JS.Trojan.Seeker-based

Gamers can also use this forum to chat about any game related subject, news, rumours etc.

Moderator: maddog986

Paul Vebber
Posts: 5342
Joined: Wed Mar 29, 2000 4:00 pm
Location: Portsmouth RI

Post by Paul Vebber »

What was deleted by your anti-virus program...??

Trojans don't typically delete anything but in effect can give control of your PC to a remote operator, just like PC anywhere does.

I just DL'd the Wir 3.1 Win and scanned it for viruses and it had none.
Big Bill
Posts: 172
Joined: Sat Mar 24, 2001 10:00 am
Location: LI. NY. , USA

Post by Big Bill »

After I was infected with a Trojan horse I downloaded Zone Alarm's free firewall; after a year I haven't had any problems with this type of attack. This Trojan horse problem is more prevalent with someone using a high speed connection. The hackers use a bot program to scan the internet for these connections and then place the Trojan; Zone Alarm makes your computer invisible to this kind of attack. It's free and it works.
nexus
Posts: 79
Joined: Thu Jun 28, 2001 8:00 am
Location: Siegen / Germany

Post by nexus »

Originally posted by Big Bill:
After I was infected with a Trojan horse I downloaded Zone Alarm's free firewall; after a year I haven't had any problems with this type of attack. This Trojan horse problem is more prevalent with someone using a high speed connection. The hackers use a bot program to scan the internet for these connections and then place the Trojan; Zone Alarm makes your computer invisible to this kind of attack. It's free and it works.

hello and thanx.

Can you give me the website address please??
Greetings

Frank
majama
Posts: 59
Joined: Wed Jul 25, 2001 8:00 am
Location: Poland

Post by majama »

I have a message from my AVP Monitor:
Virus: JS.Trojan.Seeker-based in C:\Windows\temporary internet...content.IE5\CP6VCT2Z\default(1).js

AVP cannot remove this virus:
dangerous situation

Must I trust Matrix sites less?

majama
Paul Vebber
Posts: 5342
Joined: Wed Mar 29, 2000 4:00 pm
Location: Portsmouth RI

Post by Paul Vebber »

No, we have and continue to monitor the site for viruses; this appears to be a false alarm caused by Macromedia Shockwave. Neither Norton nor McAfee says there are any viruses present.
majama
Posts: 59
Joined: Wed Jul 25, 2001 8:00 am
Location: Poland

Post by majama »

OK, thanks
Halgary
Posts: 40
Joined: Mon Jun 04, 2001 8:00 am
Location: Oulu, Finland

Post by Halgary »

Originally posted by Paul Vebber:
No, we have and continue to monitor the site for viruses; this appears to be a false alarm caused by Macromedia Shockwave. Neither Norton nor McAfee says there are any viruses present.
Hope so. This trojan jumped on me when I went to see info about Combat Leader. Strangely enough, it didn't happen when I used Opera, but when I switched to IExplorer... WHAM!

I feel a bit nervous, since my anti-virus program says it can't be removed.

I'm using F-Secure anti-virus software, if that helps.
Paul Vebber
Posts: 5342
Joined: Wed Mar 29, 2000 4:00 pm
Location: Portsmouth RI

Post by Paul Vebber »

Script-based viruses are generally pretty obvious if you "view source" of the web page. If you "view source" and there is a block of code that calls registry edits, creating or renaming files etc., then you have to watch out.

Unfortunately, in an attempt to get "protection" out there, many products just block all scripts, period. Once they get a bit more sophisticated, they will "false alarm" less often.

We take site security very seriously, but the script threat is one that a couple of minutes of investigation of the source can clear up as a valid concern, or a false alarm.

We need the specific page link that caused the problem, the virus checker and version, and a copy of any suspicious script you find for a report of a web virus to be helpful.
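
The source review described in the post above, automated as a first-pass triage. This is an added example, not part of the original thread or any poster's code; the indicator list and both sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed heuristic list (an assumption, not any anti-virus vendor's
# signatures): Windows scripting calls that edit the registry or touch files.
INDICATORS = {
    "registry edit": re.compile(r"\.Reg(Write|Delete)\s*\(", re.I),
    "file create/rename/delete": re.compile(
        r"\.(CreateTextFile|MoveFile|CopyFile|DeleteFile)\s*\(", re.I),
    "scripting host object": re.compile(
        r"""ActiveXObject\s*\(\s*["'](WScript\.Shell|Scripting\.FileSystemObject)["']""", re.I),
}

# Constructed sample pages (not taken from the site discussed in the thread).
FLASH_PAGE = """<html><script src="detect.js"></script><script>
document.write('<embed src="intro.swf" type="application/x-shockwave-flash">');
</script></html>"""
SUSPECT_PAGE = r"""<script>
var sh = new ActiveXObject("WScript.Shell");
sh.RegWrite("HKCU\\Software\\Example\\Value", "placeholder");
</script>"""

class ScriptExtractor(HTMLParser):
    """Collects the text of each <script> block and any external src= URLs."""
    def __init__(self):
        super().__init__()
        self.blocks, self.external, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.blocks.append("")
            # External scripts are not in "view source"; review them separately.
            self.external += [v for k, v in attrs if k == "src" and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.blocks[-1] += data

def review_page(html):
    """Return (findings, external_srcs); a finding is (block_no, label, line)."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = [(n, label, line.strip())
                for n, block in enumerate(parser.blocks, 1)
                for line in block.splitlines()
                for label, rx in INDICATORS.items() if rx.search(line)]
    return findings, parser.external
```

A clean result only covers inline script; anything returned as an external source, and any obfuscated code, still has to be read by hand.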
Halgary
Posts: 40
Joined: Mon Jun 04, 2001 8:00 am
Location: Oulu, Finland

Post by Halgary »

Hmm. Every page on your server that has some kind of Flash-animation causes this.

I think I'll report this to F-Secure. Probably a bug in the anti-virus software.

I'm using F-Secure Anti-Virus 5.30 build 7262

[ October 07, 2001: Message edited by: Halgary ]
Galahad
Posts: 7
Joined: Sat Oct 06, 2001 8:00 am

Post by Galahad »

I encountered the virus alert as well. Hopefully, this information will help.

It seems to be most prevalent on the link to the new Napoleon game page. I use Norton Anti Virus, and just updated the virus definitions two or three days before finding the alert here.

The alert was a registry edit script.

Norton gave me the option of ending the script, which I did. That shut down all open windows of Internet Explorer.

I tried again on a different and expendable platform. I ran a virus check, and it was virus free. I went to the Nap game page, and allowed the script to run. No apparent effects, BUT

A virus scan then showed an infection with the WScript.KakWorm virus.

Hope this helps.

Galahad
(Formerly Repo Man, with all of 6 posts)
Marc von Martial
Posts: 5292
Joined: Thu Jan 04, 2001 4:00 pm
Location: Bonn, Germany

Post by Marc von Martial »

Hi,

The worm you're referring to is an explicit Outlook Express / Outlook / IE Newsreader worm. It has nothing to do with JS or websites:

http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html


Marc

[ October 09, 2001: Message edited by: Marc Schwanebeck [GS_Marcks] ]
Marc von Martial
Posts: 5292
Joined: Thu Jan 04, 2001 4:00 pm
Location: Bonn, Germany

Post by Marc von Martial »

Apart from the "problem" we're facing here:
A suggestion from an IT professional:
Can you guys move the whole web to an Apache-based webserver?

Apache (which runs on WindowsNT, Linux, FreeBSD, AIX, Solaris...) is known for its solidity and security. Qwest carries Apache as well.

MS-IIS + Windows2000, unfortunately, are not very secure nor reliable.

How difficult would it be to move the whole site? Apache supports .asp and things usually considered "Microsoft only".

You would get better reliability (uptime), if managed in a usual way, no security issues, is less expensive (if you have to pay for the software, like Qwest. So I do not know if this actually translates to the "end users", like MatrixGames), better handling of heavy traffic loads, less resource-intensive (so the same machine can do more work)... and no users complaining about a worm gotten from your site.
I agree 100% ;)
Galahad
Posts: 7
Joined: Sat Oct 06, 2001 8:00 am

Post by Galahad »

I'm aware that the worm is related to OE, but I did go from virus free (according to Norton) to being infected after letting the script run (according to Norton).

I still get the alert of a script.

As my grandmother used to say, something isn't kosher in denmark.

Galahad
JTGEN
Posts: 136
Joined: Tue Nov 21, 2000 10:00 am
Location: Finland

Post by JTGEN »

I get a warning occasionally from McAfee too. It just says that I should delete a certain file manually, because it cannot do it automatically or something like that. But that file is nowhere to be found on the computer.
Charles2222
Posts: 3687
Joined: Mon Mar 12, 2001 10:00 am

Post by Charles2222 »

If I recall correctly, it doesn't say it cannot delete it, it says it cannot 'repair' it. There's also an option to quarantine it. It doesn't seem to have a problem deleting it, as your not being able to find it shows.

(Updated after I got on at home and dared get on this website with the trojan irritatingly still hammering away)- Actually I was incorrect, it doesn't say it cannot 'repair' the trojan, it says it cannot 'clean' it. Those dirty trojans!

[ October 19, 2001: Message edited by: Charles_22 ]
Charles2222
Posts: 3687
Joined: Mon Mar 12, 2001 10:00 am

Post by Charles2222 »

Yay! The Trojans wannabes have beat a hasty retreat. Thanks guys!
Marc von Martial
Posts: 5292
Joined: Thu Jan 04, 2001 4:00 pm
Location: Bonn, Germany

Post by Marc von Martial »

We just took the script offline until we find time to implement a new one to spy on you folks :D , just kidding of course.