Sparky
Apr 10 2006, 06:13 AM
Details:
--------------------------------------------------------------------------------
Malware type: Exploit
Aliases: Bloodhound.Exploit.56, Exploit-WMF, Win32/Worfo
In the wild: No
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP, Server 2003
Encrypted: No
plas76targa
Apr 10 2006, 06:16 AM
Same thing happened to me. The non-home system flushed out a bunch of exe files.
odd
nomore9one4
Apr 10 2006, 06:19 AM
I got it too. WTF
Dead Air
Apr 10 2006, 06:33 AM
Don't worry it's a non-virus/LLC.
ArtechnikA
Apr 10 2006, 06:34 AM
what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...
nomore9one4
Apr 10 2006, 06:47 AM
QUOTE (Dead Air @ Apr 10 2006, 04:33 AM) |
Don't worry it's a non-virus/LLC. |
I hope! Thank you!
nomore9one4
Apr 10 2006, 06:48 AM
QUOTE (ArtechnikA @ Apr 10 2006, 04:34 AM) |
what browser are you guys using? my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ... |
It came up Windows Explorer.
tdgray
Apr 10 2006, 06:54 AM
I got it with IE also... switched over to Firefox and nada.
Seems we gots a virus or something attached to the home page.
I got it trying to install a file xpiadv602.wmf from traffmoney.biz.
Also a hacktool.IE.Exploit.
Have not looked them up yet. Gonna have my IT guy take a look at it.
Somebody wake Andy up.
VaccaRabite
Apr 10 2006, 06:55 AM
Nope, not fixed yet.
Nortons is catching it every time I try to hit the main page, and there is a redirect to trafmoney.biz or trafficmoney.biz or something like that.
If you use Nortons, get the latest virus defs. Version is 4/6/2006 Rev. 6
Zach
spunone
Apr 10 2006, 06:55 AM
Norton blocked it on mine said it's a worm?
rick 918-S
Apr 10 2006, 07:05 AM
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program.
nomore9one4
Apr 10 2006, 07:10 AM
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM) |
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. |
That's exactly what mine is doing. It just started today!
Toast
Apr 10 2006, 07:18 AM
xpladv602.wmf
exploit.html.ObjDATA
exploit.js.cve-2005-1790.j
traffmoney.biz
IE / Win98 / main page
Jaiden
Apr 10 2006, 07:18 AM
I got it too.
Going directly to the garage doesn't force the pop up.
VaccaRabite
Apr 10 2006, 07:18 AM
QUOTE (boboli914@att.net @ Apr 10 2006, 08:10 AM) |
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM) | Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. :screwy: |
That's exactly what mine is doing. It just started today! |
you guys better check your machines. Sounds like you are infected...
Zach
SLITS
Apr 10 2006, 07:26 AM
Scanning Report
10 April 2006 06:21:29
Options
--------------------------------------------------------------------------------
Target:
C:\WINDOWS\Temporary Internet Files
Action:
Delete infected files
Scanning options:
Files scanned with extensions: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB ZIP ARJ LZH TAR TGZ
Scan inside archives: on
Scanning Engines:
F-Secure F-PROT: 3.09.507, 2006-04-06 21:42:43
F-Secure AVP: 3.55.160.3203, 2006-04-06 21:42:43
Results
--------------------------------------------------------------------------------
Boot Sectors
Scanned: 0
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 757
Infected: 8
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 8
Quarantined: 0
Report
--------------------------------------------------------------------------------
C:\WINDOWS\Temporary Internet Files\Content.IE5\T9IHI07N\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\FYZ7IIK1\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\05EZS9YJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\V4ZWOBI2\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\LG2KCB0Y\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\UQEABL4A\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\bag[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
--------------------------------------------------------------------------------
nomore9one4
Apr 10 2006, 07:29 AM
ANDY??? (in my closest Aunt B voice)
rick 918-S
Apr 10 2006, 08:06 AM
Does yours look like this?
David_S
Apr 10 2006, 08:14 AM
Mine is doing it too ....window looks like the one Rick posted. Keeps trying to open something up in Windows picture and fax viewer.
Jaiden
Apr 10 2006, 08:14 AM
Mine looks like that if I cancel out of the wmf download it tries to load up.
Hammy
Apr 10 2006, 08:15 AM
QUOTE (rick 918-S @ Apr 10 2006, 07:06 AM) |
Does yours look like this? |
Mine does.
shelby/914
Apr 10 2006, 08:19 AM
Opened the home page three times this morning and each time I got a warning from McAfee that it had found an Exploit-WMF trojan and had cleaned it. This happened once last week showing that it had found 2 of these. The computer then ran a virus scan of everything, taking about 1.5 hrs. It only happens when I come to this site.
rick 918-S
Apr 10 2006, 08:29 AM
mine too, only here.
ClayPerrine
Apr 10 2006, 08:31 AM
I have notified Andy via the admin forum. Unfortunately, we probably will have to take the club site offline to clean it up.
One of you perverts has been to a porn site and gotten infected. Then you brought it here...
We will keep you posted. But I suggest that if you don't have a virus scanner, you get one. Until then, go to
http://www.trendmicro.com and run their free virus scanner.
Mrs. K
Apr 10 2006, 08:35 AM
Here's what I got....
Pugbug
Apr 10 2006, 08:54 AM
I had to get curious...It's still there.... Norton deleted it, but called it a high risk trojan.....I'll stay away from the home page for awhile.
dstar
Apr 10 2006, 09:12 AM
GUYS! GUYS!
Just add :
127.0.0.1 traffmoney.biz
to your host file...
The club has been hacked, or sold ad space to bad guys....
Don
sk8kat1
Apr 10 2006, 09:16 AM
I got it too ?!
william harris
Apr 10 2006, 09:25 AM
Same problem here. forking puters.
rick 918-S
Apr 10 2006, 09:25 AM
I changed my start up to the forum list instead of the Home page. I think that defeats it for now.
Part Pricer
Apr 10 2006, 09:27 AM
Calm down guys. I found it.
I'm sending PMs to SirAndy and Jeroen.
dstar
Apr 10 2006, 09:29 AM
QUOTE (Part Pricer @ Apr 10 2006, 07:27 AM) |
Calm down guys. I found it.
I'm sending PMs to SirAndy and Jeroen. |
OK, you found it.
So, was the site hacked, or did we sell space to bad guys?
BTW, I already posted the fix.
You should let that site stay looped, as nothing *good* would ever come out of it anyway.
Don
nomore9one4
Apr 10 2006, 09:51 AM
I feel violated
SirAndy
Apr 10 2006, 09:51 AM
QUOTE (Sparky @ Apr 10 2006, 05:13 AM) |
Virus pop up warning |
yeah, i know ...
killed it ... again ...
it's a PHP exploit for the BBS software we're using. i would have upgraded to their newer version already if there was an easy way to keep all the useraccounts, posts and pictures ...
i'll either have to take the plunge and do an upgrade of the software or i'll have to figure out how to close the backdoor for this version ...
Andy
ArtechnikA
Apr 10 2006, 10:11 AM
QUOTE (SirAndy @ Apr 10 2006, 11:51 AM) |
killed it ... again ... |
thanks.
while i'm thanking, THANK YOU (or whoever did this at your direction...) for adding the "NEXT PAGE" navigation link at the bottom.
nomore9one4
Apr 10 2006, 10:15 AM
Andy...Does this mean our computers are/may be infected? Thanks.
dstar
Apr 10 2006, 10:37 AM
IF you got the virus warning and didn't let it continue, then no, you don't have the trojan.
IF you're reading all this and saying to yourself, "What is this all about? I didn't get a thing!", then yea, you got the Trojan installed..........
BUWAHAHAHHAHAHAHAHAHHAHAHAHAHAHAHAHA!
Nowadays, computing without up to date anti-virus, is like playing Russian Roulette........with ONE empty chamber....
Don
cbenitah
Apr 10 2006, 10:43 AM
or just switch to a mac.. then you wouldn't get it.
tdgray
Apr 10 2006, 10:50 AM
QUOTE (cbenitah @ Apr 10 2006, 12:43 PM) |
or just switch to a mac.. then you wouldn't get it. |
Or... do the smart thing and use Mozilla firefox or a similar browser.
Dr Evil
Apr 10 2006, 10:57 AM
I thought that I was the only one. Using IE I got a thwarted worm attack warning from Norton two days ago when coming to the main page. It didn't happen again, but that was the last straw with IE.
I am now running Firefox and I am not looking back!
I hope someone hasn't goofed with our club site
nomore9one4
Apr 10 2006, 11:52 AM
Sparky
Apr 10 2006, 12:10 PM
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). Sorry for the delay in posting back up, just got back in from a 50 mile ride on the bike. Good day for it but they really need to start getting the sand off the sides of the roads here.
My best,
Mike D.
SirAndy
Apr 10 2006, 01:34 PM
QUOTE (Sparky @ Apr 10 2006, 11:10 AM) |
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). |
umh, it's a PHP exploit, used in conjunction with the BBS software, and last time i checked, PHP was *not* made by Microsoft ...
Andy
nomore9one4
Apr 10 2006, 01:42 PM
Did anyone else get fuched by this? I guess the fix is to install Norton? Anyone??