Hey b0yz check out this, its hilariouz

Thing · April 05, 2004, 09:38 PM

C'mon Zakath. Check to see what processes are running. The ones that you don't recognize, look at the executable and check the time stamp on the file. If it corresponds to the time when you clickety clicked that link, kill the process and delete the file. You might want to look at other files that were created at the same time. The keystroke log will be one of them.

Or you could do what I do when I purposefully install other peoples keylogger and monitor the traffic to find out where the mother ship is. Then you can really have some fun.

Zakath · April 05, 2004, 09:49 PM

I did check for files created and/or modified today and found nothing suspicious, nor was there anything unreasonable in the process list or any of the Run registry keys. However, since people seem to be indicating that there is a virus or trojan associated with the above link, I'm asking looking for certainty.

Newby · April 05, 2004, 10:00 PM

Google lead me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantic said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened.

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantic and Pestpatrol)

Naem · April 05, 2004, 10:08 PM

Why has the original post been left untouched? People who think it's Joy posting a link, without reading the replies first, are getting their machines infected.. should at least put a warning in there.

Thankfully, logic told me to not click the link of someone who spelled boys "b0yz" and hilarious "hilariouz."

iago · April 05, 2004, 10:16 PM

Quote from: Naem on April 05, 2004, 10:08 PM
Why has the original post been left untouched? People who think it's Joy posting a link, without reading the replies first, are getting their machines infected.. should at least put a warning in there.

Thankfully, logic told me to not click the link of someone who spelled boys "b0yz" and hilarious "hilariouz."

I would have right away, but I don't moderate this forum.

Zakath · April 05, 2004, 10:19 PM

Quote from: Newby on April 05, 2004, 10:00 PM
Google lead me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantic said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened.

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantic and Pestpatrol)

That link uses that exploit. However, the exploit is rather generic and could be used for almost anything. It most definitely was not that Tarno thingy.

iago informs me that it some sort of trojan that affects people who use IRC. I do not seem to have contracted it...so either it doesn't affect Avant Browser, or it didn't affect me because I don't use mIRC (unlikely).

P.S. If someone hadn't removed everybody from being able to moderate this forum, I'd have removed it myself. Get rid of that link already!

iago · April 05, 2004, 10:32 PM

Quote from: Zakath on April 05, 2004, 10:19 PM
Quote from: Newby on April 05, 2004, 10:00 PM
Google lead me to this: http://sarc.com/avcenter/venc/data/pwsteal.tarno.b.html

(After Symantic said it was Bloodhound.Exploit.6, I searched google for that, first thing that came up)

But if you're running Opera/Firefox, I don't think anything happened.

EDIT -- I also ran two anti-viruses after clicking the link with Firefox, and nothing came up. (Symantic and Pestpatrol)

That link uses that exploit. However, the exploit is rather generic and could be used for almost anything. It most definitely was not that Tarno thingy.

iago informs me that it some sort of trojan that affects people who use IRC. I do not seem to have contracted it...so either it doesn't affect Avant Browser, or it didn't affect me because I don't use mIRC (unlikely).

P.S. If someone hadn't removed everybody from being able to moderate this forum, I'd have removed it myself. Get rid of that link already!

I scanned myself with TrendMicro and found 3 files infected with a trojan that lets people evesdrop on irc conversations.
The files were:
c:\windows\system32\notepad.exe
c:\windows\system32\taskmngr.exe - note, it's not taskmgr.exe
And the third was a .exe file that got saved in Temporary Internet Files. If you clicked on the link, I would recommend finding and deleting those files.

I sent a message to Skywing, and Grok/Adron are offline. Hopefully he'll get it and kill the link quickly.

Incidentally, why didn't Thing remove it?

Newby · April 05, 2004, 11:02 PM

Heh. I didn't find any of those files.

I think it only did something on I.E

EDIT -- My friend said he visited the page on Firefox and got a warning to allow Javascripts to run.

++

Noodlez · April 06, 2004, 12:01 AM

It created notepad in system32, and changed it so that text files run with the new notepad. Took 5 minutes to fix.

Mitosis · April 06, 2004, 05:57 AM

iago I found the same thing, but after I scanned it still pops up randonmly saying I have a virus. "Blood.Hound packed" or something like that.

iago · April 06, 2004, 06:25 AM

I don't run textfiles with notepad anyway, I use UltraEdit