Warning! HTML\Trojan.Downloader.Agent.NAB

Discussion in 'malware problems & news' started by pykko, Oct 3, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I don't know about other countries but in Romania this has been a real plague for several days. :(

    You can receive plenty of links coming from your contacts with messages in English with a link directing to this trojan: HTML\Trojan.Downloader.Agent.NAB (NOD32 name). These links also appear in their status and their PC transforms into a mass-spamming bot. :D

    Here is what the messages look like:

    These links I replaced with <link> begin with:
    http://nsl-school.org...
    http://mytermex.com
    http://soccer4us.com

    Here's what the infected webpage looks like:
     

    Last edited: Oct 3, 2006
  2. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Pykko I know we're not allowed to post virustotal results anymore, but do you know if this threat is covered by most antiviruses yet or is it still largely undetected?

    Regards
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Wait, I'm scanning it now. ;) Anyway, I think we can post scanning results but not to bash other AV vendors. :)

    Scanning result from Virus.Org because jotti's and Virustotal are busy. :(

    ~removed scan results....Bubba~
     
    Last edited by a moderator: Oct 3, 2006
  4. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Thanks Pykko :D

    Linkscanner shows the type of exploit 2 of those sites are using as well:
     

  5. poles18

    poles18 Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    15
    If you think that one's bad, I went to stickdeath.com and a popup came and said free cleaner. I exited it, another popup came saying are you sure, I exited it and then one more came. Something was loading really fast in the top corner, then it said do you want to download this program, then I said no. Later I was checking out my Norton and it said it found an SND1 virus in my temp folder.
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    poles, I went to that website but nothing happened, but who knows, maybe only IE is vulnerable. :) I suggest you use only FF. It's much more secure and blocks all pop-ups. ;)
     
  7. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I visited stickdeath.com with IE and nothing happened, they must have removed that popup from their main page.
     
  8. ASpace

    ASpace Guest

    Agree :thumb:
     
  9. poles18

    poles18 Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    15
    Probably (I hope)
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Nope....everything's there to be had if you'd like to lower your security settings and try again whether with FF or IE :eek:
    Of course be prepared to spend a little time cleaning up the mess it attempts to install :blink:


    .
     

  11. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    The only thing I get on my screen: the site is under construction :oops: :)
    (Opera 9.02)

    Gerard
     
  12. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    You're right Bubba ;)
    I've just tried again with Firefox (version 1.5.0.7 with no add-ons) and IE 6 (security level medium) on a Windows XP SP2 (fully patched) and nothing at all happened.

    But, when I tried with Firefox (might be slightly older version of Firefox) on my Windows 98 PC it immediately blocked pop-ups from loading.

    I don't know why it doesn't try to load the popup on my XP machine, even with Firefox...o_O But I think I'll refrain from lowering any settings, just in case. ;)
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Try adding www to stickdeath.com ;)

    That would be wise unless you like to play with fire :)
     
  14. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    The first two websites are infected with malware Exploit.JS.ADODB.Stream.e as detected by Kaspersky's antivirus when I went onto the websites. The third website looks clean to Kaspersky and me!

    Regards, Dawgg *puppy*
     
  15. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Kaspersky always detects these kinds of exploits when surfing the internet. There are loads of sites on the internet with this kind of malware, I can find a good 10 of these in an hour if I wanted to.
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    They are infected...or the third one was...I haven't tested it again. :)
     