Warning! HTML\Trojan.Downloader.Agent.NAB

I don't know about other countries but in Romania this is a real plague for several days.

You can receive plenty of links coming from your contacts with messages in English with a link directing to this trojan: HTML\Trojan.Downloader.Agent.NAB (NOD32 name). This links appear also to their status and their PC transforms into a mass-spaming bot.

Here are the messages look like:

These links I replaced with <link> begin with:
http://nsl-school.org...
http://mytermex.com
http://soccer4us.com

Here's how the infected webpage looks like:

 

Pykko I know we're not allowed to post virustotal results anymore, but do you know if this threat is covered by most antiviruses yet or is it still largely undetected?

Regards

 

wait, I'm scaning it now. Anyway, I think we can post scanning results but not to bash other AV vendors.

Scanning result from Virus.Org because jotti's and Virustotal are busy.

~removed scan results....Bubba~

 

Thanks Pykko

Linkscanner shows the type of exploit 2 of those sites are using aswell:

 

if you think that ones bad i went to stickdeath.com and a popup came and said free cleaner i exited it another popup came saying are u sure i exited it and then one more came something was loading really fast in the top corner then it said do u want to download this program then i said no later i was checking out my norton and it said it found an SND1 virus in my temp folder

 

poles, I went to that website but nothing happened, but who knows maybe only IE is vulnerable. I suggest you to use only FF. It's much secure and blocks all pop-ups.

 

I visited stickdeath.com with IE and nothing happened, they must have removed that popup from their main page.

 

Agree

 

probably (i hope)

 

Nope....everythings there to be had if you'd like to lower your security settings and try again whether with FF or IE
Of course be prepared to spend a little time cleaning up the mess it attempts to install


.

 

The only thing I get on my screen: the site is under construction
(Opera 9.02)

Gerard

 

You're right Bubba
I've just tried again with firefox (version 1.5.0.7 with no add-ons) and IE 6 (security level medium) on a windows XP SP2 (fully patched) and nothing at all happened.

But, when I tried with firefox (might be slightly older version of firefox) on my windows 98 PC it immediatley blocked pop-ups from loading.

I don't know why it doesn't try to load the popup on my XP machine, even with firefox... But I think I'll refrain from lowering any settings, just in case.

 

Try adding www to stickdeath.com

That would be wise unless you like to play with fire

 

The first two websites are infected with malware Exploit.JS.ADODB.Stream.e as detected by Kaspersky's antivirus when i went onto the websites. The third website looks clean to Kaspersky and me!

Regards, Dawgg

 

Kaspersky allways detects these kind of exploits when surfing the internet, there are loads of sites on the internet with this kind of malware, I can find a good 10 of these in a hour if i wanted to

 

there are infected...or the third one was ..I haven't tested it again.