miCRoSCoPiC^eaRthLinG
Posted May 11, 2006

WARNING: To all members

While browsing the forums, you might face a strange pop-up asking you to download a .wmv file. DO NOT download and/or try to play this.

The pop-up looks somewhat like this (provided by Dha:

I believe this is being spread through one of the ads displayed at Asta. Some guy has this worm embedded in his ads - that's the only logical explanation I can find. Different anti-virus products might identify it with different names, but essentially it's a variant of the following worm.

Most likely it's coming from an ad of taalkzforum.com. Yes, I confirmed it by visiting their page. If you visit taalkzforum you get flooded with this pop-up. If you inspect the forum page, you'll see an iframe containing the following code:

    <iframe src="http://forums.xisto.com/no_longer_exists/; width=0 height=0></iframe>

When the forum page loads, it calls their URL to show in that iframe and naturally their site starts sending you this worm.

Exploit.Win32.WMF-PFV
Spreading: LOW
Discovered: 2005 Dec 27
Damage: LOW
Size: 16 KB

SYMPTOMS: Automatic worm or spyware installation, without confirmation.

TECHNICAL DESCRIPTION: This is a WMF (Windows Meta-File) rendering exploit. The rendering bug that is exploited lies in the Windows Picture and Fax Viewer. The WMF file could be placed on a web site that the victim visits and gets infected. The exploit may create a shell on the victim computer, or may download and install a worm or a spyware trojan. The exploit 'works' on Internet Explorer and some versions of Mozilla. However, some browsers may display a confirmation dialog about it.

Source: http://forums.xisto.com/no_longer_exists/

For a realtime report on how this worm is spreading and how many systems it has infected, check this: Real-time Virus Reporting - Last 24 hours

Nothing to be really scared of - as long as you do not execute/try to play that file. If you click cancel you won't be infected and can carry on browsing the forums normally.

I'm trying to get in touch with OpaQue and get this ad blocked ASAP.
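A defender-side check for the pattern described in the post above (a zero-size iframe that pulls content from another site), added here as an example and not part of the original thread. The function and class names are hypothetical, the host names are placeholders, and the rule that subdomains of the page host count as first-party is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that hides an element or collapses one dimension to zero.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
ZERO_ATTR = re.compile(r"\s*0+\s*(?:px|%)?\s*", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are invisible AND load from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if any(k in a and ZERO_ATTR.fullmatch(a[k]) for k in ("width", "height")):
            reasons.append("zero-size")
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs and subdomains of the page host count as first-party.
        foreign = host not in ("", self.page_host) and not host.endswith("." + self.page_host)
        if reasons and foreign:
            self.findings.append({"host": host, "src": a["src"],
                                  "reasons": reasons, "line": self.getpos()[0]})

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE = """<html><body>
<iframe src="http://ads.example.net/banner.html" width="468" height="60"></iframe>
<iframe src="http://ads.example.net/load" width=0 height=0></iframe>
<iframe src="/local/widget" width=0 height=0></iframe>
<iframe src="http://cdn.example.org/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE, "forum.example"))
```

Run over saved copies of a page or over ad markup before it is published, this flags only frames that are both invisible and off-site, so a visible banner from the same ad host is not reported.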

miCRoSCoPiC^eaRthLinG
Posted May 11, 2006

Follow-up: this is the domain registration info on Taalkzforum.

Registration Service Provided By: EZ Web Hosting
Contact: billingsys@ez-web-hosting.com
Visit: http://forums.xisto.com/no_longer_exists/

name: TAALKZFORUM.COM

Registrant Contact:
   home
   Carl Humphrey (carl_monster@yahoo.com)
   +1.4028803915
   Fax: +1.4028803915
   2000 Broadway Ave, #404
   San Francisco, CA 94115
   US

Administrative Contact:
   home
   Carl Humphrey (carl_monster@yahoo.com)
   +1.4028803915
   Fax: +1.4028803915
   2000 Broadway Ave, #404
   San Francisco, CA 94115
   US

Technical Contact:
   Ez Web Hosting
   Ez Web Hosting Support (support@ez-web-hosting.com)
   1-877-ezwebhosting.c
   Fax: none
   4633 Welborn Dr.
   Sherrills Ford, NC 28673
   US

Status: Locked

Name Servers:
   ns.ez-web-hosting.com
   ns1.ez-web-hosting.com

Creation date: 06 Oct 2005 00:00:13
Expiration date: 06 Oct 2006 00:00:13

I'm contacting EZ-Webhosting.Com, with whom taalkzforum is hosted, and trying to get them to intervene.

iGuest
Posted May 11, 2006

Thanks for your alert m^e. Just now when I was logging in, the same dialog box appeared requesting a download, though I did not download that for an easily understandable reason.

Regards,
Sid

dhanesh1405241511
Posted May 11, 2006

Yep it's all fine now .. guess they took the mail you sent seriously.

Thankx

Regards
Dhanesh.

nightfox1405241487
Posted May 12, 2006

Hmm... they seem to have the domain now pointing to this one: http://forums.xisto.com/no_longer_exists/

Doesn't seem to have the virus anymore...

[N]F