Some help/advice would be welcomed!
Following a recent post I made in another group, a member responded .......
BTW, "uploading.com" tried to send me a present... Trojan.Script.255082
(Virus)
My security software took care of that for me. Perhaps you should scan your
computer for viruses.
**
I replied as follows:
That's most interesting. I pasted your finding here:
http://www.viruslist.com/ - it found nothing.
I tried here, too:
http://threatinfo.trendmicro.com/vinfo/default.asp?sect=SA Nothing of
that name found.
> My security software took care of that for me. Perhaps you should scan
> your
> computer for viruses.
What "security software" are you using, Ron?
Did you/can you send the 'rogue' item to http://www.virustotal.com/ or
http://virusscan.jotti.org/en or is it too late?
An independent check can be useful to rule out false positives.
****
You probably appreciate that I'm using an Apple iMac - with the most
current and up-to-date software.
OS X is (supposedly) virtually malware free, unlike Windows XP which I
think you are using.
I'd appreciate your further comments.
**
The following response was received:
Charter Security Suite 9.01
Viruses are automatically removed, all I see is what actions were taken.
From what I saw on the action log the infected file was named "pdffile.php"
and came from "statcntr.com".
**
Has anyone come across this before?
Few results were found by Google, but this one from just 2 days ago may
be helpful.
http://www.cybertechhelp.com/forums/showthread.php?p=1148394#post1148394
Any comment will be appreciated.
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
Mike Easter
01-09-10, 12:22 PM
~BD~ wrote:
> Following a recent post I made in another group, a member responded .......
Where is that conversation?
> BTW, "uploading.com" tried to send me a present... Trojan.Script.255082
> (Virus)
uploading.com is a file sharing place. That is a common way for viruses
to get spread around. If a person is going to download files being
passed around, then they have a responsibility to protect themselves.
> My security software took care of that for me. Perhaps you should scan your
> computer for viruses.
That is a stupid and useless remark by him. That person doesn't know if
his AV ware gave a false positive. That person hasn't taken the
quarantined object to be checked out. That person didn't actually
accurately describe how he came to be alerted - whether it was from a
file he downloaded or from some kind of insecure setting on his browser.
It isn't clear to me if he is saying that he invited the webserver to
run a script which was malware or something else.
And, even if he had, advising you as he did doesn't make any sense.
> That's most interesting. I pasted your finding here:
Searching on the name of a virus which is given to you by someone else's
AV agent isn't a reliable way to get some information.
There are all kinds of ways to name a virus, and searching on one string
often will not give a hit on a similar string which is what some other
AV agent calls some particular virus or malware family.
IMO you should 'drop' the investigation you are attempting.
> Did you/can you send the 'rogue' item to
> Charter Security Suite 9.01
>
> Viruses are automatically removed, all I see is what actions were taken.
Which means that he can't tell the false positives from the real ones
and it also means that he doesn't care to.
> From what I saw on the action log the infected file was named
> "pdffile.php"
> and came from "statcntr.com".
Similarly, there isn't really any use searching on either the .php or
the domainname.
> Any comment will be appreciated.
Forget it. Your investigation is worthless, or at least seems worthless
to me.
uploading.com doesn't even say whether or not they screen the shared
files for malware, but it doesn't matter whether they do or not, because
the potential problems and responsibilities for self protection for the
downloader are still the same.
If you choose to interpret his report as saying that uploading.com is a
dangerous malware site, you can check the google safe browsing tool and
see if it is reported. I doubt it.
At the top of my list is a false report based on some kind of webserver
stat tool script or something.
--
Mike Easter
On 09/01/2010 18:22, Mike Easter wrote:
> ~BD~ wrote:
>> Following a recent post I made in another group, a member responded
>> .......
>
> Where is that conversation?
Hi Mike
It's in alt.politics.scorched-earth - Thread: Ping: Pogo Stick aka
Aardvark
From: "RonNNN"<nrrrr@charter.net>
Newsgroups: alt.politics.scorched-earth
Subject: Ping: Pogo Stick aka Aardvark
Date: Thu, 7 Jan 2010 18:15:06 -0600
Organization: A noiseless patient Spider
Lines: 31
>> BTW, "uploading.com" tried to send me a present... Trojan.Script.255082
>> (Virus)
>
> uploading.com is a file sharing place. That is a common way for
> viruses to get spread around. If a person is going to download files
> being passed around, then they have a responsibility to protect
> themselves.
I totally agree!
>> My security software took care of that for me. Perhaps you should
>> scan your
>> computer for viruses.
>
> That is a stupid and useless remark by him. That person doesn't know
> if his AV ware gave a false positive. That person hasn't taken the
> quarantined object to be checked out. That person didn't actually
> accurately describe how he came to be alerted - whether it was from a
> file he downloaded or from some kind of insecure setting on his
> browser. It isn't clear to me if he is saying that he invited the
> webserver to run a script which was malware or something else.
>
> And, even if he had, advising you as he did doesn't make any sense.
I'm uncertain how to respond to you!
>> That's most interesting. I pasted your finding here:
>
> Searching on the name of a virus which is given to you by someone
> else's AV agent isn't a reliable way to get some information.
>
> There are all kinds of ways to name a virus, and searching on one
> string often will not give a hit on a similar string which is what
> some other AV agent calls some particular virus or malware family.
>
> IMO you should 'drop' the investigation you are attempting.
OK - I'll heed your advice.
>> Did you/can you send the 'rogue' item to
>
>> Charter Security Suite 9.01
>>
>> Viruses are automatically removed, all I see is what actions were taken.
>
> Which means that he can't tell the false positives from the real ones
> and it also means that he doesn't care to.
>
>> From what I saw on the action log the infected file was named
>> "pdffile.php"
>> and came from "statcntr.com".
>
> Similarly, there isn't really any use searching on either the .php or
> the domainname.
>
>> Any comment will be appreciated.
>
> Forget it. Your investigation is worthless, or at least seems
> worthless to me.
You, sir, are probably right!
> uploading.com doesn't even say whether or not they screen the shared
> files for malware, but it doesn't matter whether they do or not,
> because the potential problems and responsibilities for self
> protection for the downloader are still the same.
>
> If you choose to interpret his report as saying that uploading.com is
> a dangerous malware site, you can check the google safe browsing tool
> and see if it is reported. I doubt it.
>
> At the top of my list is a false report based on some kind of
> webserver stat tool script or something.
Please reserve judgement until you've reviewed my next post in the SE
thread.
Thank you for your time taken to respond. I do appreciate it! :)
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
Is *anyone* familiar with ........... Trojan.Script.255082 ?
Further comments welcomed :)
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
Mike Easter
01-10-10, 02:20 PM
posted to a.c.s only
~BD~ wrote:
> Is *anyone* familiar with ........... Trojan.Script.255082 ?
>
> Further comments welcomed :)
The AV engine in RonNNN's AV ware is F-secure for Charter Security. If
you go to that website and enter that term into the search tools for the
exact same ware he is using, it does not give you a listing or hit, only
the definition for trojan.
The person to have tracked this down was RonNNN, not you. You don't
have access to the item/threat in question.
--
Mike Easter
On 10/01/2010 20:20, Mike Easter wrote:
> posted to a.c.s only
>
> ~BD~ wrote:
>> Is *anyone* familiar with ........... Trojan.Script.255082 ?
>>
>> Further comments welcomed :)
>
> The AV engine in RonNNN's AV ware is F-secure for Charter Security.
> If you go to that website and enter that term into the search tools
> for the exact same ware he is using, it does not give you a listing or
> hit, only the definition for trojan.
>
> The person to have tracked this down was RonNNN, not you. You don't
> have access to the item/threat in question.
>
I discovered earlier today that the threat is also known as .......
Exploit.JS.Pdfka.asd
I have no idea why RonNNN should have had his Security Suite spring to
his aid when he (allegedly) clicked on the link I had posted.
FYI - some long time ago now, having been permitted to rejoin Annexcafe
on the UK U2U group (only) - on a known clean machine, with Norton
Internet Security 2006 installed before connecting to the Internet
(bought from PC World in a box) I once again connected to U2U. The *very
first* link I followed (in a post by a still-active poster called
Makara@Starfleet) what happened? I was presented with an in-the-face big
red warning by NIS.
When I raised the matter with the Moderator of the group, expecting a
somewhat sympathetic ear, I was immediately slapped down, told that
there was nothing amiss with the site in question and that it must have
been a fault at my end. When I went back to that same URL some hours
later, no warning whatsoever was encountered. I felt then, and now, that
the malware on said URL had been removed by the overlords at Annexcafe.
I'd wager, perhaps, that Makara had no idea that he may have been
directing others to a malicious site. It left me with that hinky feeling
again ........... ;)
Just so you know!
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
"~BD~" wrote:
> I discovered earlier today that the threat is also known as .......
> Exploit.JS.Pdfka.asd
That tells me it's a malicious PDF file using embedded javascript.
These are very common initiators of drive-by infections when visiting
bad websites (or even good sites with poor security). The PDFs usually
exploit bugs in Acrobat reader and sometimes other PDF readers. I've
examined many of these files and have yet to see one targeted at any
OS other than Windows.
It's easy to avoid falling victim to them:
* Don't allow your browser to auto-open PDFs.
* If you want to open PDFs online:
- Keep your PDF reader current with the latest version/patches
- Turn off the reader's ability to run its own javascript.
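Ant's advice rests on how a drive-by PDF works: embedded JavaScript wired to an action that fires when the document opens, so it runs without a click. The following triage script is an added illustration, not code from this thread; it counts those PDF name tokens in a file and resolves the #xx hex escapes (e.g. /J#61vaScript) that obfuscated samples use to hide the /JavaScript keyword from naive string searches. The sample PDF bytes are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample: a minimal PDF-like byte string whose /OpenAction points
# at a JavaScript action. The name "/JavaScript" is written with a hex-escaped
# letter (/J#61vaScript), which PDF readers accept but plain grep would miss.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names whose presence justifies a closer look (an indicator, not proof of malice).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia")

def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript becomes /JavaScript before
    keyword matching. For triage we apply this to the whole file, which is
    coarse (it also touches '#' inside strings) but errs on the side of finding."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_suspicious_names(data: bytes) -> dict:
    """Count each suspicious name as a whole token, so /JS does not also
    match the prefix of some longer name such as /JSomething."""
    normalised = decode_pdf_names(data)
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, normalised))
        if n:
            counts[name] = n
    return dict(counts)

def looks_like_auto_run_js(data: bytes) -> bool:
    """The combination Ant describes: JavaScript plus an open-time or
    additional-action trigger, which is what a drive-by PDF needs."""
    c = count_suspicious_names(data)
    has_js = "/JavaScript" in c or "/JS" in c
    auto_trigger = "/OpenAction" in c or "/AA" in c
    return has_js and auto_trigger

if __name__ == "__main__":
    print(count_suspicious_names(SAMPLE_PDF))
    print("auto-run JavaScript:", looks_like_auto_run_js(SAMPLE_PDF))
```

Real samples often compress the action objects inside FlateDecode streams, so a hit count of zero on a raw file is not a clean bill of health; treat this as a first pass before a proper PDF parser.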
Mike Easter
01-10-10, 08:11 PM
~BD~ wrote:
> Mike Easter wrote:
>
>> The person to have tracked this down was RonNNN, not you. You don't
>> have access to the item/threat in question.
>>
> I discovered earlier today that the threat is also known as .......
> Exploit.JS.Pdfka.asd
That information does not connect the dots which are worthwhile to this
discussion. Why did RonNNN's browser want to go somewhere else than the
target website and why did it want to execute the malware.
RonNNN reported the name of something to you. How he came to encounter
it with his system is unknown. Because he is a top poster and cannot
read news messages comprehensively, he has not even responded to the
question about what is his browser (and its version).
> I have no idea why RonNNN should have had his Security Suite spring to
> his aid when he (allegedly) clicked on the link I had posted.
Exactly. And that question is all that really matters in this
'investigation'.
> FYI - some long time ago now,
<snip>
> Just so you know!
Those 'personal' stories do not relate to this issue. Nor does RonNNN's
'personal' opinion that your 'personal' referral to the uploading.com
website applies to anything about this.
This is not about 'people' or personalities at all.
--
Mike Easter
On 11/01/2010 00:47, Ant wrote:
> "~BD~" wrote:
>
>
>> I discovered earlier today that the threat is also known as .......
>> Exploit.JS.Pdfka.asd
>>
> That tells me it's a malicious PDF file using embedded javascript.
> These are very common initiators of drive-by infections when visiting
> bad websites (or even good sites with poor security). The PDFs usually
> exploit bugs in Acrobat reader and sometimes other PDF readers. I've
> examined many of these files and have yet to see one targeted at any
> OS other than Windows.
>
> It's easy to avoid falling victim to them:
> * Don't allow your browser to auto-open PDFs.
> * If you want to open PDFs online:
> - Keep your PDF reader current with the latest version/patches
> - Turn off the reader's ability to run its own javascript.
>
>
>
Many thanks, 'Ant'.
What really surprised me was that whilst I appreciate that
http://uploading.com/ might have been infected, no-one else in our Yahoo
engine owners group reported any exploit.
I wonder if anyone else reading here checked the site with a Windows
machine. I tried it with my wife's laptop (XP Home SP3, IE8 and MSE
protection) and had no warning at all.
--
Dave (Sometimes man stumbles over the truth ...... Sir Winston Churchill)
BoaterDave
01-11-10, 06:10 AM
On 11 Jan, 02:11, Mike Easter <Mi...@ster.invalid> wrote:
> ~BD~ wrote:
> > Mike Easter wrote:
>
> >> The person to have tracked this down was RonNNN, not you. You don't
> >> have access to the item/threat in question.
Agreed
> > I discovered earlier today that the threat is also known as .......
> > Exploit.JS.Pdfka.asd
>
> That information does not connect the dots which are worthwhile to this
> discussion. Why did RonNNN's browser want to go somewhere else than the
> target website and why did it want to execute the malware.
I don't know.
> RonNNN reported the name of something to you. How he came to encounter
> it with his system is unknown. Because he is a top poster and cannot
> read news messages comprehensively, he has not even responded to the
> question about what is his browser (and its version).
I've asked him to come here
> > I have no idea why RonNNN should have had his Security Suite spring to
> > his aid when he (allegedly) clicked on the link I had posted.
>
> Exactly. And that question is all that really matters in this
> 'investigation'.
>
> > FYI - some long time ago now,
>
> <snip>
>
> > Just so you know!
>
> Those 'personal' stories do not relate to this issue. Nor does RonNNN's
> 'personal' opinion that your 'personal' referral to the uploading.com
> website applies to anything about this.
>
> This is not about 'people' or personalities at all.
Easy to read page for Ron to read some background!
http://forums.speedguide.net/showthread.php?t=254309&mode=linear
--
Dave