Viruses in Neopets FastClick ads
Sat Sep 09, 2006 8:47 am
It's back, folks. Twice in a few minutes right after I cleaned it off and rebooted. Satuday Sept. 9, 2006 early (1-2) AM NST. It appears to be a Java hack of some sorts. It came with that same fake ad (virus, this time called value.wmf rather than value[1].wmf), but more files to clean up (exe4jlib.jar).
See the "old" thread here, but now indeed it seems a weekendly occurence.
EDIT: Quick link to The Neopets Daily Safety Index. (Though it seems down currently.)
Sorry to the mods for reviving a recent thread, but I felt this urgent and didn't see the older thread being bumped to the front page any time soon.
See the "old" thread here, but now indeed it seems a weekendly occurence.
EDIT: Quick link to The Neopets Daily Safety Index. (Though it seems down currently.)
Sorry to the mods for reviving a recent thread, but I felt this urgent and didn't see the older thread being bumped to the front page any time soon.
Last edited by anjuna on Sun Sep 10, 2006 10:41 pm, edited 2 times in total.
Sat Sep 09, 2006 9:25 am
Eh yeah...I don't know if anything popped up, but I was going around on neopets and my Norton brought up the message saying I had a virus. Fabulous.
Sat Sep 09, 2006 11:21 am
anjuna, would it have been possible for me to get it even though ads are blocked by firefox? something seriously messed up my puter yesterday and prevented me from runnong any security scans or from installing new ones/updates. it said i didnt have admin priviledges to install them. so i had to factory restore *sigh*
and would you mind terribly if i picked your brains via pm about cookies and something unrelated to neopets? you seem to know a lot about computers and i cannot work out how something that happened was possible.
and would you mind terribly if i picked your brains via pm about cookies and something unrelated to neopets? you seem to know a lot about computers and i cannot work out how something that happened was possible.
Sat Sep 09, 2006 5:53 pm
Sucks to wake up to read that more have been infected by Neopets.com.
Possibly some of the people having log-in problems on the other thread might even be related to this? I almost hope so, as that would likely mean TNT is trying to clear this up and might have to prevent log-ins for now?
purplecatlover2003: I don't *think* it is possible to get this while using FF (basically it comes from a hole in the Trident engine (which IE uses), not the Gecko engine (which Firefox and Orca use)). But the virus has 'evolved' quite fast over the past couple weeks and I now wonder if this is an "innocent" ad company or some really malicious person trying to really really screw Neopets and all the users s/he can? I wouldn't be surprised if hacking FF were next on this person's list.
Yes of course you may PM me about this or any such semi-related stuff.
In fact your details might help, in case FF is breachable too.
Eternal Serena and any others that get this while playing on Neopets might want to post here what they experienced and the browser used, etc.
I could post more screenies but they are all pretty much similar to what I described in the other thread about this. I got the source code of the page it happened on (this time World Challenge) like allnameswereout said to but he or someone else will have to look that over. Now to brave Neo ...
EDIT: Here is all the information I could find on this so far. Like I said it is a tad different from the bl4ck.com trojan but the same .WMF virus is used. And now this Java crap. Geez.
Possibly some of the people having log-in problems on the other thread might even be related to this? I almost hope so, as that would likely mean TNT is trying to clear this up and might have to prevent log-ins for now?
purplecatlover2003: I don't *think* it is possible to get this while using FF (basically it comes from a hole in the Trident engine (which IE uses), not the Gecko engine (which Firefox and Orca use)). But the virus has 'evolved' quite fast over the past couple weeks and I now wonder if this is an "innocent" ad company or some really malicious person trying to really really screw Neopets and all the users s/he can? I wouldn't be surprised if hacking FF were next on this person's list.
Yes of course you may PM me about this or any such semi-related stuff.
In fact your details might help, in case FF is breachable too.
Eternal Serena and any others that get this while playing on Neopets might want to post here what they experienced and the browser used, etc.
I could post more screenies but they are all pretty much similar to what I described in the other thread about this. I got the source code of the page it happened on (this time World Challenge) like allnameswereout said to but he or someone else will have to look that over. Now to brave Neo ...
EDIT: Here is all the information I could find on this so far. Like I said it is a tad different from the bl4ck.com trojan but the same .WMF virus is used. And now this Java crap. Geez.
spidey wrote:I searched the Internet for any information concerning this file, an executable .jar file. According to Sophos (http://www.sophos.com/virusinfo/analyse ... idrdw.html) this is dropped by a trojan along with another file...
exe4j is an EXE creator for Java; it seems as if any program, legitimate or not, can use the library file, exe4jlib.
It seems as if it can be part of a trojan drop which is used to run the actual virus program. The .jar file is only the actuator rather than the virus.
Last edited by anjuna on Sat Sep 09, 2006 10:43 pm, edited 3 times in total.
Sat Sep 09, 2006 6:20 pm
Do you know if opera is affected? I usually don't have problems with those neopets ads either way.
Sat Sep 09, 2006 6:36 pm
I got it this morning as well, as a trojan.
Unfortunately I don't know if I got it from FF or from Avant, I use both.
I'm inclined to believe that it came from Avant.
McAfee caught it but it refused to clean, quarantine or to delete it.
I ran a virus scan and it didn't show up, did the restart thing and I haven't had anymore problems....as of yet...it could still be there.
Unfortunately I don't know if I got it from FF or from Avant, I use both.
I'm inclined to believe that it came from Avant.
McAfee caught it but it refused to clean, quarantine or to delete it.
I ran a virus scan and it didn't show up, did the restart thing and I haven't had anymore problems....as of yet...it could still be there.
Sat Sep 09, 2006 6:44 pm
I don't know how Opera handles such. Uses Presto engine is all I know.
UPDATE: Presto seems not to use ActiveX, in which a security hole (in ActiveX) is required for this Java crap to run. I suspect Opera is "safe" but then again I do not know much about this Java hack and the creator of it seems to be trying new and advanced things with this .exe creator.
My personal ActiveX settings prohibit this to run or for operation to complete. I also use Bug Off which closes some common exploits. Then my good ol' anti-v kicks in and quarantines. Then I document the infections and manually delete all related (temporary) files and reboot. All clean. Virus mutates. As an update to this I am blocking more and more manually in Avant, but again I state on a 'trusted site' like Neopets.com it should not be necessary. I can understand my being responsible for visiting 'questionable' sites (which I don't and even other 'trusted' sites have had security breaches) but for a now Viacom-owned mega-corporation this is bad publicity at the LEAST. At the WORST, many users might not feel safe and discontinue or severely limit play time (ahem, page counts.)
AVG Free will quarantine this. All related files are located in Temporary Internet Files and Temp folders. Particularly Temp. Even if your anti-virus does not catch and quarantine it, you can safely delete those files. A few leftovers will be in "use" and unremovable until reboot. Then delete them.
The leftover (inactive) files appear to be harmless, but I don't take any chances.
EDIT: Following is a list of files and folders to look out for. All will be localized in your Temp directory (one level up from Temporary Internet Files which should also be cleared). Search for similarly named items on your system, as the file names likely vary from computer and incidence.
Directories -
Temporary Internet Files
Temp
e4jD.tmp_dir7297
Files -
value[1].wmf
value.wmf
bl4ck.com
exe4jlib.jar
EDIT: Some files were removed from the list as I found them harmless and leftover from messaging apps. Keep an eye out for the other ones just in case.
UPDATE: Presto seems not to use ActiveX, in which a security hole (in ActiveX) is required for this Java crap to run. I suspect Opera is "safe" but then again I do not know much about this Java hack and the creator of it seems to be trying new and advanced things with this .exe creator.
My personal ActiveX settings prohibit this to run or for operation to complete. I also use Bug Off which closes some common exploits. Then my good ol' anti-v kicks in and quarantines. Then I document the infections and manually delete all related (temporary) files and reboot. All clean. Virus mutates. As an update to this I am blocking more and more manually in Avant, but again I state on a 'trusted site' like Neopets.com it should not be necessary. I can understand my being responsible for visiting 'questionable' sites (which I don't and even other 'trusted' sites have had security breaches) but for a now Viacom-owned mega-corporation this is bad publicity at the LEAST. At the WORST, many users might not feel safe and discontinue or severely limit play time (ahem, page counts.)
AVG Free will quarantine this. All related files are located in Temporary Internet Files and Temp folders. Particularly Temp. Even if your anti-virus does not catch and quarantine it, you can safely delete those files. A few leftovers will be in "use" and unremovable until reboot. Then delete them.
The leftover (inactive) files appear to be harmless, but I don't take any chances.
EDIT: Following is a list of files and folders to look out for. All will be localized in your Temp directory (one level up from Temporary Internet Files which should also be cleared). Search for similarly named items on your system, as the file names likely vary from computer and incidence.
Directories -
Temporary Internet Files
Temp
e4jD.tmp_dir7297
Files -
value[1].wmf
value.wmf
bl4ck.com
exe4jlib.jar
EDIT: Some files were removed from the list as I found them harmless and leftover from messaging apps. Keep an eye out for the other ones just in case.
Last edited by anjuna on Tue Sep 12, 2006 8:32 pm, edited 8 times in total.
Sat Sep 09, 2006 6:56 pm
AVG Free will quarantine this. All related files are located in Temporary Internet Files and Temp folders. Particularly Temp. Even if your anti-virus does not catch and quarantine it, you can safely delete those files. A few leftovers will be in "use" and unremovable until reboot. Then delete them.
The leftover files appear to be harmless, but I don't take any chances.
Thank you, I really don't know much about these kinds of things.
One question: If you suspect you have a trojan or virus are you suppose to clear your temp files before running a virus scan or after?
Sat Sep 09, 2006 7:27 pm
aarickman wrote:One question: If you suspect you have a trojan or virus are you suppose to clear your temp files before running a virus scan or after?
It almost doesn't matter, but that is considering your anti-virus application is thorough enough to detect all the places the intruder left files.
I would advise to anyway, since some crafty ones can load more files in more places the longer they are sitting around and allowed to run. In this case, the virus/trojan appears relatively easy to get rid of; it is more just a pain in the butt that it keeps coming back, and even in mutated forms.
AVG Free should quarantine the main virus almost immediately. From there you can remove related files manually or reboot your system like it recommends. The files should then either be deleted or at least inactive.
Sat Sep 09, 2006 7:47 pm
purplecatlover2003 wrote:anjuna, would it have been possible for me to get it even though ads are blocked by firefox? something seriously messed up my puter yesterday and prevented me from runnong any security scans or from installing new ones/updates. it said i didnt have admin priviledges to install them. so i had to factory restore *sigh*
and would you mind terribly if i picked your brains via pm about cookies and something unrelated to neopets? you seem to know a lot about computers and i cannot work out how something that happened was possible.
Hmm, unless you've gotten an message from Norton or your firewall, I dont think you were infected. o__O If there are multiple users on your computer, are you sure you were on one that had Administrator priviledges in the first place?
Sat Sep 09, 2006 8:58 pm
Thank's so much, for your help.anjuna wrote:aarickman wrote:One question: If you suspect you have a trojan or virus are you suppose to clear your temp files before running a virus scan or after?
It almost doesn't matter, but that is considering your anti-virus application is thorough enough to detect all the places the intruder left files.
I would advise to anyway, since some crafty ones can load more files in more places the longer they are sitting around and allowed to run. In this case, the virus/trojan appears relatively easy to get rid of; it is more just a pain in the butt that it keeps coming back, and even in mutated forms.
AVG Free should quarantine the main virus almost immediately. From there you can remove related files manually or reboot your system like it recommends. The files should then either be deleted or at least inactive.
Sat Sep 09, 2006 9:00 pm
Here is a link to some of my favorite personal utilities for dealing with malware. The most particularly helpful, in this case, would probably be the Internet Properties (security settings) tutorial, Bug Off, and the ATF-Cleaner for clearing all temporary files. AVG Free continues to do the best job catching most harmful entities, in my experience.
Beyond that, TNT just needs to get their act together. Simply unacceptable.
EDIT: And glad to be of help, everyone.
Beyond that, TNT just needs to get their act together. Simply unacceptable.
EDIT: And glad to be of help, everyone.
Last edited by anjuna on Sat Sep 09, 2006 9:49 pm, edited 1 time in total.
Sat Sep 09, 2006 9:16 pm
WIS wrote:[
Hmm, unless you've gotten an message from Norton or your firewall, I dont think you were infected. o__O If there are multiple users on your computer, are you sure you were on one that had Administrator priviledges in the first place?
yep im the only person who has access to my computer
Anjuna thank you
Sat Sep 09, 2006 11:21 pm
Does anyone know how this malware works? Why does it work?
It seems theres an exe app executed by java via a wrapper. I thought Java was sandboxed? So it should not be able to get outside of there. Unless the WMF uses a known flaw in Windows patched in dec 2005.
If that is true, then it doesn't matter what browser you use if you did not apply that patch from dec 2005 and you don't run some 'catch' program such as an AV (which is only 'that accurate' and 'that up to date'; limited!) then you are fried. What seems to be most secure is uninstalling Java plugin from your browser. You can uninstall the ActiveX part in IE under the plugins section and you can remove the plugin for Firefox or Opera as well. Without influencing any other Java applications. If you don't need Java at all, just uninstall it. You don't need Java to play Neopets, you need Flash.
PS: And if you don't patch, use tools such as Bugmenot to disable some known features in Windows which viruses can exploit (some can be solved by a patch, some cannot be solved as Microsoft doesn't fix the leak (!!!)).
It seems theres an exe app executed by java via a wrapper. I thought Java was sandboxed? So it should not be able to get outside of there. Unless the WMF uses a known flaw in Windows patched in dec 2005.
If that is true, then it doesn't matter what browser you use if you did not apply that patch from dec 2005 and you don't run some 'catch' program such as an AV (which is only 'that accurate' and 'that up to date'; limited!) then you are fried. What seems to be most secure is uninstalling Java plugin from your browser. You can uninstall the ActiveX part in IE under the plugins section and you can remove the plugin for Firefox or Opera as well. Without influencing any other Java applications. If you don't need Java at all, just uninstall it. You don't need Java to play Neopets, you need Flash.
PS: And if you don't patch, use tools such as Bugmenot to disable some known features in Windows which viruses can exploit (some can be solved by a patch, some cannot be solved as Microsoft doesn't fix the leak (!!!)).
Sat Sep 09, 2006 11:26 pm
Another thing you can do to help protect yourself is use a HOSTS file. This page explains what that is and has an up-to-date one for download (apparently the best one available). I don't even see most ads in IE thanks to the HOSTS file (they don't load at all).
There is no need to turn on, adjust or change any settings. Windows automatically looks for the existence of a HOSTS file and if found, checks the HOSTS file first for entries to the web page you just requested. The 127.0.0.1 is the location of your computer, so when the entry (example) "ad.doubleclick.net" is requested your computer thinks 127.0.0.1 is the location of the file. When this file is not located it skips onto the next file and thus the ad server is blocked from loading the banner, Cookie, or some unscrupulous ActiveX, or javascript file.
In case you're wondering ... this all happens in microseconds, which is much faster than trying to fetch a file from half way around the world. Another great feature of the HOSTS file is that it is a two-way file, meaning if some parasite does get into your system (usually bundled with other products) the culprit can not get out (call home) as long as the necessary entries exist. This is why it's important to keep your HOSTS file up to Date.