Virus alerts [merged with 11/20 updates] - CorvetteForum - Chevrolet Corvette Forum Discussion




Virus alerts [merged with 11/20 updates]

Old 11-18-2009, 06:35 PM   #1
Chevy Guy
CF Senior Member
Thread Starter
Member Since: Jan 2004
Posts: 16,168
Thanked 29 Times in 22 Posts
Virus alerts [merged with 11/20 updates]

It seems the site is still under some kind of attack. I started my computer and came directly to this site, it was slow to load and I noticed on the lower left corner of my screen it was waiting on an odd URL with the F word in it, something like "www.f*ckthecrisis". As soon as the page loaded, my antivirus went nuts and caught 3 bloodhound exploit files.

The virus name is being reported as Bloodhound.Exploit.193 and it is a .swf file named inEt[1].swf.

It definitely came from an ad-type redirect on this site.

*edit*

Found it in my IE history, it is www.****thecrisis.biz, definitely a hack site stocked w/ viruses.



Domain Name: ****THECRISIS.BIZ
Domain ID: D32529972-BIZ
Sponsoring Registrar: REGTIME LTD.
Sponsoring Registrar IANA ID: 1362
Domain Status: ok
Registrant ID: CO513949-RT
Registrant Name: Anton Robin
Registrant Organization: Anton Soft
Registrant Address1: Kolitina 16-4
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 193009
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.4956788435
Registrant Email: [email protected]
Administrative Contact ID: CA513949-RT
Administrative Contact Name: Anton Robin
Administrative Contact Organization: Anton Soft
Administrative Contact Address1: Kolitina 16-4
Administrative Contact City: Moscow
Administrative Contact State/Province: Moscow
Administrative Contact Postal Code: 193009
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.4956788435
Administrative Contact Email: [email protected]
Billing Contact ID: CB513949-RT
Billing Contact Name: Anton Robin
Billing Contact Organization: Anton Soft
Billing Contact Address1: Kolitina 16-4
Billing Contact City: Moscow
Billing Contact State/Province: Moscow
Billing Contact Postal Code: 193009
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.4956788435
Billing Contact Email: [email protected]
Technical Contact ID: CT513949-RT
Technical Contact Name: Anton Robin
Technical Contact Organization: Anton Soft
Technical Contact Address1: Kolitina 16-4
Technical Contact City: Moscow
Technical Contact State/Province: Moscow
Technical Contact Postal Code: 193009
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.4956788435
Technical Contact Email: [email protected]
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Created by Registrar: REGTIME LTD.
Last Updated by Registrar: REGTIME LTD.
Domain Registration Date: Tue Jun 23 14:11:15 GMT 2009
Domain Expiration Date: Tue Jun 22 23:59:59 GMT 2010
Domain Last Updated Date: Fri Nov 13 12:11:24 GMT 2009

Last edited by Chevy Guy; 11-18-2009 at 06:44 PM.
Old 11-18-2009, 07:04 PM   #2
ZPO
CF Senior Member
Support Corvetteforum!
Member Since: Jan 2008
Location: Woodstock GA
Posts: 458
Thanks: 0
Thanked 0 Times in 0 Posts
Site problems?????

I'm getting the same thing as Chevy Guy.
Old 11-18-2009, 07:09 PM   #3
J T
Administrative Contributor
Member Since: Feb 2009
Posts: 5,002
Thanks: 0
Thanked 1 Time in 1 Post

Did this occur on the front/home page:
http://forums.corvetteforum.com/

Or while browsing a specific thread? If the latter, it's possible, and has happened before, for a user to hide a "nasty" in the signature of their post. This means that it would get loaded by anyone viewing the thread where the post and signature were present. If this is the case, you'd need to tell us where this thread is so the team can take the necessary action, as it wouldn't be coming directly from Corvetteforum itself.

Of course it's possible that it's not the above and it's something else, such as through the ad network.
Old 11-18-2009, 07:14 PM   #4
Chevy Guy
CF Senior Member
Thread Starter
Member Since: Jan 2004
Posts: 16,168
Thanked 29 Times in 22 Posts

Quote:
Originally Posted by J T
Did this occur on the front/home page:
http://forums.corvetteforum.com/

Or while browsing a specific thread? If the latter, it's possible, and has happened before, for a user to hide a "nasty" in the signature of their post. This means that it would get loaded by anyone viewing the thread where the post and signature were present. If this is the case, you'd need to tell us where this thread is so the team can take the necessary action, as it wouldn't be coming directly from Corvetteforum itself.

Of course it's possible that it's not the above and it's something else, such as through the ad network.
It's definitely the ad generator; it's been owned. People are getting it all over the site.
Old 11-18-2009, 07:31 PM   #5
Vette_DD
CF Senior Member
Support Corvetteforum!
Member Since: May 2004
Posts: 66,837
Thanked 369 Times in 282 Posts

I'm using Firefox with AdBlockerPlus and I have all signatures turned off. McAfee has not given me any warning messages and I've been on the forum off and on all day.

I do not go through the front/home page, but use a desktop shortcut to go directly to the C6 General forum or the Off Topic forum.

Don't know if this information will help with any diagnosis or not. Just thought it might.
Old 11-18-2009, 07:44 PM   #6
vstol
CF Senior Member
Member Since: Mar 2002
Location: Stafford Va
Posts: 2,266
Thanked 57 Times in 57 Posts

This just happened to me, let's fix it ASAP.
Old 11-18-2009, 07:45 PM   #7
newskatercat
CF Senior Member
St. Jude Donor '06-'07-'08-'09-'10-'11-'12-'13-'14-'15-'16-'17
Member Since: Dec 2005
Location: Cape Coral Fl
Posts: 1,489
Thanked 48 Times in 31 Posts

AVG detected Javascript Obfuscation (type 714) www.f*ckthecrisis

as I just came on this site http://forums.corvetteforum.com/!
Old 11-18-2009, 07:45 PM   #8
X-ZZ4
CF Senior Member
Support Corvetteforum!
Cruise-In II Veteran
St. Jude Donor '03-'04-'05-'06-'07-'08-'09-'10-'11-'12-'13-'14-'15-'16-'17
Member Since: Feb 2001
Location: Pacific Wonderland, Oregon
Posts: 51,803
Thanked 8 Times in 6 Posts

Google Chrome is telling me this......

Warning: Visiting this site may harm your computer!
The website at forums.corvetteforum.com contains elements from the site *******.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for *******.com.
Learn more about how to protect yourself from harmful software online.


I'm using Firefox now and it lets me through (although I'm scared to be here)......
Old 11-18-2009, 07:52 PM   #9
CHASLS2
CF Senior Member
St. Jude Donor '13
Member Since: Aug 2006
Location: Portrichey FL
Posts: 57,807
Thanks: 0
Thanked 0 Times in 0 Posts

I have no firewall at all and I don't seem to be having any problems.
Old 11-18-2009, 08:01 PM   #10
savewave
Administrator
CI 2-3-4-5-6-7-8-9-10-11-12
Wounded Warrior Escort '11
St. Jude Donor '03 thru '16
NCM Lifetime Member
NCM Sinkhole Donor
Member Since: Aug 1999
Location: Lakeland TN
Posts: 52,489
Thanked 180 Times in 71 Posts

Not sure what's up with the messages some of you are getting, but I'll report the issue to the tech team at IB. I'm not getting any warning messages.
Old 11-18-2009, 08:04 PM   #11
X-ZZ4
CF Senior Member
Support Corvetteforum!
Cruise-In II Veteran
St. Jude Donor '03-'04-'05-'06-'07-'08-'09-'10-'11-'12-'13-'14-'15-'16-'17
Member Since: Feb 2001
Location: Pacific Wonderland, Oregon
Posts: 51,803
Thanked 8 Times in 6 Posts

Here's more from Google......

Quote:
Safe Browsing
Diagnostic page for *******.com

What is the current listing status for *******.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-18, and suspicious content was never found on this site within the past 90 days.
Malicious software includes 30 trojan(s).

This site was hosted on 1 network(s) including AS39150 (VLTELECOM).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, *******.com appeared to function as an intermediary for the infection of 5 site(s) including turkforum.net/, webhatti.com/, maktoob.com/.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 17 hours ago
http://safebrowsing.clients.google.c...hrome&hl=en-US
Old 11-18-2009, 08:41 PM   #12
Datawiz
CF Senior Member
Support Corvetteforum!
CI-7-8-9-10 Veteran
Cruise-In IX AutoX Winner
St. Jude Donor '05-'06-'07-'08-'09-'10-'11
St. Jude/CI Name Tag Designer
Member Since: Feb 2005
Posts: 39,907
Thanks: 0
Thanked 0 Times in 0 Posts

Forum has slowed down SIGNIFICANTLY in the last 10 minutes. I got the virus warning 2 hours ago. These clowns are hitting us again.
Old 11-18-2009, 08:41 PM   #13
C2Driver
CF Senior Member
Member Since: Feb 2008
Location: Toronto Ontario
Posts: 7,864
Thanks: 0
Thanked 0 Times in 0 Posts

I came into OT with I.E.8 at 6:27PM and was immediately greeted by 4 notices of viruses by the Antivirus software provided by my ISP. 2 viruses were immediately deleted by my software. 1 was quarantined and 1 was deleted on reboot. I deleted the quarantined item after reboot. I have since scanned twice and appear to be virus free. Here's the log from my Antivirus software:

C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache15463225937101245 36.tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:04 PM
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache68610812648445384 .tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:16 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9R7CAC9X\index[1].htm Trojan-Downloader.JS.Agent.esm Delete at restart 18/11/2009 6:27:24 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KDG22NRC\manyWord[1].pdf Exploit.JS.Pdfka.anx Quarantined 18/11/2009 6:27:28 PM



File generated by Rogers Online Protection Anti-Virus
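A log like the one C2Driver posted is the most useful artefact in a thread like this, because the order and timing of the detections show how the drive-by unfolded on the victim machine (Java applet downloader, the landing page script, a booby-trapped PDF, all within seconds). The Python below is an added example and is not code from the post or from the forum: it parses the four entries copied from C2Driver's log into records, sorts them into a timeline, and tags each with a stage label. The stage names and the "several stages within one minute" rule are my own heuristics for triage, not anything the antivirus product itself reports.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# The four entries below are copied from the Rogers Online Protection log
# quoted in C2Driver's post; everything else in this block is added example code.
AV_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache15463225937101245 36.tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:04 PM
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache68610812648445384 .tmp Trojan-Downloader.Java.Agent.ab Deleted 18/11/2009 6:27:16 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9R7CAC9X\index[1].htm Trojan-Downloader.JS.Agent.esm Delete at restart 18/11/2009 6:27:24 PM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KDG22NRC\manyWord[1].pdf Exploit.JS.Pdfka.anx Quarantined 18/11/2009 6:27:28 PM
"""

# One entry: <path, may contain spaces> <detection name> <action> <dd/mm/yyyy h:mm:ss AM/PM>
# The action is matched against a fixed vocabulary and the timestamp is anchored
# at the end of the line, so a path with an embedded space (first jar_cache entry)
# cannot be split in the wrong place.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<detection>\S+) "
    r"(?P<action>Deleted|Quarantined|Delete at restart) "
    r"(?P<stamp>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    when: datetime


def parse_log(text: str) -> List[Detection]:
    """Turn log text into Detection records; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(Detection(
            path=m["path"],
            detection=m["detection"],
            action=m["action"],
            when=datetime.strptime(m["stamp"], "%d/%m/%Y %I:%M:%S %p"),
        ))
    return records


def classify(rec: Detection) -> str:
    """Rough stage label for triage (my own heuristic, not an AV verdict)."""
    name, path = rec.detection, rec.path.lower()
    if name.startswith("Trojan-Downloader.JS") and path.endswith((".htm", ".html")):
        return "landing page script"
    if name.startswith("Trojan-Downloader.Java") or "jar_cache" in path:
        return "Java applet downloader"
    if "Pdfka" in name or path.endswith(".pdf"):
        return "malicious PDF"
    return "unknown"


def triage(text: str) -> Dict[str, object]:
    """Build a timeline and flag what still needs attention after the scan."""
    records = sorted(parse_log(text), key=lambda r: r.when)
    stages = sorted({classify(r) for r in records})
    # "Delete at restart" means the file was still on disk when the log was written.
    pending = [r.path for r in records if r.action == "Delete at restart"]
    window = (records[-1].when - records[0].when).total_seconds() if records else 0.0
    return {
        "count": len(records),
        "window_seconds": window,
        "stages": stages,
        "pending_at_restart": pending,
        # Several distinct stages landing within a minute is the signature of a
        # drive-by exploit kit rather than of separate, unrelated downloads.
        "multi_stage_within_minute": window <= 60 and len(stages) >= 2,
    }


if __name__ == "__main__":
    for rec in sorted(parse_log(AV_LOG), key=lambda r: r.when):
        print(f"{rec.when:%H:%M:%S}  {classify(rec):24} {rec.action:18} {rec.detection}")
    print(triage(AV_LOG))
```

Run as a script it prints the ordered timeline and the triage dictionary; the "pending_at_restart" list is the part to act on, since the landing page in the IE cache was only scheduled for deletion, and a second scan after the reboot (as C2Driver did) is what confirms it is gone.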
Old 11-18-2009, 08:56 PM   #14
mbowers13
CF Senior Member
Member Since: Jul 2009
Location: https://www.facebook.com/groups/OrangeCorvettes/
Posts: 1,267
Thanked 12 Times in 11 Posts

I don't know if it helps but I use the HOSTS file here and I have no warnings from Chrome. I also use FF w/AdBlock Plus.
Old 11-18-2009, 09:02 PM   #15
leghumper
CF Senior Member
Member Since: Aug 2006
Location: This post copyright, TLH Inc. All rights reserved.
Posts: 1,203
Thanks: 0
Thanked 0 Times in 0 Posts



[IMG][/IMG]
Old 11-18-2009, 09:03 PM   #16
daddy'svette
CF Senior Member
Member Since: Jul 2009
Location: Surprise AZ
Posts: 1,116
Thanks: 0
Thanked 0 Times in 0 Posts

Got the bug here too.

What antivirus program will get rid of it? I use McAfee, ran a full scan and found nothing. Can't get rid of what you can't find!
Old 11-18-2009, 09:06 PM   #17
Scoob
CF Senior Member
Member Since: Mar 1999
Location: Life's tough, wear a helmet.
Posts: 87,060
Thanks: 0
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by Chevy Guy

The virus name is being reported as Bloodhound.Exploit.193 and it is a .swf file named inEt[1].swf.
Yep. My Symantec quarantined it right away.
Old 11-18-2009, 09:18 PM   #18
OnyxC6
CF Senior Member
Member Since: Aug 2005
Posts: 1,068
Thanks: 0
Thanked 0 Times in 0 Posts

I had to use Malwarebytes.

see my post on the main C6%2

Last edited by OnyxC6; 11-18-2009 at 09:39 PM.
Old 11-18-2009, 09:39 PM   #19
GS Ragtop
CF Senior Member
St. Jude Donor '08-'09-'11
Member Since: Nov 1999
Location: Central Florida and West Michigan
Posts: 11,164
Thanks: 0
Thanked 0 Times in 0 Posts

Here's a screen capture of the event - AVG v9, Windows 7, IE8.

Old 11-18-2009, 09:44 PM   #20
ddecart
CF Senior Member
SPARTAN
CI 3-4-5-6-8-9-10 Vet
CI-9 AutoX Winner
CI-3 Go Kart Champ
St. Jude '03-'04-'05-'06-'07-'08-'09-'10-'11
Member Since: Aug 1999
Posts: 42,394
Thanks: 0
Thanked 0 Times in 0 Posts

Why am I NOT getting anything like this? I'm browsing the forum with google chrome, firefox, and IE7 right now. None of them are getting anything.

I'm also browsing through a proxy server/firewall. Maybe that has something to do with it??