unexpected Trojan



win95a
12-11-2003, 09:14 AM
There is no shortage of unpleasant viruses out there, but I got a shock recently when a Trojan managed to get on my PC and attempt to run just by visiting a Web page, without me having to open any files or attachments.

Seems the page contained some JavaScript that replaced wmplayer.exe on my hard drive with a trojan, then featured a movie clip on the web page.
As mplayer is my default media player (and my internet settings foolishly allowed such things) Windows then starts up mplayer.exe and bang.
Fortunately Norton caught the trojan when it tried to run (or perhaps when it replaced the original file) so the only damage done was losing Mplayer, but it was a wake-up call for me regarding internet security.

I've never paid much attention to my IE6 security settings, leaving them on the default (medium security) and trusting Norton, ZoneAlarm and Ad-aware to look after my PC, but to avoid Active-Scripting like this you want to look at using the high security with Trusted-Site settings.
Walkthrough....
http://acd.ucar.edu/~fredrick/win2k/active_scripting/


Hope this helps someone avoid a nasty surprise.

ilikelinux
12-11-2003, 09:16 AM
Now you can upgrade to wmp9

or go to something like Quick time!

mark.p
12-11-2003, 09:39 AM
A bit about ASP: http://www.coastline.com/support/faqs/ASP.asp

tweak'e
12-11-2003, 10:10 AM
It most likely used a JavaScript exploit to install the trojan. Yet another reason to keep up with those patches.

I ran into one the other day; fortunately it was a basic one and Norton found it before it ran. At a guess it used one of the holes in Java which I had forgotten to update (Sun Java).

Jim B
12-11-2003, 10:11 AM
There are other web browsers available which are not as prone to the security issues that IE has.

IE is full of holes (http://www.zdnet.com.au/newstech/security/story/0,2000048600,20279477,00.htm)

kiwibeat
12-11-2003, 11:14 AM
I use Zoom Player as my default (smaller and better). I also use Opera and Avant or Firebird as browsers, plus run Spybot and SpywareBlaster as well as a few other programs on 98SE.

Oxie
12-11-2003, 12:32 PM
win95a

Thanks for the warning and the links. Great reading! I see you were using IE6 and set to medium security settings (which is probably the norm for most people). As a matter of interest was your IE6 fully patched at the time?

Oxie (Lyn)

Greg S
12-11-2003, 12:51 PM
Praise to AVG - my brother's system somehow caught the femad.b (aka tooncom.b) trojan, and it was detected by AVG, then nicely cleaned automatically

win95a
12-11-2003, 02:57 PM
Hi,
I'm pretty confident that my IE6 was/is up to date. There are no outstanding updates in Windows Update for my PC at the moment.
I'm glad Norton was onto it.

Oxie
12-11-2003, 03:38 PM
win95a

Thanks for that. Since my last post here I thought it would be a good idea to change the security settings in IE6 from medium to high. I duly entered 'safe' sites into the Trusted Sites box. However, when testing certain sites I could not access the java pop-up window which is necessary to log on to my bank. So, my IE6 is now all back to Medium Security. What do other users of IE6 do? By the way I use Netscape 99.5% of the time, but Java is still enabled and obviously necessary to access banking sites.

In IE6 would it be a good idea to disable all the ActiveX controls and plug-ins, and leave the Java related ones enabled? All comments greatly received.

Oxie (Lyn)

win95a
13-11-2003, 08:28 AM
Hi Oxie,
I'm sorry, I don't know enough to customise a 'safe' IE. But I am interested in suggestions others may have.

Jim B
13-11-2003, 10:30 AM
This article may be of some use: go here (http://www.idg.co.nz/PCWorld/PCW.nsf/0/0860a07222f01a62cc256dba000694b8?OpenDocument)

If you have entered a Trusted site which needs Java, then for that zone select it to medium, which will allow access, or select Custom Level and Java high safety.

For the Internet Zone, leave the setting on high, but if a site needs Java you will need to add that site to Trusted Sites or select Internet Zone to medium.

The recommended settings for the various zones are given at this link.
If you want to configure them manually select Custom Level
http://hacker-eliminator.com/safebrowsing.html

More information here (http://www.microsoft.com/windows/ie/using/howto/privacy/config.asp) and here (http://www.microsoft.com/windows/ie/using/howto/security/settings.asp)
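
Added example, not part of the original thread or any poster's code: a PowerShell audit of the per-user zone settings discussed above, covering the Trusted sites and Internet zones. It assumes the standard Internet Explorer zone registry layout under HKCU and reports ActiveX, Active scripting and Java permissions for each zone.

```powershell
# Added example: report per-user Internet Explorer zone settings.
# Assumes the standard IE zone registry layout; zone 2 = Trusted sites, 3 = Internet.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 2 = 'Trusted sites'; 3 = 'Internet' }

# Action IDs for the settings the thread discusses.
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1C00' = 'Java permissions'
}
# Most actions: 0 = enable, 1 = prompt, 3 = disable. Java (1C00) has its own scale.
$policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$java   = @{ 0 = 'Disable Java'; 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety' }
# CurrentLevel holds the zone's slider position; 0 means Custom Level.
$levels = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

foreach ($z in ($zones.Keys | Sort-Object)) {
    $props = Get-ItemProperty -Path (Join-Path $base $z) -ErrorAction SilentlyContinue
    if (-not $props) { Write-Warning "No per-user settings found for zone $z"; continue }

    $cur = $props.CurrentLevel
    if ($null -eq $cur) { $level = '(not set)' } else { $level = $levels[[int]$cur] }
    if (-not $level)    { $level = '0x{0:X}' -f $cur }

    foreach ($id in $actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw)     { $text = '(not set)' }
        elseif ($id -eq '1C00') { $text = $java[[int]$raw] }
        else                    { $text = $policy[[int]$raw] }
        if (-not $text) { $text = '0x{0:X}' -f $raw }   # value outside the tables above

        [pscustomobject]@{
            Zone    = $zones[$z]
            Level   = $level
            Setting = $actions[$id]
            Value   = $text
            # Flag the case from the first post: scripting runs unprompted on any Internet site.
            Review  = ($z -eq 3 -and $id -eq '1400' -and $raw -eq 0)
        }
    }
}
```

This reads only the per-user key, so settings enforced by policy are not reflected.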

win95a
13-11-2003, 01:08 PM
Thanks Jim B,

Those are some great links. It's reassuring to have specific details on what is out there, and what can be done to avoid it.
I especially like the browser tests off the first link.
Cheers.

Oxie
13-11-2003, 01:48 PM
Jim B

That was an excellent link - the hacker-eliminator.com one - just what I was after. I changed all the settings as suggested and it works a treat - re not accessing the bank earlier it needed the * in front of the domain name in the Trusted Sites as suggested so that the java is enabled throughout the site.

I think the info in that link should be added to Frequently Asked Questions.

Thanks win95 for sharing your woe, and thanks Jim B for the prevention.

Oxie (Lyn)