Jo Taylor Posted January 2, 2006

I just entered the new version of the forum, Java popped up then my AV program reported a trojan - Win32.Tactslay. No other windows open. My AV prog deleted immediately. Please, admin, check this!

Jo

Jo Taylor Posted January 2, 2006

...And it just happened again when I refreshed the main page.

Russethouse Posted January 2, 2006

Admin will not be back at work until tomorrow but I'm running a complete scan on my computer with AVG, what AV do you have?

Jo Taylor Posted January 3, 2006

Thanks for your reply. I have eTrust EZ Antivirus. It didn't happen this time, but neither did the Java wotsit. A little research reveals that it might be an infected adserver; presumably the ad banners rotate and the infected one hasn't reared its head this time I logged on.

Here's the report from last time:

2006/01/02 18:47:19.906 File infection: C:\asdf.exe is Win32.Tactslay.U trojan. Deleted

Cheers,
Jo

Jo Taylor Posted January 3, 2006

(The time is correct, I'm on French time and the forum time is UK.)

Jo

Ex Forum Admin Posted January 3, 2006

Hi, I have spoken to the developer and he has looked into this and replied:

I’m pretty certain the problem isn’t our end, I have looked for the files that this Trojan supposedly copies to the machine and none of them appear on the webservers. I have checked our anti virus software on the webservers and it too hasn’t picked anything up.

I will double check with Tim who is back in the office tomorrow, but I suspect it’s an issue with this user’s computer or Anti Virus software.

Jo Taylor Posted January 4, 2006

Thanks for the reply. Absolutely NOT "an issue with this user's computer or Anti Virus software" - I'm well informed & protected, system is new, very few sites visited since set-up, no other windows open at incidence of dropper infection, AV up-to-date and operating real-time. EZ is excellent AV software.

It may be a glitch with Java attempting to execute via adservers; not necessarily malware. Try investigating the adserver banners.

Jo

Jc Posted January 4, 2006

Has anyone else had any problems?

Tim Stephenson (Archant IS) Posted January 4, 2006

Jo,

Can you clear your web browser's cache, delete any temporary files (if unsure use the Windows disk clean up wizard), run a full anti virus scan, and then try browsing the site again?

If you are running Windows XP, please ensure you have updated to Service Pack 2 and that you are either running the integrated firewall or have a good 3rd party firewall installed (or are accessing the web from a properly-configured dedicated firewall system). Antivirus scanners alone are not sufficient to block some pieces of malware.

Not ever having used EZ a/v I can't comment on its detection rates or quality. However I would suggest scanning your system using a different virus scanner as if something has slipped through the net then EZ may not be detecting it. You can download a free version of AVG from http://free.grisoft.com, or alternatively it would be extremely worthwhile to download and run McAfee's Stinger tool (http://vil.nai.com/vil/averttools.asp) - which can be run from a write-protected disk and will scan for and remove any of the latest known threats.

In terms of our own systems I've initiated a server-farm wide antivirus scan, but incidentally we don't actually use a Java based adserver system, nor do we use javascript to insert adverts in pages.

Without disclosing too much information we use one of the leading enterprise antivirus products to scan all files being uploaded to (and served from) our web hosting platform. Each of the webservers in the farm runs a local realtime antivirus scanner, and content is scanned for a second time when it is copied to a central file server.

Has anyone else experienced a problem while using this site? I hate to state the obvious but if one of our banners or pages has been infected then more than one person will have experienced a problem.

Regards

Autismuk Posted January 4, 2006

I can't see how accessing the forum could cause you to contract a virus. It would be difficult to do it if Archant actually *wanted* it to happen.

Java would not allow you to execute any Virus code (you can run programs but not actually hurt your system). About the only way of getting it in is via ActiveX; and there doesn't actually appear to be any ActiveX downloads on the forum. I'm running under Linux and it hasn't objected at all, or queried such.

I suspect you have a virus that is triggered - somehow - by accessing the website.

It is theoretically possible, albeit very unlikely, that the cached HTML produced for the website has the same signature as a virus.

Tim Stephenson (Archant IS) Posted January 4, 2006

[quote user="Autismuk"]I can't see how accessing the forum could cause you to contract a virus. It would be difficult to do it if Archant actually *wanted* it to happen. Java would not allow you to execute any Virus code (you can run programs but not actually hurt your system). About the only way of getting it in is via ActiveX; and there doesn't actually appear to be any ActiveX downloads on the forum. I'm running under Linux and it hasn't objected at all, or queried such.[/quote]

Some trojans have been known to attach themselves to HTML pages, and try to force browsers to download a file from a 3rd party website which then references either a known security problem within the user's browser or calls rogue ActiveX controls. These days it's fairly difficult to go via the ActiveX route as recent versions of Internet Explorer won't by default run any unsigned controls without explicitly asking the user for permission. Exploitation of a flaw is always an option, but one that can normally be prevented by application of current security patches.

As ever I can only suggest that all users ensure their systems have all current security patches installed (if unsure and running Windows please visit www.windowsupdate.com or turn on Auto Updates), and secure their systems with a good quality firewall solution.

Russethouse Posted January 4, 2006

Just for the record my AVG scan was clear...........

Deimos Posted January 4, 2006

Not experienced any problems but, if there is something in an ad server then I (and maybe many others) would not see it as I (and maybe many …) use ad blockers which would stop such things. Thus it would be possible that only a limited number of users may experience such problems (if they are from the forum).

Ian

Jo Taylor Posted January 4, 2006

Thank you for the replies.

Tim: "Can you clear your web browser's cache, delete any temporary files (if unsure use the Windows disk clean up wizard), run a full anti virus scan, and then try browsing the site again?"

I do all that regularly, and no, it didn't happen again after the first two, but I blocked pop-ups after the alerts.

"Not ever having used EZ a/v I can't comment on its detection rates or quality. However I would suggest scanning your system using a different virus scanner as if something has slipped through the net then EZ may not be detecting it."

EZ is excellent (not a freebie) - have been using it for ages on several different systems, update daily and nothing's ever got past it. EZ picked up this 'dropper' as soon as it plopped in. It didn't run and was instantly deleted.

"If you are running Windows XP, please ensure you have updated to Service Pack 2 and that you are either running the integrated firewall or have a good 3rd party firewall installed"

Yes, all up to date, and I use ZoneAlarm rather than the ineffectual one-way integrated firewall.

Autismuk: "I can't see how accessing the forum could cause you to contract a virus."

This type of trojan (AKA a 'dropper') is normally carried on ad banners.

Autismuk: "It is theoretically possible, albeit very unlikely, that the cached HTML produced for the website has the same signature as a virus."

No, it wasn't that. If you look at the log from my AV posted above, you'll see that an executable (asdf.exe) was dropped in the root directory.

Just a heads-up for anyone with less than adequate protection, and I thought admin should know just in case there was a problem.

Cheers and happy new year!

Jo

This topic is now archived and is closed to further replies.