A few minutes ago I got an email from a user who believes she picked up the trojan Bloodhound 131 on this forum. I’ve asked Rich to look into it. At this point, I can’t be sure if the problem rests in the forum code. I don’t know enough about this at this point to tell you much more. I believe it may be true that this only affects Windows users using IE, but I’m not sure. In the meantime, you may want to stay off the board for a while, or you may want to be sure your antivirus stuff is updated and proceed. I’ll keep you posted. As a precaution, I’m going to create a thread on the external poli board and I’ll post an update there when I learn more about it. Those of you who want to stay off this board until the possible problem is resolved can check that forum and get updates.
I may be overreacting, but given my ignorance about this, seems like a good idea.
I had to get a whole new hard drive last week and I let them explain it to me but I’m not computer-fluent, so I don’t know quite what was wrong, but basically I got a computer bug from somewhere. It makes sense now that it could have been here. I’m here all the time.
Bloodhound is a trojan that uses an exploit in Microsoft’s animated cursors. It has been all over the news this week.
I haven’t seen any use of animated cursors on this site.
Info from Symantec
"Bloodhound.Exploit.131 is a heuristic detection for a zero-day vulnerability affecting Microsoft Animated Cursor (ANI) file parsers (as described in Bugtraq ID 23194). The exploit can be triggered by viewing an HTML page referencing an ANI file in a vulnerable version of Internet Explorer.
Applies to: Internet Explorer 6, Internet Explorer 7"
Microsoft have already released a patch to cover the hole.
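The Symantec text quoted above says the detection fires on a malformed animated cursor (ANI) file pulled in by a web page. A defender who cannot rely on every visitor being patched can at least refuse to serve or accept ANI files whose structure is not well formed. The following is an added example, not code from this forum, phpBB or Symantec: a strict RIFF/ACON structure check written in Python. It assumes only the public ANI layout (a RIFF container with form type ACON, an `anih` header chunk of exactly 36 bytes, and word-aligned sub-chunks); the function names and the two constructed sample files are assumptions for illustration.

```python
import struct

# sizeof(ANIHEADER): nine little-endian 32-bit fields (cbSize, nFrames, nSteps,
# iWidth, iHeight, iBitCount, nPlanes, iDispRate, bfAttributes).
ANIH_SIZE = 36
ANIH_FIELDS = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
               "iBitCount", "nPlanes", "iDispRate", "bfAttributes")


class AniFormatError(ValueError):
    """Raised when the file does not match the ANI structure exactly."""


def _chunks(data, offset, end):
    """Yield (chunk_id, payload_offset, payload_size) between offset and end.

    Every declared size is checked against the bytes actually present before
    the caller is allowed to read the payload, so a lying size field is
    rejected instead of being trusted.
    """
    while offset < end:
        if end - offset < 8:
            raise AniFormatError(f"truncated chunk header at offset {offset}")
        cid = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        if size > end - payload:
            raise AniFormatError(
                f"chunk {cid!r} declares {size} bytes but only {end - payload} remain")
        yield cid, payload, size
        offset = payload + size + (size & 1)  # RIFF chunks are padded to even length


def validate_ani(data):
    """Return the parsed anih header as a dict, or raise AniFormatError."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise AniFormatError("not a RIFF/ACON container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        raise AniFormatError("RIFF size field exceeds file length")
    end = 8 + riff_size
    header = None
    for cid, off, size in _chunks(data, 12, end):
        if cid == b"anih":
            if header is not None:
                raise AniFormatError("duplicate anih chunk")
            # The header chunk has one legal size; anything else is malformed.
            if size != ANIH_SIZE:
                raise AniFormatError(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
            header = dict(zip(ANIH_FIELDS, struct.unpack_from("<9I", data, off)))
            if header["cbSize"] != ANIH_SIZE:
                raise AniFormatError("anih cbSize does not match the structure size")
        elif cid == b"LIST":
            if size < 4:
                raise AniFormatError("LIST chunk too short to carry a list type")
            # Walk the sub-chunks purely for bounds checking.
            for _ in _chunks(data, off + 4, off + size):
                pass
    if header is None:
        raise AniFormatError("no anih chunk present")
    return header


def is_well_formed_ani(data):
    """Boolean wrapper suitable for an upload filter or proxy rule."""
    try:
        validate_ani(data)
        return True
    except AniFormatError:
        return False


# --- constructed sample files (not real malware, assumptions for the demo) ---
def _chunk(cid, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_ANI = _riff([
    _chunk(b"anih", struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 4)),
])
# Same header but with four extra bytes appended to the anih chunk.
BAD_ANI = _riff([
    _chunk(b"anih", struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1) + b"\0" * 4),
])

if __name__ == "__main__":
    print("good:", is_well_formed_ani(GOOD_ANI))
    print("bad: ", is_well_formed_ani(BAD_ANI))
```

The check is deliberately strict: it rejects anything that is not exactly the documented layout rather than trying to guess what a lenient parser would do with it, which is the behaviour you want from a gatekeeper placed in front of a parser you do not control.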
I had to remove that very trojan from my PC twice yesterday before I downloaded the security update from Microsoft.
I wondered where I kept picking it up, as I only visited Hotmail, CNN, TV Guide Online, and here.
Or at least a good Virus Protection software. McAfee picked the trojan up for me 3 times yesterday as I was trying to access Chiff, and my updates on Windows are automatic, so that update should have been already in place, but I guess it wasn’t.
I think it’s highly suspicious that this sort of thing should come right after everyone was discussing antivirus software . . . hmmm . . .
My Symantec blocked it three times yesterday. It attempted to enter my system every time I clicked on a new thread.
Look:
Source: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KX2V0LAJ\ifr[1].htm
Risk category: Virus
Overall Risk Impact: High
Name: Downloader
Action taken: Blocked
Discovered: June 8, 2001
Updated: February 13, 2007 11:50:11 AM
Type: Trojan Horse
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Downloader connects to the Internet and downloads other Trojan horses or components.
Downloader does the following:
Goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms, or their components.
After the Trojan downloads the files, it executes them.
Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan.
Protection
Virus Definitions (LiveUpdate™ Weekly) June 13, 2001
Virus Definitions (Intelligent Updater) June 11, 2001
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage Level: Low
Distribution Level: Low
It’s all pretty odd. SOMETHING happened, for sure. The problem is that Rich, who knows phpbb thoroughly, can’t find any evidence of any changed php files. So, there’s nothing to fix. I wonder if whatever got hacked got un-hacked. I dunno.
So, you know,
I would recommend that we put the AE-35 unit back in operation and let it fail. It should then be a simple matter to track down the cause. We can certainly afford to be out of communication for the short time it will take to replace it.