I need help from a script/trojan horse expert

The machines we love to hate

Moderator: Wiz Feinberg

erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am

I need help from a script/trojan horse expert

Post by erik »

Warning! For experts only!

Please go to the soundclick address at the bottom of the post and click "VERA" at song #14. When you go to the band page an image loads and then your browser is taken over and you are redirected to various sites, as well as having your Explorer homepage changed, and the offending page added to your favorites. My computer also eventually froze and I had to restart. It's a real trick trying to delete the offending HTML before it recopies itself. Anyways, any daring experts with virus detectors willing to examine this and tell me if there may be other trojans embedded in my registry, I'd really appreciate the help. I filed an abuse complaint with soundclick.com
http://www.soundclick.com/genres/charts.cfm?genre=Electronica


The following are the HTML pages associated with the offender: WARNING DO NOT CLICK THEM UNLESS YOU KNOW WHAT YOU ARE DOING!!!

http://members.rogers.com/alexmosin/index.html?
http://www.besonic.com/dr_mosin
http://members.rogers.com/alexmosin/music.html
http://members.rogers.com/alexmosin/change.html

[This message was edited by erik on 13 April 2002 at 07:48 AM.]
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Erik,

Bad boy. Very bad boy. You've just encountered some common tricks which you could have prevented. And you've just stumbled on marketeers' latest obnoxious trick to advertise their dreck.

The exploits for changing your home page, adding a Favorite, and popping new browser windows are common Javascript tricks. Simple to code, simple to prevent.

More troublesome is the executable the site wants to load (labeled as an .m3u file). I'm not about to download it and find out whether it's hostile. Your browser should have prompted you and given you the opportunity to decline. Since it didn't, I'll presume your security settings are vulnerable.

This exploit is the newly developed successor to popup windows: popup windows containing an automatic, or disguised, link to an executable. They've generated a lot of industry press in the last few weeks but until the public-at-large raises a fuss they aren't going away.

"Reputable" marketeers, an inherent oxymoron, don't include malicious code but who really knows? Personally, I think the morons who invent these things should be killed with a dull knife. Slowly.

The rest of the page code, viewed from Sam Spade's Safe Browser, reveals nothing obviously malicious beyond the annoyances mentioned above.

Do you have a trojan? Quite possibly. Obtain a reputable scanner, such as BOClean or The Cleaner, and run it on your system ASAP.

I'd be willing to bet your registry has, at a minimum, some nice code for spyware embedded in it. Run AdAware to detect and remove both executables and registry entries for known spyware.

Do you have a virus? Not likely, but you should also scan your system with your AV program. You do have an AV program, right? Right?

So how could you have prevented this?

- If you're using IE, lock down the security settings and set the Internet to use the Restricted Zone.

- Turn off Java, *all* ActiveX, and Javascript for all sites except those in the Trusted Zone.

- Disable file and font downloads in the Restricted Zone.

- Disable launching programs and files in an Iframe.

- Disable navigating sub-frames across domains.

- Get a pop-up stopper. There are several freebies widely available. As more people encounter the download problem like you did, these will become standard defenses. Until then, stay ahead of the curve.

- Better yet, get rid of IE. Get a browser that enables strong security by default, like Opera. Which, BTW, includes a built-in configurable pop-up stopper.

- Never surf without a current anti-Trojan and anti-virus program enabled.

- If a site starts popping windows rapidly, don't try to close them. Instead, hit Alt-F4 to shut down your browser. Or use Zone Alarm's Internet Lock to stop net access immediately.

- Consider installing a good proxy program like Proxomitron, which will stop pop-ups, filter ads, stop malicious Javascript, control cookies, and much, much more. It's a bit intimidating to use at first but is highly configurable. And it's free. I wouldn't surf on a PC without it.

Good luck.
erik
Posts: 2018
Joined: 7 Mar 2000 1:01 am

Post by erik »

There are certain settings in my security file that will not change. I try to switch some scripting actions to prompt. I click to change and it just goes back to the original setting. Why is this?

I tried running Norton security, and it became very cumbersome to navigate the internet. I got prompts on every click, so I uninstalled it.
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Erik,

Try this:

1. Open IE.
2. Select Tools/Internet Options.
3. Click the Security tab.
4. Select the Internet zone.
5. Click Custom Level... The Security Settings dialog displays.
6. Select radio buttons as appropriate to set your security prefs.
7. Click OK.
8. Click Apply.
9. Click OK to close the Internet Options dialog.

You should repeat this procedure to set more liberal preferences for locations in your trusted sites.

Let me know if this doesn't work for you.
> I tried running Norton security, and it became very cumbersome to navigate the internet.
I don't use the product so I can't tell you how to do so, but there is likely a preference to disable alerts for minor alarms. This is the way Zone Alarm works and it's necessary to keep it from crying "Wolf" for every ping that hits your PC. It's your choice but I wouldn't be without a software firewall or an integrated router/hardware firewall.
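An added example (mine, not from erik's or Jeff's posts) that ties the checklist in Jeff's first post to erik's "the setting just goes back" problem: it reads the Internet zone (zone 3) values IE stores in the registry for the settings Jeff lists, flags any still on Enable, and reports a matching value under the Policies keys, which override the user's choice and make the Custom Level dialog appear to ignore the change. It assumes a current Windows PC where the IE zone keys still exist and uses the well-known action IDs (1200, 1400, 1803, 1604, 1804, 1607) and value meanings (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example: audit IE Internet zone (zone 3) settings from the checklist
# and look for policy values that force them back. Not from the original thread.

$ZoneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# Action ID -> description, for the items in Jeff's checklist.
$Checks = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting (Javascript)'
    '1803' = 'File download'
    '1604' = 'Font download'
    '1804' = 'Launching programs and files in an IFRAME'
    '1607' = 'Navigate sub-frames across different domains'
}
# Assumed value meanings used by IE for these actions.
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Key, [string]$Action)
    $item = Get-ItemProperty -Path $Key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

foreach ($action in $Checks.Keys) {
    $value = Get-ZoneSetting -Key $ZoneKey -Action $action
    $label = if ($null -eq $value) { 'not set (default)' } else { $Meaning[$value] }
    # Only Enable (0) is flagged; Prompt or Disable both satisfy the checklist.
    $status = if ($value -eq 0) { 'WEAK' } else { 'ok' }
    '{0,-5} {1,-45} {2,-18} {3}' -f $action, $Checks[$action], $label, $status

    # A value under a Policies key wins over the user's choice, which is why
    # the Custom Level dialog appears to snap back to the old setting.
    foreach ($pk in $PolicyKeys) {
        $forced = Get-ZoneSetting -Key $pk -Action $action
        if ($null -ne $forced) {
            "      forced by policy: $pk\$action = $forced ($($Meaning[$forced]))"
        }
    }
}
```

Run it from a normal (non-elevated) PowerShell prompt; the HKLM policy key is read-only for the check and needs no admin rights.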