Re: My.yahoo downloading trojan's? in Security

Re: My.yahoo downloading trojan's? in Security http://www.dslreports.com/forum/r20909630 en Tue, 01 Dec 2009 02:05:41 EDT Tue, 01 Dec 2009 02:05:41 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20928332 MarkAW : Thanks for the suggestion and i did do a search and nothing was found. So i guess i was one of the lucky ones to not of gotten hit with this problem.
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle]]> http://www.dslreports.com/forum/remark,20928332 Sun, 10 Aug 2008 11:10:40 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20927824 Kayrac : A user on another forum i visit, found this plgou SQL injection website 2days ago(i think), i did a little bit of seeing exactly what the files do

Theres 2 dif files hosted there, one on the csrss area, that file is the worse of the two, it downloads 3 more files, and tries to run a 'sl.exe', my VM currently runs on crappy vista so i couldn't investigate further, but if you were hit, you may wish to look for sl.exe(no guarentee it may change filename/delete after run)

-Brian]]> http://www.dslreports.com/forum/remark,20927824 Sun, 10 Aug 2008 07:03:40 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20926197 MarkAW : I haven't used mine in so long i was suprised to see it still there and with a new look at that. But i had no problems with my.yahoo.
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle

]]> http://www.dslreports.com/forum/remark,20926197 Sat, 09 Aug 2008 18:47:55 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20925638 mysec : Another article:

My.yahoo.com Hosts Trojans - Apparently driven by techbargains.com
»news.softpedia.com/news/My-yahoo···62.shtml

The msyahoo.exe file, downloaded as rondll32.exe, installed hidden programs and commands that made some resources in users' computers available to hijackers.

sans.org notes that these files, msyahoo.exe and rondll32.exe surfaced in their current SQL injection analysis, which may be linked to the techbargains.com exploit:

More SQL Injections - very active right now
»isc.sans.org/diary.html?storyid=4844

EDIT: In the above diary, scroll down to the "yahoo.htm" analysis. The script code is the same as the code for the plgou.com/csrss/yahoo.htm site you mentioned in your post.

]]> http://www.dslreports.com/forum/remark,20925638 Sat, 09 Aug 2008 16:07:29 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20921598 Doctor Four : As japiscan00 above said, the trojans were as a result of an
attack on Techbargains. Anyone who had their RSS feed in
their MyYahoo page would have gotten the virus warnings from
their AV (or the trojan if it wasn't detected). Sandi
Hardmeier's Spyware Sucks blog has a writeup:
»msmvps.com/blogs/spywaresucks/ar···844.aspx

This topic is linked there.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
]]> http://www.dslreports.com/forum/remark,20921598 Fri, 08 Aug 2008 19:06:40 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20915642 anon : very believable scenario. How about the name of that malicious script "fuckjp" (as in, Fuck Japan), they're getting Japan back for WWII? No wonder Japan attacked them! I feel like attacking them myself!!

I still haven't gotten Outlook Express or *any* browswer working again, so they must have hosed some of my Internet access files before I killed their script. I've re-applied XP sp2, but this is "Home" edition, so if want to re-install XP, I've got to obliterate my HD. Oh why didn't I switch to Linux like my mother told me to?...]]> http://www.dslreports.com/forum/remark,20915642 Thu, 07 Aug 2008 17:16:20 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20915592 louist : Yes multiple problems yesterday and today. Our AV product is intercepting the trojan and disabling it. In some cases this action also disable IE.

When I shut and restart IE the problem corrects, but if you visit "My.yahoo" again, it happens again every time. Easily replicable.]]> http://www.dslreports.com/forum/remark,20915592 Thu, 07 Aug 2008 17:06:43 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20915123 la_pepe59 : I found an interesting article regarding Iframe's on CA's website. Here is a link as to what was happening and will probably continue to happen for at least a bit anyway.

http://community.ca.com/blogs/securityadvisor/archive/2008/05/28/compromised-websites-a-real-danger-for-internet-users.aspx]]> http://www.dslreports.com/forum/remark,20915123 Thu, 07 Aug 2008 15:48:36 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20915032 Graystoke :

said by rudee :

Hello,

One thing I've noticed about my.yahoo.com since I started using it is that it actually goes to cm.my.yahoo.com; that's happening with Yahoo's explicit permission. They've farmed my yahoo out to Mainland Chinese programmers (not surprising since the CEO is chinese) and now that anally retentive Chinese premier has put gov't programmers on "payback" detail to western journalists for stirring up trouble... us poor my.yahoo.com saps got taken along for the ride... just a theory.

Is that what the "cm" stands for? I always wondered what that stood for. Actually, I only saw that when the new My.Yahoo page was in beta. I don't see the "cm" anymore.

Back on subject. My.Yahoo working ok here with Firefox and IE.]]> http://www.dslreports.com/forum/remark,20915032 Thu, 07 Aug 2008 15:34:01 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20914662 therube : Well if (& assuming) this type of code is being injected into Yahoo (my.yahoo.com) web pages, isn't that going to be a vulnerability that exists on Yahoo's end (on their servers/softwares)?

Or could it be caused by code the end user placed into their page?

I gather if you have this patch installed, you're likely to be less vulnerable.

»www.microsoft.com/technet/securi···021.mspx

Further, as it appears to use vbscript/ActiveX, using a Mozilla browser would render the page ineffective.]]> http://www.dslreports.com/forum/remark,20914662 Thu, 07 Aug 2008 14:31:19 EDT Re: openDNS http://www.dslreports.com/forum/remark,20914633 anon : Good to know about and I'll use it, but I'm using a router at home and the problem only exists on the PC that got redirected to the chinese mainland web site. I changed over my router to openDNS and my.yahoo.com started to load, whereas before I was getting "web site could not be loaded". Not sure if that's because yahoo has fixed it in the interim, but they better mention something about this or I'm going to twitter to blog about it ;-).]]> http://www.dslreports.com/forum/remark,20914633 Thu, 07 Aug 2008 14:27:03 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20914555 anon : I started having the same problem at around the same time. I found that an RSS feed, that I had setup on my Yahoo home page, may have been causing the problem (i.e., techbargains.com).

when I tried to go to the site directly, I found:

Techbargains.com is undergoing maintenance right now.

Come back soon!

I deleted the RSS feed from my Yahoo home page, the problem went away (no more links to plgou.com) and no more McAfee warnings of trojans.

I am thinking that maybe the site got hacked, and they are trying to fix it. This was one of my favorite feeds, hope they fix it. ]]> http://www.dslreports.com/forum/remark,20914555 Thu, 07 Aug 2008 14:16:46 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20914427 VerdeDude : Could be possible DNS poisoning, which takes you to a malicious site.
Try using open DNS (www.opendns.com) and see if it fixes the problem. ]]> http://www.dslreports.com/forum/remark,20914427 Thu, 07 Aug 2008 13:51:36 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20914134 anon : Hello,

Yes, I have seen these exact symptoms. In addition, I saw that IE wanted to load the chinese character set and some kind of popup window appeared with a chinese looking name on it. It's either chinese dissidents or chinese gov't behind it. After deleting the previously mentioned files in system32, The b**tard hosed something to do with my Internet access. I can ping everything, but IE and Outlook Express won't work. I installed Firefox and that wouldn't work either. I haven't done anything else, but it looks like I'm going to have to run XP repair. I'm guessing it replaced one the Microsoft dll's related to http, probably a redirector of some kind. Everything works from my other computer so that's confirmed.

One thing I've noticed about my.yahoo.com since I started using it is that it actually goes to cm.my.yahoo.com; that's happening with Yahoo's explicit permission. They've farmed my yahoo out to Mainland Chinese programmers (not surprising since the CEO is chinese) and now that anally retentive Chinese premier has put gov't programmers on "payback" detail to western journalists for stirring up trouble... us poor my.yahoo.com saps got taken along for the ride... just a theory. ]]> http://www.dslreports.com/forum/remark,20914134 Thu, 07 Aug 2008 13:01:03 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20909630 skyroket : I haven't used that in quite awhile, but can't you put "unsupported" modules on your page? Maybe someone's IFRAME or some module is redirecting to some bad site. I'd remove all questionable modules and start over with your page customization.

.]]> http://www.dslreports.com/forum/remark,20909630 Wed, 06 Aug 2008 16:48:04 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20909231 Le Boule : »www.pcqanda.com/dc/dcboard.php?a···ll&page=]]> http://www.dslreports.com/forum/remark,20909231 Wed, 06 Aug 2008 15:50:53 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908914 heels_fan : FF 3.0.1

No suspect activity]]> http://www.dslreports.com/forum/remark,20908914 Wed, 06 Aug 2008 14:58:43 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908909 MagMan : I tested mine also and everything is ok.

I rarely use it though. :D]]> http://www.dslreports.com/forum/remark,20908909 Wed, 06 Aug 2008 14:57:09 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908859 Grail Knight : I do not doubt what you are saying I just answered your question on how MyYahoo worked for me.

Other members that use MyYahoo will no doubt chime in and let you know their results.
--
"Living on Earth is expensive, but it does include a free trip around the sun".]]> http://www.dslreports.com/forum/remark,20908859 Wed, 06 Aug 2008 14:48:52 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908763 la_pepe59 : Here is a link to another thread regarding this
»answers.yahoo.com/question/index···9AA3SNrG

I am using IE7 fully patched but haven't been back there lately as I am trying to remove the nasties from my machine. When launching IE normally it creates subs called sss.exe, beauty.exe and fengxing.exe that I see in process explorer. Under limited user, those don't launch.]]> http://www.dslreports.com/forum/remark,20908763 Wed, 06 Aug 2008 14:32:11 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908611 Grail Knight : Just tested MyYahoo and it is working fine on Fx v3.0.2pre.]]> http://www.dslreports.com/forum/remark,20908611 Wed, 06 Aug 2008 14:05:32 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908600 Grail Knight : MyYahoo is the personalized page yahoo users can create if they have an account.

Email, weather, personalized news, etc.. The user puts it together by selecting modules and colors.
--
"Living on Earth is expensive, but it does include a free trip around the sun".]]> http://www.dslreports.com/forum/remark,20908600 Wed, 06 Aug 2008 14:04:10 EDT Re: My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908564 Rungel : What is My.yahoo? Is it part of there messenger IM service?]]> http://www.dslreports.com/forum/remark,20908564 Wed, 06 Aug 2008 13:55:40 EDT My.yahoo downloading trojan's? http://www.dslreports.com/forum/remark,20908087 la_pepe59 : It appears to have started today but going to my yahoo page is linking to plgou.com/csrss/yahoo.htm and trying to download some trojans. I noticed another thread on answers.com where another person was having the same issue and it just started today.

Anyone else seen this?]]> http://www.dslreports.com/forum/remark,20908087 Wed, 06 Aug 2008 12:33:37 EDT