JS.Trojan.Blinder

Discussion in 'malware problems & news' started by sno, Apr 6, 2005.

Thread Status:
Not open for further replies.
  1. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    Hello,

just got a virus "JS.Trojan.Blinder"
I'm a fairly new PC user, please bear with me :)

It seems the Lavasoft website is down due to software upgrades. I did email them this morning but no response yet, so I humbly present my problem here:

    I received an email from Paypal telling me my acct was temp-blocked; "Our logs indicate that your account received 2935 authentication failures" -so I went to re-authenticate the Paypal account through the email link (it was a valid email I believe) and at some point thereafter I got the NAV pop-up which said NAV has found the JS.Trojan.Blinder and it "could not be removed".

Then, after reading all the documentation pertaining to this situation, I used LiveUpdate and downloaded from that (my NAV is set to accept live updates automatically). I turned off System Restore and ran a full system scan twice and no virus "was detected". (I may have disabled System Restore after the update downloads and before the scan.)

Still not sure about things, I read and re-read further into the situation and I realized I may need to use the "Intelligent Updater".
    -so I used IntelligentUpdater to the best of my understanding;
    I went down the list of download-links one at a time and saved-saved-saved... (not the "64 bit" stuff)
    now my desktop is full of icons, some zipped and some not and have no idea what to do with them, if or how they have helped...
    I am still unsure that the JS.Trojan.Blinder is completely gone from my computer, there is no "what to do now that you have downloaded all those things on your desktop" info, (lol, but I hope you understand)

    A: -did I follow the correct procedures? -miss something?
    B: -how does one "know" that a virus is removed?
    C: -am I supposed to "set" another restore-point myself? (I simply re-checked "monitor my computer" and applied/OK'd -out) ..
    D: -can I safely delete these things that I've saved to my desktop?

    I will not even try to re-enable my Paypal account until I get this resolved,

    WinXP/Home/Sp2 (using Win firewall only)
    DSL
    IE 6
    NAV2003ProEdition (ver) 9.05.15
    Ad-Aware SE 1.05
    SpywareBlaster 3.3

    my IE settings are secure, and everything is kept updated.

    Thank you for any help,
    sno
     
  2. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    errm... reading about, and printing instructions for removal of viruses and trojans now ..
    sno
     
  3. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Sno
I think you have a major problem here. The email from PayPal was probably fake, as there are hundreds of these phishes doing the rounds, and when you clicked on the link in the email you got infected then. Important - did you fill in any personal details when you clicked on the link? If you did, I think that you have to consider the strong possibility that your PayPal account has been hijacked. I personally would contact my bank immediately and take steps to ensure that any losses you experience are minimised, and also change all my passwords ASAP.

    Jock
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Isn't it absolutely wonderful how Symantec manages to confuse the issue with its confusing documentation! I assume you have looked here:- http://securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html

    which mentions intelligent updater; in fact all you need to do is manually click on 'Live Update' to run it before you do your scan. That way you are using the latest available full batch of updates, which should be good enough.

    To make sure everything is OK please do the following:-

    A) To start with you should disable system restore as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

    B) Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

    C) Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    and do a full system scan with your NAV.

    Assuming that is clear, it is a good idea to get a second opinion by doing an online scan, and a good one is available here:- http://support.f-secure.com/enu/home/ols.shtml

    If you find no problems you can switch system restore back on again and consider yourself good to go. If the scans pick up malware then you should take note of the exact file name and full file path, together with the precise name of the bug as given by the AV, and post the result here.
     
  5. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    Ok guys, first of all a huge Thank You for the responses :))

I DID go back to the PayPal email and click on the link, which immediately brought up a new NAV pop-up with the same message about the JS.Trojan.Blinder (it also said access was denied). Thank goodness for Norton!! -and its email security measures.

I was able to get hold of my nephew, who was an IT engineer, and he explained to me that Norton had indeed blocked access to the account, that it was a "script bug" and that the trojan was not placed in my PC, but to be safe I now need to go in and run a scan again, the way I did before.
    And he agreed that the Intelligent (har har) Updater was basically worthless, to just use Liveupdate, and that I could delete all the new icons on my desktop.
    He said the online scanning was a good idea also, and the CCcleaner.
    He also had me forward the email to abuse@paypal.


He did say however, that it is NOT a good thing to go into safe mode, Topper,
because if there WAS a virus (sorry about caps -no time to learn how to italicise here) it would be embedded with the files that go into hiding while in "safe mode" (or something to that effect) and then I'd be in trouble..
His words were "never go into safe mode unless you REALLY know what you're doing" -of course those sentiments are a common flavor in this excellent forum.

    HDrider, I think I'm safe since "access was denied", but I will look into it further with the bank, (and Paypal too)
    -and LOL at "old bikers..." we're ones ourselves :)

    Again, Thank You!!
    sno
     
    Last edited: Apr 7, 2005
  6. Mikey BL

    Mikey BL Registered Member

    Joined:
    Aug 4, 2005
    Posts:
    2
    Location:
    Lancashire, UK
    Hi. I'm completely new to this forum and hope you won't mind me returning to this particular topic. I had the misfortune to come across this trojan yesterday when I (foolishly I accept) opened an email supposedly from PayPal (requesting that I update my details or else my account would be suspended on Aug 15) and clicked the link. My Norton Anti-virus (NAV) immediately activated warning me that I had a trojan and, consequently, I didn't proceed and didn't enter any personal details on the (no doubt) fake website. The NAV Activity Log refers to the episode and states "Access Denied - Repair Failed". I've run my regularly-updated NAV several times (including in safe mode) and nothing at all comes up. I've also used some on-line virus checking utilities and I can't see anything that resembles this trojan. Am I right that NAV effectively prevented me making an even bigger fool of myself than I was in clicking the link? Do I need to take other precautions? Any help much appreciated.
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
Yes, you should be OK since Norton blocked it. It's always a good idea to get a second opinion with some of the free online scanners every couple of weeks; there are some in my signature if you wish to try some other vendors. :)
     
  8. Mikey BL

    Mikey BL Registered Member

    Joined:
    Aug 4, 2005
    Posts:
    2
    Location:
    Lancashire, UK
    Thanks Don for your very quick reply. I'll do as you suggest.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    These messages from Norton always seem to worry people; they are badly phrased.

In fact you never repair trojan or other pure malware files, because there is nothing to repair. What you do is deny access to the file and delete it, which is what Norton seems to have done.

    The only time you attempt to repair a file is when you have a virus that has inserted code into an important system file, and you need to disinfect the file to continue using it.

This is because viruses exist within the files on a system, while trojans and worms exist in separate files of their own.
     
  10. KevinP43

    KevinP43 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    3
    OK, I had this same problem, but it's not clear to me whether NAV actually deleted the file. My NAV Log only lists "Access Denied" and "Repair Failed" as the Actions Taken, and I'm not sure whether "Access Denied" means NAV couldn't get at the file, or that it kept the file from getting at anything else. A regular NAV scan didn't pick it up anywhere.

    Also, in the Activity Log, it said this about the file in question: "Source: C:\Documents and Settings\[MY NAME HERE]\Local Settings\Temporary Internet Files\Content.IE5\AJUD0JAJ\pp[1].htm"

To make things even more confusing, I found two "Temporary Internet Files" folders, both of them hidden I think -- one under Default User and one under my name. Unfortunately, I didn't search for the pp[1].htm file as thoroughly and systematically as I could have (I can explain what I did do at greater length if it would help), and I ended up deleting everything in both Temporary Internet Files folders. So now I'm in the same boat of not knowing for sure if I got it, since NAV couldn't pick it up in the first place. And, for some reason, NAV wouldn't run in Safe Mode on my computer.

    Anyone have any advice here as to whether the thing is really and truly gone? Also, does this virus do anything other than assist the spoof e-mails, as it were, and can it be transmitted through normal e-mail and Internet traffic?

    Thanks for any feedback anyone may have. I'm new to the PC world, so this is all kind of confusing for me.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
The "Repair Failed" message means that the file could not be repaired - but as I have said, it is impossible to 'repair' an exploit or trojan file picked up in your temp internet files; you just deny access and delete it.
It means it kept the file from getting at anything else. 'Access Denied' means Norton refused to allow your system to have access to the file, so the file could do no damage. Even if Norton did not delete the file, it will be gone the moment you delete your TIFs, which you should do on a regular basis. Either use a cache cleaner (like CleanUp or CCleaner) or run the Disk Space Cleanup Manager (by clicking Start/Run and typing cleanmgr, then clicking OK).

There are temporary locations all over your machine where 'nasties' may lurk; that is why it is sensible to use a cache cleaner after each surfing session and before you run an AV scan (so the scan does not pick up unnecessary objects).
If you are referring to JS.Trojan.Blinder specifically, then you can see the details here:- http://securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html

It is a JavaScript bug that you pick up in your TIFs while surfing. It is not something you would expect within an email itself, though the email may have a link in it taking you to a web site where you do pick it up.

    NAV should certainly be able to run in safe mode so I'm not quite sure what the problem is, unless you are running on different accounts or something of that sort.
     
    Last edited: Aug 26, 2005
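As an added illustration of the triage TopperID describes (not code from the thread or from Symantec), the script below reads constructed NAV-style activity log lines, groups them by source file, and says for each whether the file was blocked ("Access Denied") and whether it sits in a browser cache that a cleaner will discard. The log field layout, the path and the second threat name are constructed assumptions, not a real NAV 2003 log format.

```python
import re

# Constructed sample in the style of the NAV Activity Log quoted in this thread
# (field layout is an assumption; a real NAV 2003 log is laid out differently).
SAMPLE_LOG = r"""
Threat: JS.Trojan.Blinder Source: C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\AJUD0JAJ\pp[1].htm Action: Access Denied
Threat: JS.Trojan.Blinder Source: C:\Documents and Settings\kevin\Local Settings\Temporary Internet Files\Content.IE5\AJUD0JAJ\pp[1].htm Action: Repair Failed
Threat: Trojan.Example Source: C:\WINDOWS\system32\example_dropper.exe Action: Repair Failed
"""

# Lower-case folder markers for browser/temp caches: files here are discarded by a
# cache cleaner or cleanmgr, so "Repair Failed" on them needs no further action.
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\temp\\")

LINE_RE = re.compile(r"Threat: (?P<threat>\S+) Source: (?P<source>.+?) Action: (?P<action>.+)$")


def triage(log_text):
    """Group log lines by source path and decide what each entry means."""
    entries = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not detection records
        rec = entries.setdefault(m["source"], {"threat": m["threat"], "actions": set()})
        rec["actions"].add(m["action"].strip())

    for path, rec in entries.items():
        p = path.lower()
        rec["in_cache"] = any(marker in p for marker in CACHE_MARKERS)
        # "Access Denied" means the AV refused the system access to the file, so it
        # never ran; "Repair Failed" on its own says nothing about that, and a script
        # or trojan file has no clean original to restore anyway.
        rec["blocked"] = "Access Denied" in rec["actions"]
        if rec["blocked"] and rec["in_cache"]:
            rec["verdict"] = "blocked; clearing the cache removes the file"
        elif rec["in_cache"]:
            rec["verdict"] = "in cache; clear the cache and rescan"
        else:
            rec["verdict"] = "outside cache: note the full path and AV name and ask for help"
    return entries


if __name__ == "__main__":
    for path, rec in triage(SAMPLE_LOG).items():
        print(f"{rec['threat']}: {path}\n  actions={sorted(rec['actions'])} -> {rec['verdict']}")
```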
  12. KevinP43

    KevinP43 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    3
    This is probably a tremendously ignorant question, but does it actually do anything on the computer other than displaying this fake URL? What I'm getting at is, is it likely to have damaged anything on my computer and/or hidden itself somewhere that I could still end up spreading it even after running NAV and deleting all the TIFs? (I did download and run CCleaner, for what it's worth.)

    Thanks.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well it certainly won't be spreading, because trojans don't spread at all - that is one of the differences between a trojan and a virus (which does self replicate).

    There is absolutely no possibility that this thing is hiding on your machine waiting to pounce! In any case, all it does is display an 'official' looking URL to try and kid you that you are at a genuine banking site when really you have followed a link to a spoof site which will try and rip you off.

    But even if it was a much more 'serious' trojan/exploit, in terms of what it could do, once your AV has intercepted and blocked the file, it will be neutered and can be disposed of permanently by the AV or by you clearing your TIFs and Java cache out (which CCleaner does).

    If you had any relic of it left in another location your AV would find it there. The time to worry is when you pick up a real trojan that gets installed and cannot be cleared out by your AV - but that is not the case here.

The people who get hammered are typically those who surf with an unpatched (and hence vulnerable) system with inadequate, out of date AV cover, and those who invite a trojan onboard by imprudently downloading something from an unsafe site.

If you surf 'risky' sites then tight browser settings are a valuable defence, since there is little an exploit can do if you have all your vulnerable functionality (such as ActiveX, Java and Scripting) switched off.
     
  14. KevinP43

    KevinP43 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    3
    Topper, thanks for all your help. I'm new to the PC world and thus relatively unschooled in the ways of virus protection.
     