Thread: New Trojan/Spyware (might hijack/rewrite DNS info)

  1. #1
    Member GT500's Avatar
    Join Date
    Nov 2005
    Location
    Indiana, USA
    Posts
    70

    New Trojan/Spyware (might hijack/rewrite DNS info)

    I just found a link in the server-side stats for my website which showed that a webpage about some video was linking to my website. When I followed the link to see what this webpage was about, I found what looked to be a YouTube video embedded in the page, but a dialog popped up complaining that I needed to download a new ActiveX control to view the video. It looked like a dialog you would see in IE6 on Windows XP, but I'm using Opera 9.23 on Linux, so it was obviously JavaScript. The scripting on the page was also very persistent, and each time I tried to cancel the download, it would just start it back up again (eventually causing Opera to hang, and me to be forced to kill the Opera processes in my KDE SystemGuard). While I did not take a look at the scripting, or try the site out in any other browser, my guess is that it will also exploit security flaws in Internet Explorer to automatically install itself on visitors' computers, and do so without their knowledge.

    The URL of this website is below. Please note that this link is for the Spybot team only, and no one but you can be held responsible for the damage done to your computer if you follow this link, and your system gets infected.
    "http://www.volny.cz/alexpics/video.html" (quotes are to prevent auto-linking)

    The file that was downloaded was called "VideoAccessCodecInstall.exe" and it was identified by ClamAV as "Trojan.Dropper-2259" and by AntiVir as "TR/DNSChanger.CA.9". Kaspersky Labs just e-mailed me back to confirm that this really is a new virus, and that they have named it "Trojan-Downloader.Win32.Zlob.byx".

    If you need any more info, then just let me know.

    If this would have been better reported via e-mail or an online form, then let me know, and I will make sure to use it next time.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Hello.

    Thank you for the quotes around the link.

    If you have the file/s, please do zip and send to: detections(AT)spybot.info (Replace AT with @)

    Add any information you may have to that email.

    Best Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Member GT500's Avatar
    Join Date
    Nov 2005
    Location
    Indiana, USA
    Posts
    70

    I hope that GZipping the virus I e-mailed didn't cause you any trouble. I don't normally use ZIP for single files on Linux, and I've found that most archive managers can uncompress a GZipped file.
