
Message this morning from Norton...

Uriah Heep

Grand Poobah
Alumni
Stratics Veteran
Stratics Legend
UNLEASHED
Threat Report
Total threats found: 2


Drive-By Downloads (what's this?)
Threats found: 2
Here is a complete list:

Threat Name: Infostealer.Gampass
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe
Signature (MD5): 7d772fbb3d3b8b91f75b0b109668df9e
Location: http://wow.stratics.com/



Direct link to: http://wow.stratics.com/index.php
Location: http://wow.stratics.com/

Even tho I am directing to UHall, I get a warning from WOW Stratics?
 

Cloak&Dagger

Guest
If you have visited WoW Stratics at all then that is why: the image comes from that web site and I am assuming that file somehow got infected? Not sure why only that file though, but that is how it looks to me.
 

Lord Cuda

Sage
Stratics Veteran
Stratics Legend
Traitor!!! I am telling Dev you're looking at other pictures of elves from outta town good sir :p
 

DevilsOwn

Stratics Legend
Alumni
Stratics Veteran
Stratics Legend
looks like it's specifically designed for jacking game accounts? nasty..... change everything right now

and Cuda, he's just strolling.... enjoying the scenery..... and I have a rolling pin ;)
 

Cloak&Dagger

Guest
looks like it's specifically designed for jacking game accounts? nasty..... change everything right now

and Cuda, he's just strolling.... enjoying the scenery..... and I have a rolling pin ;)
Oh yeah, good call. Didn't even pay attention to the fact that it was a keylogger.

Edit: Two posts, two deaths...somehow starting to think I should stop leaving myself in dangerous places while I post...or invis maybe.
 

Black Sun

Grand Poobah
Alumni
Stratics Veteran
Stratics Legend
Is WoW that desperate that they hope by hacking other MMO accounts the players will quit and move to WoW instead?
 

Petra Fyde

Peerless Chatterbox
Alumni
Stratics Veteran
Stratics Legend
We know about this, I passed all that information to Den, but if anyone can give us any more information we'd be grateful.

All I can advise, being a total dunce at that level, is to check your pc for the file jpg[1].exe. It doesn't exist on mine I'm delighted to say.
 

DevilsOwn

Stratics Legend
Alumni
Stratics Veteran
Stratics Legend
From the Symantec site about this particular file:

Discovered: June 8, 2001
Updated: February 13, 2007 11:50:11 AM
Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Downloader does the following:

* Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.

* After the Trojan downloads the files, it executes them.
 

Black Sun

Grand Poobah
Alumni
Stratics Veteran
Stratics Legend
I run Norton on both my home and office PCs, and haven't had it pop up with anything.
 

Beastmaster

Guest
We know about this, I passed all that information to Den, but if anyone can give us any more information we'd be grateful.

All I can advise, being a total dunce at that level, is to check your pc for the file jpg[1].exe. It doesn't exist on mine I'm delighted to say.

The [1] in the filename is an appendage and may vary from system to system depending on how many occurrences of the file exist.
 

kelmo

Old and in the way
Professional
Alumni
Supporter
Stratics Veteran
Stratics Legend
UNLEASHED
Dread Lord
My Micro Trend Pro seems to have no issues with Stratics.
 

Petra Fyde

Peerless Chatterbox
Alumni
Stratics Veteran
Stratics Legend
:( If I google 'wow.stratics' my AVG 'safe search' gives it a green tick.
 

DevilsOwn

Stratics Legend
Alumni
Stratics Veteran
Stratics Legend
kay, gonna ask all the dumb questions cause I spend a fair share of my time lookin' slower than most, anyway

is it possible for someone to post an image, or even an avatar or a signature, here on Stratics, with one of these nasties in it.... and if someone clicks on the image (which I do sometimes, to see if it will go bigger) would the trojan then have the opportunity to download to me


 

Cloak&Dagger

Guest
kay, gonna ask all the dumb questions cause I spend a fair share of my time lookin' slower than most, anyway

is it possible for someone to post an image, or even an avatar or a signature, here on Stratics, with one of these nasties in it.... and if someone clicks on the image (which I do sometimes, to see if it will go bigger) would the trojan then have the opportunity to download to me


Technically, yes. But I am unaware of them being able to be downloaded to you without you accepting the download. Might need someone else to back me up on this as I have been out of the virus loop for a good 2-3 years.
 

Uriah Heep

Grand Poobah
Alumni
Stratics Veteran
Stratics Legend
UNLEASHED
My Micro Trend Pro seems to have no issues with Stratics.
Didn't mean to start a panic :blushing:
Just popped on for a minute before work this morning (was running late :p) and that's what happened.
Hopefully it's resolved, at the moment no alarms or anything going off :)

Just thought ya might wanna know.
 

Beer_Cayse

Guest
It could be a false positive based on Norton heuristic coding. It's happened before, but to be safe use 2 or more of the freebie AV proggies to see for sure.
 

EnigmaMaitreya

Crazed Zealot
Stratics Veteran
Stratics Legend
kay, gonna ask all the dumb questions cause I spend a fair share of my time lookin' slower than most, anyway

is it possible for someone to post an image, or even an avatar or a signature, here on Stratics, with one of these nasties in it.... and if someone clicks on the image (which I do sometimes, to see if it will go bigger) would the trojan then have the opportunity to download to me


By and large, it is best to assume that if you click on anything on a web site, you are enabling a JAVA script.

JAVA scripts can do a LOT of things that are BAD for you.

I run FireFox, with the NOSCRIPT add on. This add on blocks all Java Scripts passively and allows you to temporarily enable scripts from the location or permanently from the location.

Such that if I enable uo.stratics.com, I am accepting all scripts from there. IF one of those scripts goes off site, then I would be required to enable that offsite location, which I almost never do. For example, right now I have 1 (stratics.com) enabled and two disabled/forbidden.

In conjunction with NoScript I use the AdBlockPro add on.
 

Arrgh

Sage
Stratics Veteran
Stratics Legend
Well, the fact that someone changed the file extension to make it look like a jpg file isn't all that reassuring imo. Exe?? If it's in your browser cache, clear your cache. If you're not sure if it's in your cache, clear it. (To OP or anyone else that found it in a search of their machine.) Control Panel, Internet Options, General tab, Browsing history, click the Delete bullet, under Temporary Internet Files click the Delete bullet, and that should clear the cache for anyone that doesn't know how to do so under IE. Not assuming you don't, just adding it in case someone else doesn't know.

Notice it's an .exe extension and it appears the OP has two copies one named jpg.exe and one named jpg[1].exe, most likely caught by Norton's and quarantined hopefully.

File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe


That has been (type of exploit) around since the wild west days of the net except it used to be you could rename an exe to a jpg and it actually worked like an exe when you opened it.


Good catch Uriah =)
 

Nyte Doombringer

Guest
By and large, it is best to assume that if you click on anything on a web site, you are enabling a JAVA script.

JAVA scripts can do a LOT of things that are BAD for you.

I run FireFox, with the NOSCRIPT add on. This add on blocks all Java Scripts passively and allows you to temporarily enable scripts from the location or permanently from the location.

Such that if I enable uo.stratics.com, I am accepting all scripts from there. IF one of those scripts goes off site, then I would be required to enable that offsite location, which I almost never do. For example, right now I have 1 (stratics.com) enabled and two disabled/forbidden.

In conjunction with NoScript I use the AdBlockPro add on.
I use the same thing as well. That way I control what scripts I want to allow.
 

Alezi

Lore Keeper
Stratics Veteran
Stratics Legend
Threat Report
Total threats found: 2


Drive-By Downloads (what's this?)
Threats found: 2
Here is a complete list:

Threat Name: Infostealer.Gampass
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe
Signature (MD5): 7d772fbb3d3b8b91f75b0b109668df9e
Location: http://wow.stratics.com/



Direct link to: http://wow.stratics.com/index.php
Location: http://wow.stratics.com/

Even tho I am directing to UHall, I get a warning from WOW Stratics?
I sense the fail..
Stop using Internet Exploder
 

Uriah Heep

Grand Poobah
Alumni
Stratics Veteran
Stratics Legend
UNLEASHED
Well, not to start an OT contest, but for 11 years of gaming, IE has worked fine for me, I've never been hacked, not even emails or anything.
Of course I back it up, with constantly updated Norton, and ZoneAlarm Pro...
 

EnigmaMaitreya

Crazed Zealot
Stratics Veteran
Stratics Legend
Well, not to start an OT contest, but for 11 years of gaming, IE has worked fine for me, I've never been hacked, not even emails or anything.
Of course I back it up, with constantly updated Norton, and ZoneAlarm Pro...
Are you using IE 8?

I don't really trust Microsoft any further than I can throw, as a group, every person that is an employee, contractor or intern. Meaning I have 0 trust in Microsoft to be a good Citizen. Indicating that I accept that I have partnered to some degree with a Voracious Predator that has no concept of putting the individual's rights above money. As such I am duly warned.

Now having said the above, IE 8 to the best of my knowledge stole the NoScript .... let's be kind and say implemented it as a "Pre View" function, and gives you the yellow bar at the top of the page (not screen) that tells you some things have been blocked.
 

smip

Slightly Crazed
Premium
Stratics Veteran
Stratics Legend
I was just about to post the same thing. Here is what pops up on mine:

General Info
Web Site Location United States of America


Norton Safe Web has analyzed stratics.com for safety and security problems. Below is a sample of the threats that were found.
Threat Report
Total threats found: 2


Drive-By Downloads (what's this?) http://safeweb.norton.com/safety#brexp
Threats found: 2
Here is a complete list:

Threat Name: Infostealer.Gampass
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MH25YLE5\jpg[1].exe
Signature (MD5): 7d772fbb3d3b8b91f75b0b109668df9e
Location: http://wow.stratics.com/



Direct link to: http://wow.stratics.com/index.php
Location: http://wow.stratics.com/



What's going on with this?
 

Petra Fyde

Peerless Chatterbox
Alumni
Stratics Veteran
Stratics Legend
Trend Micro can't find it
McAfee can't find it
AVG can't find it
No one has posted saying 'I get this message when *this* ad is showing'.
It hasn't been posted on WoW boards.
Den is looking for it, but so far, he can't find it either.
 

Bomb Bloke

Lore Keeper
Stratics Veteran
Stratics Legend
@OP or anyone else who's found this file:

Browse to this location on your drive (you might find it easier to paste the address into Windows Explorer, as the folder is hidden by default):

C:\Documents and Settings\Your Windows Username Here\Local Settings\Temporary Internet Files

You should be able to find the subject file in the list there, along with the exact URL it was downloaded from.

Note that anything that's incorporated by a web page will get stored in your temp net files if using IE. Doesn't mean they actually got executed - having a virus on your computer is different to having an active virus on your computer (though one can lead to the other if your protection isn't up to scratch and you don't keep your software up to date).
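
An added example, not part of any post in this thread: a Python sketch of the cache check described above. It walks a Temporary Internet Files folder, flags executables by extension or MZ header rather than by exact name (the [N] counter varies between machines), and compares each file's MD5 with the one in the Norton report. The function names and the extension list are assumptions made for this illustration.

```python
import hashlib
import os
import re

# MD5 quoted in the Norton Safe Web report in this thread.
REPORTED_MD5 = "7d772fbb3d3b8b91f75b0b109668df9e"
# Assumed list of extensions Windows will run directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# IE appends a [N] counter before the extension of cached copies.
CACHE_COUNTER = re.compile(r"\[\d+\](?=(\.[^.\\/]*)?$)")


def served_name(cached_name):
    """Strip IE's [N] counter: 'jpg[1].exe' -> 'jpg.exe'."""
    return CACHE_COUNTER.sub("", cached_name)


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_cache(root, known_md5=(REPORTED_MD5,)):
    """Return sorted (served name, cached path, reasons) for flagged files."""
    known = {h.lower() for h in known_md5}
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    is_pe = fh.read(2) == b"MZ"  # DOS/PE executable magic
                file_hash = md5_of(path)
            except OSError:
                continue  # locked or unreadable cache entry
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if is_pe and ext not in EXECUTABLE_EXTS:
                reasons.append("MZ header under a non-executable name")
            if file_hash in known:
                reasons.append("MD5 matches report")
            if reasons:
                findings.append((served_name(name), path, reasons))
    return sorted(findings)
```

Point `scan_cache` at the Temporary Internet Files path given above; a hit means the file was cached, not that it was executed.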
 

Sebrina

Guest
Well, not to start an OT contest, but for 11 years of gaming, IE has worked fine for me, I've never been hacked, not even emails or anything.
Of course I back it up, with constantly updated Norton, and ZoneAlarm Pro...
Ditto Uriah, but all this is scary to me...

Norton scares me as well. It put in 7 running subroutines that no one could find or see, into my sister's computer when she put in the latest version....then could not get on the internet until I got one of my (real) geek friends over to fix her registry and obliterate Norton subfiles.
 