.
I got it trying to install a file xpiadv602.wmf from traffmoney.biz.
Also a hacktool.IE.Exploit.
Have not looked them up yet. Gonna have my IT guy take a look at it.
Somebody wake Andy up.
Nope, not fixed yet.
Norton is catching it every time I try to hit the main page, and there is a redirect to trafmoney.biz or trafficmoney.biz or something like that.
If you use Norton, get the latest virus defs. Version is 4/6/2006 Rev. 6
Zach
Norton blocked it on mine said it's a worm?
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program.
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM) |
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. |
xpladv602.wmf
exploit.html.ObjDATA
exploit.js.cve-2005-1790.j
traffmoney.biz
IE / Win98 / main page
I got it too.
Going directly to the garage doesn't force the pop up.
QUOTE (boboli914@att.net @ Apr 10 2006, 08:10 AM) |
That's exactly what mine is doing. It just started today! |
Scanning Report
10 April 2006 06:21:29
Options
--------------------------------------------------------------------------------
Target:
C:\WINDOWS\Temporary Internet Files
Action:
Delete infected files
Scanning options:
Files scanned with extensions: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB ZIP ARJ LZH TAR TGZ
Scan inside archives: on
Scanning Engines:
F-Secure F-PROT: 3.09.507, 2006-04-06 21:42:43
F-Secure AVP: 3.55.160.3203, 2006-04-06 21:42:43
Results
--------------------------------------------------------------------------------
Boot Sectors
Scanned: 0
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 757
Infected: 8
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 8
Quarantined: 0
Report
--------------------------------------------------------------------------------
C:\WINDOWS\Temporary Internet Files\Content.IE5\T9IHI07N\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\FYZ7IIK1\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\05EZS9YJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\V4ZWOBI2\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\LG2KCB0Y\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\UQEABL4A\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\bag[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
--------------------------------------------------------------------------------
ANDY??? (in my closest Aunt B voice)
Does yours look like this?
Mine is doing it too ....window looks like the one Rick posted. Keeps trying to open something up in Windows picture and fax viewer.
Mine looks like that if I cancel out of the wmf download it tries to load up.
QUOTE (rick 918-S @ Apr 10 2006, 07:06 AM) |
Does yours look like this? |
Opened the home page three times this morning and each time I got a warning from McAfee that it had found an Exploit-WMF trojan and had cleaned it. This happened once last week showing that it had found 2 of these. The computer then ran a virus scan of everything, taking about 1.5 hrs. It only happens when I come to this site.
mine too, only here.
I have notified Andy via the admin forum. Unfortunately, we probably will have to take the club site offline to clean it up.
One of you perverts has been to a porn site and gotten infected. Then you brought it here...
We will keep you posted. But I suggest that if you don't have a virus scanner, you get one. Until then, go to http://www.trendmicro.com and run their free virus scanner.
Here's what I got....
I had to get curious...It's still there.... Norton deleted it, but called it a high risk trojan.....I'll stay away from the home page for awhile.
GUYS! GUYS!
Just add :
127.0.0.1 traffmoney.biz
to your host file...
The club has been hacked, or sold ad space to bad guys....
Don
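Added example, not part of any post in this thread: a short Python check that a hosts file really sinkholes the names you care about. Hosts entries match exact names only, so the `traffmoney.biz` line above does not cover `www.traffmoney.biz`; the `www.` name and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample: a hosts file after adding the line suggested in the thread.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1   localhost
127.0.0.1   traffmoney.biz   # blocked per the forum tip
"""

def parse_hosts(text):
    """Return {hostname: set of addresses} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the malformed line
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(addr)
    return table

def audit(text, names):
    """Classify each name as 'blocked', 'not listed', or 'listed -> <addr>'."""
    table = parse_hosts(text)
    report = {}
    for name in names:
        addrs = table.get(name.lower().rstrip("."))
        if not addrs:
            report[name] = "not listed"
            continue
        # Blocked only if every address for the name is loopback or unspecified.
        live = sorted(str(a) for a in addrs if not (a.is_loopback or a.is_unspecified))
        report[name] = "listed -> " + ", ".join(live) if live else "blocked"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_HOSTS, ["traffmoney.biz", "www.traffmoney.biz"]).items():
        print(f"{name}: {status}")
```

A hosts entry only stops the browser from reaching that one name; it does not remove whatever was added to the site's home page.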
I got it too ?!
Same problem here. forking puters.
I changed my start up to the forum list instead of the Home page. I think that defeats it for now.
Calm down guys. I found it.
I'm sending PMs to SirAndy and Jeroen.
QUOTE (Part Pricer @ Apr 10 2006, 07:27 AM) |
Calm down guys. I found it. I'm sending PMs to SirAndy and Jeroen. |
I feel violated
QUOTE (Sparky @ Apr 10 2006, 05:13 AM) |
Virus pop up warning |
QUOTE (SirAndy @ Apr 10 2006, 11:51 AM) |
killed it ... again ... |
Andy...Does this mean our computers are/may be infected? Thanks.
IF you got the virus warning and didn't let it continue, then no, you don't have the trojan.
IF you're reading all this and saying to yourself, "What is this all about? I didn't get a thing!", then yea, you got the Trojan installed..........
BUWAHAHAHHAHAHAHAHAHHAHAHAHAHAHAHAHA!
Nowadays, computing without up to date anti-virus, is like playing Russian Roulette........with ONE empty chamber....
Don
or just switch to a mac.. then you wouldn't get it.
QUOTE (cbenitah @ Apr 10 2006, 12:43 PM) |
or just switch to a mac.. then you wouldn't get it. |
I thought that I was the only one. Using IE I got a thwarted worm attack warning from Norton two days ago when coming to the main page. It didn't happen again, but that was the last straw with IE.
I am now running Firefox and I am not looking back!
I hope someone hasn't goofed with our club site
I was always given the impression you could not get a computer virus except through downloads in email. Not surfing your favorite site!
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). Sorry for the delay in posting back up just got back in from a 50 mile ride on the bike. Good day for it but they really need to start getting the sand off the sides of the roads here.
My best,
Mike D.
QUOTE (Sparky @ Apr 10 2006, 11:10 AM) |
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). |
Did anyone else get fuched by this? I guess the fix is to install Norton? Anyone??