Jump to content

AACA Virus?

Scotts_DG8

By Scotts_DG8
in General Discussion

 Share

Recommended Posts

Scotts_DG8 2,500+ Points

Scotts_DG8

Posted
Posted

While not trying to alarm anyone here, while scanning my PC for virus it has encountered a virus most every day the past several days. And as I only visit a 4 or 5 sites each day I decided to spend the last 2 hours and try to narrow down where I might be picking this virus up. As it turns out the virus that my scan analysis turns up appears to be from this site, AACA.org.

The Scan after entering the AACA Forums returns the following info: HEUR:Trojan-Downloader.Script.Generic was found in C:\Documents and Settings\SS\Local Settings\Temporary Internet Files\Content.IE5\PSEMNX7S\DR_v4[1].js on 12/12/2010 11:29:12

Again, this occurs just after selecting the Forums from the main AACA page. This really surprised me. In doing my analysis I’d visited each site that I visit each day and step through my normal activity performing a scan of my temporary internet files after signing on or selecting a new page. The actual object that is being called out as the virus being produced from this sight is the DR_4[1].js noted in the above scan info line and appears to be loaded when I open up into the Forums.

What I’ve elected to do and will do so at least for now going forward is to perform a scan after entering the Forums here on the AACA.org site as it is then put into Quarantine.

Peter, is there a way that this be checked out? Scott…

Link to comment
Share on other sites
stealthbob 5,000+ Points

stealthbob

Posted
Posted

Likely a false positive...

When is says "generic" it means that it sees something that it doesn't know if it is good or bad so it says it is bad.

HEUR: Trojan.Win32.Generic – What is it and how to get rid of it? (Kaspersky detection) | malwarecrawler.com

URGENT! Kaspersky Antivirus 2010 Alert "HEUR:Trojan-Downloader.Script.Generic" in LiveContent - No Access to my Site - Mandeeps.com - Mandeeps.com > Innovative DNN Modules & Gear > Forum - Modules - Live Content

Link to comment
Share on other sites
Guest Jim_Edwards

Guest Jim_Edwards

Posted
Posted

What version of Windows and what anti-virus software are being ran and just how recent are the virus files it is comparing to? I've not gotten any indication of anything and the somewhat heavy duty anti-virus software I run updates me typically 4 times in a 24 hour period.

I think I'd be clearing all the cookies out your browser and deleting all internet temp files.

Link to comment
Share on other sites
Scotts_DG8 2,500+ Points

Scotts_DG8

Posted
  • Author
Posted

Hopefully I’m going to answer all questions and respond to all comments made.

First on the computer; I run Windows XP Pro and am current on all Windows patches. I use Zone Alarm Internet Security Suite which is an Internet Firewall and Virus package along with e-mail protection and my Virus updates are current. Just for some additional info, my background is well over 20 years in IT and computers are not foreign to me. I acknowledge that there will always be strong Mac vs PC opinions out there and am ok with it. Personally in all my years within the IT field I’ve not ever found myself challenged or exposed with Windows.

Could there be an issue with the virus list that I received from Zone Labs? Sure, couldn’t and wouldn’t argue that possibility. I do know that the virus being called out started to appear just within the last two weeks and although the scans always quarantine it I finally decided to identify where it was originating from hence this posting.

Peter to answer your question, I hope. I have the AACA.org bookmarked as most probably do and when I go to the AACA site I can run a scan on my Temporary Internet files and find nothing. After I press the button to select and enter the Forums and right after the main Forums page appears I can run a scan on my Temporary Internet files it will always return the identified virus mentioned at the front of my post. This occurs every time I enter the main forum page. I’ve scanned after going other sub forums or reading and posting to threads without the supposed virus appearing.

I hope that this covers everyone’s comments and questions. Scott…

Link to comment
Share on other sites
Guest Jim_Edwards

Guest Jim_Edwards

Posted
Posted
Hopefully I’m going to answer all questions and respond to all comments made.

First on the computer; I run Windows XP Pro and am current on all Windows patches. I use Zone Alarm Internet Security Suite which is an Internet Firewall and Virus package along with e-mail protection and my Virus updates are current. Just for some additional info, my background is well over 20 years in IT and computers are not foreign to me. I acknowledge that there will always be strong Mac vs PC opinions out there and am ok with it. Personally in all my years within the IT field I’ve not ever found myself challenged or exposed with Windows.

Could there be an issue with the virus list that I received from Zone Labs? Sure, couldn’t and wouldn’t argue that possibility. I do know that the virus being called out started to appear just within the last two weeks and although the scans always quarantine it I finally decided to identify where it was originating from hence this posting.

Peter to answer your question, I hope. I have the AACA.org bookmarked as most probably do and when I go to the AACA site I can run a scan on my Temporary Internet files and find nothing. After I press the button to select and enter the Forums and right after the main Forums page appears I can run a scan on my Temporary Internet files it will always return the identified virus mentioned at the front of my post. This occurs every time I enter the main forum page. I’ve scanned after going other sub forums or reading and posting to threads without the supposed virus appearing.

I hope that this covers everyone’s comments and questions. Scott…

From Network World, March 29, 2010

ZoneAlarm Internet Security Suite

ZoneAlarm's software performed worse than any other suite we tested in using behavioral scanning (that is, detecting malware based solely on how it behaves on a PC). ZoneAlarm's suite found only 13 percent of our test samples, and blocked just 7 percent; it was unable to completely remove any of the samples in this test. As this is a very good test for judging how well a suite can respond to brand-new malware threats, ZoneAlarm's showing is problematic.

'nough said!

Jim

Link to comment
Share on other sites
Guest Silverghost

Guest Silverghost

Posted
Posted (edited)

I guess we can't blame this possible virus attack on those pesky Chinese govermnent internet spies ! ;-)

Beware of ANY unknown email & attachments you may open~

If you don't know the sender ~~~ Do not open~~~Deleate !

Edited by Silverghost (see edit history)
Link to comment
Share on other sites
Scotts_DG8 2,500+ Points

Scotts_DG8

Posted
  • Author
Posted

Again, I originally started this thread out of curiosity and concern with a potential problem. I’m not a closed minded person, most of the time :D, and am always open to differing opinions and ideas. Zone Alarm had received high marks in past years although I admit that in the last year or two I’ve not followed the yearly reviews of security products. So I spent a bit of time this morning doing some reading and Zone Alarm it appears has slipped and takes a hit for not always detecting all new malware that enters the www in a timely manner although they also report that the firewall can make up for it. In that there are more expert individuals than I out there I’ll concede that it does appear that I obviously use an inferior security product according to today’s ranking. That being said and I’ll close any further comments on this thread and address the problem being detected/reported on my side.

Just one last update for what it is worth on my analysis. I’d identified that the script that is being loaded is from a third party site attached to the AACA page(s) and is referenced to the following www address: http://http.cndlayer.com/drivingreveneue/DR_v4.js.

Thanks to those that have participated/responded. Scott…

Link to comment
Share on other sites
Shop Rat 25,000+ Points

Shop Rat

Posted
Posted
.....If you don't know the sender ~~~ Do not open~~~Deleate !

Even then folks should be careful. Another AACA member, a friend that stays with us in our RV at AACA events, has had virus issues with his computer and laptop computer and they have sent e-mails out to us and others that he didn't send himself. But they looked wrong so I sent an e-mail to him to ask if he had sent it and he had not. I didn't open the reply even, we can see it on a preview screen without opening the actual message. It has happened at least twice.

Link to comment
Share on other sites
stealthbob 5,000+ Points

stealthbob

Posted
Posted

Looks to me like a typical data miner...

Driving Revenue - How It Works

Google lobbies hard to many of these security companies to not include their intrusive stuff.

We are being watched and tracked at all times on the net....which was why using alternative systems was endorsed in this thread.

I doubt AACA installed this on their own or even if it really did actually originate from them.

Link to comment
Share on other sites
Guest Jim_Edwards

Guest Jim_Edwards

Posted
Posted
Even then folks should be careful. Another AACA member, a friend that stays with us in our RV at AACA events, has had virus issues with his computer and laptop computer and they have sent e-mails out to us and others that he didn't send himself. But they looked wrong so I sent an e-mail to him to ask if he had sent it and he had not. I didn't open the reply even, we can see it on a preview screen without opening the actual message. It has happened at least twice.

E-Mail "miners" are common all over the web. Unfortunately very legitimate sites one may frequent may have ads that "Mine" your E-mail file and may even be extended into mining of various Forum software packages around. Also unfortunate is the fact that many Forum software packages are written in PHP script language which means those programs are typically very easily broken into by hackers. Data/E-Mail "miners" can be easily embedded into a photo file as well as text files. Ain't that just ducky to know? You'll know for sure you have been victimized or some forum site has been victimized when you start receiving bogus E-Mails seemingly from yourself. Examining the full header file will reveal the address it came from, unfortunately the spammers may be using a throw-away cell phone to dump their garbage.

Not all security software is good at detecting "Miners" a decent freebie is available from Lavasoft, which will catch many "Miners" that are missed by often thought of as being excellent security programs.

Jim

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...