

This is a read only archive of the old forums
The new CBn forums are located at https://quarterdeck.commanderbond.net/

 

Shock Troop your site is infected


14 replies to this topic

#1 Nigel Bloch

Nigel Bloch

    Midshipman

  • Crew
  • 38 posts

Posted 16 February 2002 - 01:47 AM

Shock troop, I just went to ur site and every page I went to came up with a virus called HapTime I think. Just thought I'd let you know because people who don't have a virus scanner will have their computer infected every time they go to your site.

#2 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 02:02 AM

I've just checked. Each page has some script errors on it (those things where it says "do u want to continue running this page?, yes/no")
I think your virus scanner has just picked up on this, as Hap time is short for a JavaScript error called "Happy Time".

Trust me, there are no viruses on the website. I've just been and checked when all the files were last updated, and they have not been touched since I last updated the site. So there is no way someone could have messed about with my site.

I think the problem is just down to an overprotective virus-protector. Try turning the security level down a bit and it should be fine.

Thanks for the tip off though, it's good to know that if there was a problem on my little corner of the web, someone would let me know.

So Remember People: "My Site Is A Safe Site"
(or some other cheesy line, that keeps you visiting)

#3 Nigel Bloch

Nigel Bloch

    Midshipman

  • Crew
  • 38 posts

Posted 16 February 2002 - 02:14 AM

no prob, great site by the way! :-)

#4 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 02:19 AM

Thanx, I just finished work on the intro-movie on the first page this morning, I spent most of yesterday on it.

#5 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 02:25 AM

By the way, does anyone who has Flash5 know how to make pre-loaders?
I'd be very grateful if I could send someone the source file, and they put a pre-loader on for me.

Anyone?

(I'm going to bed now, it's 2:25am)

#6 Nigel Bloch

Nigel Bloch

    Midshipman

  • Crew
  • 38 posts

Posted 16 February 2002 - 02:28 AM

I just found something on the McAfee site. Happy time is a virus and it seems quite bad:
for more info go to: http://vil.mcafee.co...?virus_k=99080

This Visual Basic Script virus will append itself to files, delete files, and can spread via embedded VBScript, contained in the body of HTML formatted email messages.
When the script is permitted to run, the virus inserts itself at the end of .ASP, .HTM, .HTML, .HTT, and .VBS files. If the current day plus the current month is equal to 13, the virus attempts to delete .DLL and .EXE files on local and network drives.

The virus saves its viral code to HELP.HTA and HELP.VBS in the first directory found on the C: drive, and to HELP.HTM and UNTITLED.HTM in the WINDOWS directory.

A registry key value is created to set the HELP.HTM file to the current wallpaper which results in the execution of the virus at system startup, if active desktop is enabled:

HKCU\Control Panel\Desktop\wallPaper=%WinDir%\HELP.HTM

In a similar fashion to JS/Kak@M, this virus configures the default stationery used by Microsoft Outlook Express to an external file, %WinDir%\UNTITLED.HTM. This causes each message sent from Outlook Express to contain hidden viral code. These settings are modified in the registry to accomplish this task:

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML="1"

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationery="1"

HKCU\Identities\(User ID)\Software\Microsoft\Outlook Express\5.0\Mail\Stationery Name="%WinDir%\Untitled.htm"

Additionally, the .HTT files in the %WinDir%\WEB directory are infected, which results in the virus getting executed each time a folder is viewed as a web page.

The virus keeps track of the number of times that it has been executed by creating a new registry key and incrementing a key value in this key:

HKCU\Software\Help

Once the counter reaches a multiple of 366, the virus will unsuccessfully attempt to attach UNTITLED.HTM to the email message which it sends.

#7 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 02:31 AM

This looks like a job for James Page.
James?

#8 James Page

James Page

    Lt. Commander

  • Crew
  • 1456 posts

Posted 16 February 2002 - 02:24 PM

Due to these kinds of viruses, I refuse to use Outlook in any way shape or form. So I survived a visit to your website intact! :-)

Sorry ShockTroop, but I can confirm that the HTML pages have the virus script attached, and will infect any visitor who uses Outlook Express 5.

As you use DreamWeaver 4, I suggest you try the "Clean Up HTML" command with all options enabled. This should strip out the VB script from all your pages.

But as you are likely to be infected yourself, they will probably re-embed every time you modify them/open them in IE with write access.

Worst case scenario, manually strip out the VB script from the end of every page (I've attached a SAFE copy of it below so you know what it looks like) and reinstall Windows. Keep in mind though, that after you have a clean set-up, DO NOT EXECUTE (i.e. open in IE) any of your HTML files without checking them in a safe text editor like Wordpad first.

Hope this helps,
Cheers,
J

----------------------------------
Rem I am sorry! happy time
On Error Resume Next
mload
Sub mload()
On Error Resume Next
mPath = Grf()
Set Os = CreateObject("Scriptlet.TypeLib")
Set Oh = CreateObject("Shell.Application")
If IsHTML Then
mURL = LCase(document.Location)
If mPath = "" Then
.....lots cut out to make it safe here...
If Mid(S, 4, 1) = 1 Then
IsDel = True
Else
IsDel = False
End If
End Function
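
James's cleanup advice (strip the appended VB script from the end of every page, then keep the files from being rewritten) can be scripted. The following Python is an added example, not part of the thread and not the DreamWeaver "Clean Up HTML" command he mentions: it walks a web root, flags pages carrying a VBScript block that contains the marker strings from the neutered snippet above, and strips that block. It assumes the virus wraps its VBScript in a <script language="vbscript"> element appended at the end of each page; the marker strings stand in for a real antivirus signature, and the sample pages are constructed.

```python
"""Flag and strip an appended VBScript block from HTML/ASP/HTT files.

Added example. Assumptions: the appended code sits inside a
<script language="vbscript"> element; markers are from the neutered snippet.
"""
import re
import tempfile
from pathlib import Path

# Marker strings from the neutered snippet. A block must carry at least two
# of them so an ordinary VBScript block on a page is not a false positive.
MARKERS = (
    "rem i am sorry! happy time",
    'createobject("scriptlet.typelib")',
    "sub mload()",
)
MIN_HITS = 2

# Extensions the McAfee description says the virus appends itself to.
INFECTABLE = {".asp", ".htm", ".html", ".htt", ".vbs"}

# A VBScript <script> element and its body, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*vbscript[^>]*>(.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)


def marker_hits(text):
    """Count how many marker strings occur in text (case-insensitive)."""
    lowered = text.lower()
    return sum(marker in lowered for marker in MARKERS)


def find_infected_blocks(text):
    """Return (start, end) spans of VBScript blocks carrying the markers."""
    return [(m.start(), m.end()) for m in SCRIPT_RE.finditer(text)
            if marker_hits(m.group(1)) >= MIN_HITS]


def is_infected(text):
    return bool(find_infected_blocks(text))


def clean(text):
    """Remove every flagged block; delete from the end so offsets stay valid."""
    for start, end in reversed(find_infected_blocks(text)):
        text = text[:start] + text[end:]
    return text.rstrip() + "\n"


def scan_tree(root, fix=False):
    """Classify each infectable file under root; rewrite flagged pages if fix.
    Returns {relative path: 'clean' | 'infected' | 'cleaned' | 'review'}."""
    root, results = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in INFECTABLE:
            continue
        key = path.relative_to(root).as_posix()
        # latin-1 round-trips every byte, so a rewrite never corrupts the file.
        text = path.read_text(encoding="latin-1")
        if path.suffix.lower() == ".vbs":
            # A .vbs file has no <script> wrapper: flag it for manual review.
            results[key] = "review" if marker_hits(text) >= MIN_HITS else "clean"
        elif not is_infected(text):
            results[key] = "clean"
        elif fix:
            path.write_text(clean(text), encoding="latin-1")
            results[key] = "cleaned"
        else:
            results[key] = "infected"
    return results


# Constructed sample pages: a clean page, the same page with a payload-free
# marker block appended, and a page with a harmless VBScript block.
CLEAN_PAGE = "<html><body><h1>Site front page</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<script language="vbscript">\nRem I am sorry! happy time\n'
    'Sub mload()\nSet Os = CreateObject("Scriptlet.TypeLib")\nEnd Sub\n</script>\n'
)
BENIGN_VBS_PAGE = ('<html><body><script language="vbscript">MsgBox "hello"'
                   "</script></body></html>\n")


def demo():
    """Scan, fix and re-scan a temporary web root; return the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.htm").write_text(INFECTED_PAGE, encoding="latin-1")
        Path(tmp, "about.html").write_text(CLEAN_PAGE, encoding="latin-1")
        return scan_tree(tmp), scan_tree(tmp, fix=True), scan_tree(tmp)


if __name__ == "__main__":
    for label, report in zip(("before", "fix", "after"), demo()):
        print(label, report)
```

Requiring the markers to sit inside an actual <script> element is what keeps a page that merely displays the snippet as text, as this thread does, from being flagged; that is the false positive Nigel's scanner produced on the board. Cleaning only deals with the pages themselves: as James says, the machine that edits them must be clean too, or the block comes back.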

#9 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 03:15 PM

James, if I install Norton (anti-virus), will this prevent me having to re-install Windows (and losing all my data)?
Then I just clean-up the HTML?

#10 James Page

James Page

    Lt. Commander

  • Crew
  • 1456 posts

Posted 16 February 2002 - 03:45 PM

If Norton can track the modification of HTML files, then yes. Bear in mind though, that you will probably need to keep Norton running all the time from now on, or until you are 110% sure that you have eliminated every trace of this virus.

Best way is to mark every single one of the infected files read only, and only unlock them when you are editing in a safe application.

#11 Nigel Bloch

Nigel Bloch

    Midshipman

  • Crew
  • 38 posts

Posted 16 February 2002 - 04:41 PM

For some reason it seems that this part of the board is now infected with the virus. How can that be?? The same message comes up here as well now. Strange.

#12 James Page

James Page

    Lt. Commander

  • Crew
  • 1456 posts

Posted 16 February 2002 - 06:18 PM

Nigel Bloch (16 Feb, 2002 04:41 p.m.):
For some reason it seems that this part of the board is now infected with the virus. How can that be?? The same message comes up here as well now. Strange.


Irresponsible nonsense.

#13 Nigel Bloch

Nigel Bloch

    Midshipman

  • Crew
  • 38 posts

Posted 17 February 2002 - 06:23 AM

James Page (16 Feb, 2002 06:18 p.m.):

Nigel Bloch (16 Feb, 2002 04:41 p.m.):
For some reason it seems that this part of the board is now infected with the virus. How can that be?? The same message comes up here as well now. Strange.


Irresponsible nonsense.


I know why it came up with the virus message on here. It's because u posted that section of it and my virus scanner thought it was infected. My bad :-)

#14 James Page

James Page

    Lt. Commander

  • Crew
  • 1456 posts

Posted 17 February 2002 - 12:22 PM

Nigel Bloch (17 Feb, 2002 06:23 a.m.):
I know why it came up with the virus message on here. It's because u posted that section of it and my virus scanner thought it was infected. My bad :-)


OK, I was worried that people would think I had somehow managed to get the virus to infect these boards!!! That's why I only included a very small section of the code so that webmasters would know what to look for. It's impossible for it to cause any harm in its neutered state.

#15 ShockTroop22

ShockTroop22

    Commander RNR

  • Veterans Reserve
  • 1013 posts
  • Location:Newcastle, UK

Posted 16 February 2002 - 01:52 AM

erm... Be right back. I ain't seen it yet.