
Message this morning from Norton...

Discussion in 'UHall' started by Uriah Heep, Jun 29, 2009.

  1. Uriah Heep

    Uriah Heep Crazed Zealot
    Stratics Veteran Alumni

    Threat Report
    Total threats found: 2


    Drive-By Downloads (what's this?)
    Threats found: 2
    Here is a complete list:

    Threat Name: Infostealer.Gampass
    File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe
    Signature (MD5): 7d772fbb3d3b8b91f75b0b109668df9e
    Location: http://wow.stratics.com/



    Direct link to: http://wow.stratics.com/index.php
    Location: http://wow.stratics.com/

    Even tho I am directing to UHall, I get a warning from WOW Stratics?
     
  2. Cloak&Dagger

    Cloak&Dagger Guest

    If you have visited WoW Stratics at all then that is why. The image comes from that web site and I am assuming that file somehow got infected? Not sure why only that file though, but that is how it looks to me.
     
  3. Lord Cuda

    Lord Cuda Sage
    Stratics Veteran

    Traitor!!! I am telling Dev you're looking at other pictures of elves from outta town good sir :p
     
  4. DevilsOwn

    DevilsOwn Stratics Legend
    Stratics Veteran Alumni Stratics Legend

    looks like it's specifically designed for jacking game accounts? nasty..... change everything right now

    and Cuda, he's just strolling.... enjoying the scenery..... and I have a rolling pin ;)
     
  5. Cloak&Dagger

    Cloak&Dagger Guest

    Oh yeah, good call. Didn't even pay attention to the fact that it was a keylogger.

    Edit: Two posts, two deaths...somehow starting to think I should stop leaving myself in dangerous places while I post...or invis maybe.
     
  6. Black Sun

    Black Sun Grand Poobah
    Stratics Veteran Alumni

    Is WoW that desperate that they hope by hacking other MMO accounts the players will quit and move to WoW instead?
     
  7. Petra Fyde

    Petra Fyde Peerless Chatterbox
    Stratics Veteran Alumni Stratics Legend

    We know about this, I passed all that information to Den, but if anyone can give us any more information we'd be grateful.

    All I can advise, being a total dunce at that level, is to check your pc for the file jpg[1].exe. It doesn't exist on mine I'm delighted to say.
     
  8. DevilsOwn

    DevilsOwn Stratics Legend
    Stratics Veteran Alumni Stratics Legend

    from the symantec site about this particular file:

    Discovered: June 8, 2001 Updated: February 13, 2007 11:50:11 AM
    Type: Trojan Horse

    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
    Downloader does the following:

    * Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.

    * After the Trojan downloads the files, it executes them.
     
  9. Black Sun

    Black Sun Grand Poobah
    Stratics Veteran Alumni

    I run Norton on both my home and office PCs, and haven't had it pop up with anything.
     
  10. Beastmaster

    Beastmaster Guest


    The [1] in the filename is an appendage and may vary from system to system depending on how many occurrences of the file exist.
     
  11. Stupid Miner

    Stupid Miner Guest

    Yea, it seems to scan the entire site: uo.stratics.com, wow.stratics.com, etc.
    Everything with ".stratics.com"
     
  12. kelmo

    kelmo Old and in the way
    Professional Stratics Veteran Alumni Dread Lord

    My Micro Trend Pro seems to have no issues with Stratics.
     
  13. Petra Fyde

    Petra Fyde Peerless Chatterbox
    Stratics Veteran Alumni Stratics Legend

    :( If I google 'wow.stratics' my AVG 'safe search' gives it a green tick.
     
  14. DevilsOwn

    DevilsOwn Stratics Legend
    Stratics Veteran Alumni Stratics Legend

    kay, gonna ask all the dumb questions cause I spend a fair share of my time lookin' slower than most, anyway

    is it possible for someone to post an image, or even an avatar or a signature, here on Stratics, with one of these nasties in it.... and if someone clicks on the image (which I do sometimes, to see if it will go bigger) would the trojan then have the opportunity to download to me


     
  15. Cloak&Dagger

    Cloak&Dagger Guest

    Technically, yes. But I am unaware of them being able to be downloaded to you without you accepting the download. Might need someone else to back me up on this as I have been out of the virus loop for a good 2-3 years.
     
  16. Uriah Heep

    Uriah Heep Crazed Zealot
    Stratics Veteran Alumni

    Didn't mean to start a panic :blushing:
    Just popped on for a minute before work this morning (was running late :p) and that's what happened.
    Hopefully it's resolved, at the moment no alarms or anything going off :)

    Just thought ya might wanna know.
     
  17. Beer_Cayse

    Beer_Cayse Guest

    it could be a false positive based on Norton heuristic coding. It's happened before but to be safe use 2 or more of the freebie AV proggies to see for sure.
     
  18. EnigmaMaitreya

    EnigmaMaitreya Crazed Zealot
    Stratics Veteran

    By and large, it is best to assume that if you click on anything on a web site, you are enabling a JAVA script.

    JAVA scripts can do a LOT of things that are BAD for you.

    I run FireFox, with the NOSCRIPT add-on. This add-on blocks all Java Scripts passively and allows you to temporarily enable scripts from the location or permanently from the location.

    Such that if I enable uo.stratics.com, I am accepting all scripts from there. IF one of those scripts goes off site, then I would be required to enable that offsite location, which I almost never do. For example, right now I have 1 (stratics.com) enabled and two disabled/forbidden.

    In conjunction with NoScript I use the AdBlockPro add on.
     
  19. Arrgh

    Arrgh Sage
    Stratics Veteran

    Well the fact that someone changed the file extension to make it look like a jpg file isn't all that reassuring imo. Exe?? If it's in your browser cache, clear your cache. If you're not sure if it's in your cache, clear it. (To OP or anyone else that found it in a search of their machine). Control Panel, Internet options, General Tab, Browsing history, click the Delete bullet, under Temporary Internet Files click the Delete bullet and that should clear cache for anyone that doesn't know how to do so under IE. Not assuming you don't, just adding it in case someone else doesn't know.

    Notice it's an .exe extension and it appears the OP has two copies one named jpg.exe and one named jpg[1].exe, most likely caught by Norton's and quarantined hopefully.

    File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe


    That has been (type of exploit) around since the wild west days of the net except it used to be you could rename an exe to a jpg and it actually worked like an exe when you opened it.


    Good catch Uriah =)
     
  20. I use the same thing as well. That way I control what scripts I want to allow.
     
  21. Alezi

    Alezi Lore Keeper
    Stratics Veteran

    I sense the fail..
    Stop using Internet Exploder
     
  22. Uriah Heep

    Uriah Heep Crazed Zealot
    Stratics Veteran Alumni

    Well, not to start an OT contest, but for 11 years of gaming, IE has worked fine for me, I've never been hacked, not even emails or anything.
    Of course I back it up, with constantly updated Norton, and ZoneAlarm Pro...
     
  23. EnigmaMaitreya

    EnigmaMaitreya Crazed Zealot
    Stratics Veteran

    Are you using IE 8?

    I don't really trust Microsoft any further than I can throw, as a group, every person that is an employee, contractor or intern. Meaning I have 0 trust in Microsoft to be a good Citizen. Indicating that I accept that I have partnered to some degree with a Voracious Predator that has no concept of putting the individual's rights above money. As such I am duly warned.

    Now having said the above, IE 8 to the best of my knowledge stole the NoScript .... let's be kind and implemented it as "Pre View" function and give you the yellow bar at the top of the page (not screen) that tells you some things have been blocked.
     
  24. smip

    smip Slightly Crazed
    Premium Stratics Veteran Stratics Legend

    I was just about to post the same thing. Here is what pops up on mine:

    General Info
    Web Site Location United States of America


    Norton Safe Web has analyzed stratics.com for safety and security problems. Below is a sample of the threats that were found.
    Threat Report
    Total threats found: 2


    Drive-By Downloads (what's this?) http://safeweb.norton.com/safety#brexp
    Threats found: 2
    Here is a complete list:

    Threat Name: Infostealer.Gampass
    File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe
    Signature (MD5): 7d772fbb3d3b8b91f75b0b109668df9e
    Location: http://wow.stratics.com/



    Direct link to: http://wow.stratics.com/index.php
    Location: http://wow.stratics.com/



    What's going on with this?
     
  25. Spellbound

    Spellbound Lore Keeper
    Stratics Veteran

  26. Petra Fyde

    Petra Fyde Peerless Chatterbox
    Stratics Veteran Alumni Stratics Legend

    Trend Micro can't find it
    McAfee can't find it
    AVG can't find it
    No one has posted saying 'I get this message when *this* ad is showing'.
    It hasn't been posted on WoW boards.
    Den is looking for it, but so far, he can't find it either.
     
  27. Bomb Bloke

    Bomb Bloke Lore Keeper
    Stratics Veteran

    @OP or anyone else who's found this file:

    Browse to this location on your drive (you might find it easier to paste the address into Windows Explorer, as the folder is hidden by default):

    C:\Documents and Settings\Your Windows Username Here\Local Settings\Temporary Internet Files

    You should be able to find the subject file in the list there, along with the exact URL it was downloaded from.

    Note that anything that's incorporated by a web page will get stored in your temp net files if using IE. Doesn't mean they actually got executed - having a virus on your computer is different to having an active virus on your computer (though one can lead to the other if your protection isn't up to scratch and you don't keep your software up to date).
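
The cache check described in the post above, together with the earlier point about executables carrying image-like names, as an added example that is not part of the original thread: it walks a copy of a browser cache folder, flags every file whose content is a Windows PE executable regardless of its name, and compares its MD5 with the signature quoted in the Norton report. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import struct
import tempfile

REPORTED_MD5 = "7d772fbb3d3b8b91f75b0b109668df9e"  # MD5 quoted in the Norton report in this thread
IMAGE_HINTS = ("jpg", "jpeg", "gif", "png", "bmp")  # assumed list of image-like name fragments

def is_pe(data: bytes) -> bool:
    """True if data has a DOS MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def scan_cache(cache_dir, known_md5s=(REPORTED_MD5,)):
    """Walk a cache folder and report every file whose content is a PE executable."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable cache entry
            if not is_pe(data):
                continue  # genuine images and other content are ignored
            digest = hashlib.md5(data).hexdigest()
            findings.append({"path": path, "md5": digest,
                             "image_like_name": any(h in name.lower() for h in IMAGE_HINTS),
                             "known_bad": digest in known_md5s})
    return findings

def build_sample_cache():
    """Constructed sample: one real JPEG header and two minimal PE stubs with image-like names."""
    d = tempfile.mkdtemp()
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    samples = {"banner.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 64, "jpg[1].exe": pe_stub,
               "photo.jpg": pe_stub + b"x"}
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d

if __name__ == "__main__":
    print(scan_cache(build_sample_cache()))
```

A finding only shows that an executable was stored in the cache, not that it ran; a `known_bad` hit means the stored bytes match the reported signature exactly.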
     
  28. Sebrina

    Sebrina Guest

    Ditto Uriah, but all this is scary to me...

    Norton scares me as well. It put in 7 running subroutines that no one could find or see, into my sister's computer when she put in the latest version....then could not get on the internet until I got one of my (real) geek friends over to fix her registry and obliterate Norton subfiles.