Forum Home Forum Home > Site News, Newbies, Help and Improvements > Report bugs here
  New Posts New Posts RSS Feed - Worm attack when browsing using Firefox
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Topic ClosedWorm attack when browsing using Firefox

 Post Reply Post Reply
Author
Message
Fitzcarraldo View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: April 30 2004
Location: United Kingdom
Status: Offline
Points: 1835
Direct Link To This Post Topic: Worm attack when browsing using Firefox
    Posted: September 15 2006 at 18:21
Don't know if this was a coincidence but, when browsing the following page using Firefox:

http://www.progarchives.com/forum/forum_posts.asp?TID=28622

Norton AntiVirus displayed the following message:

Security Alert, Medium Risk

Norton Internet Worm Protection has detected and blocked an intrusion attempt.

Intrusion: HTTP Embed Tag NPDSPlay DLL BO.
Intruder: view.atdmt.com(12.130.60.2)(http(80)).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: <my computer, which I do not display here for reasons of privacy>.
Attacked Port: 1232.


It's the first time I have had a Worm warning on this PC. I hope that this was not due to one of the banner ads on this site. According to the Norton online virus encylopedia, the HTTP Embed Tag NPDSPlay DLL BO attempts to do the following:


Description

This signature detects attempts to exploit a buffer overflow vulnerability in the NPDSPLAY.DLL.


Additional Information

The Microsoft Windows Media Player plugin for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer.

The problem presents itself in the way Media Player handles an 'EMBED' element in a malicious HTML page or email. An excessively long 'EMBED' source tag can cause a stack-based overflow and permit the overwriting of a Structured Memory Handler (SEH). Specifically, the issue occurs in 'npdsplay.10001040'.

An attacker can exploit this issue to execute arbitrary code on the victim user's computer in the context of the victim user. This may facilitate a compromise of the affected computer.

This issue is exploitable only through non-Microsoft browsers that have the Media Player plugin installed. Possible browsers include:

- Firefox .9 and later n- Netscape 8

Other browsers with the plugin installed may also be affected.



Affected:

Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP
Microsoft Windows XP Home SP1, SP2
Microsoft Windows XP Media Center Edition SP1, SP2
Microsoft Windows XP Professional SP1, SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Tablet PC Edition SP1, SP2



Response

Workaround: Microsoft has supplied the following workaround for this issue:

Modify the Access Control List on the 'npdsplay.dll' file

Modifying the Access Control List on the 'npdsplay.dll' file helps protect the affected system from attempts to exploit this vulnerability. To modify the 'npdsplay.dll file', follow these steps:

1. Click Start > Run...
2. Type:

cacls c:\program files\Windows Media Player\npdsplay.dll /d everyone

3. Click OK.

Solution:Microsoft has released security advisory MS06-006 with updates to address this issue.


Back to Top
chopper View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: July 13 2005
Location: Essex, UK
Status: Offline
Points: 20030
Direct Link To This Post Posted: September 16 2006 at 07:27
I'd already looked at that page before I read this. I didn't notice any problem and my virus checker hasn't found anything and firewall hasn't blocked anything from this address.
Back to Top
Fitzcarraldo View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: April 30 2004
Location: United Kingdom
Status: Offline
Points: 1835
Direct Link To This Post Posted: September 16 2006 at 14:38
Humm. I had the same message from Norton AntiVirus on another one of my PCs just now, from a different page in these forums:
 
 
and this time I was browsing using IE, not Firefox. I also noticed that there was no advert displayed at the bottom of the page (you know, jusy above the "Bulletin Board Software by Web Wiz Forums"). I'm almost certain this worm is attacking via one of the adverts appearing in these forum threads. Fortunately Norton AntiVirus is installed on my PCs and they are stopping the worm getting into my PCs.
 
Has anyone else got Norton AntiVirus installed and is seeing this warning message occasionally when browsing threads in these forums?
 


Edited by Fitzcarraldo - September 22 2006 at 22:11
Back to Top
TheProgtologist View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator / Retired Admin

Joined: May 23 2005
Location: Baltimore,Md US
Status: Offline
Points: 27802
Direct Link To This Post Posted: September 21 2006 at 05:55
I have Norton2006 and have never had that happen while viewing any of the pages on the site Fitz.


Back to Top
Fitzcarraldo View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: April 30 2004
Location: United Kingdom
Status: Offline
Points: 1835
Direct Link To This Post Posted: September 22 2006 at 10:11
I'm using Norton AntiVirus2005 on one of my PCs and Norton AntiVirus2006 on another, and I got the messages I mentioned above from both versions.

Norton AntiVirus has just now popped up the same warning when I visited this site's Home Page. I'm sure it is one of the advertising banners on this site. I don't get these warnings from Norton AntiVirus on any other site I visit.

Back to Top
Raff View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: July 29 2005
Location: None
Status: Offline
Points: 24429
Direct Link To This Post Posted: September 22 2006 at 10:16
I am using NOD32 (probably the best antivirus package on the market - tried and tested!), and nothing of the sort has ever happened to me. I've been using Firefox since I got broadband last May, and I must say I've found it to be infinitely more secure than Explorer. I've never had any virus or worm attacks ever since.
Back to Top
Fitzcarraldo View Drop Down
Special Collaborator
Special Collaborator
Avatar
Honorary Collaborator

Joined: April 30 2004
Location: United Kingdom
Status: Offline
Points: 1835
Direct Link To This Post Posted: September 22 2006 at 15:21
When a ProgArchives page loads into the browser (whether it is Internet Explorer or Firefox) the URL of the advertising sites is displayed in the bottom left hand corner of the browser window. You'll see messages "Opening page http://..." with the URLs of all the domains being accessed in the loading of the ProgArchives page. You'll see things like "Opening page http://www.progarchives.com/BurstMediaAdsRectangle...", "Opening page http://www.progarchives.com/FastclickAds..." and so on. These display for only a very short time, so you have to really keep your eyes open.

Depending on the adverts displayed on the ProgArchives pages (different adverts can be displayed by these advertising sites on the same ProgArchives page every time you load it), you will sometimes see the message "Opening page http://www.progarchives.com/view.atdmt.com/...". Notice something familiar? (Look again at the Norton AntiVirus alert message in my first post.)

Your antivirus package may be silently blocking this worm, or it may not be blocking it. You can find out whether your PC is infected by runing regedit and searching for atlassolutions in the Registry. If it's not there then your PC is probably not infected.


The software test results reported in the August 2006 issue of Computer Shopper gave the following results for Anti-SpyWare software:

Anti-Spyware Software

- PRODUCT, COMPANY NAME, PRICE, RATING, AWARD

- Grisoft Ewido Anti-Spyware 4.0, Grisoft, GBP 22, 5-stars

- Sunbelt software CounterSpy 1.5, Sunbelt Software, GBP 19, 5-stars, Best Buy

- Lavasoft Ad-Aware SE Personal 1.06, lavasoft, GBP 0, 4-stars

- PC Tools Spyware Doctor 4, PC Tools, GBP 19, 4-stars

- Spybot Spybot-S&D 1.4, Spybot, GBP 0, 4-stars

- Webroot Spy Sweeper 5, Webroot software, GBP 25, 4-stars

- Etrust Pest Patrol 8, eTrust, GBP 20, 3-stars

- Microsoft Windows Defender (Beta 2), Microsoft, GBP 0, 2-stars


and the April 2006 issue of Computer Shopper gave the following test results for Anti-Virus software:


Anti-Virus Software

- PRODUCT, COMPANY NAME, PRICE, RATING, AWARD

- Kaspersky Anti-Virus 2006, Kaspersky Lab, GBP 28, 5-stars

- Steganos AntiVirus 2006, Steganos, GBP 20, 5-stars, Best Budget Buy

- F-Secure Anti-Virus 2006, F-Secure, GBP 33, 4-stars

- Grisoft AVG Free Edition 7.1, Grisoft, Free, 4-stars

- McAfee VirusScan 2006, McAfee Associates, GBP 36, 4-stars

- Trend Micro PC-cillin Internet Security 14, Trend Micro, GBP 38, 4-stars

- Symantec Norton AntiVirus 2006, Symantec, GBP 36, 3-stars

- Eset NOD 32 2.5, Eset, GBP 27, 3-stars

- Zone Labs ZoneAlarm Antivirus 6, Zone Labs, GBP 20, 3-stars

- Bullgaurd Internet Security 6.1, BullGuard, GBP 35, 2-stars   

- Alwil avast! Antivirus 4.6 (Home Edition), Avast, Free, 1-star, Free

- Panda Titanium 2006 antivirus + antispyware, Panda Software, GBP 30, 1-star




Edited by Fitzcarraldo - September 22 2006 at 22:10
Back to Top
 Post Reply Post Reply

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.416 seconds.
Donate monthly and keep PA fast-loading and ad-free forever.