You are linked to a VIRUS on your case mod thread!

computer

Platinum Member
Nov 5, 2000
2,735
2
0
UPDATE: Trojan code has been identified in a Burstnet.com ad banner.

Am I the only one that noticed this? On the first page of the case mods thread here, under the area:

Fan Databases

GiZzO's Fan Database Page Thanks GiZzO
CPU coolers compared!


That SECOND link CPU coolers compared! goes to some page that has the JS_FORTNIGHT Trojan on it! The site is Dansdata.com and on that page clicking the link that goes to http://www.dansdata.com/coolercomp_p2.htm#COOC gives people the Trojan! DO NOT GO TO THAT PAGE OR SITE unless you are prepared to get infected! I use PCcillin "set to the MAX" and it stopped the worm from doing anything. Some AV software, even Norton may NOT protect you! I clicked a few more pages and they are also infected! That link should be removed from that thread, or at least the mod needs to give warning to AT members that it's infected! I made a screen shot of the page and the alert, but can't attach it to this post. The alert does NOT happen at every page visit for some reason.

FMI, Here's info on the Trojan. Link

---

computer,

The infected link you note appears to have been fixed. At least, I could not find it. Please reply to us by PM if you still find it there, and include more info on what you are seeing.

TIA,

Mod
 

SWScorch

Diamond Member
May 13, 2001
9,520
1
76
DansData infects people? Not that I don't believe you do, which I do, but I just find it hard to believe that Dan would condone such a thing. Are you sure it was his page, and not some pop-up that appeared at the same time, whether caused by his page or not?
 

Twista

Diamond Member
Jun 19, 2003
9,646
1
0
we WANT the ss and post it @ that pic.bzzzd site which someone will link soon.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Twista, sorry I can't make out what you're saying. What is "that pic.bzzzd site"?

Swscorch, yes it could very well be from some of those 'spy' sites he's linked to/has banners for (view.adtmt.com, burstnet, adclick, etc....possibly Dealtime, but I doubt they'd do it). I didn't see any popups because of my stopper so I don't know if any of those are there, but I did check to see what cookies were blocked and he has many there from tracking websites and ads websites. (I'll send it to you off list).

I just checked again and the Trojan is STILL there, this time I got the alert by clicking the homepage for the coolers http://www.dansdata.com/coolercomp.htm . I made a shot of it also.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I only now noticed a mod replied on my original post. I emailed you the screenshots (and also to you SWScorch). Twista I don't know your email addy. I didn't want to upload these to my website for fear of some retaliation from the one that put the Trojan there (if word gets back to them). I guess I should (at least temporarily) modify my profile. :Q

BTW, I don't think it was view.adtmt.com that's doing it since that is also here on this forum on some of the pages.
 

lchyi

Senior member
May 1, 2003
935
0
0
It could be something misread. I agree, I also have gotten the JS_Fortnight message. However, this is only on my anally firewalled, blocked-off, work computer and network. At home, I get no such warning or virus. I don't know, it could be a virus, but I tried on two different computers and one didn't get one at all.
 

Davegod

Platinum Member
Nov 26, 2001
2,874
0
76
I presume yourself or the mod concerned here has taken the obvious step and emailed dansdata?

FWIW nobody else seems to be having any issue with the site. dansdata is a highly regarded and well respected site, and the coolercomparison in particular is a gem in an area where >90% of roundups are nothing short of farcical.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I sent the screen shots to the mod that replied on my original post, and another member on this thread, SWScorch. I have heard back from NEITHER of them acknowledging they received them. So, did you guys see them??

Yes, the website owner AND their webhosts were notified anonymously and I have heard from NEITHER of them as well!

That's not my problem if "nobody else seems to be having any issue with the site". I can't send screen shots to everyone. I'm open for a method of posting the screen shots HERE, on this thread. It's also not my problem if some are using an inferior AV program or does not have it set correctly to scan ALL files on BOTH a "real time scan" and "manual scan". I suggest that anyone that has gone to that site scan your PC here because you could possibly be infected if you got no warning and happen to be "hit" by it at that time. (A while back I did some EXTENSIVE tests of 12 AV programs and I was shocked at how many failed, NORTON being among those that failed! PCcillin was only one of two that passed ALL tests. The other was Kaspersky). Like I've stated, the Trojan does not seem to appear at EVERY page visit. I just checked again @6AM CST time this page http://www.dansdata.com/coolercomp.htm and the Trojan is still there.

Whether someone is "highly regarded" or has a "well respected site" is irrelevant. Useful accurate content at the site is also irrelevant, beside the point, and is not in question. The point is; someone is doing something illegal at that site and as a courtesy to AT members I posted this to inform you. If you or someone wants to continue to visit that site and risk infection, that's your own prerogative.

The infected link is still on the first page of the Cases thread here, and it still does not even at least have a warning next to it warning any potential "clickers".
 

SWScorch

Diamond Member
May 13, 2001
9,520
1
76
computer, I received the email. Sorry for not responding. My only thought is that since there are a lot of ads on DansData, perhaps some tricksy ad company inserted it into one of their ads. I must say I don't get any warning here at work, using Norton, but later tonight I will check it at home using AVG and let you know if I get anything. Thanks for the heads up! And please, let us know if Dan responds to your email.
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
> That SECOND link CPU coolers compared! goes to some a$$hole's page that has the JS_FORTNIGHT Trojan on it!

"Some a$$hole", reporting for duty :).

A reader told me about this thread. I presume "computer" here is the guy who, yesterday, sent hysterical mail to various people, some of whom cared, about it. Without a damn reply address (I don't think "ucereporting@justice.com" is actually his...) so I couldn't contact him.

This problem is not new. I talk about it at the end of http://www.dansdata.com/danletters053.htm .

Here's what I sent to my Web hosts in reply to the complaint yesterday:

Some anti-virus software thinks that some ad or other that's currently being served by Burst, on my site, looks like the JS_Fortnight virus. That's an Outlook mail Trojan, so obviously (well, not obviously enough for this guy, clearly) this is a bogus alert. But maybe there _is_ some ad that's trying to run some dumb executable or something, and there's actually something more to this than a mere coincidental signature match.

I don't know; Burst haven't replied to my mail on the subject, and none of the people who've reported the problem to me (most of them politely, unlike this guy) have been able to tell me which ad triggers the warning (because, of course, their virus checkers always nuke the file :).

Figuring it out by a process of elimination would take a long, long time, so I've just been waiting for whatever it is to leave the ad cycle.

[quoted from his mail:]
> The alert does NOT happen at every page visit for some
> reason.

No sh!t, Sherlock :). Only when whatever ad it is that has code that looks like JS_Fortnight is displayed does the bogus warning appear.

If you [the SecureWebs guys I was sending this to] have a clue about this (presumably you host some other sites that run Burst ads; maybe you've heard about it), feel free to enlighten me. [They couldn't help, by the way; turns out either nobody else they host does run Burst ads, or (more plausibly) nobody else has reported this problem to them. They have, however, disregarded this obviously invalid complaint. SecureWebs have their act together, and always reply promptly to, and act promptly upon, support mail. Advertisement concludes :).]

If not, then just consider this a courtesy e-mail on my part to point out that I'm aware of this issue, but can't do much about it, regardless of the poorly aimed foaming of our mysterious screen-shooting correspondent. I am also not, to my knowledge, sending UCE or committing fraud, since my existing prostitution and assassination rackets occupy all of my available time.

[End quote.]

What addresses did "computer" send his complaint to? Glad you asked. UCE@cyberspace-security.net (despite the fact that he's not actually complaining about unsolicited commercial e-mail...), two addresses of mine, two addresses at my web hosts, InternetFraud@ifccfbi.gov (because he apparently thinks I'm committing fraud, though exactly what monetary gain I'd reap by putting JS_Fortnight on people's computers I'm not sure), postmaster@ifccfbi.gov (I'm sure the mail admin at The Internet Fraud Complaint Center will be very interested in what he has to say), UCE@FTC.gov (twice, presumably because he thinks that'll persuade them that this actually does have something to do with spam) and "ucereporting@justice.com" (mail.justice.com was the free e-mail provider he used to send the message).

I apologise if I'm attributing to "computer" a complaint actually sent by someone else, but it seems like a _big_ coincidence otherwise; the text is mostly different but the date and content matches, and I think the fact that he talks about using "PCcillin MAX'd OUT" in both messages clinches it.

To "computer": The next time you think someone's doing something like this, have a little think about it, and try asking them politely about it first.


 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
If you have a "problem" with my post, THEN I SUGGEST YOU TAKE IT UP WITH TRENDMICRO, as well as EVERY OTHER AV software maker that ALSO identifies the code at YOUR website as a malicious code!!!! There is NOTHING "bogus" about it!!!!! It is not "some" AV companies but ALL OF THEM!! I already posted the Symantec link. Here is the Trend Micro link. You'll find this at all of them!

You're the one that needs to learn about viruses!! FYI, any kind of malicious code DOES NOT have to be an executable to be a malicious code or harmful!! Just because something is an email client Trojan, DOES NOT mean you can't get it from a damn website!! How do you think they are most commonly propagated????? If you go to many h*cking or cr*ck type websites THEY will attempt to infect one with Trojan Horse codes!!
> ...Also on the prowl was the malicious Java script. It spreads through Web traffic or infected links, and executes automatically on systems if Internet Explorer security settings are set on low. The most recent example, JS_Fortnight.E, is more annoying and embarrassing than destructive. It resets the IE home page and redirects the victim's browser to adult Web sites, such as "Favorite Porn Links."
As I stated, I GOT NO POPUPS AT YOUR WEBSITE, SO IT IS NOT A POPUP!! There was NO audible alert signifying ANY popup activity when the virus alert appeared!! So you CANNOT blame popups!

Perhaps you missed this where I said it could possibly be from your ad supporters: "Swscorch, yes it could very well be from some of those 'spy' sites he's linked to/has banners for (view.adtmt.com, burstnet, adclick, etc....possibly Dealtime, but I doubt they'd do it). I didn't see any popups because of my stopper so I don't know if any of those are there [forgetting about my audible alert], but I did check to see what cookies were blocked and he has many there from tracking websites and ads websites."

And to you jerk Lizardman.........
> Pimp smacked by Dan... ouch!
Not quite, and one can tell from your microcephalic comment that you apparently CONDONE "questionable activity", and the ones that try to warn others about said activity is the "bad guy".

I make NO apologies and stand behind what I said here: "The point is; someone is doing something illegal at that site and as a courtesy to AT members I posted this to inform you. ". THAT is the bottom line!!!!!!! Also note I said "SOMEONE" and NOT "YOU"!!!!!!!!!

....let the ad run its course??????? All the while letting your visitors get infected by a virus that is at YOUR website???? If you admit the problem is not new, then you admit to having it, had an obligation to remove it, yet did not!! That is just total irresponsibility and makes you as guilty as whomever is responsible for its placement if not you, and you SURE AS HELL CANNOT BLAME PEOPLE FOR REPORTING IT!!! If I was to happen to find a virus at any of my sites, I could not remove it fast enough!! And no, the email you describe is not a result of me.

I suggest you go through your HTML code of the infected pages to investigate this matter.
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
> I suggest you go through your HTML code of the infected pages to investigate this matter.

There are no "infected pages"; it's some ad or other, served by Burst. The Burst ad code on all of my pages is the same. The code says to Burst "Here I am, site 4889a, asking for whatever ad you want to display in this spot on this page for this pageload".

Presumably it's some dumb "rich media" thing or other. I don't know what it is, though, because Burst haven't replied to my mail, and I do not have the time to disable one ad, wait a week to see if anyone reports the problem (which I've never, myself, seen...), disable one other ad, et cetera. There are dozens and dozens of ads in rotation on Dan's Data.

"Computer", if you've got any interest in giving it a rest with the multiple !s and ?s and actually helping me find the ad that causes the problem, I'd be grateful, and disable it. It's the work of a moment to turn off any ad on the site; I just need to know which one is actually the problem. I've never encountered the problem myself, though, so I don't know which one to zap.

 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Ok, I just now got it on this page again, http://www.dansdata.com/coolercomp.htm and I'm looking at the source code again. What I think you should do, is find a page where YOU get the warning so you can look at the source code, save it and study it a bit. Many of the ads appear to be dynamically generated with no definite URL, like this:

<script language="JavaScript">
<!-- /* Copyright 1997-2003 BURST! Media, LLC. All Rights Reserved.
(Version 1.0J) */
function ShowBurstAd(adcode, width, height, sizes, intrusive, bgcolor,
background) {
var bN = navigator.appName;
var bV = parseInt(navigator.appVersion);
var base='http://www.burstnet.com/';
var Tv=''; var Itr='';
var sz=''; var bkgd='';
var bgc=''; var rfr='';
var vr='v=1.0J';
var agt=navigator.userAgent.toLowerCase();
if (sizes.length!=0) {sz='/sz='+sizes;} else {sz='';}
if (bgcolor.length!=0) {bgc='/zg' + bgcolor;} else {bgc='';}
if (background.length!=0) {bkgd='/bgi='+(escape(escape(background
))).replace(/\//gi,'%252F');} else {bkgd='';}
rfr='/r='+(escape(escape(top.location.href))).replace(/\//gi,'%252F');
if (bV>=4) {
ts=window.location.pathname+window.location.search;
i=0; Tv=0; while (i< ts.length)
{ Tv=Tv+ts.charCodeAt(i); i=i+1; } Tv="/"+Tv;
} else {Tv=escape(window.location.pathname);
if( Tv.charAt(0)!='/' ) Tv="/"+Tv;
else if (Tv.charAt(1)=="/")
Tv="";
if( Tv.charAt(Tv.length-1) == "/")
Tv = Tv + "_";
}
var fCode='<ifr'+'ame id="BURST" src="'+base+
'cgi-bin/ads/'+adcode+'.cgi/NI/if/'+vr+bgc+sz+bkgd+
rfr+Tv+'/RETURN-CODE" width="'+width+'" height="'+
height+'"'+'marginwidth="0" marginheight="0"'+
'hspace="0" vspace="0" frameborder="0" '+
'scrolling="no">';
var gCode = '<'+'a href="'+base+'ads/'+adcode+'-map.cgi/'+
vr+sz+rfr+Tv+'" target=_top><im'+'g src="'+base+
'cgi-bin/ads/'+adcode+'.cgi/'+vr+sz+rfr+Tv+
'" border="0" alt="Click Here"></a>';
var fCodeEnd = '</ifr'+'ame>';
if ((adcode.charAt(0)=="a")&&(intrusive=="1")) {
Itr='<di'+'v><scr'+'ipt src="'+base+'cgi-bin/ads/'+adcode+
'.cgi/sz=0X0MN/'+vr+rfr+Tv+'/RETURN-CODE/JS/"></scr'+'ipt></d'+'iv>';
}

if (agt.indexOf("mac")==-1) {
document.write(fCode+gCode+fCodeEnd+Itr);
} else {
document.write(gCode);
}
}
//-->
</script>


but some are; http://www.burstnet.com/ads/ad4889a-map.cgi/ns/v=1.0J/sz=468x60A|728x90A/ for example, which is NOT a valid URL. The code for that is...

<noscript><a href="http://www.burstnet.com/ads/ad4889a-map.cgi/ns/v=1.0J/sz=468x60A|728x90A/" target="_top">
<img src="http://www.burstnet.com/cgi-bin/ads/ad4889a.cgi/ns/v=1.0J/sz=468x60A|728x90A/" border="0" alt="Click Here"></a>
</noscript>

I tried modifying the URL and it's still not a valid URL. I did not "click here" so I just went back to find that specific "click here" link and no alert this time. So, what I did was paste that smaller snip of code......

<noscript><a href="http://www.burstnet.com/ads/ad4889a-map.cgi/ns/v=1.0J/sz=468x60A|728x90A/" target="_top">
<img src="http://www.burstnet.com/cgi-bin/ads/ad4889a.cgi/ns/v=1.0J/sz=468x60A|728x90A/" border="0" alt="Click Here"></a>
</noscript>

...into the source tab on a HTML formatted email, then looked at it, and it was the Lowe's Back To School ad, or at least the top portion of it. Oddly though clicking it gave the same erroneous URL http://www.burstnet.com/ads/ad4889a-map.cgi/ns/v=1.0J/sz=468x60A|728x90A/ . While trying to modify that URL to get to page, I saw this address webguru@burstmedia.com so you should probably contact them. But if they are the ones responsible for it, I seriously doubt you'll get any info from them, or any admission to the fact.

Going with the assumption that this is the responsibility of one of your ads, it's going to be very difficult to find the root of it if it lies with a dynamically generated ad. However I would first start to eliminate them one by one until the virus disappears. You may not be able to find the EXACT ad, but you'll be able to find who is responsible for it.

(For what it's worth, that long tag I pasted above has a lot of errors in it, such as: </scr'+'ipt> or </d'+'iv> in which of course the '+' symbols do not belong. I've seen this before, it has happened to me with scripts and is the result of some incompatibility with a website server Vs. the server that is serving the generated script, but I've never been able to determine which one exactly is the cause of it. Although I don't see any obvious errors in the smaller tag, this anomaly still could be what is giving the invalid URL by adding/removing a character, or modifying one to an erroneous state).

Are these Burst ads even necessary?
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I'll see if I can paste the entire HTML code for that page where I just got the alert below. This may save you some time in trying to find a page that's infected. I would search through this code for every ad, then do what I did with it in an HTML email, and possibly see if you get a virus warning from that. BTW, I did not from that Lowe's ad I mentioned.

Edit: [since removed]
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
This isn't going to work, the code is just too long. Let me know when you have that code above copied so I can edit it out of the post because I don't want to take up such a huge area on this thread. ALL of the remainder of the code probably is not necessary, so I'll edit out YOUR PERSONAL text and leave in any ad info, then I'll paste that here shortly.

 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Ok, here is the remainder of the code, without the bulk of YOUR images and YOUR text. This picks up again where the basic page text stops. I think it's safe to say none of your images are causing it since they are of a fixed tag nature, nor any of your personal text since it appears benign. Going with that assumption; the Trojan (or perhaps more accurately) the tag to the Trojan lies within this code below, or the code I previously pasted above. Again, if it's from a dynamically generated tag, and that tag does indeed display images and/or text code "on the fly", it's going to be very hard to ferret it out. What I would do is (if you must use the banners) to get or create static banners and put them on your pages. That would probably be the quickest/easiest thing to do. But (at least I) would be MORE than curious as to find out who is responsible for putting malicious codes at a site of mine, and I would have them prosecuted for doing it.

Edit:
[since removed]

 

dansdata

Junior Member
Sep 9, 2003
7
0
0
> What I think you should do, is find a page where YOU get the warning

I'll tell you if it ever happens :).

> Many of the ads appear to be dynamically generated with no definite URL, like this:

What you posted there is Burst's standard top-of-page code, which must appear on all pages where any Burst ads are to appear. It defines all the stuff that the other ads' code uses. This is why the weird CGI-URLs you looked at later didn't work right for you; if they were on a Web page with this code above them, they would.

There's nothing dynamically generated in the snippets you posted; they're exactly the same (well, barring a bit of line formatting) as the version in the static files in the copy of the site on my hard drive. What needs to be done by you, or by someone else hunting this problem, is to figure out which ad(s) are being displayed when your virus checker thinks it sees JS_Fortnight. It's quite possible, I suppose, that the virus checker's intervention will make it impossible for anyone with the best will in the world to tell what ad creates the problem. But maybe it'll leave you with a busted ad that you can still click on to see where it goes. That'd be enough for me to figure out the culprit.

> Are these Burst ads even necessary?

Oh, hell no! Just send me several hundred dollars a month and I'll get rid of the lot of them :)!

Dan's Data isn't a hobby site for me, and the annoying ads pay better than pocket money. That's why I run the darn things.

If you can't stand the sight of them, then allow me to suggest the addition of

127.0.0.1 www.burstnet.com
127.0.0.1 www2.burstnet.com
127.0.0.1 ads.burstnet.com

to your hosts file :).
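
Added example, not part of any post in this thread and not Burst's or Dan's Data's code: JavaScript for Node.js that decodes the iframe request built by the ShowBurstAd() code posted above, to show which page each load came from, and then finds the creative that was displayed in every alerting load and in no clean one. The per-load records, the creative names and all function names are assumptions made for the example.

```javascript
// Added example. Log records are constructed; creative names are placeholders.

// The "Tv" value ShowBurstAd() appends for version-4+ browsers:
// the sum of the character codes of pathname + search.
function pathChecksum(pathAndQuery) {
  let sum = 0;
  for (let i = 0; i < pathAndQuery.length; i++) sum += pathAndQuery.charCodeAt(i);
  return sum;
}

// Rebuild the iframe request the way ShowBurstAd() does (no bgcolor or
// background), so the constructed records use the format shown in the thread.
function buildBurstRequest(adcode, sizes, pageUrl) {
  const u = new URL(pageUrl);
  const rfr = escape(escape(pageUrl)).replace(/\//g, '%252F');
  return 'http://www.burstnet.com/cgi-bin/ads/' + adcode + '.cgi/NI/if/v=1.0J/sz=' +
    sizes + '/r=' + rfr + '/' + pathChecksum(u.pathname + u.search) + '/RETURN-CODE';
}

// Split such a request back into its fields; null if it is not one.
function parseBurstRequest(url) {
  const m = /^http:\/\/www\.burstnet\.com\/cgi-bin\/ads\/([^./]+)\.cgi\/NI\/if\/(.*)\/RETURN-CODE$/.exec(url);
  if (!m) return null;
  const out = { adcode: m[1], version: null, sizes: [], referrer: null, checksum: null };
  for (const part of m[2].split('/')) {
    if (part.startsWith('v=')) out.version = part.slice(2);
    else if (part.startsWith('sz=')) out.sizes = part.slice(3).split('|');
    else if (part.startsWith('r=')) out.referrer = unescape(unescape(part.slice(2)));
    else if (/^\d+$/.test(part)) out.checksum = Number(part);
  }
  return out;
}

// Pages on which at least one alerting load was recorded. Alerts on several
// pages that share the same ad code point at the ad rotation, not at one page.
function pagesWithAlerts(loads) {
  const pages = new Set();
  for (const l of loads) {
    const req = parseBurstRequest(l.request);
    if (req && l.avAlert) pages.add(req.referrer);
  }
  return [...pages].sort();
}

// Creatives that were displayed in every alerting load and in no clean load.
function findSuspects(loads) {
  const alertLoads = loads.filter(l => l.avAlert).length;
  const stats = new Map();
  for (const l of loads) {
    for (const c of new Set(l.creatives)) {
      const s = stats.get(c) || { alert: 0, clean: 0 };
      if (l.avAlert) s.alert++; else s.clean++;
      stats.set(c, s);
    }
  }
  return [...stats]
    .filter(([, s]) => alertLoads > 0 && s.alert === alertLoads && s.clean === 0)
    .map(([c]) => c).sort();
}

// Constructed records: one per page load, with the creatives seen in that load.
const P1 = 'http://www.dansdata.com/coolercomp.htm';
const P2 = 'http://www.dansdata.com/coolercomp_p2.htm';
const mk = (page, creatives, avAlert) =>
  ({ request: buildBurstRequest('ad4889a', '468x60A|728x90A', page), creatives, avAlert });
const loads = [
  mk(P1, ['creative-1', 'creative-2'], false),
  mk(P1, ['creative-2', 'creative-3'], true),
  mk(P2, ['creative-3', 'creative-4'], true),
  mk(P2, ['creative-1', 'creative-4'], false),
  mk(P1, ['creative-3'], true),
];
console.log(pagesWithAlerts(loads), findSuspects(loads));
```

All records should come from one machine whose scanner is known to flag the ad: a scanner that never alerts marks every load clean and would wrongly clear the creative.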