Full Version: Virus pop up warning
Sparky
Details:

--------------------------------------------------------------------------------

Malware type: Exploit
Aliases: Bloodhound.Exploit.56, Exploit-WMF, Win32/Worfo
In the wild: No
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP, Server 2003
Encrypted: No

plas76targa
Same thing happened to me. The non-home system flushed out a bunch of exe files.

odd wacko.gif
nomore9one4
I got it too. WTF icon_bump.gif
Dead Air
Don't worry it's a non-virus/LLC. wink.gif
ArtechnikA
what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...
nomore9one4
QUOTE (Dead Air @ Apr 10 2006, 04:33 AM)
Don't worry it's a non-virus/LLC. wink.gif

I hope! Thank you! beer.gif
nomore9one4
QUOTE (ArtechnikA @ Apr 10 2006, 04:34 AM)
what browser are you guys using?
my AVG update and scan ran early this morning as scheduled and i'm not seeing anything. so Firefox isn't triggering it, AVG missed it (unlikely...) or Andy's already fixed it ...

It came up Windows Explorer.
tdgray
I got it with IE also... switched over to Firefox and nada.

Seems we gots a virus or something attached to the home page.

I got it trying to install a file xpiadv602.wmf from traffmoney.biz.

Also a hacktool.IE.Exploit.

Have not looked them up yet. Gonna have my IT guy take a look at it.

Somebody wake Andy up. biggrin.gif
VaccaRabite
Nope, not fixed yet.
Norton is catching it every time I try to hit the main page, and there is a redirect to trafmoney.biz or trafficmoney.biz or something like that.

If you use Nortons, get the latest virus defs. Version is 4/6/2006 Rev. 6

Zach
spunone
Norton blocked it on mine, said it's a worm?
rick 918-S
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. screwy.gif
nomore9one4
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM)
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. screwy.gif

That's exactly what mine is doing. It just started today!
Toast
xpladv602.wmf

exploit.html.ObjDATA

exploit.js.cve-2005-1790.j

traffmoney.biz

IE / Win98 / main page
Jaiden
I got it too.

Going directly to the garage doesn't force the pop up.
VaccaRabite
QUOTE (boboli914@att.net @ Apr 10 2006, 08:10 AM)
QUOTE (rick 918-S @ Apr 10 2006, 05:05 AM)
Mine's done something strange a couple of times over the last several weeks. I have mine default to the home page here. Some explorer bar thing, then when I try to close it, it opens some other program. :screwy:

That's exactly what mine is doing. It just started today!

you guys better check your machines. Sounds like you are infected... sad.gif

Zach
SLITS
Scanning Report
10 April 2006 06:21:29

Options

--------------------------------------------------------------------------------
Target:
C:\WINDOWS\Temporary Internet Files
Action:
Delete infected files
Scanning options:
Files scanned with extensions: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB ZIP ARJ LZH TAR TGZ
Scan inside archives: on
Scanning Engines:
F-Secure F-PROT: 3.09.507, 2006-04-06 21:42:43
F-Secure AVP: 3.55.160.3203, 2006-04-06 21:42:43
Results

--------------------------------------------------------------------------------
Boot Sectors
Scanned: 0
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 757
Infected: 8
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 8
Quarantined: 0
Report

--------------------------------------------------------------------------------

C:\WINDOWS\Temporary Internet Files\Content.IE5\T9IHI07N\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\FYZ7IIK1\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\05EZS9YJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\V4ZWOBI2\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\LG2KCB0Y\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\UQEABL4A\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\fillmemadv602[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.
C:\WINDOWS\Temporary Internet Files\Content.IE5\81ARSHIJ\bag[1].htm Infection: Exploit.JS.CVE-2005-1790.j Deleted.


--------------------------------------------------------------------------------
nomore9one4
ANDY??? (in my closest Aunt B voice)
rick 918-S
Does yours look like this?

David_S
Mine is doing it too ....window looks like the one Rick posted. Keeps trying to open something up in Windows picture and fax viewer.
Jaiden
Mine looks like that if I cancel out of the wmf download it tries to load up.
Hammy
QUOTE (rick 918-S @ Apr 10 2006, 07:06 AM)
Does yours look like this?

Mine does.
shelby/914
Opened the home page three times this morning and each time I got a warning from McAfee that it had found an Exploit-WMF trojan and had cleaned it. This happened once last week showing that it had found 2 of these. The computer then ran a virus scan of everything, taking about 1.5 hrs. It only happens when I come to this site. WTF.gif
rick 918-S
mine too, only here.
ClayPerrine
I have notified Andy via the admin forum. Unfortunately, we probably will have to take the club site offline to clean it up.

One of you perverts has been to a porn site and gotten infected. Then you brought it here... biggrin.gif


We will keep you posted. But I suggest that if you don't have a virus scanner, you get one. Until then, go to http://www.trendmicro.com and run their free virus scanner.


Mrs. K
Here's what I got....
Pugbug
I had to get curious...It's still there.... Norton deleted it, but called it a high risk trojan.....I'll stay away from the home page for awhile.
dstar
GUYS! GUYS! laugh.gif

Just add :
127.0.0.1 traffmoney.biz

to your hosts file...

The club has been hacked, or sold ad space to bad guys....

Don
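
An added example, not part of the original thread: a hosts file matches exact names only, so the entry from the post above covers traffmoney.biz and nothing else. The Python sketch below checks which names a hosts file actually sinkholes; the sample file contents and the www. name are constructed for illustration, and it assumes the first entry for a name wins.

```python
import ipaddress

# Constructed hosts-file text: the entry from the post above plus a default line.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1 traffmoney.biz   # entry suggested in the thread
"""


def parse_hosts(text):
    """Map each lower-cased hostname to the address of its first entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one line may carry several names
            table.setdefault(name.lower(), addr)  # assumption: first entry wins
    return table


def sinkhole_status(text, hostnames):
    """Return {hostname: bool}; True if the hosts text maps it to loopback or 0.0.0.0."""
    table = parse_hosts(text)
    status = {}
    for name in hostnames:
        addr = table.get(name.lower().rstrip("."))
        status[name] = addr is not None and (addr.is_loopback or addr.is_unspecified)
    return status


if __name__ == "__main__":
    # www.traffmoney.biz is a constructed name used to show exact-match behaviour.
    names = ["traffmoney.biz", "www.traffmoney.biz"]
    for host, blocked in sinkhole_status(SAMPLE_HOSTS, names).items():
        print(f"{host:24} {'sinkholed' if blocked else 'NOT covered'}")
```

Any other name the redirect uses needs its own entry, and the check should be rerun after each edit to the file.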
sk8kat1
I got it too ?!
william harris
Same problem here. forking puters.
rick 918-S
I changed my start up to the forum list instead of the Home page. I think that defeats it for now.
Part Pricer

Calm down guys. I found it.

I'm sending PMs to SirAndy and Jeroen.

dstar
QUOTE (Part Pricer @ Apr 10 2006, 07:27 AM)
Calm down guys. I found it.

I'm sending PMs to SirAndy and Jeroen.

OK, you found it.

So, was the site hacked, or did we sell space to bad guys?

BTW, I already posted the fix.

You should let that site stay looped, as nothing *good* would ever come out of it anyway.
biggrin.gif

Don
nomore9one4
I feel violated rolleyes.gif ph34r.gif
SirAndy
QUOTE (Sparky @ Apr 10 2006, 05:13 AM)
Virus pop up warning

yeah, i know ...

killed it ... again ...

it's a PHP exploit for the BBS software we're using. i would have upgraded to their newer version already if there was an easy way to keep all the user accounts, posts and pictures ...

i'll either have to take the plunge and do an upgrade of the software or i'll have to figure out how to close the backdoor for this version ...

dry.gif Andy
ArtechnikA
QUOTE (SirAndy @ Apr 10 2006, 11:51 AM)
killed it ... again ...

thanks.

while i'm thanking, THANK YOU (or whoever did this at your direction...) for adding the "NEXT PAGE" navigation link at the bottom.
nomore9one4
Andy...Does this mean our computers are/may be infected? Thanks.
dstar
IF you got the virus warning and didn't let it continue, then no, you don't have the trojan.

IF you're reading all this and saying to yourself, "What is this all about? I didn't get a thing!", then yea, you got the Trojan installed..........

BUWAHAHAHHAHAHAHAHAHHAHAHAHAHAHAHAHA!

Nowadays, computing without up to date anti-virus, is like playing Russian Roulette........with ONE empty chamber....
screwy.gif

Don
cbenitah
or just switch to a mac.. then you wouldn't get it. laugh.gif
tdgray
QUOTE (cbenitah @ Apr 10 2006, 12:43 PM)
or just switch to a mac.. then you wouldn't get it. laugh.gif

Or... do the smart thing and use Mozilla firefox or a similar browser.
Dr Evil
I thought that I was the only one. Using IE I got a thwarted worm attack warning from Norton two days ago when coming to the main page. It didn't happen again, but that was the last straw with IE.

I am now running Firefox and I am not looking back! smilie_pokal.gif

I hope someone hasn't goofed with our club site unsure.gif
nomore9one4
I was always given the impression you could not get a computer virus except through downloads in email. Not surfing your favorite site! headbang.gif headbang.gif headbang.gif headbang.gif
Sparky
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me). Sorry for the delay in posting back up, just got back in from a 50 mile ride on the bike. Good day for it but they really need to start getting the sand off the sides of the roads here.

My best,
Mike D.
SirAndy
QUOTE (Sparky @ Apr 10 2006, 11:10 AM)
It's a Microsoft exploit, there is a "patch" available from MS that should resolve it (it did for me).

umh, it's a PHP exploit, used in conjunction with the BBS software, and last time i checked, PHP was *not* made by Microsoft ...

wink.gif Andy
nomore9one4
Did anyone else get fuched by this? I guess the fix is to install Norton? Anyone??