Virus/Popup

Discussion in 'Sorcerous Sundries' started by dman18, Aug 30, 2003.

  1. dman18
    I went to a website called wildbillsatlanta.com and I think that it installed one of the popup things on my computer. Or it might have been a virus. Every time I get on the internet it gives me a weird homepage, usually about women's health. Then, a popup comes that covers the whole screen, task bar and all, and there is no way to get out of it besides Alt, Ctrl, Delete, then end the task. It usually comes up with a virus alert or this message will self-destruct in x seconds. With the virus alert one, it looks like a written script, obviously not a real virus alert, but it says, "If you have a virus you CDROM Drive will eject, then press enter." Another full-screener comes up that's blank except saying press enter, when you do, the CDROM drive pops open and this really freaky laugh is sounded.

    I know that there have been similar posts about popups and viruses, but I would like to know if anyone else has experienced this and also I would like to know how to check for the stuff on my computer files. The reason I posted in SS is because the first full-screen virus alert thing came up when I was in SP and the SP chatroom, not mIRC. I didn't know if one of the advertisers did it or if I did get it from the Wild Bills website.
     
  2. Wordplay
    Question #1: Do you have a firewall? You know, without it any program can eject your CD drive... thingie... via internet.

    Question #2: Do you have a virus scanner? If not, install a free one (like F-PROT), scan, and uninstall it if you wish.

    Question #3: Are you sure you don't have a trojan? To me it sounds like one (hijacking your homepage, showing pop-ups...) Visited pron sites lately? :D
     
  3. dman18
    1. Yes, I am in the utmost certainty that I have a firewall, considering my brother and I configured this computer.

    2. Yes, we have Norton antivirus, which I'm pretty sure is the latest version, if not, second latest version, which could mean problems.

    3. No, I haven't visited any porn sites on this computer considering I am usually only here for two days every two weeks. But a Trojan might be a likely answer. I have scanned but it picked up nothing, besides the odd "Got out of quarantine virus" which I have deleted.

    What I think happened was it just changed my homepage, which I have changed back, and the homepage was causing the weird pop ups, I will keep scanning for viruses and keep checking my system so keep the advice coming.
     
  4. Ahrontil
    Short answer, go here
    http://www.microsoft.com/downloads/details.aspx?FamilyId=36814221-8194-4492-BB29-94DB3D4CB682&displaylang=en


    I've said it before and I'll say it again;

    Don't ever tell your priest, don't ever tell your doctor and don't ever tell a living soul, that you like country music. ;)

    Wild Bill's site is OK, it doesn't even try to download an ad-tracking cookie. (Its claim to have the prettiest girls this side of the Mississippi might be stretching the truth a bit, but hey, it's all just healthy thigh slapping farm boy fun, yeeha!)

    For the webpage to play sounds it needs either Java or ActiveX operational on your machine (it's what allows the swirling cursor follower on Boss Hoggs, sorry, I mean Wild Bill's site to work), which is fine as both are 'almost completely sandboxed' so that they can only manipulate the files on your machine that have been downloaded from the same source site that the executable came from.

    What is altogether more sinister is the CD drive opening. In truth it is normally just built-in ActiveX functionality being abused.


    Techno, techno, techno,

    An ActiveX control included with Windows Media Player 9 Series allows Web page authors to create Web pages that can play media and provide a user interface by which the user can control playback. When a user visits a Web page with embedded media, the ActiveX control provides a user interface that allows the user to take such actions as pausing or rewinding the media.

    'It's worse than that, he's dead Jim.'

    A flaw exists in the way in which the ActiveX control provides access to information on the user’s computer. A vulnerability exists because an attacker could invoke the ActiveX control from script code, which would allow the attacker to view and manipulate metadata contained in the media library on the user’s computer. (From Microsoft Technet)


    What the exploit hacker has probably done with your CD-ROM is insignificant when compared to the true capabilities of this vulnerability.


    There is a safe example here. Use it to check the final cure worked. It should eventually report 'Error On Page' on the status bar.

    http://jscript.dk/2001/3/cdrom.jpg

    It's from
    http://lists.netsys.com/pipermail/full-disclosure/2003-June/006079.html

    Full thread
    http://lists.netsys.com/pipermail/full-disclosure/2003-June/006074.html

    And the 1.9MB Microsoft Patch
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-021.asp

    Or the hand-holding, patch-everything-in-sight-regardless-of-the-time-needed page. (Valid CD key required for each machine on your network for SP1a patch.)

    http://www.microsoft.com/security/security_bulletins/ms03-021.asp


    Please note Trojans also can open your CD. Use a virus checker (AVG trialware from Grisoft is free, and only slightly restricted) to make sure your computer is clean, and don't indulge in unprotected textual intercourse with strange computers.

    Standard list of checks to stay safe.
    Operating system updates.
    Application updates.
    Virus scan.
    Ad-Aware scan.
    ZoneAlarm server restrictions.
    No unnecessary folder shares enabled.


    You can also turn off Java and ActiveX and restrict cookies, but the internet will suddenly become a much more frustrating place. It's a risk that most people are still safe enough to take, just don't leave personal details on your computer.
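
One way to check the two things this thread keeps returning to, a changed homepage and ActiveX that web pages can script without a prompt, added here as an example and not part of any post above. It parses the text printed by `reg query` for the Internet Explorer `Main` key and the Internet zone (`Zones\3`); the sample output and the expected homepage `about:blank` are constructed assumptions.

```python
import re

# Internet zone URL actions; for these three, 0 = enable, 1 = prompt, 3 = disable.
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1400": "Active scripting",
}
# A value line looks like: "    Start Page    REG_SZ    http://..."
LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("HKEY_"):
            current = keys.setdefault(raw.strip(), {})
        elif current is not None and (m := LINE.match(raw)):
            name, kind, data = m.groups()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return keys

def audit(text, expected_home):
    """Return findings: hijacked Start Page, ActiveX/scripting enabled silently."""
    findings = []
    for path, values in parse_reg_query(text).items():
        if path.endswith(r"Internet Explorer\Main"):
            home = values.get("Start Page")
            if home is not None and home != expected_home:
                findings.append(f"Start Page changed: {home}")
        elif path.endswith(r"Zones\3"):
            for code, label in ACTIONS.items():
                if values.get(code) == 0:
                    findings.append(f"{label} ({code}): enabled without prompt")
    return findings

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://womens-health.example/

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1200    REG_DWORD    0x0
    1405    REG_DWORD    0x0
    1400    REG_DWORD    0x0
    1001    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "about:blank"):
        print(finding)
```
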
     
  5. dman18
    Yea, thanks Bluin. But I figured out that it was something my mom's boyfriend went to that changed the homepage and the homepage was causing it. I think I just kinda got scared that night because my mom's hard drive crashed a month ago, and two weeks ago she got the Blaster_Worm, and it was midnight and my cat was chasing what I now realize was a lizard and I was just overall freaked out when my computer laughed at me. So it's all good now.
     
  6. The Great Snook
    Actually it may have been SP's fault. I got the same thing and it changed my home page also.
     
  7. Errol
    Actually, it can't be 'SP's fault' because Tal has already said he's got no power over what pop-ups feature on the site. Sure, it could be the pop-ups' fault, but not SP's.

    ;)
     