malicious code in weblink/webpage

name

Hello.

I got a weblink (*) through Trillian and passed it on to a newsgroup
where people notified me that the webpage it refers to contains
malicious code (according to NOD32 a signature of the VBS script virus
VBS/Phel.AV).
Personally I only use AVG (free edition) as protection against virusses
but it didn't provide any protection in this case as far as I can see.

(*)
http://www.econologie.com/forum/index.php?act=ST&f=40&t=1139&s=81b0e6c940eafae913a7cf7356da2cd7

Does anyone know what this malicious code does exactly and whether it
has messed up anything in my computer (since I did open the weblink
myself in IE under XP PRO SP2)?

Is there any online website where you can check weblinks to see if the
page it refers to contains malicious code, or is there perhaps an
additional or alternative freeware anti-virus solution that is likely
to detect these sorts of threats?

Kind regards, thx in advance for any feedback on this issue, Niek
 
David H. Lipman

From: "name" <[email protected]>

|
| Hello.
|
| I got a weblink (*) through Trillian and passed it on to a newsgroup
| where people notified me that the webpage it refers to contains
| malicious code (according to NOD32 a signature of the VBS script virus
| VBS/Phel.AV).
| Personally I only use AVG (free edition) as protection against virusses
| but it didn't provide any protection in this case as far as I can see.
|
| (*)
|
| hxxp://www.econologie.com/forum/index.php?act=ST&f=40&t=1139&s=81b0e6c940eafae913a7cf7356da2cd7
|
| Does anyone know what this malicious code does exactly and whether it
| has messed up anything in my computer (since I did open the weblink
| myself in IE under XP PRO SP2)?
|
| Is there any online website where you can check weblinks to see if the
| page it refers to contains malicious code, or is there perhaps an
| additional or alternative freeware anti-virus solution that is likely
| to detect these sorts of threats?
|
| Kind regards, thx in advance for any feedback on this issue, Niek

Yepper, a Java Script Exploit! The following is an excerpt from my McAfee log ...

D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite

JS/Exploit-HelpXSite -- http://vil.nai.com/vil/content/v_130610.htm

Exploits MS05-001 -- http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
Vulnerability in HTML Help Could Allow Code Execution (890175)

If you have the patch KB890175 installed on your PC then you are protected. If you have all
MS Critical Updates installed then I am sure that this is one and you are protected.

If you are not sure, you can use the following tool to scan your computer and use the Mcafee
module.


1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

3) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

4) Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Snowsquall

name said:
Hello.

I got a weblink (*) through Trillian and passed it on to a newsgroup
where people notified me that the webpage it refers to contains
malicious code (according to NOD32 a signature of the VBS script virus
VBS/Phel.AV).
Personally I only use AVG (free edition) as protection against virusses
but it didn't provide any protection in this case as far as I can see.

(*)
http://www.econologie.com/forum/ [removed]

I clicked on the link and the web page entitled itself "microsoft update" on
the very top.
Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.
AntiVir 6.33.0.61 12.16.2005 EXP/VBS.Phel.AV
Avast 4.6.695.0 12.16.2005 no virus found
AVG 718 12.15.2005 no virus found
Avira 6.33.0.61 12.16.2005 EXP/VBS.Phel.AV
BitDefender 7.2 12.17.2005 no virus found
CAT-QuickHeal 8.00 12.16.2005 no virus found
ClamAV devel-20051108 12.16.2005 no virus found
DrWeb 4.33 12.16.2005 Exploit.Helpxsite
eTrust-Iris 7.1.194.0 12.17.2005 no virus found
eTrust-Vet 12.3.3.0 12.16.2005 HTML/HelpControl!exploit
Fortinet 2.54.0.0 12.17.2005 no virus found
F-Prot 3.16c 12.15.2005 no virus found
Ikarus 0.2.59.0 12.17.2005 no virus found
Kaspersky 4.0.2.24 12.17.2005 Exploit.VBS.Phel.av
McAfee 4652 12.16.2005 JS/Exploit-HelpXSite
NOD32v2 1.1326 12.16.2005 probably a variant of VBS/Exploit.Phel.AV
Norman 5.70.10 12.16.2005 no virus found
Panda 8.02.00 12.16.2005 no virus found
Sophos 4.01.0 12.16.2005 no virus found
Symantec 8.0 12.17.2005 no virus found
TheHacker 5.9.1.057 12.16.2005 no virus found
VBA32 3.10.5 12.16.2005 no virus found
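The result list above is easy to read by eye, but as an added example (not from any poster in this thread) here is a small Python parser for that "engine version date result" format: it counts the engines that fire and maps their differing names (Phel, HelpXSite, HelpControl) onto the one family that David's reply ties to MS05-001. The sample lines are a constructed subset of the results quoted above, and the alias table is an assumption drawn from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the VirusTotal lines quoted above, in the
# same "<engine> <version> <MM.DD.YYYY> <result ...>" layout. The regex is
# anchored on the date column because the result may contain spaces.
SAMPLE_RESULTS = """\
AntiVir 6.33.0.61 12.16.2005 EXP/VBS.Phel.AV
AVG 718 12.15.2005 no virus found
DrWeb 4.33 12.16.2005 Exploit.Helpxsite
eTrust-Vet 12.3.3.0 12.16.2005 HTML/HelpControl!exploit
Kaspersky 4.0.2.24 12.17.2005 Exploit.VBS.Phel.av
McAfee 4652 12.16.2005 JS/Exploit-HelpXSite
NOD32v2 1.1326 12.16.2005 probably a variant of VBS/Exploit.Phel.AV
Symantec 8.0 12.17.2005 no virus found
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

# Name fragments the thread's result list shows for this one file; David's
# reply ties the McAfee name to MS05-001 (HTML Help), so they map to one family.
FAMILY_ALIASES = {"phel": "HTML Help exploit (MS05-001)",
                  "helpxsite": "HTML Help exploit (MS05-001)",
                  "helpcontrol": "HTML Help exploit (MS05-001)"}

@dataclass
class EngineResult:
    engine: str
    version: str
    date: str
    verdict: str  # result text exactly as the engine reported it

    @property
    def detected(self) -> bool:
        return self.verdict.strip().lower() != "no virus found"

    @property
    def family(self) -> str:
        # Tokenise on non-alphanumerics so "JS/Exploit-HelpXSite" and
        # "EXP/VBS.Phel.AV" both yield a token found in FAMILY_ALIASES.
        for tok in re.findall(r"[a-z0-9]+", self.verdict.lower()):
            if tok in FAMILY_ALIASES:
                return FAMILY_ALIASES[tok]
        return "unrecognised" if self.detected else "clean"

def parse_results(text: str) -> list:
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised result line: {line!r}")
        results.append(EngineResult(*m.groups()))
    return results

def summarize(results: list) -> dict:
    """Detection ratio, per-engine names, and the families those names map to."""
    hits = [r for r in results if r.detected]
    return {"engines": len(results), "detected": len(hits),
            "names": {r.engine: r.verdict for r in hits},
            "families": sorted({r.family for r in hits})}
```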
 
name

Snowsquall said:
name said:
Hello.

I got a weblink (*) through Trillian and passed it on to a newsgroup
where people notified me that the webpage it refers to contains
malicious code (according to NOD32 a signature of the VBS script virus
VBS/Phel.AV).
Personally I only use AVG (free edition) as protection against virusses
but it didn't provide any protection in this case as far as I can see.

(*)
http://www.econologie.com/forum/ [removed]

I clicked on the link and the web page entitled itself "microsoft update" on
the very top.

Yep, noticed that later on and thought it was kinda weird.
Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.

How do you obtain the code and what is the exact address of VirusTotal
to send virusses to for analysis (or is this a kind of subscription
service)?
 
Art

How do you obtain the code

Use a browser such as Firefox or Mozilla and simply use the "Save page
as" selection under the File menu. You will be saving a .htm file.
and what is the exact address of VirusTotal
to send virusses to for analysis (or is this a kind of subscription
service)?

http://www.virustotal.com/flash/index_en.html

Just upload the file per the instructions there. You won't get
an analysis; you'll see what malware names various av products
produce, if they detect the malware.

Art

http://home.epix.net/~artnpeg
 
Max Wachtel

(e-mail address removed) AKA name on 12/17/2005 in
snip <
what is the exact address of VirusTotal
to send virusses to for analysis (or is this a kind of subscription
service)?

Many vendors have free online scanners; I have some listed on my site.
http://home.neo.rr.com/manna4u/tools.html

max
PS-how many S's does it take to make "virus" plural? The world may
never know........
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 
Snowsquall


I clicked on the link and the web page entitled itself "microsoft update" on
the very top.

Yep, noticed that later on and thought it was kinda weird.
Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.
If you want the code of any website that is suspicious but are stuck with an
unpatched Internet Explorer, type "view-source:" and then paste the url. Do
not use quotes. Then press enter and the code comes up in notepad. As a
matter of fact that is the safest way no matter what kind of Internet you
use.
 
Hoosier Daddy

name said:
Is there any online website where you can check weblinks to see if the
page it refers to contains malicious code, or is there perhaps an
additional or alternative freeware anti-virus solution that is likely
to detect these sorts of threats?

Kind regards, thx in advance for any feedback on this issue, Niek

The Strider HoneyMonkey project. Maybe not what you're looking
for, but it is interesting.
 
name

David said:
From: "name" <[email protected]>

|
| Hello.
|
| I got a weblink (*) through Trillian and passed it on to a newsgroup
| where people notified me that the webpage it refers to contains
| malicious code (according to NOD32 a signature of the VBS script virus
| VBS/Phel.AV).
| Personally I only use AVG (free edition) as protection against virusses
| but it didn't provide any protection in this case as far as I can see.
|
| (*)
|
| hxxp://www.econologie.com/forum/index.php?act=ST&f=40&t=1139&s=81b0e6c940eafae913a7cf7356da2cd7
|
| Does anyone know what this malicious code does exactly and whether it
| has messed up anything in my computer (since I did open the weblink
| myself in IE under XP PRO SP2)?
|
| Is there any online website where you can check weblinks to see if the
| page it refers to contains malicious code, or is there perhaps an
| additional or alternative freeware anti-virus solution that is likely
| to detect these sorts of threats?
|
| Kind regards, thx in advance for any feedback on this issue, Niek

Yepper, a Java Script Exploit! The following is an excerpt from my McAfee log ...

D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\index[1].php\INDEX[1] JS/Exploit-HelpXSite

JS/Exploit-HelpXSite -- http://vil.nai.com/vil/content/v_130610.htm

Exploits MS05-001 -- http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
Vulnerability in HTML Help Could Allow Code Execution (890175)

If you have the patch KB890175 installed on your PC then you are protected. If you have all
MS Critical Updates installed then I am sure that this is one and you are protected.

If you are not sure, you can use the following tool to scan your computer and use the Mcafee
module.


1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

3) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

4) Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

Well, I cleared the IE temp internet files and Java cache, scanned in safe mode and I
don't think any virusses came up. I'm not sure because I used Kaspersky first on C:,
and later on again on the entire system. I subsequently read in the .pdf help file that
I should have moved the scanreport text file to another location before scanning again,
but it appears that the second scan only scanned C:.
Anyway, scans with McAfee or Trend Micro didn't find anything either, but since scanning
takes pretty friggin long with a few 300 GB disks, eventually I broke it off and I don't
think there is any point to go through the whole thing again in normal (as opposed to
safe) mode. I did first ensure all pattern files were updated by running each in normal
mode and aborting right after the updates were downloaded.
 
name

Snowsquall said:
name said:
Hello.

I got a weblink (*) through Trillian and passed it on to a newsgroup
where people notified me that the webpage it refers to contains
malicious code (according to NOD32 a signature of the VBS script virus
VBS/Phel.AV).
Personally I only use AVG (free edition) as protection against virusses
but it didn't provide any protection in this case as far as I can see.

(*)
http://www.econologie.com/forum/ [removed]

I clicked on the link and the web page entitled itself "microsoft update" on
the very top.
Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.
AntiVir 6.33.0.61 12.16.2005 EXP/VBS.Phel.AV
Avast 4.6.695.0 12.16.2005 no virus found
AVG 718 12.15.2005 no virus found
Avira 6.33.0.61 12.16.2005 EXP/VBS.Phel.AV
BitDefender 7.2 12.17.2005 no virus found
CAT-QuickHeal 8.00 12.16.2005 no virus found
ClamAV devel-20051108 12.16.2005 no virus found
DrWeb 4.33 12.16.2005 Exploit.Helpxsite
eTrust-Iris 7.1.194.0 12.17.2005 no virus found
eTrust-Vet 12.3.3.0 12.16.2005 HTML/HelpControl!exploit
Fortinet 2.54.0.0 12.17.2005 no virus found
F-Prot 3.16c 12.15.2005 no virus found
Ikarus 0.2.59.0 12.17.2005 no virus found
Kaspersky 4.0.2.24 12.17.2005 Exploit.VBS.Phel.av
McAfee 4652 12.16.2005 JS/Exploit-HelpXSite
NOD32v2 1.1326 12.16.2005 probably a variant of VBS/Exploit.Phel.AV
Norman 5.70.10 12.16.2005 no virus found
Panda 8.02.00 12.16.2005 no virus found
Sophos 4.01.0 12.16.2005 no virus found
Symantec 8.0 12.17.2005 no virus found
TheHacker 5.9.1.057 12.16.2005 no virus found
VBA32 3.10.5 12.16.2005 no virus found

Btw, why is Trend Micro not among the scanners mentioned in that list,
or is it included under another name?
 
Snowsquall

"name" wrote
"Snowsquall wrote"
Btw, why is Trend Micro not among the scanners mentioned in that list,
or is it included under another name?

VirusTotal does not have Trend Micro. I believe there are other Antivirus
companies they may not have either.
If you need to use Trend Micro for anything try Housecall.
The link is: http://housecall.trendmicro.com/

Hope this helps.
 
David H. Lipman

From: "name" <[email protected]>


|
| Well, I cleared the IE temp internet files and Java cache, scanned in safe mode and I
| don't think any virusses came up. I'm not sure because I used Kaspersky first on C:,
| and later on again on the entire system. I subsequently read in the .pdf help file that
| I should have moved the scanreport text file to another location before scanning again,
| but it appears that the second scan only scanned C:.
| Anyway, scans with McAfee or Trend Micro didn't find anything either, but since scanning
| takes pretty friggin long with a few 300 GB disks, eventually I broke it off and I don't
| think there is any point to go through the whole thing again in normal (as opposed to
| safe) mode. I did first ensure all pattern files were updated by running each in normal
| mode and aborting right after the updates were downloaded.
|


I am sure you are clean. By dumping the respective caches, you are ensuring that there are
no infected Java Script .CLASS files outside or .CLASS file inside Java Jars (ZIP type)
files remaining.
 
David H. Lipman

From: "name" <[email protected]>


|
| Btw, why is Trend Micro not among the scanners mentioned in that list,
| or is it included under another name?
|

I discussed this about a week ago with a liaison I have at Trend Micro. He didn't have an
answer and indicated he would pass the question to management. He has yet to provide an
answer.

Trend sysclean does not find exploit code in a test HTML file as McAfee does.

C:\Suspect\suspect.html JS/Exploit-HelpXSite
 
Will Dormann

David said:
I am sure you are clean. By dumping the respective caches, you are ensuring that there are
no infected Java Script .CLASS files outside or .CLASS file inside Java Jars (ZIP type)
files remaining.


What do .CLASS files have to do with JavaScript?


-WD
 
David H. Lipman

From: "Will Dormann" <[email protected]>


|
| What do .CLASS files have to do with JavaScript?
|
| -WD

Everything. Once a web page is processed, Java apparently caches the script in .CLASS files.

Examples extracted from a Mcafee log...

C:\Documents and Settings\Patty\.jpi_cache\jar\1.0\archive.jar-31686245-729d3073.zip\BINNY.CLASS ... Found the JV/Shinwow trojan !!!
C:\Documents and Settings\Patty\.jpi_cache\jar\1.0\loaderadv295.jar-37a25aad-40142848.zip\DUMMY.CLASS ... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\Patty\.jpi_cache\jar\1.0\loaderadv295.jar-37a25aad-40142848.zip\MATRIX.CLASS ... Found the JV/Shinwow trojan !!!

In the above cases, the Java script Trojans were all found inside Java Jars in the Java
cache.
 
name

Snowsquall said:
http://www.econologie.com/forum/ [removed]

I clicked on the link and the web page entitled itself "microsoft update" on
the very top.

Yep, noticed that later on and thought it was kinda weird.
Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.
If you want the code of any website that is suspicious but are stuck with an
unpatched Internet Explorer, type "view-source:" and then paste the url. Do
not use quotes. Then press enter and the code comes up in notepad. As a
matter of fact that is the safest way no matter what kind of Internet you
use.

Are you sure about that? 'Cause when I try it out, it doesn't seem to
work for me. (I get a "The page cannot be displayed" error when I enter,
for instance, "view-source: http://www.m-w.com" in the IE address bar,
without the quotes.)
 
Hoosier Daddy

name said:
http://www.econologie.com/forum/ [removed]

I clicked on the link and the web page entitled itself "microsoft update" on
the very top.

Yep, noticed that later on and thought it was kinda weird.

Yet the address bar says "http://www.econologie.com"
I did get the code and sent it to VirusTotal and it confirmed.
If you want the code of any website that is suspicious but are stuck with an
unpatched Internet Explorer, type "view-source:" and then paste the url. Do
not use quotes. Then press enter and the code comes up in notepad. As a
matter of fact that is the safest way no matter what kind of Internet you
use.

Are you sure about that? 'Cause when I try it out, it doesn't seem to
work for me. (I get a "The page cannot be displayed" error when I enter,
for instance, "view-source: http://www.m-w.com" in the IE address bar,
without the quotes.)

Try a right click, save target as, and change the extension to txt for the
destination of your choice.
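As an added example (not from any poster in the thread), the following Python script does in code what Snowsquall's view-source: tip and Hoosier Daddy's save-as-.txt tip do by hand: it retrieves raw HTML without rendering it, saves the copy under a .txt name, hashes it for reference when uploading to a multi-engine scanner, and flags a page whose title names a brand that its host does not belong to, the "microsoft update" heading versus econologie.com mismatch noted earlier. The sample URL and HTML, the brand/domain table and the fetch_source user agent are assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample (assumption, not the page from the thread): the <title>
# claims Microsoft Update while the host is an unrelated forum, which is the
# mismatch Snowsquall noticed between the page heading and the address bar.
SAMPLE_URL = "http://forum.example.test/index.php?act=ST&t=1139"
SAMPLE_HTML = """<html><head><title>Microsoft Update</title></head>
<body><script>/* never executed by this tool */</script>
<object classid="clsid:PLACEHOLDER-CLSID"></object></body></html>"""

# Assumed brand -> legitimate domains; extend for your own environment.
BRANDS = {"microsoft": ("microsoft.com", "windowsupdate.com")}

class _SourceSummary(HTMLParser):
    """Collect title, <script> count and plugin/ActiveX tags from raw HTML."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.scripts = self.objects = 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self.scripts += 1
        elif tag in ("object", "embed", "applet"):
            self.objects += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def fetch_source(url: str, timeout: int = 10) -> str:
    """Raw HTML only, like view-source: in a browser; nothing is rendered."""
    req = Request(url, headers={"User-Agent": "source-fetch/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def analyze(url: str, html: str) -> dict:
    """Title/host brand check plus a hash to quote when uploading the file."""
    host = (urlparse(url).hostname or "").lower()
    p = _SourceSummary()
    p.feed(html)
    title = p.title.strip()
    mismatch = [b for b, doms in BRANDS.items() if b in title.lower()
                and not any(host == d or host.endswith("." + d) for d in doms)]
    return {"host": host, "title": title, "scripts": p.scripts,
            "objects": p.objects, "brand_mismatch": mismatch,
            "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest()}

def save_as_text(html: str, path: str) -> str:
    """Force a .txt name so opening the copy shows source instead of rendering it."""
    if not path.lower().endswith(".txt"):
        path += ".txt"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(html)
    return path
```

Against a live suspect link, `analyze(url, fetch_source(url))` gives the same report; the constructed sample runs offline.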
 
