Actually, I was browsing in Firefox 1.0.7. I was not prompted or anything. I have since upgraded to 1.5 (shame on me for not having done that a while back) and this version at least prompts to open or save the file. If you open it then your infected.
This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.
I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.
This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.
And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch...". I clicked on this and... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!
Slashdot Mirror
Curiosity killed the cat.
Actually, I was browsing in Firefox 1.0.7. I was not prompted or anything. I have since upgraded to 1.5 (shame on me for not having done that a while back) and this version at least prompts to open or save the file. If you open it then your infected.
This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.
...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!
I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.
This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.
And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch