Internet Explorer

Status
Not open for further replies.

anth0ny

Member
Dec 20, 2001
132
0
0
This is more or less a rant so I didn't post into the software forums. I used to think Internet Explorer was pretty secure. I had IE 7 and all XP patches applied.

Well yesterday I get a fake spyware program pop up on my desktop called Spyware Protect 2009. My browser was also hijacked with an addon called iehelper.exe. Well after some googling I find out that this has been getting installed by the Conficker virus. There were lots of news articles on Google just within the past week talking about how Conficker was installing the Waledac virus which then installs sysguard.exe which is the Spyware Protect 2009. The whole idea was to earn some money or credit info from the huge botnet they have control of.

I had no problem getting rid of this using Malwarebytes. I then downloaded and installed Avira because my NOD32 subscription was up as of March 26th and no longer updated and it did not catch this or anything else I will describe next.

Well Avira finds C:\Documents and Settings\Ant\Local Settings\Temp\install[1].exe and a few other copies in other locations calling it 'TR/Crypt.ZPACK.Gen Trojan'. This is after getting rid of the sysguard.exe crap. So this is not the Conficker virus but what a coincidence that it installs Spyware Protect 2009 around the same time as Conficker.

So where did this come from? I've been puzzled the past three days over this. Well today, like I sometimes do, I go to my main index page on my personal domain. There is nothing on there except a php hit counter that displays a simple number on the screen and nothing else. Well just this afternoon, I get a popup from Avira saying my homepage had 'HTML/Crypted.Gen - Malware'.

I log into my ftp account and view the source code on the index.php page. It has an encrypted javascript code which is a 1x1 pixel iframe that redirects to http://bitsinfoware.net (which is 404 now). This was added after the last body & html tags of the page. Google comes up with almost nothing except a forum post about this domain redirecting to a php file and force installing an install.exe through IE. The trojan Avira found was install[1].exe. So this is how it got on my computer. It's all coming together now.

On my domain, I had a subdirectory with Wordpress installed. I bought a different domain for the $1.00 special from godaddy with the intention of starting a blog about fishing in Houston. I was just testing Wordpress out to see how well it worked. Well I guess I googled the address at work instead of typing it into the address bar. I guess google cached the page and it would come up deep in search results.

All I had on the page was the default 'Hello World' post. Well someone or possibly a trojan posted a message on the blog with a weird message.
It said: "
Comment:
Yo!, please, help.
Why is molly maguire's ale house closed for business?

Thenks, bro. I am vaiting for answer!!! "
Wordpress automatically sends the admin an email asking to authorize the message for posting onto the blog. I clicked the admin link and it went to my page. The wordpress page was infected with the virus redirect as well. Damn, it got me. This is pretty damn elaborate. I guess someone took advantage of an exploit in Wordpress and managed to inject the malicious javascript into every php page on my domain. I could see them doing this and leaving it be but actually sending me a message to infect me as well... well damn. I need a drink while I install Windows 7 and Firefox.

/end paranoid rant
 

anth0ny

Member
Dec 20, 2001
132
0
0
cliffs: haxored by my own domain =(

Also, if you have wordpress, check the source code of your pages.
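
Checking page source by hand does not scale past a few files, so here is one way to automate it, as an added example that is not part of the original posts. It flags the pattern described in the first post: script or iframe markup appended after the closing html tag, and 1x1 iframes. The regexes, function names and sample strings are constructed assumptions.

```python
import re
from pathlib import Path

CLOSE_HTML = re.compile(r"</html\s*>", re.I)
ACTIVE = re.compile(r"<\s*(?:script|iframe)\b", re.I)
IFRAME = re.compile(r"<\s*iframe\b[^>]*>", re.I)
DIM = re.compile(r"""\b(width|height)\s*[=:]\s*["']?\s*(\d+)""", re.I)
DECODER = re.compile(r"\b(?:eval|unescape)\s*\(|fromCharCode", re.I)

def findings(source):
    """Return the reasons a page's source looks like it carries an injected redirect."""
    reasons = []
    closes = list(CLOSE_HTML.finditer(source))
    # Everything after the last </html> should be empty on a normal page.
    tail = source[closes[-1].end():] if closes else ""
    if ACTIVE.search(tail):
        reasons.append("active content after </html>")
    if DECODER.search(tail):
        reasons.append("decoder call after </html>")
    # An iframe whose width and height are both 0 or 1 is invisible to the visitor.
    for tag in IFRAME.findall(source):
        dims = {k.lower(): int(v) for k, v in DIM.findall(tag)}
        if dims.get("width", 99) <= 1 and dims.get("height", 99) <= 1:
            reasons.append("near-invisible iframe")
            break
    return reasons

def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Map each flagged file under root to its findings."""
    flagged = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hit = findings(path.read_text(errors="replace"))
            if hit:
                flagged[str(path)] = hit
    return flagged

# Constructed samples (not taken from the thread).
CLEAN = "<html><body><?php echo $hits; ?></body></html>\n"
INJECTED = CLEAN + '<script>document.write(unescape("%3Cx%3E"));</script>'
PLAIN_IFRAME = ('<html><body><iframe src="http://example.invalid/" '
                'width="1" height="1"></iframe></body></html>')

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, hits in scan_tree(root).items():
        print(name, "->", ", ".join(hits))
```

Run it against a downloaded copy of the web root; a hit means the file should be compared with a known-good copy, and a clean result does not rule out other injection styles.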
 

Nik

Lifer
Jun 5, 2006
16,101
2
56
Originally posted by: clamum
tl;dr

IE security blows, amirite?

No but close! His point (well made) is that most IE users are retards and end up screwing themselves over.

 