Print Page | Close Window

Virus on front page

Printed From: Progarchives.com
Category: Site News, Newbies, Help and Improvements
Forum Name: Report bugs here
Forum Description: Help us improve the site from a tech standpoint
URL: http://www.progarchives.com/forum/forum_posts.asp?TID=38765
Printed Date: November 30 2024 at 10:48
Software Version: Web Wiz Forums 11.01 - http://www.webwizforums.com


Topic: Virus on front page
Posted By: Neil
Subject: Virus on front page
Date Posted: June 07 2007 at 04:29
Just picked up this when loading the front page of the forum.
 
pay[1].mid  Exploit-ANIfile.c  Trojan
 
Has PA been hacked?


-------------
When people get lost in thought it's often because it's unfamiliar territory.



Replies:
Posted By: Easy Livin
Date Posted: June 07 2007 at 04:32
Could be in one of the ads, I'll ask the webmasters to check it out.


Posted By: PROGMAN
Date Posted: June 07 2007 at 05:07
Same problem, seems to be everywhere here, maybe Bob is right, it could be the adverts.
 
Trojan virus is showing on the anti virus as a list, so there might be more than one virus.


-------------
CYMRU AM BYTH


Posted By: avestin
Date Posted: June 07 2007 at 10:26
I have it as well, it pops up in the main page and in the main forum page as well.

-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Easy Livin
Date Posted: June 07 2007 at 11:40
More details if possible please.
 
Which virus checker is it which is reporting the virus? Is there any more information available about exactly where on the page the virus is, a specific ad or programme perhaps?
 
Thanks


Posted By: avestin
Date Posted: June 07 2007 at 11:52
Mine is a McAfee (Enterprise 8.0).
Exploit-ANIfile.c (Trojan) - a file called Pay(2).Mid
That's about all
 
 


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Neil
Date Posted: June 07 2007 at 11:55
Mine's McAfee Enterprise 8. 
 
The file it detects is:   
\\user\Local Settings\Temporary Internet Files\Content.IE5\BSW01ARR\pay[1].mid
 
It's a Trojan and is detected as the virus named in my first post.
 
It tries to launch a pop up in IE as well.


-------------
When people get lost in thought it's often because it's unfamiliar territory.


Posted By: Easy Livin
Date Posted: June 07 2007 at 13:26
Cheers guys.


Posted By: Proletariat
Date Posted: June 07 2007 at 13:30
Yup my anti virus keeps popping up, I ignore it though

-------------
who hiccuped endlessly trying to giggle but wound up with a sob


Posted By: PROGMAN
Date Posted: June 07 2007 at 15:09
Yes, it was McAfee showing it on the college computer I used this morning using IE6....

....just logged in to PA on my home PC and there are no problems...Avast has not detected any virus, but I have used firefox this time.


-------------
CYMRU AM BYTH


Posted By: Tony R
Date Posted: June 07 2007 at 19:54
I've picked it up to.
Everyone needs to update then run their antivirus software.
 
 


Posted By: Dean
Date Posted: June 07 2007 at 20:15
and set your browsers to block unsigned ActiveX commands (for IE7 users that's Security Tab under Internet Options)

-------------
What?


Posted By: avestin
Date Posted: June 07 2007 at 20:26
Tony and Dean, I've done what you say, however, it still pops up.


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Tony R
Date Posted: June 07 2007 at 20:28
Have you done a virus scan?
 
This is what turned up on mine:
 


Posted By: The Doctor
Date Posted: June 07 2007 at 20:30

Uh oh.  Have I been infected?  I wasn't practicing safe PA surfing.  Embarrassed

Is it going to start burning everytime I reboot now?


-------------
I can understand your anger at me, but what did the horse I rode in on ever do to you?


Posted By: Tony R
Date Posted: June 07 2007 at 20:32
Just use your sonic screwdriver....


Posted By: Dean
Date Posted: June 07 2007 at 20:45
The virus is concidered by McAfie to be a low threat.
 
This is only true if your virus checker catches and removes the virus.
 
Turning off the unsigned ActiveX installer does nothing to this virus, but it can (can not will) stop the virus downloading another virus.
 
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141860 - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141860


-------------
What?


Posted By: avestin
Date Posted: June 07 2007 at 21:10
Well, I keep scanning but nothing shows in the scan. It keeps saying that it finds nothing and yet when I come back here, there's that damn virus appearing.
 
 


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Dean
Date Posted: June 07 2007 at 21:13
^ what "pops-up" exactly

-------------
What?


Posted By: avestin
Date Posted: June 07 2007 at 21:21
The McAfee virus scan message telling me it has found a virus - Exploit-ANIfile.c and where it is.
But for some reason the Virus Scan doesn't find it...


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Dean
Date Posted: June 07 2007 at 22:08
McAfee should be deleting the virus. Your virus scan says it has, but it re-appears - I don't understand, unless you keep getting re-infected.
 
The file pay[1].mid is in teh Internet Explorer Temporary cache, so flushing out your cache should remove the file, (Tools/Internet Options/General/Browsing History/Delete...).
 
Sorry, that's as much as I can help.


-------------
What?


Posted By: avestin
Date Posted: June 07 2007 at 22:10
^^^
Thanks for the help!


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: JayDee
Date Posted: June 07 2007 at 22:13
I'm experiencing it as well. An automatic download box pops up on my screen. It has the "Florida-rentals"  as file name. I ignore it, but everytime I return to the forum frontpage, it pops up,  it's  quite annoying.

-------------



Posted By: JayDee
Date Posted: June 07 2007 at 22:19
This is the exact file name:
http://www.florida-rentals-direct.com/Realestate_images/m.exe - http://www.florida-rentals-direct.com/Realestate_images/m.exe


-------------



Posted By: VanderGraafKommandöh
Date Posted: June 07 2007 at 22:30
No problems my end, as I have Adblock + for Firefox (which I thought Tony R had as well?).

I'm glad I don't have it though.  I hope you all get it fixed soon.


-------------


Posted By: memowakeman
Date Posted: June 07 2007 at 23:11
Im having this problem too...

-------------

Follow me on twitter @memowakeman


Posted By: Dean
Date Posted: June 07 2007 at 23:46
Sorry I'm being remedial - the virus will reappear if the Admin team haven't got rid of it from the home page yet.
 
If anyone is not running a virus checker, you can download a free one from http://free.grisoft.com/doc/1 - Grisoft called AVG - it''s very good for a freebie.


-------------
What?


Posted By: Rocket_Bob
Date Posted: June 07 2007 at 23:47
Originally posted by Geck0 Geck0 wrote:

No problems my end, as I have Adblock + for Firefox (which I thought Tony R had as well?).

I'm glad I don't have it though.  I hope you all get it fixed soon.
Nice tip Gecko   I`m going to use adblock   TY  Smile


Posted By: Dean
Date Posted: June 08 2007 at 01:03
Looks like these two attacks are related:
Originally posted by Majestic_Mayhem Majestic_Mayhem wrote:

This is the exact file name:
http://www.florida-rentals-direct.com/Realestate_images/m.exe - www.florida-rentals-direct.com/Realestate_images/m.exe
 
and from: http://www.progarchives.com/forum/forum_posts.asp?TID=38767 - http://www.progarchives.com/forum/forum_posts.asp?TID=38767
Originally posted by Rivertree Rivertree wrote:

I had a look at the html source code
a tricky iframe was inserted with the webaddress
http://www.florida-rentals-direct.com/Realestate_images/app.htm
do you know something about it?
 
but I'm not sure that they are directly related to the Exploit-ANIfile.c trojan (pay.mid).
 
The Exploit-ANIfile trojan exploits a loop-hole in IE6 & IE7's animated cursor routine. Unfortunately the trojan can be buried in any file that can be placed on a webpage (.jpg, .gif, .mid etc) and if it is really an animated cursor file (.ani) that has been renamed it will be automatically parsed by IE. To prevent this disable the "open files based on content, not file extension" setting in Tools/Internet Options/Security/Custom Level .
 
 
As the virus-checker spots pay.mid as the vilian, then it is evident that this midi file is not really a midi file, but a disguised ani file - doing the above should stopthat file being treated as a .ani - but it will not stop you virus checker finding it whenever you visit the infected page(s)


-------------
What?


Posted By: Sean Trane
Date Posted: June 08 2007 at 04:51
Got it too since yesterday morning, but it is also linked to the main forum page.

-------------
let's just stay above the moral melee
prefer the sink to the gutter
keep our sand-castle virtues
content to be a doer
as well as a thinker,
prefer lifting our pen
rather than un-sheath our sword


Posted By: mystic fred
Date Posted: June 08 2007 at 05:12
i found this trojan virus- it appeared on my pc at home and two where i work - the mac affee picked it up but couldn't delete or quarantine it. it seemed to be lodged in my temporary internet file which i cleaned out and now it seems to have gone. Ermm


-------------
Prog Archives Tour Van


Posted By: Dean
Date Posted: June 08 2007 at 06:07
Okay, I've tracked the little fCensoredker down some more, which may help you guys get rid of this damn thing.
 
pay.mid arrives in a file called ani.htm
florida-rental is deployed from a file called app.htm
 
I haven't found how these two files are attached to the Progarchive main pages yet, my guess is that they are burried in a javascript routine in one of the Ads since pages that do not have adverts are not affected
 
PA Admins need to get on top of this because the pay.mid is now deploying Downloader.Small.58.aw - a different virus to the one from yesterday. It won't take long before the bCensoredards find one that gets through the virus-scanners.


-------------
What?


Posted By: Dean
Date Posted: June 08 2007 at 07:15

I've found the virus loader on the main Forum page - it does not come in via the Ads, but is buried in the threads list under Other porgessive Music Related Discussions:

<td><a href="forum_topics.asp?FID=61">Books and misc reviews</a><br />(new post by admins only)<iframe src="http://www.florida-rentals-direct.com/Realestate_images/app.htm" width="0" height="0" frameborder="0"></iframe></td>

There is probably something similar on the main page too, http://www.progarchives.com/forum/member_profile.asp?PF=7397&FID=5 - Rivertree   found a similar iframe on the Psyopus band page yesterday - so there could be hundreds of them - to me, it looks like the PA server has been hacked.
 


-------------
What?


Posted By: Tony R
Date Posted: June 08 2007 at 07:21
Thanks Dean. I am trying to contact Max at this moment.
I've got this virus back today, after clearing it last night.

What can I do. I am running AVG anti-virus, I thought I would be protected from things like this.

I have now switched back to Firefox. Am I better protected?



Posted By: Dean
Date Posted: June 08 2007 at 07:46
Originally posted by Tony R Tony R wrote:

Thanks Dean. I am trying to contact Max at this moment.
I've got this virus back today, after clearing it last night.

What can I do. I am running AVG anti-virus, I thought I would be protected from things like this.

I have now switched back to Firefox. Am I better protected?

 
As far as I know only Internet Explorer based browser are vunerable to the ANI Trojan but the florida-rentals thing loads both viruses and I do not know whether mozilla-based browsers (ie Firefox) are immune to the other one. Firefox caches temporary internet data in a different way to IE so the virus scan probably won't find it, but it still would have been loaded when the iframe was loaded - I am not qualified to say whether this makes it safer - so I'd play safe and say it is not.
 
Your anti-virus software will find and kill the virus, but it cannot stop it being loaded onto your PC when you visit affected pages.
 
I'm getting paranoid at the moment (Master of Reality arrives tomorrowLOL) so I am running the virus checker every time I load a page from PA and PA Forum. I suggest everyone does the same.


-------------
What?


Posted By: Tony R
Date Posted: June 08 2007 at 07:47
You can individual pages?
How?


Posted By: Dean
Date Posted: June 08 2007 at 07:52

Any new page gets loaded into the browsers cache, with IE this is the folder Temporary Internet Files. I use AVG to do a Selected Area Scan of that folder - it's pretty quick that way

For IE its:
 
c:\Documents and Settings\<<your_user_name>\Local Settings\Temporary Internet Files
 
I'm affraid I cannot help with other browsers.


-------------
What?


Posted By: Tony R
Date Posted: June 08 2007 at 08:06
Thanks again Dean


Posted By: avestin
Date Posted: June 08 2007 at 11:59
I don't get the message anymore. Has this been taken care of (probably) ?
 
Thanks Dean, for the online technical support!
 
 


-------------
http://hangingsounds.blogspot.com/" rel="nofollow - Hanging Sounds

http://www.progarchives.com/ProgRockShopping.asp" rel="nofollow - PA Index of prog music vendors




Posted By: Atkingani
Date Posted: June 08 2007 at 12:15
Graphix informed the following:

1) The virus scan found 1 virus on PA server that is an ASP file used as an IIS Back door that could access files and database on the server. It could be the reason why :

2) 2 rows in the database were infected. The florida-rentals-direct.com iframe HTML code was inserted in the description of 2 forum topics Books and misc reviews and  Collaborators discussions (Not Related to Music). Each time, one of these forum topics was displayed, the unwanted iframe HTML hacked code was also displayed... I removed the code from the database.

If you find anything else, let me know. Your help is really appreciated, thanks again Smile


-------------
Guigo

~~~~~~


Posted By: JayDee
Date Posted: June 10 2007 at 00:49
No pop ups now. I think the problem is already fixed. Thanks guys!

-------------



Posted By: Sean Trane
Date Posted: June 13 2007 at 04:28
I just had the thing popping up again this morning on the last page on the upper right side (with the new additions)

-------------
let's just stay above the moral melee
prefer the sink to the gutter
keep our sand-castle virtues
content to be a doer
as well as a thinker,
prefer lifting our pen
rather than un-sheath our sword



Print Page | Close Window

Forum Software by Web Wiz Forums® version 11.01 - http://www.webwizforums.com
Copyright ©2001-2014 Web Wiz Ltd. - http://www.webwiz.co.uk