SAU Community

it's the reverse placebo effect.

there used to be the problem on the board, hence this topic, but it's since been fixed. however some people don't realise it's been fixed, and hence are thinking it's somehow still happening :(

God I hope so... I've had enough of working on SAU to last me another 6 months, and I'm still not finished. :D

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302766

Fingers xed... I saw the boards down today at work, logged on later in the day no problems.

Just logged on at home (11.28pm, 3/7) and I had the exploit blocked (I'm hoping from a locally cached version of the page, but I haven't logged on from here for a week?)

Anyway, I know you'll still be monitoring it - just thought I'd let you know.

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302820

it will be a patching problem not entirely on the IVB side. Wait for dicrosoft to patch it properly IE-wise and IVB to run out the kinks, I bet, over a few weeks. IVB will be still very worried about it and a few features will no doubt be not functioning for safety!

Microsoft let out a doozy with one of their upgrades that found pirate copies of XP. Since then a lot of people are unpatched and there are lots of conflicts.

Edited by ishh
Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302830

No, haven't received it before... Was only reading about the Billion boards being affected by it this morning, didn't even blink as to why the SAU boards were down (stocktake was a b!tch.)

Silly me didn't check the timestamp in the temp file before it was removed... I've reloaded the page & IE many a time anyway - hasn't reappeared.

Who knows, peculiarity of Apache or one of the various proxies I'm running through I guess...

(Edit: Ugh... bloody thing is still running, back soon.)

Edited by cooks44
Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302902

Got it today at work after the site had been down... and just got it now at home. Each time my McAfee seems to have caught it, although there is a HEAP of HDD activity for quite some time and the computer slows down... (and no, I wasn't running a virus scan)

So something still creepy in there guys,

M

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302952

The reason this security alert comes up is because of an exploit used on IE.

This utility released by Norton (antivirus software developers) can be used to disable windows scripting... if at any time you find that you need windows scripting enabled (if one of your apps won't work) you can use the same utility to re-enable it.

http://www.symantec.com/avcenter/noscript.exe

It's recommended that you turn off scripting so that no malicious websites or people can force your browser to download and run trojans/worms.

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2302981

this is more an exploit being found by your AV than Trojans loading off the SAU page slowing down your system's hard disk.

It doesn’t mean that a Trojan is loading ... It means it has vulnerable scripting and it is possible.. < this is the message to get out!

I highly doubt that anyone got infected as it was just a generic warning from the AV reading the scripting.

Prank, I would try to word a statement that states it is the vulnerability that has been found, detected by AV, not a virus or Trojan.

I am guessing a bit there because I don’t know if anyone got infected but that’s my guess in the confusion!

For someone to achieve this they would need access to private FTP to embed the server or an identical mirror linked with the embedded server.

Most members would have this shortcutted so the mirror would not work either.

If by the slightest chance it was mirrored then it's going to jag non-members surfing from an engine.

Tell the whingers that it is their old AV update that is detecting the script.

and to please be patient.

If you can categorically state that nothing downloaded from the page and infected anyone then this will help out a lot with the complaints you may get....

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303336

GET FIREFOX or OPERA instead of the IE browser.... IT'S not the SAU board, it's because the SAU board is Invision and IE has a big hole in it ... the same will happen on any Invision Board using an IE browser until Microsoft do something.

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303398

Hi guys,

Just in case it helps, the offending file that McAfee pointed at was called 0day.htm

This file goes to http://196.regvista.com/0day.htm

Maybe this would help to sniff it out?

Immediately after McAfee finds it and cleans it, McAfee is disabled! And there is a c$#@load of hard drive activity for several minutes..

Cheers,

Matt.

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303417

yeah i got the trojan downloaded to my home machine over the weekend. i removed all the crud using adaware but my pc is now a bit fuxored unfortunately. AVG is broken so i've tried uninstalling it and installing norton but can't get through the install without it dying. :D

anyone got any advice? :P

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303473

I thought it had gone, but alas, I just got another warning from my a/v (Avast pro).

Seems to identify it as WIN32 Trojano ...

My a/v catches it and terminates connection before there's any consequence.

This only happened for the first time on Friday I think.

Has never happened before, so I can't imagine, as previously mentioned by someone, that it's Invision, unless SAU has just changed their system over.

Also, had no old cache, I clean it almost daily, and IE is set to load new page every time (no caching).

Anyways, not a big deal on my end, but perhaps might be helpful to track down the issue.

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303490

I am looking at all the manual ways now....

... For a try, install Norton in Safe Mode ... Or system restoring beforehand and repeating...

Looking into this more now I see it's a fairly old exploit reworked. So until more info unfolds it's a bit hard.

Hold down the F8 key on reboot until you get Safe Mode ... then run the install. It's tricky because you have to somehow get the AV to update in Safe Mode.

My AV rips it straight out!!! PM me if you would like to try it.

Munkyb0y, AV only finds it once it's been reported. The exploits can function and go on for months before this!

Edited by ishh
Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303497
Share on other sites

> GET FIREFOX or OPERA instead of the IE browser.... IT'S not the SAU board, it's because the SAU board is Invision and IE has a big hole in it ... the same will happen on any Invision Board using an IE browser until Microsoft do something.

This is not an option for me

cheers.

> Hi guys,
>
> Just in case it helps, the offending file that McAfee pointed at was called 0day.htm
>
> This file goes to http://196.regvista.com/0day.htm
>
> Maybe this would help to sniff it out?

I just got the identical thing.

I've been browsing SAU for 4 hours now (from the uber protected work PC). And the Norton box just fired up @ 10:44 with the same above ^^^

I've flushed ALL the temp files etc etc etc.

And I've just done it again.

Will report back if I get it again

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303506

Hello again.. this is a test

I am using IE 6, NO AV, and nothing is connecting, downloading or executing.

As I mentioned before to Munky, these exploits are often not reported for months so everyone is oblivious until there is an alert.. Then poo fly fanward forth!

This IE exploit can be used so broadly, so I still think the SAU board is fine now upgraded and more the users' buggy infected PCs, it's just that this situation alerted a lot of people that they had a problem....

For all the people with disabled AV, try this link to actually see what state your PC is in. Not sure if the demo will clean it! My guess is it will :D

http://www.trendmicro.com/hc_intro/default.asp

IE is every uni student's wet dream to practice code on .... It's also the most cloaked process, giving people the impression that it's fine because it's always running. DANGEROUS

I am still working on the manual removal... It would be good to look at the old unpatched pages ???

Bac soon ish!

Link to comment
https://www.sau.com.au/forums/topic/124535-trojans/page/2/#findComment-2303636