
koolman2
Premium
join:2002-10-01
Anchorage, AK

2 edits

1 recommendation

Is this site infected?

downloadvirus.txt 174 bytes  
My uncle got a political flyer the other day, and when he visited their website, AVG caught some form of malware. I want to know if it really is infected and not a false positive, so that we can contact them and let them know. The link is contained inside the text file attached to this post, and a screencap of the virus detected message is above as well. It pops up with both IE and Firefox, and IE requests ActiveX scripts to run, which I denied, of course.

Thanks a bunch.
--
huh?


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
Looking at the view source, I think it is for real and you should let them know.

Cudni

Graycode

join:2006-04-17
reply to koolman2
The image shows some of the bad things that site is doing.


reckoner

join:2001-03-24
Fort Collins, CO
reply to koolman2


dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
kudos:18
reply to koolman2
LOL! POOR coding on that page! Opera chokes hard on it for 30 seconds and finally opens.

IE7 just gets stuck in a loop asking for ActiveX.
--
Think outside the Fox... Opera


Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK
reply to koolman2

Norton Warning

ActiveX Warning
Norton went bonkers as well.


Greg_Z
Premium
join:2001-08-08
Springfield, IL
reply to koolman2
The site is hosted by wildwestwestdomains.com


Stem Bolt
Aka Smiling Bob
Premium
join:2002-11-08
Cleveland, OH
kudos:2

1 edit
reply to koolman2
Dr. Web caught it also.
--
Dr.Web, BOCLEAN, Router/Firewall, Firefox, Acronis True Image


jp0469
JP

join:2000-12-13
Rochester, MA
kudos:1
reply to koolman2

Avast alert
Avast caught it too but only when opened in Internet Explorer. Nothing when opened in Firefox.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to koolman2
Visited it using Mozilla 1.7.10. Nothing whatsoever from
Avast when the page was loaded, but scanning my cache came
up with the same warning about Gedza.A.

Since I don't have an ActiveX extension for Mozilla, it
can't be executed.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Destiny Of The Daleks)


Owlbet
Ignite the Ice
Premium,MVM
join:2002-09-24
Palmer, AK

1 edit

3 recommendations

reply to koolman2
I just got off the phone with Fran Gianoutsos and she was shocked (to say the least) that their site is throwing up these warnings. She said she would get in touch with her webmaster.

Elections and candidates are public information. I found their contact information here:

»www.gov.state.ak.us/ltgov/electi···d06g.php


Stem Bolt
Aka Smiling Bob
Premium
join:2002-11-08
Cleveland, OH
kudos:2

3 edits
reply to koolman2
Looks like they took down the website.
--
Dr.Web, BOCLEAN, Router/Firewall, Firefox, Acronis True Image


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to koolman2
F-Prot does not like the site either.



eyespy6

join:2002-12-09
Canada
reply to Stem Bolt
As of 6:55 PM East, Oct21/06, it's still infectious!!

Regards,
bill


Greg_Z
Premium
join:2001-08-08
Springfield, IL
reply to Stem Bolt
said by Stem Bolt:

Looks like they took down the website.
Nope, still up. I guess the admins over @ WildWestdomains.com do not know how to kill a server. Most likely there is more than one site infected over there.
--
I threw out the map a long time ago. Now I follow my own direction!


anony101

@bellsouth.net
reply to koolman2
Bitdefender found 16 infections. All .htm files.

Kaspersky finds nothing. Can anyone confirm this?


Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1
reply to Graycode
Scroll on down.

eyespy6

join:2002-12-09
Canada
reply to eyespy6
Still infectious as of 7 PM Eastern!

Regards,
bill


Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1
reply to anony101
Hell, even Clam detects it; don't know what's up with KAV.
--
Best Regards, Vampirefo


Stem Bolt
Aka Smiling Bob
Premium
join:2002-11-08
Cleveland, OH
kudos:2

3 edits
reply to koolman2
Funny, I can't open the website anymore in Firefox but I can still get the website in Internet Explorer multiple times. I was able to load the site 1 time in Firefox that's when Dr. Web detected it. I've shut down Firefox and restarted but still can't load the website.
------------
Edit: Dr. Web "locked" objects from this site while in Firefox. That's why I can't reload the website in Firefox.

--
Dr.Web, BOCLEAN, Router/Firewall, Firefox, Acronis True Image


poppster
Tell the truth and then run.
Premium
join:2003-12-23
Midwest
kudos:1
reply to koolman2
AntiVir PE Classic caught it in no time.
--
Dedicated to TD, TSC, and F@H 24/7!


anony101

@bellsouth.net
reply to koolman2
The only antivirus which doesn't catch the infection is Kaspersky. Go figure???

ALL 16 html pages have the infection embedded and I'm sorry to say that the server itself is compromised and being used as a warez download site. Hope they have a good backup.

mysec
Premium
join:2005-11-29
kudos:4
reply to koolman2
It's a Turkish VBS virus created by GEDZAC LABS. Search for GEDZAC for links to Gemel virus and others.

Their work goes back at least to 2003, where Sophos identified W32/Mapson-A:

In July the worm displays 2 message boxes about the
author and the worm, one with the title "Lorraine Worm
[GEDZAC LABS 2003]" and the message "Creado por Falckon/GEDZAC"
and the second with the same title and a message containing
the text "Dedicado a mi G. Lorena R. S.".

Pulling this from the Alaska page:

bktbna'/"ue4

a number of other sites turn up in a search:

'<*************GEDZAC LABS 2004**********> Rem VBS/Israfel.a un
producto de <GEDZAC LABS> Rem USA aqui tienes un enemigo
más, un grano de arena más en el desierto

<title>Backup Newffr.com 2001-2006 - Virus & Anti-Virus -
petit virus vbs -> Gedzac Labs 2004</title>



-rich

______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier


kw
Premium
join:2004-06-12
New Albany, OH
kudos:6
reply to koolman2
McAfee caught it while running Firefox. They should get on that. Is that virus a "bad" one?


PCInTech
keeping art alive since 1953
Premium
join:2004-06-07
Massena, NY
kudos:9
reply to koolman2
ZA Security Suite hit right on it, too. There's some amazing sites out there.


cableties
Premium
join:2005-01-27
reply to koolman2
7:20 PM EST and Avast (through Firefox) found that worm. (Sign of VBS:Gedza [Wrm]; Abort connection)


heels_fan
1.20.09 The start of Socialism
Premium
join:2003-02-07
Columbia, TN
kudos:1
reply to koolman2
nothing here with Firefox, AVG and the NoScript Extension

mvdu
Premium
join:2003-07-28
Collegeville, PA
kudos:1
reply to koolman2
Ok, I became the guinea pig. I am a Kaspersky user, but have Norton Ghost, so I decided to try the page on IE with ActiveX completely allowed. There was a scripting error with the VBS file. Perhaps it's corrupt, and that's why Kaspersky isn't detecting?
--
Don't Blame Me, I Voted for Kerry!

JTY

join:2004-05-29
Ellensburg, WA
reply to koolman2
Zone Alarm AV doesn't like it either.


tonyfer2

join:2002-08-14
Elizabeth, NJ
9:00 PM EST, still getting warning about Gedza.A.
from AVG, Norton and ZA