09-05-2005, 01:29
|
#1
|
|
cf.mega poster
Join Date: Nov 2004
Posts: 7,736
|
Warning about this link
I need to put an urgent warning out to everyone.
Earlier tonight my gf was using her laptop on her MSN list and this link was sent by her friends with "lmao is this you?" Like most people on MSN you click the link expecting a joke; this is no joke and no spamming matter.
http://pictures.templates4friends.com/pictures.php?email=xxxxxx@hotmail.com
That was the link, and I am serious now, do not click it: it opens loads of MSN windows, spams itself stupid, and then it disabled my Sygate Personal Firewall and my avast! home system. I had to re-enable them via Services in Control Panel; also my network, which runs via ethernet, is down, so my new PC is offline right now.
I have no idea how to stop this other than formatting both systems. I have scanned, scanned and even more scanned this HD and found nothing.
All I know is some program called project1 runs this, and it's making a mockery of this laptop right now.
Edit: Link modified (Paul).
Last edited by AndrewJ; 09-05-2005 at 01:58.
|
|
|
09-05-2005, 01:46
|
#2
|
|
Cable Forum Team
Join Date: Jul 2003
Location: Poole, Dorset
Age: 23
Services: Sky+
V-Box
VM 10MBit
Posts: 9,597
|
Re: Warning about this link
Might be an idea to edit the link so no one clicks it, i.e. remove the http://
|
|
|
09-05-2005, 01:58
|
#3
|
|
cf.mega poster
Join Date: Nov 2004
Posts: 7,736
|
Re: Warning about this link
True. Right, I have narrowed it to this: c:\Windows\System32\System.exe, aka Helz Little Angel according to a spyware scan (found out gf never kept her Spybot up to date, didn't see a point in it).
Removed on next reboot, am seeing how it works.
|
|
|
09-05-2005, 02:00
|
#4
|
|
Busy Admin
Join Date: Oct 2003
Location: Nottingham
Age: 45
Services: VM Phone : Sky+ Multiroom : VM Cable (20 Mbps)
Posts: 14,432
|
Re: Warning about this link
Posting a clickable link was not a very bright move  - edited.
|
|
|
09-05-2005, 02:18
|
#5
|
|
cf.mega poster
Join Date: Nov 2004
Posts: 7,736
|
Re: Warning about this link
Finally fixed the little sod, and the posting of the link was unintentional although stupid, and I do apologise.
Basically it is some clever little virus.
It disabled the following services as well as messing up MSN on my gf's computer:
Windows Firewall/IC Sharing
Sygate
Avast
All the above services were gone and it caused havoc until Spybot ran on the next boot and removed it.
C:\windows\system32\system.exe is listed in Spybot as Helz little angel.
That's all I know right now, I am off to bed.
|
|
|
10-05-2005, 10:56
|
#6
|
|
Inactive
Join Date: May 2005
Posts: 5
|
Re: Warning about this link
Quote:
|
Originally Posted by AndrewJames
I need to put an urgent warning out to everyone.
Earlier tonight my gf was using her laptop on her MSN list and this link was sent by her friends with "lmao is this you?" Like most people on MSN you click the link expecting a joke; this is no joke and no spamming matter.
http://pictures.templates4friends.co...xx@hotmail.com
That was the link, and I am serious now, do not click it: it opens loads of MSN windows, spams itself stupid, and then it disabled my Sygate Personal Firewall and my avast! home system. I had to re-enable them via Services in Control Panel; also my network, which runs via ethernet, is down, so my new PC is offline right now.
I have no idea how to stop this other than formatting both systems. I have scanned, scanned and even more scanned this HD and found nothing.
All I know is some program called project1 runs this, and it's making a mockery of this laptop right now.
Edit: Link modified (Paul).
|
Dear people,
My name is Marco Hesselink, owner of www.templates4friends.com, and I have no idea how a virus can go around with the above-mentioned link.
I have no physical hosting, only a redirect to another website, also templates.
I really do hope somebody can explain to me whether I can do something to resolve this problem, or whether somebody else is just misusing my domain name.
Marco Hesselink
Germany
|
|
|
10-05-2005, 11:36
|
#7
|
|
Gametag: Random Hom3r
Join Date: Mar 2004
Location: A secret Moonbase (shh don't tell anybody)
Age: 39
Services: VIP Package. VM Phone, 1 V+,1 PACE & 1 Samsug STB, NTL:250 20Mb connection
Posts: 4,651
|
Re: Warning about this link
 to the forum
It is possible that someone is using your site to send spam. You need to check the security to see if there are any holes or open ports.
|
|
|
10-05-2005, 11:47
|
#8
|
|
cf.mega poster
Join Date: Nov 2004
Posts: 7,736
|
Re: Warning about this link
After discussion I found out my gf stupidly clicked on a download link; seemingly the URL was spoofed rather well from Yahoo Photos. Sadly, once downloaded and opened, this thing ran havoc.
Taught her to update her AV and firewall much more often.
|
|
|
10-05-2005, 11:59
|
#9
|
|
cf.mega poster
Join Date: Jun 2003
Age: 29
Posts: 6,273
|
Re: Warning about this link
Quote:
|
Originally Posted by marco0840
Quote:
|
Originally Posted by AndrewJames
I need to put an urgent warning out to everyone.
Earlier tonight my gf was using her laptop on her MSN list and this link was sent by her friends with "lmao is this you?" Like most people on MSN you click the link expecting a joke; this is no joke and no spamming matter.
http://pictures.templates4friends.co...xx@hotmail.com
That was the link, and I am serious now, do not click it: it opens loads of MSN windows, spams itself stupid, and then it disabled my Sygate Personal Firewall and my avast! home system. I had to re-enable them via Services in Control Panel; also my network, which runs via ethernet, is down, so my new PC is offline right now.
I have no idea how to stop this other than formatting both systems. I have scanned, scanned and even more scanned this HD and found nothing.
All I know is some program called project1 runs this, and it's making a mockery of this laptop right now.
Edit: Link modified (Paul).
|
Dear people,
My name is Marco Hesselink, owner of www.templates4friends.com, and I have no idea how a virus can go around with the above-mentioned link.
I have no physical hosting, only a redirect to another website, also templates.
I really do hope somebody can explain to me whether I can do something to resolve this problem, or whether somebody else is just misusing my domain name.
Marco Hesselink
Germany
|
I suggest you look at your website, visiting in the (safe) Firefox I get the following screenshot, which is a binary application download.
I might disassemble the code properly if I want but for now I'll just let you know that you have the following errors within it.
Quote:
Warning: fopen(cnt): failed to open stream: Permission denied in /var/www/html/pictures.php on line 15
Warning: fwrite(): supplied argument is not a valid stream resource in /var/www/html/pictures.php on line 16
Warning: fclose(): supplied argument is not a valid stream resource in /var/www/html/pictures.php on line 17
|
The site is using PHP to write out a binary stream directly to the browser, in IE it will probably run the code automatically although I'm not going to bother trying.
__________________
Update: This is an IRC backdoor trojan.
What will this do?
Basically it recruits your PC as a "bot", and can then be used to conduct DDOS attacks or spread Spam via commands issued to it in the IRC channel it connects to.
I'm going to get the entire domain blocked at my company firewall in a minute.
|
|
|
10-05-2005, 11:59
|
#10
|
|
Inactive
Join Date: May 2005
Posts: 5
|
Re: Warning about this link
Quote:
|
Originally Posted by Richard M
I suggest you look at your website, visiting in the (safe) Firefox I get the following screenshot, which is a binary application download.
I might disassemble the code properly if I want but for now I'll just let you know that you have the following errors within it.
The site is using PHP to write out a binary stream directly to the browser, in IE it will probably run the code automatically although I'm not going to bother trying.
|
Thank you for your reaction, although I must admit I do not really understand.
I do know I have a virtual server, based in the USA. In my PLESK I click on Setup and I can see
"Hosting (Domain has frame forwarding to the URL http://www.boxedart.com/cgi-bin/affi...i?id=marco3bib)"
no physical hosting, no email accounts open, I even have no webmail available now.
Can you see from which IP address this is coming? Because my domain has a permanent IP address, and if that is different from the link, someone is cheating on me outside my domain.
Sorry if my English is sometimes difficult to understand.
|
|
|
10-05-2005, 12:04
|
#11
|
|
cf.mega poster
Join Date: Jun 2003
Age: 29
Posts: 6,273
|
Re: Warning about this link
Quote:
|
Originally Posted by marco0840
Quote:
|
Originally Posted by Richard M
I suggest you look at your website, visiting in the (safe) Firefox I get the following screenshot, which is a binary application download.
I might disassemble the code properly if I want but for now I'll just let you know that you have the following errors within it.
The site is using PHP to write out a binary stream directly to the browser, in IE it will probably run the code automatically although I'm not going to bother trying.
|
Thank you for your reaction, although I must admit I do not really understand.
I do know I have a virtual server, based in the USA. In my PLESK I click on Setup and I can see
"Hosting (Domain has frame forwarding to the URL http://www.boxedart.com/cgi-bin/affi...i?id=marco3bib)"
no physical hosting, no email accounts open, I even have no webmail available now.
Can you see from which IP address this is coming? Because my domain has a permanent IP address, and if that is different from the link, someone is cheating on me outside my domain.
Sorry if my English is sometimes difficult to understand.
|
There are 2:
> www.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: templates4friends.com
Address: 69.57.138.4
Aliases: www.templates4friends.com
> pictures.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: pictures.templates4friends.com
Address: 64.246.16.76
EDIT: It also resolves to boxedart.com which is:
66.225.226.199
This server is located in Chicago and managed from an address in Florida.
The compromised IP is the one in bold above.
|
|
|
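The comparison made in post #11, as an added example that is not part of the original thread: it parses the nslookup transcript posted there (embedded below as sample input) and lists the hosts whose answers share no address with a chosen baseline host. The function names are illustrative, and a mismatch is only a prompt to check the record against the hosting panel, not proof of compromise.

```python
import re
from collections import defaultdict

# nslookup transcript as posted in the thread (the poster masked the resolver details).
TRANSCRIPT = """\
> www.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: templates4friends.com
Address: 69.57.138.4
Aliases: www.templates4friends.com
> pictures.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: pictures.templates4friends.com
Address: 64.246.16.76
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_nslookup(text):
    """Return {queried_name: [answer addresses]} from interactive nslookup output."""
    answers, query, in_answer = defaultdict(list), None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            # A new query starts; forget the previous answer section.
            query, in_answer = line[1:].strip().lower(), False
            answers[query]  # register the name even if it gets no answer
        elif line.lower().endswith("answer:"):
            in_answer = True
        elif in_answer and query and line.lower().startswith(("address:", "addresses:")):
            # Only Address lines after the answer marker count; the one above
            # it is the resolver's own address, not the queried host's.
            value = line.split(":", 1)[1].strip()
            if IPV4.match(value):
                answers[query].append(value)
    return dict(answers)

def off_baseline(answers, baseline_host):
    """Hosts whose addresses share nothing with the baseline host's addresses."""
    base = set(answers.get(baseline_host, []))
    return {h: a for h, a in answers.items()
            if h != baseline_host and not base & set(a)}
```
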
10-05-2005, 12:07
|
#12
|
|
Inactive
Join Date: May 2005
Posts: 5
|
Re: Warning about this link
Quote:
|
Originally Posted by Richard M
There are 2:
> www.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: templates4friends.com
Address: 69.57.138.4
Aliases: www.templates4friends.com
> pictures.templates4friends.com
Server: *.*.*.net
Address: *.*.*.*
Non-authoritative answer:
Name: pictures.templates4friends.com
Address: 64.246.16.76
EDIT: It also resolves to boxedart.com which is:
66.225.226.199
This server is located in Chicago and managed from an address in Florida.
The compromised IP is the one in bold above.
|
Thank you, the IP mentioned for the authorized users is mine; the 66.225.226.199 does not belong to me.
I think my important question is: how can I find out who this person is?
|
|
|
10-05-2005, 12:11
|
#13
|
|
Cable Forum Team
Join Date: Feb 2004
Location: Glasgow
Age: 27
Services: Virgin XL TV, V+ Box, XL BB
Posts: 3,368
|
Re: Warning about this link
I got infected last month through MSN by a virus similar to this. It disabled all security services and really messed things up. Eventually Norton managed an update and got rid of it, but I had to edit the registry to completely remove all traces and restore the services in Windows.
__________________
X360 Gamertag: MartyMcFly88 PSN ID: martymcfly88
Formally known as Darthyoda
NTL:Telewest Business Employee
|
|
|
10-05-2005, 12:13
|
#14
|
|
cf.mega poster
Join Date: Jun 2003
Age: 29
Posts: 6,273
|
Re: Warning about this link
|
|
|
10-05-2005, 12:18
|
#15
|
|
Inactive
Join Date: May 2005
Posts: 5
|
Re: Warning about this link
Quote:
|
Originally Posted by Richard M
|
Dear people,
I deleted the site for now; later maybe I will activate it again.
Maybe you can look one more time to see if there is still some activity on my site!
I am really sorry that my domain was indirectly the reason for many troubles, but please believe me, I did not have any clue at all.
Marco
|
|
|
|