12 replies to this topic

[Mysterious Stranger]

See screendump. Wasn't log'd in at the time. Syntax struck me as odd. Upon clicking 'no' it tried downloading anyway but my firewall stopped it....

IE6, fully patched, doing a full scan just in case :-(

Nowhere's safe on the t'interweb eh?

M.S

Attached Files

•  modaco.JPG   191.31K   112 downloads

[Mysterious Stranger]

More info:

The setTimeout function tells the browser to run the function ‘vparivatel’ in 60 seconds. This function will then redirect the browser to the page vparivatel.php on the same website. This then asks the user to download the file 1.exe.

This adds an element to the current page containing a pdf object. The pdf file that is loaded by this object attempts to exploit a vulnerability in Adobe Acrobat and Acrobat reader. This vulnerability affects versions prior to 8.1.2. If the exploit is successful it will download and execute the 1.exe file without requiring any interaction from the user.

The 1.exe file downloads and installs the rouge antivirus program Spyware Guard 2008. This program pretends to scan the system and falsely reports that the system is infected. In order to remove these ‘threats’ the users must pay for the full version. One clue for the user that this is not legitimate security software is the misspelling of 'security' in the tab on the left hand side.

[TheDrizzle]

Yea my AVG is going nuts each time I visit the forum. It is saying "Exploit Link to known exploit site (type 502)" each time I view any MoDaCo page.... is this a false positive or is there something here?

EDIT:
Just saw your second post. I did notice it asked me download a PDF! Luckily I use FoxIt not Adobe Reader so hopefully I'm ok.

Gonna do a MalwareBytes scan just in case.

Thanks!

Edited by TheDrizzle, 21 February 2009 - 11:32 PM.

[PaulOBrien]

Investigating...

P

[PaulOBrien]

Should be gone now, continuing diagnosis...

P

[awarner]

On the lappy Kaspersky found it as soon as I clicked on the site

Windows Onecare did not even flinch and let the little beatie screw up my main PC.

[Mysterious Stranger]

awarner (MVP), on Feb 22 2009, 01:06, said:

Windows Onecare did not even flinch and let the little beatie screw up my main PC.

Should only be an issue if you allow the re-direct and file install by clicking on it, although *any* action in the dialogue box ( even clicking 'no') prompts for the download. I'd suggest you reset your browser security settings to default?  My laptop has a corporate norton on there but I use onecare on other machine and it's usually very good.

M.S

[awarner]

Did not get that far, the whole hard drive went in to overtime and the pc went as fast as an Orange ROM

Using FF and all security settings will be the default as I generally do not touch them, the same applies to Onecare.
I've found Onecare to be good in the past but then again after this just how good has it really been?
Some guys I know in the security business will only touch Kaspersky but as they say most threats will technically get though until someone reports them.

Now the pc seems to hang on a virus check, third time lucky...

[Mysterious Stranger]

awarner (MVP), on Feb 22 2009, 11:41, said:

Did not get that far, the whole hard drive went in to overtime and the pc went as fast as an Orange ROM

Using FF and all security settings will be the default as I generally do not touch them, the same applies to Onecare.
I've found Onecare to be good in the past but then again after this just how good has it really been?
Some guys I know in the security business will only touch Kaspersky but as they say most threats will technically get though until someone reports them.

Now the pc seems to hang on a virus check, third time lucky...

Check the pop up blocker settings in firefox.

http://support.mozil.../Pop-up blocker

There are options to handle different file types differently. As this exploit uses a .pdf file it may be you have settings that allow downloads of pdfs ( which are usually safe and inert....)

Also from older posts on t'interweb (June 08) firefox automatically downloads stuff into a cache:

http://alanedwardes....-security-flaw/

"WTF? So does Firefox download stuff for you now? So it turns out it does. When I looked in the OneCare quarantine it displayed the path that the virus was found in. So, I was a bit worried when it turned out that the file was found in the Firefox cache folder. Interesting."

Which version firefox is it? There are/were multiple mutterings about incompatability with onecare for older versions. As onecare has now been discontinued (as some aspects are going to be incorporated in future free offerings from M$) I wouldn't expect too much development with the latest version of firefox etc. Shame as some of the advanced functions with onecare are very good.

I've always given Kaspersky a bit of a wide berth based on F-secure using their engine and being so poor at doing pretty much anything. Everyone has their own favourite and there will be fans and haters of every solution. Norton's 2009 suite has been re-written to improve system performance and is supposedly quite good now.

Kaspersky also uninstalls the very good, free, spybot s&d for no real reason...

http://forum.kaspers...mp;#entry768506

M.S

[Mysterious Stranger]

Paul (MVP), on Feb 22 2009, 00:21, said:

Should be gone now, continuing diagnosis...

P

Still doing it - look at the URL it's trying to open, same as the last one, crashed my browser window this time though.  

More diagnosis needed methinks?

M.S

Attached Files

•  modaco2.JPG   185.54K   36 downloads

[Monolithix]

OK, looks like the owner of caribfinancing has found out about their security issue and is now redirecting calls to that page to google....which means due to the iframe remaining on every page footer every modaco page is being redirected to google! (unless you hit stop in time...).

Virus issue appears to have been resolved but obviously the site just needs tweaking back, watch this space...

[PaulOBrien]

Should be all sorted now, nasty hackers...

P

[markmcfc]

hi there i have this same problem on my site, ive deleted it many times from skins but it keeps coming back, please can you tell me how to get rid of it altogether

many thanks