You are linked to a VIRUS on your case mod thread!


computer

Platinum Member
Nov 5, 2000
2,735
2
0
I have to do some work now ;) but I'll check again for the Trojan alert and I'll try and make a pdf copy of the page where I get it.

Yeah I understand they pay the bills. So I guess you ought to try the static banners if possible. ?

Personally it's not the FIXED banners that bug me, is the popup BS I hate. Did you copy the code yet?
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
Yeah I understand they pay the bills. So I guess you ought to try the static banners if possible. ?

No can do, unless I spend time selling ads myself. _Some_ of my ads are static, though; the Aus PC Market links and banners, for instance, and the SecureWebs pimping at the bottom of every page.

Did you copy the code yet?

Oh, sorry - there's nothing to copy, since the code you posted is exactly the same as the code I already have in every page file here in my web/dansdata directory :). The dynamic-ness happens when the Burst server delivers something in response to that code.

Not all ad systems work this way - the page I'm composing this message on, for instance, has Appro, Thermaltake ("Quiteness Made Possible"; nice one, proofreaders :) and Mushkin ads that're completely non-obfuscated in the code, because the whole thing's being server-side generated. My site is flat-file, though, so I use the fat-n-ugly Javascript ad code I'm given :).


 

clarkmo

Platinum Member
Oct 27, 2000
2,615
2
81
From the link in the first post, I don't get a virus per the Trendmicro housecall page. It did give me a false positive on 2 files though, regupdate.exe and winlogon.exe in the system folder. These 2 files have been used/rewritten by virii in the past but also have legit uses. Perhaps your virus software is messing up?
 

jna

Senior member
Jun 1, 2002
234
0
0
I went to dansdata.com and MY COMPUTER EXPLODED! INTO LITTLE BITTY BITS AND PIECES!

He tried to play nice and tell me how to glue it back together:

"A roughly 50/50 mixture of thermal grease and five minute thermal epoxy (or just metal-loaded "Devcon"-type epoxy, which is pretty much as good...) "

BUT IT DIDN'T WORK! NOW MY COMPUTER IS IN LITTLE BITTY PIECES AND I ONLY HAVE DAN TO BLAME! BE VERY AFRAID!


 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
did you really email the fbi about that?
No, I wasn't the one he was speaking of regarding that email.
From the link in the first post, I don't get a virus per the Trendmicro housecall page. It did give me a false positive on 2 files though, regupdate.exe and winlogon.exe in the system folder. These 2 files have been used/rewritten by virii in the past but also have legit uses. Perhaps your virus software is messing up?
The virus is not at the Housecall page. It is at some pages at Dansdata.com. What makes you think you're getting a false-positive?? Ever think that those files are infected? No, my AV software is NOT "messing up". :)

Dan I went back to the site a few times and got the virus warnings again. I tried to save the page as a .mht archive file on two occasions, then opened the files and got no alert. Evidently the page was either not saved fast enough, or it did not save the EXACT paths/banners on the pages and they must still be 'dynamic' within the saved pages. I checked the pages for any commonalities and find these: 1. that banner at the top with "some guy yelling with his hands up by his mouth" from Vonage and it reads "$39.99/month....unlimited and long distance.....etc" (the one with a solid blue background on one portion). 2. The Windows.net DotNet server for as low as $99" banner. 3. and the small Securewebs.com image at the bottom.

I just now clicked the link on your homepage to http://dansdata.com/email.htm and got the virus warning again. At the top was that same banner 'with the guy yelling" I described above. That could be the suspect banner causing the virus.

Jna.......HUH??????
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
1. that banner at the top with "some guy yelling with his hands up by his mouth" from Vonage

OK, that one's disabled now. That particular campaign's only been running since the start of this month, but the same ad (or offending code, at least) may have been running in a previous campaign.

2. The Windows.net DotNet server for as low as $99" banner. 3. and the small Securewebs.com image at the bottom.

Those are just static files on my own server (SecureWebs being my hosting service, for whom I run ads all the time), so they're not it.

Let's see if disabling the Vonage thing makes a difference.


 

minerat

Junior Member
May 15, 2003
14
0
0
While I find the fact that burst could be serving up ads with malware troubling (but not surprising), you need to have low IE settings for it to execute. Also, it shouldn't be a huge mystery as to whether Burst's ad has actually infected a computer. Do you have unwanted favorites? A signature file in OE? Perhaps no access to advanced internet options? I'm behind a corp firewall at the moment, but why doesn't someone turn off all IE security settings and browse around dan's website? It says it opens a popup to a number of domains, perhaps looking at what popups come up on dan's page would help and then it can be traced back to an ad.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I just got it again here: http://dansdata.com/email.htm . It was a DIFFERENT Vonage banner at the top this time. I saw the previously mentioned suspect Vonage banner at the top of the HOME page, and I didn't get any alert that time! So, 'hellifiknow' which is causing it! FAIK, they (Burst?) could be rotating the damn virus code on banners! I think you need to contact them, if you can determine that it IS them that is doing it.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I was just about to mention the same thing. But from what I've heard about that virus, it adds some porn crap to a sig. file, so that wouldn't point the finger at Burst. However if it adds something ELSE to the sig file, like a Burst ad, well then that would say a lot. What I don't understand, is since Dan has yet to see the virus warning, why hasn't he gotten the virus? Yeah it could be due to security settings in IE. I for one am not going to turn off my AV software and relax security settings and try to get infected.....my luck it would be some "excessively hostile virulent mutative ba$tard" that would "rip me a new one"! LOL. :D (FYI, I was among the FIRST 18 in North America to get JUNKSURF!!! I checked for, AND GOT the virus def update for that day, and a short time later I got infected as I found out in a routine Housecall scan. I then checked for another update, and they had another new update that same day only about 2 hrs. apart!! With odds like that against me, I don't screw with these codes!!)
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Yes I'm also behind a HARDWARE firewall AND a software firewall, and I don't think I can turn off the HW firewall. I don't know if you were asking me, or just hypothetically asking those questions, but no; I have no unwanted sig file, or fav's I didn't add, and I do have IE options. But if it had not been for my AV software and possibly highest security settings, I WOULD have them.

Hmm, I just went to Burst.net and saw the red "-" sign @lower right in IE for the security cookie blocked, checked it out and it was for http://roi.gotoast.com/ which is a KNOWN "cyber-terrorist" trackware/spyware company!

Burst and this other place is also listed in AdAware and SpyBot.
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
It was a DIFFERENT Vonage banner at the top this time.

Most campaigns, including the Vonage one, have a selection of ads they can display - usually all variations on a theme. The current Vonage one has five banners, three of which are slightly different but all feature the shouting guy, and two of which seem to actually be exactly the same, and don't feature Mr Holler.

Anyhow, I've disabled that campaign. I don't know how long it takes Burst to stop serving ads for a given campaign after you uncheck its box in their selector dingus.

 

CAMS

Senior member
Feb 11, 2000
471
0
0
Originally posted by: jna
I went to dansdata.com and MY COMPUTER EXPLODED! INTO LITTLE BITTY BITS AND PIECES!

He tried to play nice and tell me how to glue it back together:

"A roughly 50/50 mixture of thermal grease and five minute thermal epoxy (or just metal-loaded "Devcon"-type epoxy, which is pretty much as good...) "

BUT IT DIDN'T WORK! NOW MY COMPUTER IS IN LITTLE BITTY PIECES AND I ONLY HAVE DAN TO BLAME! BE VERY AFRAID!

If you really knew Dan at all he would have advised to use magnets!

 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
FWIW Dan, I just got the virus again here.... http://www.dansdata.com/coolercomp.htm and there was no Vonage banner at the top. This time at the top was the gold and white MS Office banner, "Transform" was on it (still a Burst banner). Immediately after clicking the banner, there is a Burstnet.com URL showing for less than a second, then redirects to:
http://click.atdmt.com/goiframe/1473346/brstmmsg02800004ddb/direct/070108 (another spyware company) before it goes to the final URL destination.
 

dansdata

Junior Member
Sep 9, 2003
7
0
0
FWIW Dan, I just got the virus again here.... http://www.dansdata.com/coolercomp.htm and there was no Vonage banner at the top.

OK. It's not triggering on any particular ad (I've turned the Vonage campaign back on now, because for some reason people occasionally click on it and make me some money :).

The false positive is, rather, triggering on the intermediate Javascript that surrounds whatever banner gets loaded. This script is always very much the same; the only things that change are the title tag and the details of what the script calls in an iframe (yes, just like JS_FORTNIGHT, the difference of course being what's actually being put in the iframe).

A couple of readers using Trend Micro's antivirus products have managed to preserve the files it's unhappy about; here's one of them:

var theDoc=document;
var sawPop=theDoc.cookie.indexOf('bpuc488919403=ywsi');
if(sawPop==-1)
{
theDoc.cookie='bpuc488919403=ywsi; path=/;';
if(theDoc.cookie.indexOf('bpuc488919403=ywsi') == -1) {
sawPop = 1;
} else {
sawPop = -2;
}
}
if(sawPop == -2)
{
var pophtml = "<HTML>\n"+
"<HEAD>\n"+
"<TITLE>Matchmaker</TITLE>\n"+
"</HEAD>\n"+
"<BODY leftmargin=0 topmargin=0>\n"+
"<iframe src=http://www.burstnet.com/cgi-bin/ads/ad4889a.cgi/SZ=0X0SB/RETURN-CODE/BCPG19403.37524.40298/53523/ height=300 width=700 frameborder=0 scrolling=no marginheight=0 marginwidth=0>\n"+
"</BODY>\n"+
"</HTML>";
var awin = window.open('', '_blank','width=700,height=300,scrollbars=no,status=no,resizable=no');
window.focus();
awin.location = 'javascript:*opener.pophtml';
awin.moveTo(60,40);
}

I inserted a * between "javascript:" and "opener" to stop it from turning into javascript:eek:pener... turn off emoticon parsing and all tags apparently stop working. No matter.

The stuff between the title tags changes from ad to ad, and the four five digit numbers after RETURN-CODE also change, and so do the height and width tags for the iframe and for the window.open below. That, however, is it for the differences between this code, which is one of the ones that gets a JS_FORTNIGHT warning, and other ads, which don't. I don't know what the magic cookie is that triggers the warning, but I am now satisfied that it is entirely spurious, since it appears to be triggering on various ads from various unrelated companies. Yes, they're all Burst ads, but all the antivirus programs seem to be noticing is that there's an iframe being opened with something in it that matches a JS_FORTNIGHT signature.

I haven't been able to find the actual code for any JS_FORTNIGHT variant, though; if someone has it and would like to e-mail it to me (dan@dansdata.com; do yer worst, I run Eudora :), that'd be great.

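An added example, not code from the thread, from Burst or from dansdata.com: it does the triage Dan describes above on constructed copies of the popup script, canonicalising the fields he says are the only ones that vary (title, RETURN-CODE numbers, iframe and window sizes) so that any other difference between two flagged copies stands out, and shows how a coarse structural "signature" fires on every variant and on an unrelated page script alike. The signature tokens, the non-Matchmaker numbers and the preview script are all hypothetical; the real JS_FORTNIGHT pattern Trend Micro matched is not known from the thread.

```javascript
// Builds a constructed popup script modelled on the one posted above. The
// cookie name and the ad4889a.cgi path come from the posted code; every value
// passed in is made up for this demonstration.
function burstScript({ title, code, w, h, cookie = "bpuc488919403=ywsi" }) {
  return [
    "var theDoc=document;",
    `var sawPop=theDoc.cookie.indexOf('${cookie}');`,
    `if(sawPop==-1){theDoc.cookie='${cookie}; path=/;';}`,
    `var pophtml="<HTML><HEAD><TITLE>${title}</TITLE></HEAD><BODY>"+`,
    `"<iframe src=http://www.burstnet.com/cgi-bin/ads/ad4889a.cgi/SZ=0X0SB/RETURN-CODE/${code}/ height=${h} width=${w} frameborder=0>"+`,
    '"</BODY></HTML>";',
    `var awin=window.open('','_blank','width=${w},height=${h},scrollbars=no');`,
    "awin.location='javascript:opener.pophtml';",
  ].join("\n");
}

// Variant A uses the numbers from the posted script; B and C use constructed
// ones. C also changes the cookie name, a field Dan says never varies.
const AD_A = burstScript({ title: "Matchmaker", code: "BCPG19403.37524.40298/53523", w: 700, h: 300 });
const AD_B = burstScript({ title: "Transform", code: "BCPG11111.22222.33333/44444", w: 468, h: 60 });
const AD_C = burstScript({ title: "Transform", code: "BCPG11111.22222.33333/44444", w: 468, h: 60,
  cookie: "bpuc000000000=zzzz" });

// A constructed, unrelated page script (an image preview popup) that happens to
// contain the same structural tokens as the ad code.
const BENIGN_PREVIEW = [
  'var preview="<iframe src=/gallery/large.htm width=640 height=480></iframe>";',
  "var w=window.open('','_blank','width=640,height=480');",
  "w.location='javascript:opener.preview';",
].join("\n");

// The fields Dan lists as the only ones that change from ad to ad, each
// replaced by a placeholder so that the remainder can be compared verbatim.
const VARIABLE_FIELDS = [
  [/<TITLE>[^<]*<\/TITLE>/g, "<TITLE>#</TITLE>"],
  [/RETURN-CODE\/BCPG\d+\.\d+\.\d+\/\d+\//g, "RETURN-CODE/#/"],
  [/height=\d+ width=\d+/g, "height=# width=#"],
  [/width=\d+,height=\d+/g, "width=#,height=#"],
];

function canonicalise(script) {
  return VARIABLE_FIELDS.reduce((s, [re, ph]) => s.replace(re, ph), script);
}

// First line that still differs once the known-variable fields are masked, or
// null when the two copies are the same ad code with different campaign data.
function firstRealDifference(a, b) {
  const la = canonicalise(a).split("\n"), lb = canonicalise(b).split("\n");
  for (let i = 0; i < Math.max(la.length, lb.length); i++) {
    if (la[i] !== lb[i]) return { line: i + 1, a: la[i], b: lb[i] };
  }
  return null;
}

// Per-ad fields worth logging to correlate a flagged copy with a campaign.
function adFields(script) {
  const title = /<TITLE>([^<]*)<\/TITLE>/.exec(script);
  const code = /RETURN-CODE\/([^/]+\/\d+)\//.exec(script);
  return { title: title ? title[1] : null, returnCode: code ? code[1] : null };
}

// Hypothetical coarse signature (stand-in, not the scanner's real pattern):
// three structural tokens present in the Burst script and in plenty of
// ordinary popup scripts, which is why such a rule produces false positives.
const COARSE_SIG = ["<iframe src=", "window.open(", "javascript:opener"];
function coarseSignatureHits(script) {
  return COARSE_SIG.filter((t) => script.includes(t));
}

console.log("A vs B after masking:", firstRealDifference(AD_A, AD_B));
console.log("A vs C after masking:", firstRealDifference(AD_A, AD_C));
console.log("signature hits, unrelated script:", coarseSignatureHits(BENIGN_PREVIEW));
```

Running it shows A and B collapse to identical code while C surfaces the changed cookie line, and the coarse rule hits all three tokens on the unrelated preview script as readily as on the ad.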
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Hey, that's it. I just pasted that code tag into the source code of an HTML document, removed *, saved it and I got the virus warning.
 

Glorious729

Junior Member
Sep 19, 2003
3
0
0
I think Daniel has been exceedingly accomodating in your ridiculous goose chase for what is beyond any reasonable doubt a false positive. The fact that you absolutely refuse to even consider that possibility and some other things you've said indicates that you simply do not have the understanding of the issues you claim. Talk about firewalls, either of the software or hardware variety, is completely irrelevant to the discussion at hand. Again, the fact that you seem to think they somehow have something to do with this particular problem demonstrates you really don't have any clue what you're talking about.

I'd appreciate it, and I'm sure that Daniel would too, if you'd be slightly more constructive and less overbearing and imprecatory. I lack Daniel's subtlety, tact, and politeness so I have been rather blatant, but I certainly don't feel I'm in the wrong here. Can you truthfully say the same? Or are you just going to continue with the mindless hysteria that resolves nothing and only establishes, without any question, your error in judgement in attacking Dan in all this?
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
I think Daniel has been exceedingly accomodating in your ridiculous goose chase for what is beyond any reasonable doubt a false positive.
Look jerk, I think you need to read through this ENTIRE 2-page thread again!! Put your ***king glasses on and remove the wool over your eyes!!!!!!! EXCUSE THE F**K OUT OF ME FOR TRYING TO HELP and INFORM OTHER MEMBERS!! Jerk! Obviously a "close personal friend" of Dan's and you felt the need to "rush to his rescue" hence the one post only!! Dan needs no help to "defend" himself, and this matter was CLOSED DAYS AGO!!! HE asked for MY ASSISTANCE and if you could read, THAT IS WHAT I WAS TRYING TO DO FOR DAYS!! Now what is NOT accommodating about that!!!?? The suspect code WAS FOUND, and one can hardly consider that a "pursuit of an untamed aquatic ornithoid". (BTW, that's "accommodating" not "accomodating"). You obviously missed the update I placed on the first original message: UPDATE: Trojan code has been identified in a Burstnet.com ad banner.
The fact that you absolutely refuse to even consider that possibility........
AGAIN, proof that your micro-brain cannot comprehend language. Now, WHAT DOES THIS STATE?? Does this appear to you as someone that as you say "refuses to consider other possibilities"??????
Swscorch, yes it could very well be from some of those 'spy' sites he's linked to/has banners for (view.adtmt.com, burstnet, adclick, etc....possibly Dealtime, but I doubt they'd do it). I didn't see any popups because of my stopper so I don't know if any of those are there, but I did check to see what cookies were blocked and he has many there from tracking websites and ads websites. (I'll send it to you off list).
I guess you ALSO "missed that"!

Talk about firewalls, either of the software or hardware variety, is completely irrelevant to the discussion at hand.
I started the thread and if I want to discuss FW's; hardware or software wise that's my prerogative. Once again, showing that English is your second or third language; I wasn't even the one that brought up the go**amn subject of FW's in the first place!! At any rate, YOU have A LOT to learn if you think FW's have nothing to do with the topic of Worms or Trojans!!
I'd appreciate it, and I'm sure that Daniel would too, if you'd be slightly more constructive
Well, I and others would "appreciate it" as well if you would read an entire thread completely before shooting your mouth off!!! I sent the go**amn screen shots to people!!! I spent hours going over his HTML and Java code trying to help him find this!! On two occasions I pasted code from his "infected" pages I found into this thread (since removed to take up less space) for him to examine!!! I tried to recreate the alert on another webpage!! Perhaps you need to "redefine" your definition of "constructive"!!

Only YOU have created any "mindless hysteria", the only one hysterical around here is apparently YOU, and also seriously misinformed.

The only "error in judgment" here is your needless input. "Resolves nothing"??? We found out what banner ad was causing it did we not??????

And ONCE AGAIN:
If you have a "problem" with my post, THEN I SUGGEST YOU TAKE IT UP WITH TRENDMICRO, as well as EVERY OTHER AV software maker that ALSO identifies the code at the website as a malicious code!!!!
If you want to bitch to someone then go bitch to them.

The fact of the matter is the same and the bottom line does NOT CHANGE. I was alerted to a "malicious code" at a site linked to by this forum and did what any decent, concerned person would do and informed others about it!! IF it is indeed a "false positive", then again I "suggest" you take that up with the AV software manufacturers and NOT me, and go bitch to them about it!

No good deed goes unpunished. The NEXT f***ing time I come across something that could infect/affect AT members, I'll just keep my go**amn mouth shut and let your as$ get potentially harmed by it.

The mod needs to close/lock this thread.
 

Glorious729

Junior Member
Sep 19, 2003
3
0
0
Here's a real update. (Why? because your update is false. There isn't any Trojan code in the ad, there is only a false positive)

You are a hysterical poster who does not understand what a false positive is.

You cannot imagine that A/V software could ever make a mistake and don't really care to hear about how it could. Despite people explicitly telling you that this is a false positive, you still continue to believe you did the world a service by going into hysterics.

You know nothing about how viruses, trojans or A/V software work, and again, you don't really care to. You went into what can only be described as an uncontrollable panic when you saw the words "VIRUS" because you are scared to death of what you don't understand.

I have never met Dan, I have never talked to him, I don't even live on the same side of the planet he does. I am most certainly not a close personal friend of his. The only thing I know is that you went completely nuts, said his site had a trojan, then emailed half the world about it.

Let me spell it out for you. There was never any trojan in any ad on Dan's site. There was something that resembled one, and whatever variety of A/V you use decided it was one. But it wasn't. That's what a false positive is. Consider yourself informed.

YOU have A LOT to learn if you think FW's have nothing to do with the topic of Worms or Trojans!!

With worms? Certainly. When it comes to getting infected by a Trojan? Nope, Firewalls have nothing to do with that. The fact that you equate the two just demonstrates that you know very little about the topic, as do numerous other things in this thread.

Well, I and others would "appreciate it" as well if you would read an entire thread completely before shooting your mouth off!!!

I did read the entire thread. That's why I know that you don't know as much as you think you do about this topic.

"Resolves nothing"??? We found out what banner ad was causing it did we not??????

Right. You found the problem that wasn't really a problem in the first place. Why? Because it's not a Trojan, it's a false positive. Congratulations on fixing something that wasn't broken.

EVERY OTHER AV software maker that ALSO identifies the code at the website as a malicious code!!!!

They aren't the ones who are posting in forums saying "OMFG DAN'S PAGE IS INFECTED!!!!!!1111". They also aren't emailing fraud centers about it.

No good deed goes unpunished. The NEXT f***ing time I come across something that could infect/affect AT members, I'll just keep my go**amn mouth shut and let your as$ get potentially harmed by it.

First off, anyone with any knowledge about A/V software related topics should immediately know that there was never any potential harm involved, because it was a FALSE POSITIVE. The circumstances involved should have made this clear from the very beginning.

Second off, I don't need hysterical people who freak out at the mere word "virus" to defend me from infection. In fact, I don't think anyone does. I've never gotten any virus, worm or Trojan, and I don't even run A/V software. If you are a computer enthusiast, you shouldn't worry about such things at all, simple precautions make you virtually immune (more so than not doing the precautions and hoping your A/V software will take care of you).

Third off, can you even tell me what harm even the REAL "malicious code" could cause in this context? Or are you just saying that because it sounds good.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
<sigh> Blaster is one of many that CAN BE blocked by a firewall:

"To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments."

Trojans:
"......However, firewalls are able to block Trojan's network activity and therefore make the Trojan horse ineffective, but most users find it very difficult to properly configure firewall rules to make it effective of blocking Trojans horses. There is also a risk that rookie users may occasionally set their firewall to allow Trojan communication. As for Trojans, firewalls should be considered as valuable addition to anti-trojan tools that are able to discover a Trojan on infected machine and then remove it. These tools are so called Anti-trojan software (or just Anti-trojans) and Anti-viruses." Link

Do I need to continue with more examples??? Now who is the one not informed??

Again, I AM fully aware of what a false-positive is, and it does not change the fact that if this was a false-positive that is not my fault nor my problem. TAKE IT UP WITH THE GO**AMN AV SOFTWARE COMPANIES THAT ARE SUPPOSEDLY ERRONEOUSLY IDENTIFYING IT INCORRECTLY, GET OFF MY ASS, AND GET A LIFE.

Making a post to this forum is hardly "emailing half the world about it" or "emailing fraud centers". I fail to see how anyone is in some "uncontrollable panic" and "scared to death" over this. Seeing virus/worm/Trojan activity is a common daily occurrence on Windows PC's with IE and OE on them. You're also sadly mistaken if you think that only "simple precautions" can protect one from all malicious codes. The only way a Windows PC can be fully immune to any type of "infection" without AV software & firewalls is never connect to the internet, or share files.
can you even tell me what harm even the REAL "malicious code" could cause in this context?
It was already previously discussed what the FORTNIGHT Trojan does. If you would have read this thread, you would have seen that.

Regards.
 

Glorious729

Junior Member
Sep 19, 2003
3
0
0
Blaster is one of many that CAN BE blocked by a firewall:

MSblaster is a WORM, NOT A TROJAN. You're just illustrating my point for me! You do not know the difference!

However, firewalls are able to block Trojan's network activity and therefore make the Trojan horse ineffective

But they do nothing to protect you from being infected by one, which is what I said. And since we are talking about BEING infected by one, this fact is pointless.

TAKE IT UP WITH THE GO**AMN AV SOFTWARE COMPANIES THAT ARE SUPPOSEDLY ERRONEOUSLY IDENTIFYING IT INCORRECTLY, GET OFF MY ASS, AND GET A LIFE.

Again, they are not the ones who emailed everyone about this. YOU did. They didn't post on forums about this. YOU did.


Seeing virus/worm/Trojan activity is a common daily occurrence on Windows PC's with IE and OE on them.

A DAILY occurrence? Uh no. Did you even see the infection number of js_fortnight on Symantec's security response? It was 0-49. THE LOWEST rating! I've never got a single virus/worm/trojan in my entire LIFE!

You're also sadly mistaken if you think that only "simple precautions" can protect one from all malicious codes. The only way a Windows PC can be fully immune to any type of "infection" without AV software & firewalls is never connect to the internet, or share files.

No, my point is that you are far better off taking simple precautions than to just run A/V software and hope for the best. Why? Because A/V software sucks.

It was already previously discussed what the FORTNIGHT Trojan does. If you would have read this thread, you would have seen that.

Right. In Outlook Express. Mind explaining how exactly it would work in Internet Explorer?
 

alexrocks

Junior Member
Aug 15, 2003
7
0
0
Again, I AM fully aware of what a false-positive is, and does not change that fact that if this was a false-positive that is not my fault nor my problem. TAKE IT UP WITH THE GO**AMN AV SOFTWARE COMPANIES THAT ARE SUPPOSEDLY ERRONEOUSLY IDENTIFYING IT INCORRECTLY, GET OFF MY ASS, AND GET A LIFE.

If you are "fully aware" of what a false positive is, why did you post this? It's been said already that this is an Outlook trojan, not an IE one. The fact of the matter is that you started this thread, and it's been resolved. What you've been getting is a false positive, and nothing more.

Jesus Christ man just SHUT UP ALREADY!