Virus from forum?


Jo Taylor
Thanks for your reply. I have eTrust EZ Antivirus.

It didn't happen this time, but neither did the Java wotsit. A little research reveals that it might be an infected adserver; presumably the ad banners rotate and the infected one hasn't reared its head this time I logged on.

Here's the report from last time:

2006/01/02 18:47:19.906 File infection: C:\asdf.exe is Win32.Tactslay.U trojan. Deleted

 

Cheers,

Jo

Link to comment
Share on other sites

Hi, 

I have spoken to the developer and he has looked into this and replied:

I’m pretty certain the problem isn’t our end,  I have looked for the files that this Trojan supposedly copies to the machine and none of them appear on the webservers.  I have checked our anti virus software on the webservers and it too hasn’t picked anything up.

I will double check with Tim who is back in the office tomorrow, but I suspect it’s an issue with this user’s computer or Anti Virus software.

Link to comment
Share on other sites

Thanks for the reply.

Absolutely NOT "an issue with this user's computer or Anti Virus software" - I'm well informed & protected, system is new, very few sites visited since set-up, no other windows open at incidence of dropper infection, AV up-to-date and operating real-time. EZ is excellent AV software.

It may be a glitch with Java attempting to execute via adservers; not necessarily malware. Try investigating the adserver banners.

Jo

Link to comment
Share on other sites

Jo,

Can you clear your web browser's cache, delete any temporary files (if unsure use the Windows disk clean up wizard), run a full anti virus scan, and then try browsing the site again?

If you are running Windows XP, please ensure you have updated to Service Pack 2 and that you are either running the integrated firewall or have a good 3rd party firewall installed (or are accessing the web from a properly-configured dedicated firewall system).

Antivirus scanners alone are not sufficient to block some pieces of malware.

Not ever having used EZ a/v I can't comment on its detection rates or quality. However I would suggest scanning your system using a different virus scanner as if something has slipped through the net then EZ may not be detecting it. You can download a free version of AVG from http://free.grisoft.com, or alternatively it would be extremely worthwhile to download and run McAfee's Stinger tool (http://vil.nai.com/vil/averttools.asp) - which can be run from a write-protected disk and will scan for and remove any of the latest known threats.

In terms of our own systems I've initiated a server-farm wide antivirus scan, but incidentally we don't actually use a Java based adserver system, nor do we use javascript to insert adverts in pages.

Without disclosing too much information we use one of the leading enterprise antivirus products to scan all files being uploaded to (and served from) our web hosting platform. Each of the webservers in the farm runs a local realtime antivirus scanner, and content is scanned for a second time when it is copied to a central file server.

Has anyone else experienced a problem while using this site? I hate to state the obvious but if one of our banners or pages has been infected then more than one person will have experienced a problem.

Regards

Link to comment
Share on other sites

I can't see how accessing the forum could cause you to contract a virus. It would be difficult to do it if Archant actually *wanted* it to happen.

Java would not allow you to execute any Virus code (you can run programs but not actually hurt your system). About the only way of getting it in is via ActiveX; and there doesn't actually appear to be any ActiveX downloads on the forum. I'm running under Linux and it hasn't objected at all, or queried such.

I suspect you have a virus that is triggered - somehow - by accessing the website.

It is theoretically possible, albeit very unlikely, that the cached HTML produced for the website has the same signature as a virus.

Link to comment
Share on other sites

[quote user="Autismuk"]I can't see how accessing the forum could cause you to contract a virus. It would be difficult to do it if Archant actually *wanted* it to happen.

Java would not allow you to execute any Virus code (you can run programs but not actually hurt your system). About the only way of getting it in is via ActiveX; and there doesn't actually appear to be any ActiveX downloads on the forum. I'm running under Linux and it hasn't objected at all, or queried such.[/quote]

Some trojans have been known to attach themselves to HTML pages, and try to force browsers to download a file from a 3rd party website which then references either a known security problem within the user's browser or calls rogue ActiveX controls. These days it's fairly difficult to go via the ActiveX route as recent versions of Internet Explorer won't by default run any unsigned controls without explicitly asking the user for permission. Exploitation of a flaw is always an option, but one that can normally be prevented by application of current security patches.

As ever I can only suggest that all users ensure their systems have all current security patches installed (if unsure and running Windows please visit www.windowsupdate.com or turn on Auto Updates), and secure their systems with a good quality firewall solution.

Link to comment
Share on other sites
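
An added example (not part of the thread or of the site's own code) of a check a site operator could run over served pages for the injected third-party references described in the post above: it lists script, frame and plug-in elements that load from hosts outside an allow-list and marks hidden frames. The host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements that can load or run active content, and the attribute naming its source.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data", "applet": "codebase"}


class ThirdPartyAudit(HTMLParser):
    """Collect active-content references that leave the allowed hosts."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.allowed = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag)
        attrs = dict(attrs)
        ref = attrs.get(attr_name) if attr_name else None
        if not ref:
            return
        # Resolve relative references against the page before comparing hosts.
        host = urlparse(urljoin(self.page_url, ref)).hostname
        if host in self.allowed:
            return
        # Zero- or one-pixel frames and display:none are typical of injected markup.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (attrs.get("width") in ("0", "1")
                  or attrs.get("height") in ("0", "1")
                  or "display:none" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})


def audit(html, page_url, allowed_hosts=()):
    """Return one finding per active element loaded from a non-allowed host."""
    parser = ThirdPartyAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><body>
<script src="/js/forum.js"></script>
<script src="http://ads.example.net/banner.js"></script>
<iframe src="http://unknown.example.org/x.html" width="0" height="0"></iframe>
<img src="http://static.example.com/logo.gif">
</body></html>"""
```

Calling `audit(SAMPLE, "http://forum.example.com/thread/1", ["ads.example.net"])` reports only the hidden iframe; with an empty allow-list the ad script is listed as well.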

Not experienced any problems but, if there is something in an ad server then I (and maybe many others) would not see it as I (and maybe many …) use ad blockers which would stop such things. Thus it would be possible that only a limited number of users may experience such problems (if they are from the forum).

Ian

Link to comment
Share on other sites

Thank you for the replies.

Tim: Can you clear your web browser's cache, delete any temporary files (if unsure use the Windows disk clean up wizard), run a full anti virus scan, and then try browsing the site again?

I do all that regularly, and no, it didn't happen again after the first two, but I blocked pop-ups after the alerts.

Not ever having used EZ a/v I can't comment on its detection rates or quality. However I would suggest scanning your system using a different virus scanner as if something has slipped through the net then EZ may not be detecting it.

EZ is excellent (not a freebie) - have been using it for ages on several different systems, update daily and nothing's ever got past it. EZ picked up this 'dropper' as soon as it plopped in. It didn't run and was instantly deleted.

If you are running Windows XP, please ensure you have updated to Service Pack 2 and that you are either running the integrated firewall or have a good 3rd party firewall installed

Yes, all up to date, and I use ZoneAlarm rather than the ineffectual one-way integrated firewall.

Autismuk: I can't see how the accessing the forum could cause you to contract a virus.

This type of trojan (AKA a 'dropper') is normally carried on ad banners.

Autismuk: It is theoretically possible, albeit very unlikely, that the cached HTML produced for the website has the same signature as a virus.

No, it wasn't that. If you look at the log from my AV posted above, you'll see that an executable (asdf.exe) was dropped in the root directory.

 

Just a heads-up for anyone with less than adequate protection, and I thought admin should know just in case there was a problem.

Cheers and happy new year!

Jo