Might be a malware problem

[garenasix]

im getting this from members who belong to this forum off of facebook they dont want to come back in here for fear there getting this problem from this site .. me i run linux and free BSD so the odds of me getting it is nill just figured id pass there message along

original post found here on VAPORS LOUNGE facebook Login | Facebook

========================== snippit ==================================
Sharon Angleman Goodson Update for those interested and/or knowledgeable about these things: At this point I believe the trojan is coming in through a YUI java utility and is possibly ad-related. But it definitely came in from ECF - this last time all related files and changes occurred at 7:07 when ECF was accessed.

I'm REALLY trying to backtrack to identify something before I clean up entirely. Much quicker this time because I know where things are hiding, what reg keys are affected, etc. Alan was on my computer early Saturday morning. IE history shows two websites (FB and ECF) accessed about the time he started experiencing issues. Not knowing my computer, he didn't allow any changes and backed away (smart guy . In trouble shooting at one point I clicked the ECF link in history - BAM "Windows Recovery" shows up, Alan confirms this is the same program. I noticed just before the "program" window appeared that a java console was loading.

I eventually decided the reappearance when I clinked ECF was a coincidence, as WR was still running at the time (and I had not yet even identified it). That was yesterday about 10 a.m.

Today about 6:30 p.m., after final cleanup touches I thought I'd catch up on FB. Interested in one of Mandy's articles, I googled the title to find the original. Most links pointed to ECF, went ahead and clicked there (not thinking twice, as it was a coincidence) - BAM, java console starts again, I see a part of a web address in the status bar http://www.e-cigarette-forum.com/forum/computer-security/www.tick...something, then up pops Windows Recovery again.

Within seconds my files were hidden again, task manager disabled, yada yada. I knew how quickly get to another task manager program (even blind), and I'm in the middle of the rest of the cleanup processes now. I've saved some of the obvious js files as text. There is also a very strange index.htlm file containing script and a long series of comma separated number sets (of two and three numerals per set).

If someone wants to pass this info along to RolyGate, maybe it will be of some use. I'm not going back to ECF until I make sure all my java, etc. is up to date. It's obviously not (yes, Alan, I know, but you know how I feel about auto updates - they've broken my machine more times than trojans have).
59 minutes ago

============================= end of snippet ===============================

 

[rolygate]

Thank you for this, we are looking into it.

For now, what I suggest is updating your Java by going here:

Download Free Java Software

Then uninstall all old Java files and also delete the Java installer app by running JavaRa from here:

http://raproducts.org/wordpress/software
Choose: "Download Windows Binary (.zip file)"

Then run an online check to see if your Java installation is now secure:

OSI - Consumer - Products

You may get a warning from your browser about an Applet on this page but it's OK, it's the Secunia Online Software Inspector, or OSI.

Hit the red button in the centre of the page, "Start Scanner". You will have to approve the site's digital certificate and disable any HIPS blocking you have. The scan has two levels, brief or thorough, you can run the quick one first to see how the land lies.

This service is approved by Gizmo Richards at www.techsupportalert.com so it comes highly recommended (Gizmo's is the biggest online community for free software resources and Gizmo has a spotless reputation).

This will take care of business if in fact this malware is taking advantage of old and outdated Java on your PC.

 

[sjrily]

Ok - did java and windows updates last night and accessing ECF ok now (umm, yeah). As I suspected, it seems it was (is) a trojan exploiting a security hole in outdated java using YUI loader. I still think it's ad related, but it did hit simultaneously when going only to ECF on three different occasions within a 36 hour period (different entry points each time as well). In trying to isolate what happened, where, etc. I saved various js events, html and various files as text if you want to take a look at them. I also have some information about the trojan, the .exe files and some logs if that would help you identify anything.

Thanks for the info. It's a miserable reminder of the importance of staying updated (I loath "auto-update" everything).

 

[AngusATAT]

(I loath "auto-update" everything).

So do I. That is why I only have a select few applications auto-update, such as Java and Firefox. The rest can wait for me to manually update them.

 

[rolygate]

@sjrily
Thanks for the offer of relevant files, this is useful as it is hard to replicate the issue for our tech guys (you need a PC with outdated software to get the problem, so they can't see it with their normal PCs).

Please create a zip file with the info and either attach it here or email to admin@ecf - please see the Contacts page linked at the top and bottom of every page. Many thanks.

 

[sjrily]

@sjrily
Thanks for the offer of relevant files, this is useful as it is hard to replicate the issue for our tech guys (you need a PC with outdated software to get the problem, so they can't see it with their normal PCs).

Please create a zip file with the info and either attach it here or email to admin@ecf - please see the Contacts page linked at the top and bottom of every page. Many thanks.

You're most welcome. I knew it was unique to environment, or everybody would have been having issues. I noted java was involved right off, and got this horrid sinking feeling when I realized I couldn't remember when I'd updated last. Email and attachment sent. Hopefully there's something of use, but that's way out of my ballpark. Thanks!!

 

[Alex]

Just a note...

YUI Loader is a *javascript* component which loads *javascript* files. We are on the latest version of YUI, v 2.8.2

Java is not the same as javascript.

Just to clarify the differences between Javascript and Java:
Javascript is used to make your browser experience easier. It may only interact with the current page, it can not operate outside of the browser. It may not read your system files, etc.
Java is a programming language that is used for applications, but it has a ton of other purposes. It may run in the browser and also interact with anything on your computer.

*** ECF does not use Java at all. ***

Feel free to disable java:

Firefox: How to turn off Java applets | How to | Firefox Help
Chrome: about : plugins < remove the spaces

 

[sjrily]

Just a note...

YUI Loader is a *javascript* component which loads *javascript* files. We are on the latest version of YUI, v 2.8.2

Java is not the same as javascript.

Just to clarify the differences between Javascript and Java:
Javascript is used to make your browser experience easier. It may only interact with the current page, it can not operate outside of the browser. It may not read your system files, etc.
Java is a programming language that is used for applications, but it has a ton of other purposes. It may run in the browser and also interact with anything on your computer.

*** ECF does not use Java at all. ***

Feel free to disable java:

Firefox: How to turn off Java applets | How to | Firefox Help
Chrome: about : plugins < remove the spaces

I'm sorry - I should have said YUI javascript utility and javascript files - I believe it was my outdated java allowed the problem.

 

[Sdh]

im getting this from members who belong to this forum off of facebook they dont want to come back in here for fear there getting this problem from this site .. me i run linux and free BSD so the odds of me getting it is nill just figured id pass there message along

original post found here on VAPORS LOUNGE facebook Login | Facebook

========================== snippit ==================================
Sharon Angleman Goodson Update for those interested and/or knowledgeable about these things: At this point I believe the trojan is coming in through a YUI java utility and is possibly ad-related. But it definitely came in from ECF - this last time all related files and changes occurred at 7:07 when ECF was accessed.

I'm REALLY trying to backtrack to identify something before I clean up entirely. Much quicker this time because I know where things are hiding, what reg keys are affected, etc. Alan was on my computer early Saturday morning. IE history shows two websites (FB and ECF) accessed about the time he started experiencing issues. Not knowing my computer, he didn't allow any changes and backed away (smart guy . In trouble shooting at one point I clicked the ECF link in history - BAM "Windows Recovery" shows up, Alan confirms this is the same program. I noticed just before the "program" window appeared that a java console was loading.

I eventually decided the reappearance when I clinked ECF was a coincidence, as WR was still running at the time (and I had not yet even identified it). That was yesterday about 10 a.m.

Today about 6:30 p.m., after final cleanup touches I thought I'd catch up on FB. Interested in one of Mandy's articles, I googled the title to find the original. Most links pointed to ECF, went ahead and clicked there (not thinking twice, as it was a coincidence) - BAM, java console starts again, I see a part of a web address in the status bar http://www.e-cigarette-forum.com/forum/computer-security/computer-security/www.tick...something, then up pops Windows Recovery again.

Within seconds my files were hidden again, task manager disabled, yada yada. I knew how quickly get to another task manager program (even blind), and I'm in the middle of the rest of the cleanup processes now. I've saved some of the obvious js files as text. There is also a very strange index.htlm file containing script and a long series of comma separated number sets (of two and three numerals per set).

If someone wants to pass this info along to RolyGate, maybe it will be of some use. I'm not going back to ECF until I make sure all my java, etc. is up to date. It's obviously not (yes, Alan, I know, but you know how I feel about auto updates - they've broken my machine more times than trojans have).
59 minutes ago

============================= end of snippet ===============================

Up until last Friday I was on that facebook forum...guess what. That particular Facebook vaporsforum (vapors lounge) is where their is a security problem. I obtained the windows restore virus from that particular group.

Never had a problem with ecf thus far. No more facebook for me. I am looking into a better antivirus program. My computers are being repaired and debugged. I tried my limited knowledge of manually debugging and it did not work... However, with what information from computer stores and online..this particular virus is harder to track. IDK I am not a computer geek...

 

[rolygate]

This turned out to be a Facebook trojan, nothing to do with ECF although it seemed to have been designed to kick in if an ECF link was clicked on Facebook.

As far as we are aware, only those who use Facebook and perhaps go to a particular group there were affected.

 

[sjrily]

Wow! Awesome work, and t6hanks for the update!

That's some stuff, there - So you mean I actually got the trojan from FB, but it would only show it's head when I went to ECF? The very first incident was when my husband was on my computer (I didn't witness it). When I asked him what sites he went to, he said the FB forum and one other. I told him he must have been mistaken because history showed ECF, not FB. He kept saying he was sure it was FB, but "obviously it was ECF. (He'll be glad it know he's not losing his mind, at least as far as this issue went *lol)

After that twice I came to ECF, but NOT through FB. Once through history, and once through Google. How odd is that - infected through the FB group with something that activates when you go to ECF...hmmm

 

[garenasix]

good i was kind of figuring that it was a facebook thing to .... being its more out to get crap like that then this forum .. all i was doing was passing along what was being posted in that group on facebook .. i dont use windows so i would not know what problems they where getting .. i was just passing it along .... glad yous got it worked out

 

[sjrily]

Yeah, but I still find this curious. This apparently erased it's FB tracks (in the browsers' history display, anyway) and somehow associated itself with any link from my computer to ECF. What really bothers me is the idea that is may not be simply a FB issue, but a FB group issue. Not cool at all.

Are you at liberty to comment on that, rolygate?

 

[Strigol]

just had my virus scan pop up while visiting the site here, had about 6 tabs open (all forum threads here) and then bam virus warning.

Web Attack: Blackhole Toolkit Website detected.
Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

also gave me the remote host IP, if that info's usefull I can send the log to whomever

 

[rolygate]

All we know is that this issue is not on ECF, it is on Facebook. We think it is related to a group there but that is something we can't get involved with.

As far as we know, you can't get infected unless you have been to Facebook, also run Internet Exploder, and have poor security on your PC. That is why it has only hit a few people, <10 it seems.

Please do not use IE as it gets 99% of the infections out there. That may be because it is inherently vulnerable or because malware writers attack it more, or both. They attack it because statistically IE users are likely to have the weakest security set-ups. Statistics are important as otherwise they would attack Linux PCs, Macs, or Firefox users etc.

There are of course viruses for everything - but as there are many fewer Linux and Mac users it isn't worth the trouble. It's not worth attacking Firefox users even if there are more of them than IE users now, because if people know enough to get Firefox they probably know enough not to use those trial antivirus apps that come on new PCs, or the big name anti-malware apps that are capable in inverse proportion to the volume of their advertising. DO NOT use Windows firewall because it cannot stop 50% of the attack, that is, the malware phoning home. Can't even see that.

Anything remotely related to computers is benchmarked - check the tests and get stuff that is proven to work well - for example:

Results and comments - www.matousec.com
[this is a test for ultimate firewall / HIPS security suite efficiency and shows the absolute best 1-stop solutions for add-on security as against a layered security or sandbox approach - it is neither an AV test nor an AS test, so disregard the test results for Avast, which is a good AV assuming you have a capable firewall such as Online Armor]

Admittedly you need to be an expert to understand what the tests actually mean - but at least the data is out there.

Security tip
Block ftp.exe in your firewall. Malware uses it to phone home, and as this is a console FTP app used by a tiny number of people in preference to a GUI (normal) FTP app, it is useless to 99.9recurring% of users. Those who need it will know the score anyway. I would never use console FTP as a standard app is much faster, easier and safer to use. You might have to use it for bulk server admin tasks - but that's 0.00000000000000001% of the population.

 

[rolygate]

@Strigol
Sure - email the IP to me, admin@ecf (see Contacts page) please, and I will report it.

 

[Tinki]

I got it on my laptop and desktop. After IE boot up I have a facebook and ecf tabs on both computers. I always first check my fb than go to ecf. Within 3 days both were/still are infected. I have a bad habit of putting off updates to everything-I know that is not a good habit. I have tried several things to rid the trojans but have not succeeded. Do you know the name of the trojan/virus? This would help me to narrow it down to running the appropiate fix. Thanks in advance for any help. And I have learned a big lesson. Update!!!

 

[Sdh]

It is called the Windows restore virus/worm. I got it on Facebook and was not running ecf...

 

[Tinki]

Thanks Sdh, I will work on it tomorrow and post the fix.

 

[Zelphie]

Interesting. I visited this forum 2 days ago and my antivirus popped up a warning of a threat on this site. The warning popped up as soon as the page loaded, sure enough I was infected. I dont have a facebook account nor do I visit FB. So if its a FB thing, Im at a loss.