Worm attack when browsing using Firefox

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Don't know if this was a coincidence but, when browsing the following page using Firefox:

http://www.progarchives.com/forum/forum_posts.asp?TID=28622

Norton AntiVirus displayed the following message:

Security Alert, Medium Risk

Norton Internet Worm Protection has detected and blocked an intrusion attempt.

Intrusion: HTTP Embed Tag NPDSPlay DLL BO.
Intruder: view.atdmt.com(12.130.60.2)(http(80)).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: <my computer, which I do not display here for reasons of privacy>.
Attacked Port: 1232.

It's the first time I have had a Worm warning on this PC. I hope that this was not due to one of the banner ads on this site. According to the Norton online virus encylopedia, the HTTP Embed Tag NPDSPlay DLL BO attempts to do the following:

Description

This signature detects attempts to exploit a buffer overflow vulnerability in the NPDSPLAY.DLL. 

Additional Information

The Microsoft Windows Media Player plugin for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer.

The problem presents itself in the way Media Player handles an 'EMBED' element in a malicious HTML page or email. An excessively long 'EMBED' source tag can cause a stack-based overflow and permit the overwriting of a Structured Memory Handler (SEH). Specifically, the issue occurs in 'npdsplay.10001040'.

An attacker can exploit this issue to execute arbitrary code on the victim user's computer in the context of the victim user. This may facilitate a compromise of the affected computer.

This issue is exploitable only through non-Microsoft browsers that have the Media Player plugin installed. Possible browsers include:

- Firefox .9 and later n- Netscape 8

Other browsers with the plugin installed may also be affected.

Affected:

Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition 
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise x64 Edition 
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition 
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP 
Microsoft Windows XP Home SP1, SP2
Microsoft Windows XP Media Center Edition SP1, SP2
Microsoft Windows XP Professional SP1, SP2
Microsoft Windows XP Professional x64 Edition 
Microsoft Windows XP Tablet PC Edition SP1, SP2

Response

Workaround: Microsoft has supplied the following workaround for this issue:

Modify the Access Control List on the 'npdsplay.dll' file

Modifying the Access Control List on the 'npdsplay.dll' file helps protect the affected system from attempts to exploit this vulnerability. To modify the 'npdsplay.dll file', follow these steps:

1. Click Start > Run...
2. Type:

cacls c:\program files\Windows Media Player\npdsplay.dll /d everyone

3. Click OK.

Solution:Microsoft has released security advisory MS06-006 with updates to address this issue.

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Fitzcarraldo Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: April 30 2004 Location: United Kingdom Status: Offline Points: 1835	Topic: Worm attack when browsing using Firefox Posted: September 15 2006 at 18:21
	Don't know if this was a coincidence but, when browsing the following page using Firefox: http://www.progarchives.com/forum/forum_posts.asp?TID=28622 Norton AntiVirus displayed the following message: Security Alert, Medium Risk Norton Internet Worm Protection has detected and blocked an intrusion attempt. Intrusion: HTTP Embed Tag NPDSPlay DLL BO. Intruder: view.atdmt.com(12.130.60.2)(http(80)). Risk Level: Medium. Protocol: TCP. Attacked IP: <my computer, which I do not display here for reasons of privacy>. Attacked Port: 1232. It's the first time I have had a Worm warning on this PC. I hope that this was not due to one of the banner ads on this site. According to the Norton online virus encylopedia, the HTTP Embed Tag NPDSPlay DLL BO attempts to do the following: Description This signature detects attempts to exploit a buffer overflow vulnerability in the NPDSPLAY.DLL. Additional Information The Microsoft Windows Media Player plugin for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer. The problem presents itself in the way Media Player handles an 'EMBED' element in a malicious HTML page or email. An excessively long 'EMBED' source tag can cause a stack-based overflow and permit the overwriting of a Structured Memory Handler (SEH). Specifically, the issue occurs in 'npdsplay.10001040'. An attacker can exploit this issue to execute arbitrary code on the victim user's computer in the context of the victim user. This may facilitate a compromise of the affected computer. This issue is exploitable only through non-Microsoft browsers that have the Media Player plugin installed. Possible browsers include: - Firefox .9 and later n- Netscape 8 Other browsers with the plugin installed may also be affected. Affected: Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4 Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4 Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4 Microsoft Windows 2000 Server SP1, SP2, SP3, SP4 Microsoft Windows Server 2003 Datacenter Edition SP1 Microsoft Windows Server 2003 Datacenter x64 Edition Microsoft Windows Server 2003 Enterprise Edition SP1 Microsoft Windows Server 2003 Enterprise x64 Edition Microsoft Windows Server 2003 Standard Edition SP1 Microsoft Windows Server 2003 Standard x64 Edition Microsoft Windows Server 2003 Web Edition SP1 Microsoft Windows XP Microsoft Windows XP Home SP1, SP2 Microsoft Windows XP Media Center Edition SP1, SP2 Microsoft Windows XP Professional SP1, SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Tablet PC Edition SP1, SP2 Response Workaround: Microsoft has supplied the following workaround for this issue: Modify the Access Control List on the 'npdsplay.dll' file Modifying the Access Control List on the 'npdsplay.dll' file helps protect the affected system from attempts to exploit this vulnerability. To modify the 'npdsplay.dll file', follow these steps: 1. Click Start > Run... 2. Type: cacls c:\program files\Windows Media Player\npdsplay.dll /d everyone 3. Click OK. Solution:Microsoft has released security advisory MS06-006 with updates to address this issue.
	Read reviews by Fitzcarraldo

chopper Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: July 13 2005 Location: Essex, UK Status: Offline Points: 20030	Posted: September 16 2006 at 07:27
	I'd already looked at that page before I read this. I didn't notice any problem and my virus checker hasn't found anything and firewall hasn't blocked anything from this address.

Fitzcarraldo Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: April 30 2004 Location: United Kingdom Status: Offline Points: 1835	Posted: September 16 2006 at 14:38
	Humm. I had the same message from Norton AntiVirus on another one of my PCs just now, from a different page in these forums: http://www.progarchives.com/forum/forum_posts.asp?TID=7715&get=last#2181478 and this time I was browsing using IE, not Firefox. I also noticed that there was no advert displayed at the bottom of the page (you know, jusy above the "Bulletin Board Software by Web Wiz Forums"). I'm almost certain this worm is attacking via one of the adverts appearing in these forum threads. Fortunately Norton AntiVirus is installed on my PCs and they are stopping the worm getting into my PCs. Has anyone else got Norton AntiVirus installed and is seeing this warning message occasionally when browsing threads in these forums? Edited by Fitzcarraldo - September 22 2006 at 22:11
	Read reviews by Fitzcarraldo

TheProgtologist Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator / Retired Admin Joined: May 23 2005 Location: Baltimore,Md US Status: Offline Points: 27802	Posted: September 21 2006 at 05:55
	I have Norton2006 and have never had that happen while viewing any of the pages on the site Fitz.


Fitzcarraldo Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: April 30 2004 Location: United Kingdom Status: Offline Points: 1835	Posted: September 22 2006 at 10:11
	I'm using Norton AntiVirus2005 on one of my PCs and Norton AntiVirus2006 on another, and I got the messages I mentioned above from both versions. Norton AntiVirus has just now popped up the same warning when I visited this site's Home Page. I'm sure it is one of the advertising banners on this site. I don't get these warnings from Norton AntiVirus on any other site I visit.
	Read reviews by Fitzcarraldo

Raff Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: July 29 2005 Location: None Status: Offline Points: 24429	Posted: September 22 2006 at 10:16
	I am using NOD32 (probably the best antivirus package on the market - tried and tested!), and nothing of the sort has ever happened to me. I've been using Firefox since I got broadband last May, and I must say I've found it to be infinitely more secure than Explorer. I've never had any virus or worm attacks ever since.

Fitzcarraldo Members Profile Send Private Message Find Members Posts Add to Buddy List Reviewer page Special Collaborator Honorary Collaborator Joined: April 30 2004 Location: United Kingdom Status: Offline Points: 1835	Posted: September 22 2006 at 15:21
	When a ProgArchives page loads into the browser (whether it is Internet Explorer or Firefox) the URL of the advertising sites is displayed in the bottom left hand corner of the browser window. You'll see messages "Opening page http://..." with the URLs of all the domains being accessed in the loading of the ProgArchives page. You'll see things like "Opening page http://www.progarchives.com/BurstMediaAdsRectangle...", "Opening page http://www.progarchives.com/FastclickAds..." and so on. These display for only a very short time, so you have to really keep your eyes open. Depending on the adverts displayed on the ProgArchives pages (different adverts can be displayed by these advertising sites on the same ProgArchives page every time you load it), you will sometimes see the message "Opening page http://www.progarchives.com/view.atdmt.com/...". Notice something familiar? (Look again at the Norton AntiVirus alert message in my first post.) Your antivirus package may be silently blocking this worm, or it may not be blocking it. You can find out whether your PC is infected by runing regedit and searching for atlassolutions in the Registry. If it's not there then your PC is probably not infected. The software test results reported in the August 2006 issue of Computer Shopper gave the following results for Anti-SpyWare software: Anti-Spyware Software - PRODUCT, COMPANY NAME, PRICE, RATING, AWARD - Grisoft Ewido Anti-Spyware 4.0, Grisoft, GBP 22, 5-stars - Sunbelt software CounterSpy 1.5, Sunbelt Software, GBP 19, 5-stars, Best Buy - Lavasoft Ad-Aware SE Personal 1.06, lavasoft, GBP 0, 4-stars - PC Tools Spyware Doctor 4, PC Tools, GBP 19, 4-stars - Spybot Spybot-S&D 1.4, Spybot, GBP 0, 4-stars - Webroot Spy Sweeper 5, Webroot software, GBP 25, 4-stars - Etrust Pest Patrol 8, eTrust, GBP 20, 3-stars - Microsoft Windows Defender (Beta 2), Microsoft, GBP 0, 2-stars and the April 2006 issue of Computer Shopper gave the following test results for Anti-Virus software: Anti-Virus Software - PRODUCT, COMPANY NAME, PRICE, RATING, AWARD - Kaspersky Anti-Virus 2006, Kaspersky Lab, GBP 28, 5-stars - Steganos AntiVirus 2006, Steganos, GBP 20, 5-stars, Best Budget Buy - F-Secure Anti-Virus 2006, F-Secure, GBP 33, 4-stars - Grisoft AVG Free Edition 7.1, Grisoft, Free, 4-stars - McAfee VirusScan 2006, McAfee Associates, GBP 36, 4-stars - Trend Micro PC-cillin Internet Security 14, Trend Micro, GBP 38, 4-stars - Symantec Norton AntiVirus 2006, Symantec, GBP 36, 3-stars - Eset NOD 32 2.5, Eset, GBP 27, *3-stars* - Zone Labs ZoneAlarm Antivirus 6, Zone Labs, GBP 20, 3-stars - Bullgaurd Internet Security 6.1, BullGuard, GBP 35, 2-stars - Alwil avast! Antivirus 4.6 (Home Edition), Avast, Free, 1-star, Free - Panda Titanium 2006 antivirus + antispyware, Panda Software, GBP 30, 1-star Edited by Fitzcarraldo - September 22 2006 at 22:10
	Read reviews by Fitzcarraldo