Got a Virus just by clicking on a URL

Walter R.

How can I get a virus just by just clicking on a URL and looking at a
website???

I clicked on this URL, which seems to contain a virus:

WARNING: DO NOT CLICK ON THIS URL:
http://www.tjhsst.edu/~agupta/ecard-hijack/

When I ran AVG shortly afterwards, it reported the js/psyme virus. It was in
the Temporary Internet Files

I traced it back to the above URL. It is also known as the
ecard-hijack(1).htm virus.

AVG did not complain about it when I clicked on the URL.

Since the virus was in the Temp Internet Files, it probably did not do any
damage. I just cleared the Temp Int Files. Was it ever a danger to my
computer while it was in the Temp Int. Files?

How can I avoid getting a virus just by visiting a website?
 
Beauregard T. Shagnasty

Quoth the raven Walter R.:
How can I get a virus just by just clicking on a URL and looking at a
website???

I clicked on this URL, which seems to contain a virus:

WARNING: DO NOT CLICK ON THIS URL:
http://www.tjhsst.edu/~agupta/ecard-hijack/

...if you use IE. Note that the page is /describing/ a hijack, and the
code is there for all to view (a good thing), and your a-v is reading
it as something you executed.

"The page opened in my browser, but nothing happened. Lucky for me, I
wasn't using Internet Explorer so I was saved. A closer look at the
email and URL revealed an attempt to use IE exploits to hijack the
computer and install a trojan that steals sensitive information
including passwords and bank account numbers."
When I ran AVG shortly afterwards, it reported the js/psyme virus. It was in
the Temporary Internet Files

I traced it back to the above URL. It is also known as the
ecard-hijack(1).htm virus.

AVG did not complain about it when I clicked on the URL.

Since the virus was in the Temp Internet Files, it probably did not do any
damage. I just cleared the Temp Int Files. Was it ever a danger to my
computer while it was in the Temp Int. Files?

You should be in no danger from this link. However...
How can I avoid getting a virus just by visiting a website?

Stop using IE.
http://home.rochester.rr.com/bshagnasty/tips.html#browsers
 
brushes

Beauregard T. Shagnasty said:
In support of the above, IE is deadly even if you spend silly amounts of
time keeping protection up to date. Switch to firefox
http://www.mozilla.org/products/firefox/

it's a better browser, it's safer and is easy to keep secure. Apart from
anything else I have found that if I get any hitches with it I can go to
add/remove programs, hoik the thing out, run the setup again and get a fresh
install with all my settings & extensions in place!

Try doing that with IE!

B
 
null

How can I get a virus just by just clicking on a URL and looking at a
website???

As has been pointed out, by using IE with security settings less than
high (maximum). Malicious web sites take advantage of several
different IE vulnerabilities. Use a different browser such as Mozilla,
Firefox, K-Meleon or Opera. Read this for a link to info on how to set
your My Computer zone to max security as well. It's under item 3:

http://www.claymania.com/safe-hex.html#3


Art
http://www.epix.net/~artnpeg
 
Duane Arnold

How can I get a virus just by just clicking on a URL and looking at a
website???

I clicked on this URL, which seems to contain a virus:

WARNING: DO NOT CLICK ON THIS URL:
http://www.tjhsst.edu/~agupta/ecard-hijack/

When I ran AVG shortly afterwards, it reported the js/psyme virus. It
was in the Temporary Internet Files

I traced it back to the above URL. It is also known as the
ecard-hijack(1).htm virus.

AVG did not complain about it when I clicked on the URL.

Since the virus was in the Temp Internet Files, it probably did not do
any damage. I just cleared the Temp Int Files. Was it ever a danger to
my computer while it was in the Temp Int. Files?

How can I avoid getting a virus just by visiting a website?

I went to the link with XP's SP2 IE and IE certainly sounded off about the
situation. In addition, NOD32's IMON (Internet Monitor), which checks the
TCP/IP connection for anomalies, detected the virus and allowed me to
terminate the connection with the Web site and the virus never made it to
the machine.

Duane :)
 
Duane Arnold

That's interesting because I also use IE6 with SP2, but it did not
complain at all. What message did you get from Int. Expl.?
That message with the yellow shield and IE tells you it has blocked access
by this file in its new Tool Bar Message area. Between that and NOD32
stopping it, I never saw the page and got the Page Not Found by IE
displayed.

Duane :)
 
Beauregard T. Shagnasty

Quoth the raven Duane Arnold:
That message with the yellow shield and IE tells you it has blocked
access by this file in its new Tool Bar Message area. Between that
and NOD32 stopping it, I never saw the page and got the Page Not
Found by IE displayed.

With Mozilla, the page displayed as normal. Perhaps this is because
the "problem" is the textual representation of a malicious script,
with which the author details the malware. There is no /real/ malice
at that page, at least none that I can see.

Apparently, your XP-SP2 IE can't tell the difference.

I also viewed the page with Opera 7.23, Firefox 0.9.2, K-Meleon 0.8.2,
and with my Win2K IE SP1 with no problem.
 
Duane Arnold

Beauregard T. Shagnasty said:
Quoth the raven Duane Arnold:


With Mozilla, the page displayed as normal. Perhaps this is because the
"problem" is the textual representation of a malicious script, with which
the author details the malware. There is no /real/ malice at that page, at
least none that I can see.

Apparently, your XP-SP2 IE can't tell the difference.

What stopped the page from showing is when I told NOD32's IMON to terminate
the connection and not that IE couldn't see the page. Then AMON stepped in
for the deletion.

On my desktop machine that's running XP with SP2 IE, it never even bothered
to show the message like the SP 2 IE on my laptop and they are set the same
from what I can tell. The screen showed but again NOD32's IMON detected the
virus and I terminated the connection with IMON and then AMON stepped in for
the deletion.

I want IE to do what it's doing on the laptop and I don't know why it's not
doing the same thing with the notification. But I'll figure it out, you can
bet on that.

Duane :)
 
Beauregard T. Shagnasty

Quoth the raven Duane Arnold:

On my desktop machine that's running XP with SP2 IE, it never even
bothered to show the message like the SP 2 IE on my laptop and they
are set the same from what I can tell. The screen showed but again
NOD32's IMON detected the virus and I terminated the connection
with IMON and then AMON stepped in for the deletion.

NOD32 said the page is (contains) a virus? I could understand that if
the script was executing, but it is not. It is just a listing of the
code.

Why not write to NOD32 and ask them to check the page? I use Avast!
and it doesn't complain. <g>
 
Duane Arnold

Quoth the raven Duane Arnold:



NOD32 said the page is (contains) a virus? I could understand that if
the script was executing, but it is not. It is just a listing of the
code.

Why not write to NOD32 and ask them to check the page? I use Avast!
and it doesn't complain. <g>

No, you don't understand NOD32's IMON that checks for anomalies in the
TCP/IP network traffic, which detected the virus in the network traffic
and did its job to notify. And then NOD32's AMON stepped in and indicated
that a new file containing a virus, the very file the OP indicated was
created on his machine without any notification was about to be created
and NOD32 AMON notified and stopped that without me having to do a scan as
the OP did to detect it as I deleted the file right then and there on the
spot. I have no need to notify NOD32 about anything as the software did
its job with the proper notifications and allowed me to delete the file
before it was able to be created and infect the machine.

Duane :)
 
Brendan DJ Murphy

And maybe you need to do a scan, a full scan of the HDD, like the OP.

Duane :)

Believing that I was adequately protected (McAfee with latest DAT files
4390 / 8Sep 2004) and a Kerio firewall, I thought I would visit the page.
I have SP2 and IE6.

The page appeared. I didn't read the content in great depth.

I then did a full disk-scan and McAfee found nothing.

To be safe, I then emptied my Temp Internet files folder.

Was there actually a virus in the HTML code?

Brendan
 
Roy

NOD32 said the page is (contains) a virus? I could understand that if
the script was executing, but it is not. It is just a listing of the
code.

It does the same here too, using XP SP1 and Firefox 0.9.3

I don't see too many false alerts with NOD32 so, until proven otherwise,
I'd assume something nasty on that page.

Cheers,

Roy
 
Howard Harris

No, you don't understand NOD32's IMON that checks for anomalies in the
TCP/IP network traffic, which detected the virus in the network traffic
and did its job to notify. And then NOD32's AMON stepped in and indicated
that a new file containing a virus, the very file the OP indicated was
created on his machine without any notification was about to be created
and NOD32 AMON notified and stopped that without me having to do a scan as
the OP did to detect it as I deleted the file right then and there on the
spot. I have no need to notify NOD32 about anything as the software did
its job with the proper notifications and allowed me to delete the file
before it was able to be created and infect the machine.

Slightly different experience with NOD32 here. IMON invited me to block
access to the page. I accepted the invitation and AMON was never needed as
blocking with IMON completely ended contact, so absolutely nothing existed
for AMON to deal with, and all that appeared on my hard drive in the
internet temp folder was a copy of the IMON notice/web page:

NOD32 antivirus system alert: IMON
Infiltration detected !

Infiltration details:

Web page:
http://www.tjhsst.edu/~agupta/ecard-hijack/

Infiltration:
VBS/TrojanDropper.Zerolin.A trojan

Description:
Access to the web page was blocked by IMON.
 
Ant

...

[snip]
Was there actually a virus in the HTML code?

No. The page is completely harmless. It describes the exploit, and
in doing so, lists the code. It won't run by viewing the page.

AV programs have no business alerting on this.
 
null

...

[snip]
Was there actually a virus in the HTML code?

No. The page is completely harmless. It describes the exploit, and
in doing so, lists the code. It won't run by viewing the page.

AV programs have no business alerting on this.

I agree. I ran a test using IE on lowest possible security. I had KAV
3.5 realtime monitor active. No alert and no malware infestation.

The script does get downloaded to IE temp, and some AV may alert on
this. For example, F-Prot for DOS finds VBS/Petch.A@dl (exact).
If KAV alerted (which it doesn't) it would name it Psyme rather than
Petch, as would McAfee. I checked this using Project VGREP.

I also saved the page as an HTML file and scanned on demand. Both
F-Prot and F-Secure alert as VBS/Petch.A@dl.

I suspect that some other scanners besides NOD32 will false alarm when
accessing the harmless web site.


Art
http://www.epix.net/~artnpeg
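
Several replies above turn on whether a script is merely listed as text or sits where a browser would run it, while a scanner reading the cached file sees the same bytes either way. The sketch below is an added example, not code from any poster or AV product; the signature string and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed stand-in for a script signature; not a real AV pattern.
SIGNATURE = "CONSTRUCTED-DROPPER-MARKER"

# Constructed sample pages. LISTING shows the code as escaped text for
# readers; LIVE carries the same code in an executable <script> element.
LISTING = ('<html><body><h1>Write-up</h1><pre>&lt;script&gt;'
           f'run("{SIGNATURE}")&lt;/script&gt;</pre></body></html>')
LIVE = f'<html><body><script>run("{SIGNATURE}")</script></body></html>'


def raw_match(page: str) -> bool:
    """Byte-level match, as a file scanner sees the cached copy."""
    return SIGNATURE in page


class ContextScanner(HTMLParser):
    """Records the HTML context in which the signature appears."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            # Event handlers and src/href values can also execute.
            if value and SIGNATURE in value and (
                    name.startswith("on") or name in ("src", "href")):
                self.contexts.append("attribute")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if SIGNATURE in data:
            self.contexts.append("script" if self.in_script else "text")


def classify(page: str) -> str:
    """Return 'clean', 'listing' (text only) or 'executable'."""
    scanner = ContextScanner()
    scanner.feed(page)
    scanner.close()
    if not scanner.contexts:
        return "clean"
    return "listing" if set(scanner.contexts) <= {"text"} else "executable"
```

`raw_match` is true for both pages, which is why a cached copy of a write-up can trip an on-demand scan; `classify` separates them only because it parses the markup the way a renderer would.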
 
Duane Arnold

Believing that I was adequately protected (McAfee with latest DAT
files 4390 / 8Sep 2004) and a Kerio firewall, I thought I would
visit the page. I have SP2 and IE6.

The page appeared. I didn't read the content in great depth.

I then did a full disk-scan and McAfee found nothing.

To be safe, I then emptied my Temp Internet files folder.

Was there actually a virus in the HTML code?

Brendan

NOD32 identifies the malware as VBS/TrojanDropper.Zerolin in
HTTP://www.Tjhsst.edu~AGUPTA/ecard-HIjack.

I cannot even view the source code as AMON sounds off when I try to view
it and all I can do is take the *Delete* action and then IMON steps in
again with its message.

As far as NOD32 doing some kind of false alert, I really don't care about
that. NOD32 has sounded off about it and I'll accept that. NOD32 has
never sounded off like this on any other site I have visited.

My bigger concern is why XP's SP2 IE 6 on my laptop is sounding off while
IE 6 with the same setup that I can see between the two machines is not
sounding off when I visit the site.

Duane :)
 
Howard Harris

My bigger concern is why XP's SP2 IE 6 on my laptop is sounding off while
IE 6 with the same setup that I can see between the two machines is not
sounding off when I visit the site.

FWIW, IE6 with SP2 here didn't sound off - IMON simply inserted itself, I
opted to block it, end of story.
 
Howard Harris

I cannot even view the source code as AMON sounds off when I try to view
it and all I can do is take the *Delete* action and then IMON steps in
again with its message.

BTW, it has occurred to me that the differences between what we see with
NOD32 are possibly rooted in the http settings in IMON. I suspect you have
IE set to higher compatibility, while I have it set to higher efficiency
(as I very rarely use IE, I do not need to concern myself with web site
compatibility with IE). Hence AMON comes into play for you, but not for me.
 
