Trojan Buried In Whispering Rose Site

Discussion in 'UHall' started by Connor_Graham, Aug 9, 2008.

Thread Status:
Not open for further replies.
  1. Last week I'd asked about additional security measures for changing the password on a UO account in the case an account got hacked in order to stop the hacker from being able to respond to a verification email. In that thread Devil's Own asked me to report what I found if I was able to discover where the virus that was found on my computer came from.

    Well....I found it.

    It seems this virus actually created a copy of itself because when I discovered it last week, it was immediately quarantined, then deleted from my hard drive. Upon running my weekly full scan of everything on my computer, the virus was found again, back in an EA Games file, linked only to KR this time instead of a copy of it in both clients. When my AV program notified me the program was still present, I went digging through the files on my computer, and found 2 instances of the virus, one that was easy to recognize, and another that sent off all the alarms.

    The virus file had the name that coincided with a website I was directed to by a Whispering Rose DJ in order to be able to listen to their station. I won't name the DJ in public, but the site that this DJ directed me to was WRAR dot com. DO NOT go to this site unless you want to spend a few hours digging through your hard drive and running your AV program a couple of times.

    When I first found this virus, I was at a loss to figure out where it might have come from, as I rarely go to any sites that I haven't been to before. Once I saw the file name that was the same as the website that the Whispering Rose DJ gave me, it all clicked. It turned out when I went to this site that it did in fact list Whispering Rose as one of the links on the site, along with a few other sites that had nothing to do with UO. I'd thought it strange at first but figured it was just low budget advertising. Since the link didn't actually take me to the radio station, I'm concluding that either the site page itself, or more likely, clicking on this link is what dumped this nasty virus on my computer.

    I've spent the past hour or so going through all of my banking and credit card accounts, as well as my UO accounts, and changed all the passwords AGAIN. I didn't get hacked, so the only thing I can figure is:

    a) The WRAR site was hacked by someone and a trojan implanted
    b) The people responsible for the WRAR site just haven't had time yet to get to my account to hack it and strip it clean.

    Either way, I'm very disappointed to discover that this entire matter started with a DJ from UO's own Whispering Rose directing me to a site with a trojan imbedded in it, when in fact the REAL website that you go to in order to listen to the radio station isn't even close to the site I was directed to, which leads me to believe it was done intentionally by this DJ, either acting for his/her own benefit, or for the Benefit of Whispering Rose itself.

    Yesterday someone I've known for a very long time in game reported that one of the radio station vendors on Pacific had a vendor with multiple heartwood runics on it in the recent past. Makes me wonder if they still have that account or if it got caught in the recent sting operation.

    Anyway, just wanted everyone to know where the virus came from, and that it came from what USED TO BE a trusted member of the UO community.

    Not any more.


    Edit- It appears the possibility exists that a DNS bug that misdirected me to the site that dumped this virus on my computer may have been the reason I ended up on that site to begin with. I've been contacted by WRR and they are going to have their tech people look into the site to make sure nothing is there. At this point I'd like to retract the statement that the DJ or WRR itself may have done this intentionally and offer my apologies. I've just been a bit frustrated with finding this virus on my PC yet again, and after staying up very late last night manually going through the files on my hard drive, then up again early this morning ensuring the virus is indeed gone, I'm a bit frazzled this morning.
     
  2. "It seems this virus actually created a copy of itself"
    This is the very definition of a virus. A program that replicates.
     
  3. AdamD

    Connor, you sure that's the correct URL?
    I went to that site using a virtual machine setup with multiple virus checkers and nothing came up
    The site wasn't even a radio site, it was a realtor type site.
    I did try wrrad.com and the normal whisperingroseradio.com site too, but nada.
     
  4. I went back through the history on IE to make sure since it has been a week, and that was indeed the site I was directed to. I typed it in exactly as it was spelled on my game screen at the time it was given to me. The site I was directed to wasn't a radio site, it just happened to list WRR as one of the links on the site.
     
  5. Sean

    Sounds like it was right about the time the DNS bug was hitting sites hard and redirecting to fake sites. It's been fairly widely reported over the last 2-3 weeks

    Just a thought.


    BTW, what was the virus name?
     
  6. Cryp - Xed was the name of the virus according to my AV. The redirect might be a possibility as my check for the history of the site I went to showed WRAR dot com and not the wrrad that Adam listed. If that's the case, then my apologies to WRR and the DJ in question. That would mean though, that someone hacked their site. I typed the web address the DJ gave me while it was still on my game screen, so I know there wasn't a misspelling.
     
  7. DevilsOwn

    thank you for getting back to us, Connor, very much appreciated

    now, two things

    had a slight deja vu while reading this.... was there a report some time ago about similar sounding website name with same issue?

    and, can you list name of virus/trojan?
    :) oooops, you guys are quick, there it is
     
  8. monnie101

    The site it was on was WRAR? Sounds like a fake WinRAR site. If you were trying to get WinRAR to download the songs then the real one is rarlab.com
     
  9. I wasn't trying to do any downloads. I was merely going to the WRR site itself so I could listen to the station and had asked one of the DJ's for the web address. That's when I ended up on the site in question.
     
  10. Halister Marner

    Connor,

    You may want to look into your browser security/system security as well, you should never be instantly infected by just visiting a webpage, if you are, that means your browser is not configured correctly, or your anti virus isn't doing its job.
     
  11. As I mentioned in my OP, I believe the dl happened when I clicked on the link for WRR on the site I was sent to. If I hadn't physically clicked it, I doubt anything would have gotten through my security setup. I've been running this machine, and before that another machine, for 4 years and never had anything hit my hard drive. It's always been stopped before it got anywhere.
     
  12. Recently the WRR house on Atlantic popped up with a LOT of questionable items and I even mentioned it on the Rares Forum. Royal Guard Knife, 5 Skeletal Mounts, 10 Paroxy Dragons and tons and tons of rares. The WRR person quickly responded that they had just been collecting a long time... Now I'm going to have to wonder.
     
  13. TorAnn

    I just wanted to let everyone know that I have talked in PMs with Connor and I want to assure everyone that WRR and their DJs would never put a virus into our website nor try to hack anyone's accounts, and we are looking into this matter very hard to make sure that our site is as secure as possible. It has also been determined that this has happened over a week ago and our site has been checked and at this time is clean. If you have any more concerns please feel free to PM or ICQ WRR Management.
     
  14. Maplestone

    Do you happen to have a filename or other identifiable mark handy that people could manually check for? (just in case people don't trust their virus scanner to catch this variation?)
     
  15. There were 2 files. One was labeled WRAR and the other was dxnt. Both were found in the "My Downloads" folder on my computer.
     
  16. DJBearfoot

    This is DJBearfoot from Whisperingroseradio. We are currently investigating this issue, so far with great results. We have no intentions of giving anyone a virus. We apologize if this has caused an issue, but we are working hard to serve the community for Ultima Online. So I think everything is fine at this point. Thank you. Assist general Manager of Wrrad.com. Keep rockin
     
  17. Deadeye445

    With regard to this "situation", I just wanted to jump in here and say that I have worked with a number of the Whispering Rose Radio folks for quite some years now. Especially the station owner, Sandman. Quite a number of their personnel cut their "broadcasting teeth" at UO Radio, under my supervision, during the years I was General Manager there, and I know many of them well.
    I can assure you, that they would never do anything like this!! Ever!! I have always found WRR Management and personnel to be very honorable, and dedicated to the UO Community.
    For what it is worth.

    Michael "Deadeye" Perry
    Owner/General Manager
    GameCon Radio
     
  18. Surgeries

    The vendor I saw, at the WRR house on Pac, had an inordinate amount of Val Hammers and Runic Kits (like 25 or so). That was where I had purchased two Heartwood Runics, before I saw all the dupe threads start popping up here, and especially the comment by Jeremy about how extremely hard to get the kits were, even for a Dev that could do the quests etc. much faster than any player could, and they couldn't even get one of the kits.

    I went back at the end of July to see if I could get screenies of the vendor, but the vendor spot was empty...and now there is a new vendor selling armor suits, etc.

    Very strange, indeed.

    I did also see, back when the Legacy Marty drops first started, one of the DJs down in Lizardman level of Despise get wtfpwnaged by the Lizardmen.

    It could well be that he disconnected, and wasn't able to fight back very well, and got targeted by a LM that wasn't accessible, and couldn't get back in to defend himself from the ones right next to him, that wtfpwnaged him.

    But as he ran by, after he got rezzed somewhere, and I made the comment to him "Boy...those guys are pretty tough, eh?" as he headed back to his corpse, or what may have been left of it...he loled...

    Could all just be wild coincidence...it probably is.

    But the Val Hammers and Heartwood Kits weren't imagined, nor the vendor house they were at...that wasn't either.
     
  19. DJ Dr Lil

     
  20. _zigzag_

    Ok...so...I have read this thread and it has gone from an alert to accusations to a retraction to accusations of illegal ingame items...
    Let me redirect some things here :)

    I'm very appreciative, as I'm sure all of us are - INCLUDING the WRR people - that this issue was brought forward. WRR is aware of it, and has posted here they are investigating.

    They have also posted regarding vendors and their policy.

    I believe we have come full circle here....

    Thank you to Connor for the report, and to the WRR staff for handling this so quickly.




    EDIT: After re-reading the thread above....I see something that I have to point out.

    I think this was an unfortunate misunderstanding....and here is why.

    I just bit the big one on my other computer...and went to wrrAR.com. I got infected.
    Please note the url....wrrar.com

    Whispering Rose is wrrAD.com

    I'm certainly not saying you are incorrect Connor - just saying it *could* have been a typo that you received :)
     