NOTICE: Possible trojan on C&F

Post by **Dale** » Sat Apr 07, 2007 8:49 am

A few minutes ago I got an email from a user who believes she picked up the trojan Bloodhound 131 on this forum. I've asked Rich to look into it. At this point, I can't be sure if the problem rests in the forum code. I don't know enough about this at this point to tell you much more. I believe it may be true that this only affects Windows users using IE, but I'm not sure. In the meantime, you may want to stay off the board for awhile, or you may want to be sure you're antivirus stuff is updated and proceed. I'll keep you posted. As a precaution, I'm going to create a thread on the external poli board and I'll post an update there when I learn more about it. Those of you who want to stay off this board until the possible problem is resolved can check that forum and get updates.

I may be overreacting, but given my ignorance about this, seems like a good idea.

http://cnfpoli.informe.com/

crookedtune · Post by **crookedtune** » Sat Apr 07, 2007 8:54 am

I'm confused. Everything I was taught growing up indicated that Trojans were a good way to keep OUT of trouble.

Sorry...... yeah, thanks, Dale. You can't be too careful.

Jack · Post by **Jack** » Sat Apr 07, 2007 8:56 am

Dale,

I had to get a whole new hard drive last week and I let them explain it to me but I'm not computer-fluent, so I don't know quite what was wrong, but basically I got a computer bug from somewhere. It makes sense now that it could have been here. I'm here all the time.

Jack · Post by **Jack** » Sat Apr 07, 2007 9:07 am

Also Dale, you might want to post this warning on other forums too.

Joseph E. Smith · Post by **Joseph E. Smith** » Sat Apr 07, 2007 9:12 am

Yes, I too have had similar behavior. My A-Hole-L warned me and provided me with a means to block and remove it... let's see if it works.

gonzo914 · Post by **gonzo914** » Sat Apr 07, 2007 9:14 am

Trend Micro Office scan says it's EXPL_EXECOD.A I get a virus alert when I bring up a chiff page.

Post by **Dale** » Sat Apr 07, 2007 9:15 am

Well, we still don't know if it came from here. I don't want to over- or under-react.

Post by **Dale** » Sat Apr 07, 2007 9:16 am

In the meantime, Firefox is probably a good idea.

rhulsey · Post by **rhulsey** » Sat Apr 07, 2007 9:17 am

But isn't this forum hosted on a UNIX server?

reg

mukade · Post by **mukade** » Sat Apr 07, 2007 9:32 am

Bloodhound is a trojan that uses an exploit in Microsoft' animated cursors. It has been all over the news this week.

I haven't seen any use of animated cursors on this site.

Info from Symantec

"Bloodhound.Exploit.131 is a heuristic detection for a zero-day vulnerability affecting Microsoft Animated Cursor (ANI) file parsers (as described in Bugtraq ID 23194). The exploit can be triggered by viewing an HTML page referencing an ANI file in a vulnerable version of Internet Explorer.

Applies to: Internet Explorer 6, Internet Explorer 7"

Microsoft have already released a patch to cover the hole.

Mukade

Denny · Post by **Denny** » Sat Apr 07, 2007 6:19 pm

hi rich,

...was there really anything wrong?

I am old...and slow...and it just keeps getting worse!

raindog1970 · Post by **raindog1970** » Sat Apr 07, 2007 8:46 pm

I had to remove that very trojan from my PC twice yesterday before I downloaded the security update from Microsoft.
I wondered where I kept picking it up, as I only visited Hotmail, CNN, TV Guide Online, and here.

greenspiderweb · Post by **greenspiderweb** » Sat Apr 07, 2007 8:57 pm

Dale wrote:In the meantime, Firefox is probably a good idea.

Or at least a good Virus Protection software-McAfee picked the trojan up for me 3 times yesterday as I was trying to access Chiff, and my updates on Windows are automatic, so that update should have been already in place, but I guess it wasn't.

Glad to see we're back in business now!

djm · Post by **djm** » Sat Apr 07, 2007 10:14 pm

Okay, everybody, I found the Trojans. Don't worry. I think they have an Achilles heel ..... or maybe not.

djm

Lambchop · Post by **Lambchop** » Sat Apr 07, 2007 10:30 pm

I think it's highly suspicious that this sort of thing should come right after everyone was discussing antivirus software . . . hmmm . . .

My Symantec blocked it three times yesterday. It attempted to enter my system every time I clicked on a new thread.

Look:

Source: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KX2V0LAJ\ifr[1].htm
Risk category: Virus
Overall Risk Impact: High
Click for more information about this risk : Downloader
Action taken: Blocked
Discovered: June 8, 2001
Updated: February 13, 2007 11:50:11 AM
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Downloader connects to the Internet and downloads other Trojan horses or components.

Downloader does the following:
Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
After the Trojan downloads the files, it executes them.

Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan.
ProtectionVirus Definitions (LiveUpdate™ Weekly) June 13, 2001
Virus Definitions (Intelligent Updater) June 11, 2001
Threat AssessmentWildWild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
DamageDamage Level: Low
DistributionDistribution Level: Low

Downloader does the following:
Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
After the Trojan downloads the files, it executes them.