My virus program blocks a malicious program on this page?

Postby Curt on Tue Nov 23, 2004 9:59 am

I'm not computer savvy at all, but my PC-Cillin virus program blocks a malicious program every time it comes to the message board. I get a "malicious program blocked" pop-up. What's up with that?
Curt
Time Trialer
 
Posts: 462
Joined: Fri Jul 02, 2004 11:15 pm

Postby Jad on Tue Nov 23, 2004 10:03 am

It is trying to save the rest of us from your malicious posts :D

My Norton Antivirus doesn't find anything (though I think it sucks, certainly failed as a spam blocker).

Happy Thanksgiving
Jad Duncan
997 S Cab - Sold
996 "not a cup car" Sold
Tesla Model S
Porsche Taycan
https://www.goldfishconsulting.com/
Jad
Pro Racer
 
Posts: 1788
Joined: Wed Jun 30, 2004 11:03 am
Location: Del Mar

Postby Kim Crosser on Tue Nov 23, 2004 10:19 am

Did PC-Cillin identify the malicious code by name or type?

In some tests, PC-Cillin had several "false positive" responses (falsely claimed it detected viruses) where other products did not. This could be one of those cases.
Kim Crosser
Club Racer
 
Posts: 791
Joined: Fri Jul 02, 2004 9:37 am
Location: Rancho Santa Fe, CA

Postby MikeD on Tue Nov 23, 2004 10:27 am

Hmm... Don't know what to tell ya Curt. There are no malicious programs on this site. As a matter of fact there is very little JavaScript (i.e. client-side programming) at all.

I'm assuming this just started happening recently? Did you recently update PC-Cillin?

Also, check the settings. In some virus software you can have settings ranging from "ultra-paranoid" to "go-ahead-and-take-it". Maybe a recent update reset your settings?

I've never heard of PC-Cillin, so I can't really help with specifics. But you may want to consider sending them an email about this. Include the page you are trying to access and the exact error message you are receiving.

HTH.
Mike Dougherty
'02 986 S - Arctic Silver/Black - #757 -- gone but not forgotten
MikeD
Club Racer
 
Posts: 777
Joined: Mon Jun 28, 2004 8:31 pm
Location: Davidson, NC

Postby Curt on Tue Nov 23, 2004 10:52 am

It gives a Source URL: http: //195.225.177.13/100006/ar3.jar

And the virus name is JAVA BYTEVER.A-1

I did just update the virus program, I'll check the settings.

Thanks

Postby MikeD on Tue Nov 23, 2004 11:24 am

Curt wrote: It gives a Source URL: http: //195.225.177.13/100006/ar3.jar

And the virus name is JAVA BYTEVER.A-1

I did just update the virus program, I'll check the settings.

Thanks


That's not from this site. Does the AV software warn you when you go to other sites?

The research I've done indicates that clearing your browser's cache will solve the problem.

In IE: Tools -> Internet Options: In the box called "Temporary Internet Files" press the "Delete Files" button. In the popup dialog check the "Delete all offline content" and press "OK".

Firefox: Tools -> Options: Select the "Privacy" box, then in the box on the right press the "Clear" button next to "Cache".

Mozilla/Netscape: Edit -> Preferences -> Advanced -> Cache: Then click the "Clear Cache" button.

I'll keep looking into this, but let me know if this doesn't resolve the issue.
Last edited by MikeD on Tue Nov 23, 2004 7:02 pm, edited 1 time in total.

Postby Chris Moon on Tue Nov 23, 2004 11:46 am

McAfee detects an "Exploit-MhtRedir.gen" trojan every time I go to the Forum home page (http://web2.pcasdr.org/phpBB2/). I tried clearing my cache and it makes no difference.

CM
'88 951 More Boost!
Chris Moon
Member
 
Posts: 26
Joined: Fri Jul 16, 2004 11:24 am
Location: Mission Viejo

Postby MikeD on Tue Nov 23, 2004 12:18 pm

Chris Moon wrote: McAfee detects an "Exploit-MhtRedir.gen" trojan every time I go to the Forum home page (http://web2.pcasdr.org/phpBB2/). I tried clearing my cache and it makes no difference.

CM


Chris,

That's a different issue. Here's what I found about that virus:

http://vil.nai.com/vil/content/v_101033.htm

McAfee Inc. wrote:
-- Update June 24, 2004--
It has recently been made known that some IIS servers have been remotely hacked. This exploit was utilized to redirect the client's browser to the location http://217.107.218.147 containing an infected webpage causing unsolicited files to be downloaded and executed.

Certain downloaded files are detected as BackDoor-AXJ.dll , JS/Exploit-DialogArg.b , and VBS/Psyme with the current DAT files.

For further details concerning this threat, and details of available Microsoft patches see:
http://www.microsoft.com/security/incid ... _ject.mspx

-- Update June 10, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Pop-up+toolbar+spre ... g=nefd.top

A new attack vector was discovered recently, which bypasses the MS04-013 patch. Generic detection of this new exploit code will be included in the 4366 DAT release.

This detection covers code designed to exploit an Internet Explorer vulnerability.

The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

The end result is the execution of arbitrary code at the permission level of the current user.

Microsoft has released a patch for this vulnerability.
See: http://www.microsoft.com/technet/securi ... 4-013.mspx



And, FWIW web2.pcasdr.org is running Apache on FreeBSD NOT IIS on Windows. So while there may be something that is triggering McAfee it was NOT the source of the virus.

Edit reason: Inadvertently pasted quoted text twice

Postby glenn_993 on Tue Nov 23, 2004 5:03 pm

I have also been getting the same message as Chris. The virus software that is used where I work detects the trojan virus and then deletes the files.
Glenn Marlin #24
96 993 C2 track
glenn_993
Autocrosser
 
Posts: 110
Joined: Tue Jul 06, 2004 8:00 am
Location: Ramona

Postby Kim Crosser on Tue Nov 23, 2004 6:29 pm

MikeD (or other admin) - perhaps you might want to modify the address of the "hostile" site, (put underscores instead of the periods? or maybe just delete the link) so that forum browsers don't accidentally click on the link and infect themselves?

Clicking on the other links gets you to good information, but if a user accidentally clicks on the site identified as the problem, they are probably going to get infected.

Can you edit/remove that link from the posted message?

Postby MikeD on Tue Nov 23, 2004 7:09 pm

OK Kim. I'm not sure why someone would click on a link that is obvious trouble, but I've edited the URLs in Curt's and my posts.

FWIW, I am looking into this as best I can. However, you should know that as of right now there is nothing to indicate that either PCA SDR web site has been hacked or is infected with any sort of virus.

Postby Steve Grosekemper on Tue Nov 23, 2004 9:39 pm

I have done a little research on this since I noticed it last week. The forum redirects from pcasdr to a host server. When we all got our virus scan updates last week a new fix was installed for this exploit virus. Because the forum redirects, all our virus scan programs think this is a virus. It is not. It is an overreacting virus-scan program. I have McAfee and had the same problem with another technical site I use that redirects. These are the only two sites that I use that are like this. It also only does this on Internet Explorer. I am currently using the Mozilla Firefox browser for forum use and have no issues.

I imagine we will all get a fix for this fix in a few weeks through our virus scan update engine. So do like I have and use a non-I.E. browser for the forum (Mozilla, Netscape or other). I am sure Mike has real problems to deal with instead of this oversensitive virus scan issue.

Remember! Better oversensitive virus protection than undersensitive!
Steve Grosekemper #97
http://www.911SG.com
https://www.facebook.com/911steveg/
https://www.instagram.com/steve911sg/
PCA-SDR Tech Advisor/Scrutineer/Forum-Admin
1997 993S & 986S street cars & 911SC track car.
Steve Grosekemper
Admin
 
Posts: 1381
Joined: Thu Jul 01, 2004 6:15 pm
Location: San Diego

Postby MikeD on Tue Nov 23, 2004 10:06 pm

Thanks for the insight Steve, I appreciate you doing the legwork for me. Don't know if I would have been able to figure that one out as it would not have occurred to me.

For my clarification and understanding. When you go to http://www.pcasdr.org and click on "Forum" you will get linked directly to this site, no redirection. However, if someone is using an old bookmark to http://www.pcasdr.org/forum they will get redirected. So are you saying that you were going to http://www.pcasdr.org/forum and getting redirected, thereby triggering the virus software? Or are you saying that you clicked on the "Forum" link from http://www.pcasdr.org?

If I am understanding what you are saying correctly people can just update their bookmark to point to http://web2.pcasdr.org/phpBB2 and it should be fine. Of course Mozilla/Firefox is a far better alternative in my opinion, but I know how much people LOVE their Microcrap... I mean Microsoft software so I thought I would throw it out there. :wink:

P.S. What could be more important than taking care of the PCA SDR forum and my fellow Porschefiles? :shock:
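The redirect theory in the two posts above can be checked rather than guessed at. The script below is an added example, not code from this thread or from the forum's software: it walks a redirect chain hop by hop and reports the traits that separate the forum's own www.pcasdr.org -> web2.pcasdr.org hop from the kind of hop the AV alerts named (a bare-IP host serving a .jar). The hop list is constructed inline so it runs offline, registrable_part is a crude two-label assumption rather than a public-suffix lookup, and 192.0.2.10 is a documentation-range placeholder.

```python
# Added example, not code from the thread: walk a redirect chain hop by hop and flag
# what separates a benign in-house redirect (www.pcasdr.org/forum -> web2.pcasdr.org/phpBB2)
# from the hop Curt's AV reported (a bare-IP host serving a .jar). Runs offline on constructed hops.
import ipaddress
from urllib.parse import urljoin, urlsplit

SUSPECT_EXT = (".jar", ".chm", ".exe", ".hta")  # types named in the thread plus two common dropper formats

def registrable_part(host):
    """Crude 'same organisation' test: last two DNS labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_hop(src, dst):
    """Findings for a single redirect src -> dst (both absolute URLs)."""
    s, d = urlsplit(src), urlsplit(dst)
    findings = []
    if is_ip_literal(d.hostname or ""):
        findings.append("redirect to bare IP host")
    elif registrable_part(s.hostname or "") != registrable_part(d.hostname or ""):
        findings.append("cross-organisation redirect")
    if d.path.lower().endswith(SUSPECT_EXT):
        findings.append("target is an executable/archive payload")
    return findings
def assess_chain(hops):
    """hops: (status, url, location) per step as a non-auto-redirecting client sees them; Location may be relative."""
    report = []
    for status, url, location in hops:
        if status not in (301, 302, 303, 307, 308) or not location:
            continue  # final page or a redirect without a Location header: nothing to assess
        target = urljoin(url, location)
        report.append((url, target, assess_hop(url, target)))
    return report
# Constructed sample chain: the forum's own redirect, then a hop shaped like the reported one
# (192.0.2.10 is a documentation-range placeholder, not the host from the thread).
SAMPLE = [
    (302, "http://www.pcasdr.org/forum", "http://web2.pcasdr.org/phpBB2/"),
    (200, "http://web2.pcasdr.org/phpBB2/", None),
    (302, "http://example.invalid/page", "http://192.0.2.10/100006/ar3.jar"),
]
if __name__ == "__main__":
    for src, dst, findings in assess_chain(SAMPLE):
        print(src, "->", dst, ":", "; ".join(findings) or "plain in-house redirect")
```

To test a real bookmark, feed assess_chain the (status, url, Location) triples recorded by a client that does not follow redirects automatically; the benign forum hop produces no findings, which is the point of the comparison.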

Postby MikeD on Tue Nov 23, 2004 10:09 pm

Oh also... I would like to hear from some of you that are having this issue. Can you do some experimentation to confirm or deny Steve's (and now my) suspicions. Let me know either way so I can/don't stay up all night trying to fix this.

Thanks!

Postby Curt on Tue Nov 23, 2004 11:10 pm

MikeD wrote: Oh also... I would like to hear from some of you that are having this issue. Can you do some experimentation to confirm or deny Steve's (and now my) suspicions. Let me know either way so I can/don't stay up all night trying to fix this.

Thanks!


My work computer has no issues when I come to this page. I am using Zone Alarm's virus program at work.
