
Virus alerts [merged with 11/20 updates]

11-18-2009, 06:35 PM, #1
Chevy Guy (Thread Starter)

Virus alerts [merged with 11/20 updates]

It seems the site is still under some kind of attack. I started my computer and came directly to this site; it was slow to load, and I noticed in the lower left corner of my screen that it was waiting on an odd URL with the F word in it, something like "www.f*ckthecrisis". As soon as the page loaded, my antivirus went nuts and caught 3 Bloodhound exploit files.

The virus name is being reported as Bloodhound.Exploit.193 and it is a .swf file named inEt[1].swf.

It definitely came from an ad-type redirect on this site.

*edit*

Found it in my IE history, it is www.****thecrisis.biz, definitely a hack site stocked w/ viruses.

Last edited by Chevy Guy; 11-18-2009 at 06:44 PM.
11-18-2009, 07:04 PM, #2
ZPO

Site problems?????

I'm getting the same thing as Chevy Guy.
11-18-2009, 07:09 PM, #3
J T (IB Staff)

Did this occur on the front/home page:
http://forums.corvetteforum.com/

Or while browsing a specific thread? If the latter, it's possible, and has happened before, that a user hides a "nasty" in the signature of their post. This means it would get loaded by anyone viewing the thread where the post and signature were present. If this is the case, you'd need to tell us where this thread is so the team can take the necessary action, as it wouldn't be coming directly from Corvetteforum itself.

Of course it's possible that it's not the above and it's something else, such as through the ad network.
11-18-2009, 07:14 PM, #4
Chevy Guy (Thread Starter)

Originally Posted by J T
Did this occur on the front/home page:
http://forums.corvetteforum.com/

Or while browsing a specific thread? If the latter, it's possible, and has happened before, that a user hides a "nasty" in the signature of their post. This means it would get loaded by anyone viewing the thread where the post and signature were present. If this is the case, you'd need to tell us where this thread is so the team can take the necessary action, as it wouldn't be coming directly from Corvetteforum itself.

Of course it's possible that it's not the above and it's something else, such as through the ad network.
It's definitely the ad generator; it's been owned. People are getting it all over the site.
11-18-2009, 07:31 PM, #5
Vette_DD

I'm using Firefox with Adblock Plus and I have all signatures turned off. McAfee has not given me any warning messages and I've been on the forum off and on all day.

I do not go through the front/home page, but use a desktop shortcut to go directly to the C6 General forum or the Off Topic forum.

Don't know if this information will help with any diagnosis or not. Just thought it might.
11-18-2009, 07:44 PM, #6
vstol

This just happened to me, let's fix it ASAP.
11-18-2009, 07:45 PM, #7
newskatercat

AVG detected Javascript Obfuscation (type 714) www.f*ckthecrisis

as I just came on this site http://forums.corvetteforum.com/!
11-18-2009, 07:45 PM, #8
X-ZZ4

Google Chrome is telling me this......

Warning: Visiting this site may harm your computer!
The website at forums.corvetteforum.com contains elements from the site *******.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for *******.com.
Learn more about how to protect yourself from harmful software online.


I'm using Firefox now and it lets me through (although I'm scared to be here)......
11-18-2009, 07:52 PM, #9
CHASLS2

I have no firewall at all and I don't seem to be having any probs.
11-18-2009, 08:01 PM, #10
savewave (Administrator)

Not sure what's up with the messages some of you are getting, but I'll report the issue to the tech team at IB. I'm not getting any warning messages.
11-18-2009, 08:04 PM, #11
X-ZZ4

Here's more from Google......

Safe Browsing
Diagnostic page for *******.com

What is the current listing status for *******.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-18, and suspicious content was never found on this site within the past 90 days.
Malicious software includes 30 trojan(s).

This site was hosted on 1 network(s) including AS39150 (VLTELECOM).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, *******.com appeared to function as an intermediary for the infection of 5 site(s) including turkforum.net/, webhatti.com/, maktoob.com/.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 17 hours ago
http://safebrowsing.clients.google.c...hrome&hl=en-US
11-18-2009, 08:41 PM, #12
Datawiz

Forum has slowed down SIGNIFICANTLY in the last 10 minutes. I got the virus warning 2 hours ago. These clowns are hitting us again.
11-18-2009, 08:41 PM, #13
C2Driver

I came into OT with I.E.8 at 6:27PM and was immediately greeted by 4 notices of viruses by the Antivirus software provided by my ISP. 2 viruses were immediately deleted by my software. 1 was quarantined and 1 was deleted on reboot. I deleted the quarantined item after reboot. I have since scanned twice and appear to be virus free. Here's the log from my Antivirus software:

C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache1546322593710124536.tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:04 PM
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache68610812648445384.tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:16 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9R7CAC9X\index[1].htm Trojan-Downloader.JS.Agent.esm Delete at restart 18/11/2009 6:27:24 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KDG22NRC\manyWord[1].pdf Exploit.JS.Pdfka.anx Quarantined 18/11/2009 6:27:28 PM



File generated by Rogers Online Protection Anti-Virus
11-18-2009, 08:56 PM, #14
mbowers13

I don't know if it helps but I use the HOSTS file here and I have no warnings from Chrome. I also use FF w/AdBlock Plus.
11-18-2009, 09:02 PM, #15
leghumper

[image not captured]
11-18-2009, 09:03 PM, #16
daddy'svette

Got the bug here too.

What antivirus program will get rid of it? I use McAfee, ran a full scan and found nothing. Can't get rid of what you can't find!
11-18-2009, 09:06 PM, #17
Scoob

Originally Posted by Chevy Guy

The virus name is being reported as Bloodhound.Exploit.193 and it is a .swf file named inEt[1].swf.
Yep. My Symantec quarantined it right away.
11-18-2009, 09:18 PM, #18
OnyxC6

I had to use Malwarebytes.

see my post on the main C6%2

Last edited by OnyxC6; 11-18-2009 at 09:39 PM.
11-18-2009, 09:39 PM, #19
GS Ragtop

Here's a screen capture of the event - AVG v9, Windows 7, IE8.

11-18-2009, 09:44 PM, #20
ddecart

Why am I NOT getting anything like this? I'm browsing the forum with google chrome, firefox, and IE7 right now. None of them are getting anything.

I'm also browsing through a proxy server/firewall. Maybe that has something to do with it??