Librarium Online Forums banner

Virus?!

2K views 33 replies 20 participants last post by  Zentradi 
#1 ·
Is anyone else getting a virus notification when accessing these forums?

My computer's quarantined a bunch of files that were part of a "JS.Wonka" virus... apparently it runs through javascript or something...

I just figured I'd mention it in case anyone else was having the same issue.


(P.S: it's a trojan)
 
#2 ·
I’ve taken the liberty of moving this thread to a more correct sub-forum; hopefully one of the Admins will see it soon. I too am getting a virus notification from my Norman Antivirus program; it appears to be a Trojan of the type ‘JS/Exploit_based’. Norman has the following to say about this Trojan:

�This is a small piece of javascript code that is sometimes used to break through the security in Internet Explorer. Usually the code is used in connection with "planting" new default start pages, search bars, and favourites to your browser without you knowing about it.

The script does this using a bug in Internet Explorer, and it is the code to "use" this bug that we detect.

It is important to understand that while the script in most cases does not constitute more than an annoyance, it _may_ be used for more destructive actions.�


Will one of the Admins please have a look at this? Thank you.

~Greph.
 
#6 ·
Umm... I got the same hit as well, is anything going to be done about this?
 
#8 · (Edited)
McAfee has been trapping the JS/Wonka Trojan and the Downloader-SG trojan every time I have connected to LO for the past 2 days.

My McAfee is set to auto-update every 7 days.
So it's current.

Thanks for the link BlackHat.
My read of that McAfee report is that JS/Wonka IS a real trojan.
And that reports of false hits were, in fact, real hits of the trojan.

I am going to have McAffe check for the lastest updates
And if this continues I would guess that LO has a real problem.

[EDIT]
OK, just had McAfee check for updates. And it says I am current.
McAfee reports that the NEWS[1].HTML is infected with the JS/WONKA Trojan
and
OPEN[1].EXE is infected with the Downloader-SG Trojan.

Hope this info helps...
 
#9 · (Edited by Moderator)
Blackhat said:
The only thing I can think of is the PNG fix for IE :) No need to worry then!
Actually, the JS/Wonka virus is to be worried about, it hasn't been destructive yet, but, there are a possiblity that the LO frontpage has been compromised and had this code added, but it could also be any add links on the frontpage that's causing it.

I found this link and this link

I forgot to mention, no, your not safe because you use Firefox or any other non IE browser.
 
#12 ·
I have several bookmarks to take me to different sections of LO.
And it does not matter where I come in I DON'T get the trojan warning on the first page.
I get it when I go to the second page.

For example this time I came in with my bookmark for the USER CP page.
No warnings.
I saw there were new posts in this thread so I clicked the link to come here.
As soon as the second LO page starts loading I get the Trojan Warning.

I can recreate this sequence at will.
I.E.
Come in on the forum and go to the gallery. Trojan warning loading gallery page.
Come in on the gallery and go to the forum. Trojan warning loading forum page.
Come in on the forum main and go to a sub forum. Trojan warning loading sub forum page.
Etc etc etc.

Hope this helps.
 
G
#14 ·
Forger of Civilization said:
As eziekeal said, just get a mac, there are maybe 200 viruses in the world for them. Most simply make a bunch of popups occur.
Oh now that's just so easy -_- I think I'll just go outside and WHOA insta-mac <_< Besides, mac sucks :tongue: Just kidding. But really, it's not that easy to just go and get a mac as you say.
 
#19 ·
I am still getting 2 trojan warnings.
Yes I can replicate it as follows:

I can go to any LO page. No warnings.
Click on any link to go to a second LO page. 2 Trojan warnings.
Continue navigating around LO. No more warnings.

Close the LO web page.

Go to any LO web page. No warnings.
Click on any link to go to a second LO page. 2 Trojan warnings.
Continue navigating around LO. No more warnings.

Close the LO web page.

Repeat.....

As I mentioned before, McAfee is reporting that NEWS.HTML and OPEN.EXE are infected.
 
#20 · (Edited by Moderator)
Maybe not my place to say this, but i am going to anyway as I think the community has a right to know.

In the Mod forum, Blackhat has confirmed that a minor Trojan has installed itself in some of the forum code.

He has also linked us to this http://www.systemsmanagementpipeline.com/news/172302797 , which includes the following...

Linked site said:
About half of the more than 10,000 sites using JS/Wonka are either compromised or malicious Web sites attempting to stick malware or spyware on unsuspecting users' PCs, said Hubbard. The other half of the sites use the encoded, obfuscated JavaScript to display spoofed search results which link to sites selling products typically shilled through spam, or used by sites trying to hide their URLs from affiliate advertising vendors because those sites may be breaking contractual agreements.
 
#22 ·
Firefox users have the option of installing the NoScript extension - It will block all javascript apart from what you specifically allow.

I would recommend it as a further level of protection for any who do not have it.
 
This is an older thread, you may not receive a response, and could be reviving an old thread. Please consider creating a new thread.
Top