Virus on Website



#1 jopa66 (New Member, 3 posts)

Posted 23 September 2004 - 05:38 PM

About a month ago, I helped a client to clean his system of
malware. Apparently a certain Internet site had installed a trojan on the
machine. Just being curious, I went back to the site today and it still
wants to install this virus. My question is, "Is this something that should
be reported?" and, "Is there some authority I should inform about this site?"

I have sent e-mail to the hosting company of this site but have received
no reply. An e-mail to the FBI resulted in a response which basically told me how to clean a virus from my system. Another e-mail to SANS.org was answered, stating that they would investigate. That was two weeks ago and the site is STILL happily trying to infect anyone who goes there.

This is not a new virus and any up-to-date scanner should catch it.
It just irritates me that this site is allowed to be up and running, infecting the
machines of unwary people who may go there. I realize that this site is
probably just one of many, but surely, does this not signify a HUGE security problem? How many thousands of other sites are out there? And more malicious than this one? Is there no one with the authority to take them down or force them to correct the problems?

The site in question is www.worldnetsearch.ORG

As soon as you get there Norton Antivirus pops up an alert message. The log
shows 2 files in TIF that cannot be repaired:
\Temporary Internet Files\Content.IE5\OC6A9QNJ\exploit[1].htm
Click for more information about this threat : Trojan Horse

\Temporary Internet Files\Content.IE5\OC6A9QNJ\fuck[1].htm
Click for more information about this threat : Trojan Horse

...then 1 file which was deleted:
D:\Documents and Settings\jopa\ApplicationData\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-614a47c6-7d3bb9af.zip
Click for more information about this threat : Trojan.ByteVerify

Symantec info here:
<http://securityrespo...yteverify.html>
--


I did a WHOIS search which returned the following information.

WHOIS information for worldnetsearch.org:
[whois.melbourneit.com]
Domain name you searched for is not registered through Melbourne IT.
Following is the information we gathered for worldnetsearch.org
------
Domain ID:D104274887-LROR
Domain Name:WORLDNETSEARCH.ORG
Created On:27-Apr-2004 11:02:12 UTC
Last Updated On:27-Jun-2004 03:47:38 UTC
Expiration Date:27-Apr-2005 11:02:12 UTC
Sponsoring Registrar:R27-LROR
Status:OK
Registrant ID:DI_381478
Registrant Name:George Washington
Registrant Organization:Search Media Int
Registrant Street1:45-89 Lenina str.
Registrant City:Minsk
Registrant Postal Code:789521
Registrant Country:BY
Registrant Phone:+998.214589
Registrant Email:support@ovishost.com
Admin ID:DI_381478
Admin Name:George Washington
Admin Organization:Search Media Int
Admin Street1:45-89 Lenina str.
Admin City:Minsk
Admin Postal Code:789521
Admin Country:BY
Admin Phone:+998.214589
Admin Email:support@ovishost.com
Tech ID:DI_381478
Tech Name:George Washington
Tech Organization:Search Media Int
Tech Street1:45-89 Lenina str.
Tech City:Minsk
Tech Postal Code:789521
Tech Country:BY
Tech Phone:+998.214589
Tech Email:support@ovishost.com
Name Server:NS5.ESTHOST.COM
Name Server:NS6.ESTHOST.COM

--
jopa66

#2 B@ckdoor (Full Member, 25 posts)

Posted 23 September 2004 - 07:14 PM

Hehe, that was a funny site...

I was hit by more than you and your client.


9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ELGH6DSN\exploit[1].htm Exploit-MhtRedir.gen
9/24/2004 2:35 AM Clean Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\classload[1].jar Exploit-ByteVerify
9/24/2004 2:36 AM Delete Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Delete Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Clean Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ELGH6DSN\exploit[1].htm Exploit-MhtRedir.gen
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\classload[1].jar Exploit-ByteVerify

Well, don't bother, there are thousands of this kind...
George Washington in Minsk, Belarus??? I think even the FBI will laugh about that one... If they can laugh...
Go get him G-man!!!

Am I infected now??? Did McAfee catch them all??? Maybe, maybe not... Only God knows...

Have a nice day and DON'T visit that site!!!
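The McAfee log above does not answer the question the post ends with: each file shows up several times with different outcomes, and only the last successful action tells you whether it is still on disk. The following Python script is an added example, not code from the thread; it parses a constructed copy of those log lines (layout assumed: date, time, status, user, path, detection name, whitespace separated, with the path allowed to contain spaces) and reports which detected files were never actually deleted.

```python
import re

# Sample input: the McAfee on-access log lines from the post above (constructed copy).
LOG = r"""
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:35 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ELGH6DSN\exploit[1].htm Exploit-MhtRedir.gen
9/24/2004 2:35 AM Clean Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Infected SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\classload[1].jar Exploit-ByteVerify
9/24/2004 2:36 AM Delete Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Delete Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QRUTOTAN\counter[1].htm Exploit-IFrame
9/24/2004 2:36 AM Clean Error SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\fuck[1].htm Exploit-ObjectData
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ELGH6DSN\exploit[1].htm Exploit-MhtRedir.gen
9/24/2004 2:36 AM Deleted SYSTEM C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CXMZCTEX\classload[1].jar Exploit-ByteVerify
"""

# Assumed layout: date time AM/PM, status (one or two words), user, path (may contain spaces), detection name.
LINE_RE = re.compile(
    r"^(?P<when>\d+/\d+/\d{4} \d+:\d{2} [AP]M) "
    r"(?P<status>Infected|Clean Error|Delete Error|Deleted) "
    r"(?P<user>\S+) (?P<path>.+) (?P<name>\S+)$"
)

def reconcile(text):
    """Group events per file. A file counts as removed only if a 'Deleted' event was
    logged for it; 'Clean Error'/'Delete Error' alone means it is still on disk."""
    files = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())  # blank or unrecognised lines are skipped
        if not m:
            continue
        entry = files.setdefault(m["path"], {"name": m["name"], "events": []})
        entry["events"].append(m["status"])
    for entry in files.values():
        entry["removed"] = "Deleted" in entry["events"]
    return files

def still_present(text):
    """Paths that were detected but never successfully deleted (need manual cleanup)."""
    return [p for p, e in reconcile(text).items() if not e["removed"]]

if __name__ == "__main__":
    for path, e in reconcile(LOG).items():
        fname = path.rsplit("\\", 1)[-1]
        verdict = "removed" if e["removed"] else "STILL ON DISK"
        print(f"{e['name']:<22} {verdict:<14} {fname}")
```

On this log, three of the four files end in a Deleted event, but counter[1].htm only ever gets Clean Error and Delete Error, so it is still sitting in the IE cache.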

#3 Tuxedo Jack (Expert, 1,758 posts) - Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

Posted 27 September 2004 - 02:52 PM

Standard CWS-dropping site. Nothing to see there. Just don't use IE - that way none of this crap can get through.

#4 B@ckdoor (Full Member, 25 posts)

Posted 27 September 2004 - 09:55 PM

Tuxedo Jack wrote:
    Standard CWS-dropping site. Nothing to see there. Just don't use IE - that way none of this crap can get through.

I'm using IE... just like 80-85%? of all Windows users.

XP Pro SP2
+ SpywareGuard
+ SpywareBlaster
+ MVPS Hosts file
+ McAfee 7.1
+ Kerio 2.15
+ Ad-Aware
+ Spybot S&D

Why IE? Company policy... > 15.000 computers, 99% of them do not have SP2 or any of the other programs except McAfee. Not a single computer for standard users is fully patched, and the patches that are chosen are pushed out to the users 2-3 weeks after MS has released them... People travelling all around the world without a firewall on their laptops...

Scary, eh? That's the way it is in many (most?) large corporations. They would never consider spending a dime on the programs above, but spend $$$$$$$$$$$$$$$$$$$$$ on cleaning up the mess and even more $$$ on monitoring people... And what would the helpdesk do if everyone was fully protected? Probably selling hamburgers...

#5 Guest_Joey1_* (Guest)

Posted 28 September 2004 - 03:34 PM

Empty your IE cache: close IE, then go to Control Panel > Internet Options > Temporary Internet Files > Delete Files. That will knock out anything there that's left.

Oh, yes: [image] ;)

#6 Happywithspyware (Full Member, 5 posts)

Posted 01 October 2004 - 11:14 AM

B@ckdoor wrote:
    Tuxedo Jack wrote:
        Standard CWS-dropping site. Nothing to see there. Just don't use IE - that way none of this crap can get through.

    I'm using IE... just like 80-85%? of all Windows users.

    XP Pro SP2
    + SpywareGuard
    + SpywareBlaster
    + MVPS Hosts file
    + McAfee 7.1
    + Kerio 2.15
    + Ad-Aware
    + Spybot S&D

    Why IE? Company policy... > 15.000 computers, 99% of them do not have SP2 or any of the other programs except McAfee. Not a single computer for standard users is fully patched, and the patches that are chosen are pushed out to the users 2-3 weeks after MS has released them... People travelling all around the world without a firewall on their laptops...

    Scary, eh? That's the way it is in many (most?) large corporations. They would never consider spending a dime on the programs above, but spend $$$$$$$$$$$$$$$$$$$$$ on cleaning up the mess and even more $$$ on monitoring people... And what would the helpdesk do if everyone was fully protected? Probably selling hamburgers...

Hi,
I can only say, 'You have hit the nail on the head.' :)



