Something strange?

ORCA Online Forum - Feel free to talk or ask about ALL kinds of old tackle here, with an emphasis on old reels!
Brian F.
Star Board Poster
Posts: 3577
Joined: Sun Sep 14, 2003 1:23 am
Location: Hilo, Hawaii

Something strange?

Post by Brian F. »

I don't know enough about computers to know if this is a problem on the board or just my computer, but I noticed that every time I access the Forum Index on this site, I get a warning from my McAfee virus program that a Trojan is detected and quarantined. It looks like it redirects or something like that. It doesn't happen with this particular Reel Talk section but only with the one which shows you the three different boards (the "ORCA Online Forum Index" link to the above left on this page). If you used that link to get here, you might have had the same thing happen too (unless you are not running an updated virus program?). I hope it's not a huge problem, but you might want to update your virus definitions and programs.
Steve
Star Board Poster
Posts: 4013
Joined: Sun Sep 14, 2003 6:11 am
Contact:

Post by Steve »

Using VirusScan 8, updated as of a day or two ago, I get no such message at that index. You should be able to ID whatever VirusScan quarantined, then learn something about the worm at the McAfee site.
Jim Schottenham
Super Board Poster
Posts: 848
Joined: Sat Sep 13, 2003 10:27 pm
Location: Upstate NY
Contact:

Post by Jim Schottenham »

Brian, I don't think it's just you. My DAT and virus program are up to date, yet I get the same, and this is what I found:

Virus Profile: Exploit-MhtRedir.gen
Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 2/13/2004
Date Added: 2/17/2004
Origin: Unknown
Length: Varies
Type: Trojan
SubType: Exploit
DAT Required: 4326

Virus Characteristics
-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the location *removed* containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incid ... _ject.mspx

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spre ... g=nefd.top

A new attack vector was discovered recently, which bypasses the MS04-013 patch. Generic detection of this new exploit code will be included in the 4366 DAT release.

--------------------------------------------------------------------------------

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/securi ... 4-013.mspx

Indications of Infection
This exploit code could be used to execute a variety of different programs/malware. Therefore it is not possible to give specific details about how to recognize

Virus Profile: Exploit-ByteVerify
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 4/9/2003
Date Added: 4/22/2003
Origin: Unknown
Length: Varies
Type: Trojan
SubType: Exploit
DAT Required: 4258

Virus Characteristics
This detection covers Java applets that attempt to exploit the Microsoft Security Bulletin MS03-011 vulnerability. The severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Conversely, malicious code may have been run, which could result in any number of modifications to the system.
All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

Indications of Infection
There are no obvious signs of infection. AVERT has received field samples that use this exploit to create a registry script file, and merge it into the system registry. This script simply altered the default start page of Internet Explorer.
Method of Infection
This exploit makes use of a security vulnerability affecting Internet Explorer and certain email clients, such as Outlook and Outlook Express.

Removal Instructions
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Additional Windows ME/XP removal considerations

We may need Paul or whomever is running the server to take a look.
Jim
Brian F.
Star Board Poster
Posts: 3577
Joined: Sun Sep 14, 2003 1:23 am
Location: Hilo, Hawaii

Thanks Jim

Post by Brian F. »

Thanks Jim, that's exactly what I'm getting. Paul is looking into it. I was beginning to think it was just my computer but I get the same warning every time I go back after scanning and removing what it finds.

Hope this doesn't take up too much of everyone's time because I want to talk about reels!
Harvey
Super Board Poster
Posts: 1086
Joined: Sat Sep 13, 2003 6:17 pm
Location: Ft. Lauderdale
Contact:

Post by Harvey »

My Norton detected it too. I have been getting it for a week now. I have noticed that some of our new members that have signed in are search engine web sites and I would bet that one of them is the source. Go to the members list and sort by date joined, then look at the ones that have joined in Sept., Oct. and Nov. of 2004 that have web sites. They will take you to a search engine or some other place not related to us at all.
Steve
Star Board Poster
Posts: 4013
Joined: Sun Sep 14, 2003 6:11 am
Contact:

Post by Steve »

Jim, what happens to such a worm if you're using a browser other than IE? Does it hang around your HD waiting for you to open IE? Does it get downloaded to your computer at all? Does the correct "patch" prevent its execution, remove the code, or what?

Since I don't use IE, I'm just concerned that the thing may be lurking on the HD, waiting to infect if IE is opened. Using XP Pro with all relevant updates.

Now, to justify posting this kind of message here and to keep Brian happy:
Image
Fred

VIRUS

Post by Fred »

Twice in 24 hours this has happened to me. Nothing happens until I go to "Reel Talk"--and then my virus software kicks in saying it has detected and removed a virus. I run XP Pro as well as IE. Keep your Microsoft updates current--as well as your virus protection.

I am on the internet a few hours a day--and this is the first time this has happened on any visited site in almost a year.

The following may help & thanks for the discussion board.

Trojan.ByteVerify
Discovered on: September 05, 2003
Last Updated on: October 21, 2003 06:59:13 PM

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system.

Also Known As: Exploit-ByteVerify [McAfee], Exploit.Java.Bytverify [KAV], JAVA_BYTVERIFY.A [Trend]

Type: Trojan Horse
Infection Length: various

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0111

Virus Definitions (Intelligent Updater) *: September 08, 2003
Virus Definitions (LiveUpdate™) **: September 10, 2003

* Intelligent Updater definitions are released daily, but require manual download and installation.

** LiveUpdate virus definitions are usually released every Wednesday.
Harvey
Super Board Poster
Posts: 1086
Joined: Sat Sep 13, 2003 6:17 pm
Location: Ft. Lauderdale
Contact:

Post by Harvey »

I just found it on my computer. It is a hijacker and takes me to a search engine page. It won't let me go to M-Soft to get the patch to fix it. I got it from www.phpbb.com/20211 which was a log on to this site and it installed a .vdx file in my systems folder. The virus came from a web site www.zango.com and is very dangerous as per Norton. I have a computer geek coming over to help me remove it.
"H"
Brian F.
Star Board Poster
Posts: 3577
Joined: Sun Sep 14, 2003 1:23 am
Location: Hilo, Hawaii

Resolved?

Post by Brian F. »

I don't get the virus warning anymore when accessing the ORCA Online Forum Index. Good going Paul, Thanks!
mortepa
Advanced Board Poster
Posts: 243
Joined: Sun Sep 14, 2003 12:15 am
Location: Madison, WI
Contact:

Post by mortepa »

Is anyone else still getting the virus/trojan warning? I was able to replicate the virus from work (using McAfee), but not from home (using Norton). Now I hear reports that the problem is gone. I hope so, but I can't verify it since my Norton doesn't report the problem.

Rumor has it that Ipowerweb fixed the virus issues...or at least is working on fixing them at the moment. Their databases were being infiltrated by a virus, moving from website to website. There was quite a stir last night on the PHPBB support board. Everyone, including me, was trying to figure exactly where the virus was embedded. Ipowerweb denied that it was even an issue that they needed to fix, until the PHP tech support got in touch with them. So hopefully that was the last of this virus! Thanks Brian for the heads-up!

I hope this thing did not hit too many of you all.

- Paul
clinton_beeler
Advanced Board Poster
Posts: 291
Joined: Sun Feb 08, 2004 2:32 pm
Location: Tulsa , Oklahoma

Post by clinton_beeler »

Hi Guys,

Sometimes it's convenient to work with computers for a living. I'm going to assume that you're using XP. You can do the same with 2000 except that the controls are in a different place.

There are two parts to spyware/malware, the files that it pokes onto your hard drive and the registry "hacks" that it puts in to take control of your machine. Here's what you need to do (in XP).

Start
All Programs
Administrative tools
Computer management
Services

There's a service called "Remote Registry" (it should be the last of the Rs). Highlight that and right-click on it to bring up the menu. Select "Properties". In the middle of the tab it will say that it starts automatically. Change that to "Disabled". There is a button that stops the service. Click on that.

Remote registry is to allow a network administrator to remotely install software on your workstation but we don't need that. It also allows a hacker/spyware/malware to do the same. By turning this "feature" off only the person logged into the computer can change the registry.

Then get some anti-spyware software. I use Spybot and Ad-Aware, both of which I downloaded (free) from download.com (they are available from several sites). Make sure that their definitions are up to date as well. That should get rid of the rest of it. Spyware sometimes shows up as a virus, but not always.

Regards,
Clinton Beeler
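The service change Clinton walks through above, as an added PowerShell example that is not from this thread or from any poster here. It assumes a current Windows system and an elevated (Administrator) PowerShell session; on the Windows 2000/XP machines the thread is about, which predate PowerShell, the equivalent sc.exe commands are given in the comments.

```powershell
# Added example: stop the Remote Registry service and set it to Disabled so it
# does not come back after a reboot, then verify the result. Run as Administrator.
#
# Windows 2000/XP equivalent (no PowerShell on those systems):
#   sc config RemoteRegistry start= disabled     (the space after "start=" is required)
#   sc stop RemoteRegistry

$name = 'RemoteRegistry'   # internal service name; the display name is "Remote Registry"

# Read the current state through CIM, which reports StartMode (Auto/Manual/Disabled)
# alongside the running State.
$before = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
if (-not $before) { throw "Service '$name' not found on this system." }
Write-Host ("Before: state={0} startmode={1}" -f $before.State, $before.StartMode)

# Stop the running instance first, then prevent it from starting at the next boot.
# Stopping alone is not enough: an Automatic service simply restarts on reboot.
if ($before.State -ne 'Stopped') {
    Stop-Service -Name $name -Force
}
Set-Service -Name $name -StartupType Disabled

# Re-read and confirm both properties rather than trusting the commands succeeded.
$after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
Write-Host ("After:  state={0} startmode={1}" -f $after.State, $after.StartMode)

if ($after.StartMode -ne 'Disabled' -or $after.State -ne 'Stopped') {
    throw "Remote Registry is still enabled or running; re-run from an elevated session."
}
```

This hardens remote registry access only; the MS03-011 and MS04-013 browser vulnerabilities described in the AV writeups earlier in the thread are closed by the Microsoft patches those writeups reference, not by this service change.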
Brian F.
Star Board Poster
Posts: 3577
Joined: Sun Sep 14, 2003 1:23 am
Location: Hilo, Hawaii

Windows 2000

Post by Brian F. »

Clinton,

Thanks for the help. How do you get rid of it if you are running Windows 2000?

Like Paul, my McAfee at work caught it but not Norton at my home computer. Don't know if it was previously disposed of because my updates were current. Up until the point where I think the service supposedly deleted the virus on their server, I was seeing that it was attempting to redirect my computer to the alternate website. It never actually got there but I don't know if my files were changed, etc.

I also deleted my old Norton and got a 2005 version downloaded. Did a scan and it tells me the machine is clean.
clinton_beeler
Advanced Board Poster
Posts: 291
Joined: Sun Feb 08, 2004 2:32 pm
Location: Tulsa , Oklahoma

Post by clinton_beeler »

Brian,
I'm not at the college (work) right now, but if I remember correctly it will be under Control Panel. Look for "Services" in Control Panel and when you find it kill "Remote Registry" (don't just stop the service, disable it so that it won't restart next time you reboot). If you can't find it let me know and I'll find a 2000 box at work next Monday.

(hmmm) So McAfee saw it but Norton didn't... When I was consulting at the police dept. and before that at Amoco we always used McAfee...

Regards,
Clinton
Brian F.
Star Board Poster
Posts: 3577
Joined: Sun Sep 14, 2003 1:23 am
Location: Hilo, Hawaii

Remote Registry

Post by Brian F. »

Clinton,

Thanks for the info - that was a great help. I found the Remote Registry panel in my Windows 2000 by going to Start, then Settings, then Control Panel, then Administrative Services. Clicked on Remote Registry and disabled it.
hgmeyerunlogged

registry lockdown

Post by hgmeyerunlogged »

Start > Control Panel > Administrative Tools > Computer Administration > Services and Applications > Services, or Start > Control Panels > Administrative Tools > Services. Select Remote Registry and double click... Then in "Startup Type" open up the drop down window and select "Disabled"... Then hit the "Apply" radio button... Then hit Okay.