Welcome to Valhalla Legends Archive.

Hey b0yz check out this, its hilariouz

Started by j0ykillah, April 05, 2004, 05:34 AM


Thing

C'mon Zakath.  Check to see what processes are running.  The ones that you don't recognize, look at the executable and check the time stamp on the file.  If it corresponds to the time when you clickety clicked that link, kill the process and delete the file.  You might want to look at other files that were created at the same time.  The keystroke log will be one of them.

Or you could do what I do when I purposefully install other peoples keylogger and monitor the traffic to find out where the mother ship is.  Then you can really have some fun. >:D
That sucking sound you hear is my bandwidth.

Zakath

#16
I did check for files created and/or modified today and found nothing suspicious, nor was there anything unreasonable in the process list or any of the Run registry keys. However, since people seem to be indicating that there is a virus or trojan associated with the above link, I'm looking for certainty.
Quote from: iago on February 02, 2005, 03:07 PM
Yes, you can't have everybody...contributing to the main source repository.  That would be stupid and create chaos.

Opensource projects...would be dumb.

Newby

#17
Google led me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantec said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened. :(

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantec and Pestpatrol)
- Newby

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote
<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

Naem

Why has the original post been left untouched? People who think it's Joy posting a link, without reading the replies first, are getting their machines infected.. should at least put a warning in there.

Thankfully, logic told me to not click the link of someone who spelled boys "b0yz" and hilarious "hilariouz."
If you can read this, "PM" me.

iago

Quote from: Naem on April 05, 2004, 10:08 PM
Why has the original post been left untouched? People who think it's Joy posting a link, without reading the replies first, are getting their machines infected.. should at least put a warning in there.

Thankfully, logic told me to not click the link of someone who spelled boys "b0yz" and hilarious "hilariouz."

I would have right away, but I don't moderate this forum.  
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Zakath

#20
Quote from: Newby on April 05, 2004, 10:00 PM
Google led me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantec said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened. :(

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantec and Pestpatrol)

That link uses that exploit. However, the exploit is rather generic and could be used for almost anything. It most definitely was not that Tarno thingy.

iago informs me that it's some sort of trojan that affects people who use IRC. I do not seem to have contracted it...so either it doesn't affect Avant Browser, or it didn't affect me because I don't use mIRC (unlikely).

P.S. If someone hadn't removed everybody from being able to moderate this forum, I'd have removed it myself. Get rid of that link already!

iago

Quote from: Zakath on April 05, 2004, 10:19 PM
Quote from: Newby on April 05, 2004, 10:00 PM
Google led me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantec said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened. :(

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantec and Pestpatrol)

That link uses that exploit. However, the exploit is rather generic and could be used for almost anything. It most definitely was not that Tarno thingy.

iago informs me that it's some sort of trojan that affects people who use IRC. I do not seem to have contracted it...so either it doesn't affect Avant Browser, or it didn't affect me because I don't use mIRC (unlikely).

P.S. If someone hadn't removed everybody from being able to moderate this forum, I'd have removed it myself. Get rid of that link already!

I scanned myself with TrendMicro and found 3 files infected with a trojan that lets people eavesdrop on irc conversations.
The files were:
c:\windows\system32\notepad.exe
c:\windows\system32\taskmngr.exe - note, it's not taskmgr.exe
And the third was a .exe file that got saved in Temporary Internet Files.  If you clicked on the link, I would recommend finding and deleting those files.

I sent a message to Skywing, and Grok/Adron are offline.  Hopefully he'll get it and kill the link quickly.  

Incidentally, why didn't Thing remove it?
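Thing's timestamp check earlier in the thread (compare each unfamiliar executable's creation time with the moment the link was clicked) and the look-alike name iago reports (taskmngr.exe next to the real taskmgr.exe) can be combined into a small triage script. This is an added example, not code from the thread or from any poster; the click time, the file inventory and the allow-list of system32 binaries are constructed sample values.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample data (not from the thread): the time the link was clicked
# and a (path, creation time) inventory such as a scan of system32 and the IE
# cache would produce. The dropped files were created a minute after the click;
# the legitimate binaries are months older.
CLICK_TIME = datetime(2004, 4, 5, 5, 40)
INVENTORY = [
    (r"c:\windows\system32\taskmgr.exe", datetime(2003, 8, 23, 12, 0)),
    (r"c:\windows\system32\calc.exe", datetime(2003, 8, 23, 12, 0)),
    (r"c:\windows\system32\taskmngr.exe", datetime(2004, 4, 5, 5, 41)),
    (r"c:\windows\system32\notepad.exe", datetime(2004, 4, 5, 5, 41)),
    (r"c:\temp\temporary internet files\content.ie5\abcd1234\x[1].exe",
     datetime(2004, 4, 5, 5, 40, 30)),
    (r"c:\my documents\notes.txt", datetime(2004, 4, 5, 9, 0)),
]
# Hypothetical allow-list of names that legitimately live in system32.
KNOWN_SYSTEM_BINARIES = {"taskmgr.exe", "notepad.exe", "calc.exe", "explorer.exe"}


def created_near(inventory, click_time, window=timedelta(minutes=10)):
    """Paths whose creation time falls within +/- window of the click."""
    return [path for path, created in inventory if abs(created - click_time) <= window]


def lookalike(name, known=KNOWN_SYSTEM_BINARIES, threshold=0.85):
    """Known binary this file name closely resembles without matching, or None."""
    name = name.lower()
    if name in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def triage(inventory, click_time, window=timedelta(minutes=10)):
    """Map each suspicious path to the list of reasons it was flagged."""
    flagged = {}
    in_window = set(created_near(inventory, click_time, window))
    for path, created in inventory:
        reasons = []
        if path in in_window:
            reasons.append(f"created within {window} of the click ({created:%H:%M:%S})")
        twin = lookalike(path.rsplit("\\", 1)[-1])
        if twin:
            reasons.append(f"name resembles {twin}")
        if reasons:
            flagged[path] = reasons
    return flagged


for p, why in triage(INVENTORY, CLICK_TIME).items():
    print(p, "->", "; ".join(why))
```

A file that is flagged for both reasons, like the taskmngr.exe entry, deserves a look before anything that is merely new.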


Newby

#22
Heh. I didn't find any of those files.

I think it only did something on I.E :(

EDIT -- My friend said he visited the page on Firefox and got a warning to allow Javascripts to run. :(++
- Newby


Noodlez

It created notepad in system32, and changed it so that text files run with the new notepad. Took 5 minutes to fix.

Mitosis

iago I found the same thing, but after I scanned it still pops up randomly saying I have a virus. "Blood.Hound packed" or something like that.

iago

I don't run textfiles with notepad anyway, I use UltraEdit :)