Author Topic: VBS:Malware-gen  (Read 198701 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89394
  • No support PMs thanks
Re: VBS:Malware-gen
« Reply #135 on: July 26, 2008, 02:08:31 AM »
This forum is also SMF and some time ago there was a code injection attack, so I wouldn't be surprised if "all links showed up as infected," especially if SMF software is also old.

If the site is hacked then all the pages are likely to have had code placed on them.

The URL that avast shows includes the extracted file that was scanned, the \unp263177177 at the end. So the infection is on the main forum page.

There is a Hacked by Tqrl on the page title so it would appear my assumption of it being hacked is correct and all links are likely to have been injected with code. If you are the webmaster or know the webmaster then you should let him know, if he doesn't already, that his site has been hacked.

Please modify your post so the link isn't active, e.g. hXXp://www.syaoregon.us/forum replace the tt with XX as in the example.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

decadechild

  • Guest
Re: VBS:Malware-gen
« Reply #136 on: July 26, 2008, 03:50:47 AM »
Wow. That's weird. Who would hack an inactive forum from an organization? :-\

Sorry, fixed link.

Thanks. I couldn't even see the "Hacked by Tqrl" page title.

Offline DavidR

Re: VBS:Malware-gen
« Reply #137 on: July 26, 2008, 01:57:54 PM »
No problem, glad I could help.

People or bots that don't know it is inactive; they are just seeking out vulnerabilities and exploiting them when found.

Welcome to the forums.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11655
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: VBS:Malware-gen
« Reply #138 on: July 28, 2008, 11:36:57 AM »
Wow. That's weird. Who would hack an inactive forum from an organization? :-\

It is not manual work anymore. Hackers create crawlers that proactively look for compromisable sites (such as those running outdated/vulnerable PHP-based forums) and inject the shyte automatically... it doesn't really matter if the forum is "inactive" or not...

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Grey

  • Guest
Re: VBS:Malware-gen
« Reply #139 on: August 05, 2008, 10:29:35 PM »
Hey, when opening www.metal-forever.eu I'm getting malware http://www.metal-forever.eu/forum/clientscript/vbulletin_menu.js?v=368 and aborting connection. What's up with it? Has the site a real virus or is it the next misunderstanding?
Sorry for my language
Regards Grey

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #140 on: August 05, 2008, 10:35:55 PM »
Really infected. See the top of the page, massive js encrypted stuff.

Q.Lady

  • Guest
Re: VBS:Malware-gen
« Reply #141 on: August 23, 2008, 12:22:06 PM »
I have this VBS thing in my 3 flash disks. I tried everything like moving the infected autorun file to the chest then deleting it manually or using a Turkish virus detector named Dracula but my problem persisted and recurred every time. I've just used Flash Disinfector and I haven't received any alert from Avast but when I opened my flash disks I saw a blank autorun file made by Flash Disinfector. I formatted one of my flash disks and the problem recurred again. Is Flash Disinfector a temporary solution? What do I need to do to prevent my flash disks from this VBS threat?

Thanks in advance.

wyrmrider

  • Guest
Re: VBS:Malware-gen
« Reply #142 on: August 23, 2008, 08:16:51 PM »
Q
please start your own thread - call it Flash Disinfector or something topical

run a Malwarebytes Anti-Malware free scan - click REMOVE, post the log
which virus do you have?
With avast- leave the hits in the Chest

do not delete flash disinfector or the file it creates- it's put there for your protection

do not post back here

lukosanthropos

  • Guest
Re: VBS:Malware-gen
« Reply #143 on: September 02, 2008, 10:07:09 PM »
I've got one that needs checking, www.short-fiction.co.uk (logging in with a uname/pword creates the warning)

wyrmrider

  • Guest
Re: VBS:Malware-gen
« Reply #144 on: September 02, 2008, 10:26:18 PM »
lukosanthropos
does your post have something to do with VBS:Malware-gen?
If yes continue  IF NOT start a new thread

You have one WHAT that needs checking?
Why? symptoms?
I tried that site and script block blocked two parts of it
Have you tried "site adviser" or similar?

lukosanthropos

  • Guest
Re: VBS:Malware-gen
« Reply #145 on: September 03, 2008, 01:10:34 AM »
Yes it does, going to that website I mentioned and trying to log in causes avast to show a VBS:Malware-gen error, my machine is not infected, I'm not that daft, one of my friends was asking me about it so I tested it in a vmware environment.
I posted this here as I had read the first few posts of this thread, where people highlighted websites which generated these errors from avast and let you know.

You have one WHAT that needs checking? - One website which I would like to know if they are trying to introduce malware (VBS:Malware-gen) to my machine or if this is a false alarm
Why? - Because I'm not going to use the site if it is
Symptoms? - None, I'm not stupid enough to get infected

lukosanthropos

  • Guest
Re: VBS:Malware-gen
« Reply #146 on: September 03, 2008, 01:12:25 AM »
my vps version 080902-0 (forgot that bit sorry)

wyrmrider

  • Guest
Re: VBS:Malware-gen
« Reply #147 on: September 03, 2008, 05:22:05 AM »
Thanks
I'd like to know too
perhaps one of the members with a sandbox can check out the site mentioned in post 143

Offline DavidR

Re: VBS:Malware-gen
« Reply #148 on: September 03, 2008, 06:32:52 PM »
It would be somewhat difficult to test as it requires you logon.

So I just did it with a made up username and password and the page that is causing the grief is hxxp://www.short-fiction.co.uk/account/redirect.php, unfortunately I can't capture this redirect.php page to have a look at it.

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #149 on: September 03, 2008, 07:19:14 PM »
As soon as you get the webshield warning, go to your temp directory, in _avast4_ subdir you'll find the temporary files. You can copy them elsewhere and then let webshield delete them from the temp. One of the tempfiles would be that problematic page.
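
Added example, not part of the thread and not code from any poster or from avast: once a flagged page or .js file has been copied out of the temp directory as described above, a quick static triage can show whether it carries the kind of encoded script block mentioned earlier in the thread ("massive js encrypted stuff" at the top of the page). The heuristics, the 300-character threshold and the sample page are assumptions constructed for illustration; a hit means the file deserves a closer look, not that it is confirmed malicious.

```python
import re

# Constructed sample standing in for a page copied out of the scanner's temp
# directory: an encoded script ahead of <html>, then the site's normal script.
# The encoded text decodes to the word "constructed" repeated; it is inert.
SAMPLE_PAGE = (
    "<script>eval(unescape('" + "%63%6f%6e%73%74%72%75%63%74%65%64" * 12 + "'))</script>\n"
    "<html><head><title>Forum index</title>\n"
    "<script>function toggle(id) {\n"
    "  var e = document.getElementById(id);\n"
    "  e.style.display = e.style.display ? '' : 'none';\n"
    "}</script>\n"
    "</head><body>posts</body></html>\n"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
DECODER_RE = re.compile(r"\b(?:eval|unescape|fromCharCode|document\.write)\b", re.I)
ENCODED_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)
LONG_LINE = 300  # assumed threshold; hand-written forum scripts rarely exceed it


def script_bodies(page):
    """Yield (offset, body) per inline script; a bare .js file is one body."""
    found = False
    for m in SCRIPT_RE.finditer(page):
        found = True
        yield m.start(), m.group(1)
    if not found:
        yield 0, page


def triage(page):
    """Return [(offset, [reasons])] for scripts matching two or more heuristics."""
    html_at = page.lower().find("<html")
    findings = []
    for offset, body in script_bodies(page):
        reasons = []
        if DECODER_RE.search(body):
            reasons.append("decoder call")
        if ENCODED_RE.search(body):
            reasons.append("long encoded run")
        if max((len(line) for line in body.splitlines()), default=0) > LONG_LINE:
            reasons.append("very long line")
        if 0 <= offset < html_at:
            reasons.append("script before <html>")
        if len(reasons) >= 2:
            findings.append((offset, reasons))
    return findings
```

To use it on a captured file, read the file as text and pass the contents to `triage()`; the offsets it returns point at the script blocks to inspect by hand.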