Problem - Viral Site
Updated: 24 Sep 2010 | 10 comments
Looking for feedback from anyone who may have experience with a site at
http://sites.google.com/site/dfgfhjkjvcdfgh5683/qn.... The address is strange, but the linked site is for pharmaceuticals. One of my users went there and I'm concerned they may have infected their box. I took the computer off the network and restarted it in Safe Mode (XP Home SP3). The Endpoint scan didn't find any problems, but it was not able to access several folders in programs like QuickBooks and Microsoft Money. Not sure how best to proceed. TIA!
Comments
hi
I did not click on that link yet :)
What's the error message you get while opening QuickBooks or MM?
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Sorry. Getting the feel for
Sorry. Getting the feel for the site and didn't realize I had responses so fast. I haven't tried to access the programs. I shut down, went into safe mode and did a full system scan. The inaccessible folders were in the scan log.
Questions
Just two questions:
Do you see a virus after the full scan?
Did you check the access permissions for the inaccessible folders?
I never saw any virus at all.
I never saw any virus at all. The user got an email from a trusted source that included that link, so they followed it and freaked. I told them to shut it down and leave it alone, restarted in Safe Mode and did the scan. Saw several folders in the log that were inaccessible, including MM & QB. It may have been the safe mode, or the permissions. I'll check them out when I get back to the box this afternoon. Thanks!
Are you using mozilla firefox
Are you using Mozilla Firefox or Internet Explorer?
I didn't try to access MM or
I didn't try to access MM or Quickbooks. The full scan gave the error in the log. Using Firefox.
Here's the source
Here's the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- Source of the Google Sites page linked in the question (site name
     dfgfhjkjvcdfgh5683, page qnfb5w). The head and the page chrome below
     appear to be the standard Google Sites shell (gstatic.com assets, the
     jstiming timer, JOT_* helpers, the webspace config object); the only
     author-controlled content is the single table inside
     sites-canvas-main-content further down the page. -->
<head>
<script type="text/javascript">/* Copyright 2008 Google. */ (function() { // Input 0
var a=window;
// Input 1
// Timer: this.t maps a tick name to [timestampMs, data]; tick(name, data, opt_time)
// defaults the timestamp to the current time, and the constructor records a
// "start" tick using its single argument e as the timestamp (undefined for the
// shared instance h, so its "start" is simply construction time).
// window.jstiming = {Timer: d, load: h}. jstiming.pt is read from browser
// page-timing hooks (chrome.csi, gtbExternal, external) when present; the
// try/catch swallows any failure there. The ticks recorded on jstiming.load by
// the later inline scripts are handed to jstiming.report in window.onload at the
// bottom of the page.
var c="start";function d(e){this.t={};this.tick=function(f,g,b){b=b?b:(new Date).getTime();this.t[f]=[b,g]};this.tick(c,null,e)}var h=new d;a.jstiming={Timer:d,load:h};try{a.jstiming.pt=a.chrome&&a.chrome.csi?Math.floor(a.chrome.csi().pageT):a.gtbExternal&&a.gtbExternal.pageT()||a.external&&a.external.pageT}catch(i){};
// Input 2
})()
</script>
<!-- Icon assets fetched from gstatic.com (Google's static-content host). -->
<link rel="shortcut icon" href="http://www.gstatic.com/sites/p/3c554e/system/app/images/favicon.ico" type="image/x-icon" />
<link rel="apple-touch-icon" href="http://www.gstatic.com/sites/p/3c554e/system/app/images/apple-touch-icon.png" type="image/png" />
<script type="text/javascript">/* Copyright 2008 Google. */ (function() { var e=parseInt,h=window,i="length";function j(a){return document.getElementById(a)}h.byId=j;var k="";function l(a){return a.replace(/^\s+|\s+$/g,k)}h.trim=l;
// Minified Google Sites view helpers. Above: window.byId (getElementById
// wrapper) and window.trim (strips leading/trailing whitespace). Below: the
// string fragments used to build the IE6 image replacement markup.
var m="MSIE",n="6.0",o="string",p='id="',q='" ',r='class="',s='title="',t="display:inline-block;",u="left",v="float:left;",w="right",x="float:right;",y="cursor:hand;",z="<span ",A=' style="width:',B="px; height:",C="px;",D=";padding: 0;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='",E="', sizingMethod='scale');\"></span><span style=\"padding: ",F=" ",G=";",H="float:",I='"></span>';
// ie6ImgFix: only acts when the user agent reports MSIE 6.0 (and not Opera).
// It rebuilds an <img> as a pair of <span>s using the AlphaImageLoader filter,
// copying the element's id, class, title/alt, src, cssText and padding into the
// markup string N without escaping, then replaces the element via outerHTML on
// a 1ms timeout.
h.ie6ImgFix=function(a){var b=h.navigator?navigator.userAgent:k;if(b.indexOf(m)!=-1&&typeof opera=="undefined"){var d=/MSIE\s+([^\);]+)(\)|;)/;d.test(b);b=RegExp.$1;if(b==n){var c=typeof a==o?j(a):a;a=c.id?p+c.id+q:k;b=c.className?r+c.className+q:k;d=c.title?s+c.title+q:s+c.alt+q;var f=t+c.style.cssText;if(c.align==u)f=v+f;if(c.align==w)f=x+f;if(c.parentElement.href)f=y+f;var g=c.currentStyle,L=c.width-e(g.paddingLeft,10)-e(g.paddingRight,10),M=c.height-e(g.paddingTop,10)-e(g.paddingBottom,10),N=
z+a+b+d+A+L+B+M+C+f+D+c.src+E+g.paddingTop+F+g.paddingRight+F+g.paddingBottom+F+g.paddingLeft+G+(g.styleFloat?H+g.styleFloat+G:k)+I;h.setTimeout(function(){c.outerHTML=N},1)}}};var J=[],K=0;h.JOT_addListener=function(a,b,d){var c=new String(K++);a={eventName:a,handler:b,compId:d,key:c};J.push(a);return c};h.JOT_removeListenerByKey=function(a){for(var b=0;b<J[i];b++)if(J[b].key==a){J.splice(b,1);break}};
// JOT_* event bus. J holds {eventName, handler, compId, key}; JOT_addListener
// returns the key (a String object wrapping a counter) that
// JOT_removeListenerByKey accepts. JOT_postEvent delivers
// {eventName, eventSrc, payload} to every matching listener once
// window.JOT_fullyLoaded is true; a handler given as a string is resolved as a
// property of window (h[f.handler]). Until then events are queued in
// window.JOT_delayedEvents and replayed by the script at the end of the page.
h.JOT_removeAllListenersForName=function(a){for(var b=0;b<J[i];b++)J[b].eventName==a&&J.splice(b,1)};var O="function";h.JOT_postEvent=function(a,b,d){var c={eventName:a,eventSrc:b||{},payload:d||{}};if(h.JOT_fullyLoaded){b=J[i];for(d=0;d<b&&d<J[i];d++){var f=J[d];if(f&&f.eventName==a){c.listenerCompId=f.compId||k;(f=typeof f.handler==O?f.handler:h[f.handler])&&f(c)}}}else h.JOT_delayedEvents.push({eventName:a,eventSrc:b,payload:d})};h.JOT_delayedEvents=[];h.JOT_fullyLoaded=false;var P="__duration__";
// JOT_formatRelativeToNow(timestampMs, useSiteStrings): returns null if the
// timestamp is in the future or a day (1440 minutes) or more old; otherwise
// picks index 0..3 of JOT_siteRelTimeStrs / JOT_userRelTimeStrs (minute,
// minutes, hour, hours) and substitutes the floored count for "__duration__".
h.JOT_formatRelativeToNow=function(a,b){a=((new Date).getTime()-a)/6E4;if(a>=1440||a<0)return null;var d=0;if(a>=60){a/=60;d=2}a>=2&&d++;return b?h.JOT_siteRelTimeStrs[d].replace(P,Math.floor(a)):h.JOT_userRelTimeStrs[d].replace(P,Math.floor(a))}; })()
</script>
<script>
// Site/page configuration rendered by the server. Notable values: the site is
// "dfgfhjkjvcdfgh5683" with sharingPolicy OPENED and AdSense enabled; the
// viewer is the anonymous "guest" user with no write access; the page "qnfb5w"
// is revision 1 of a plain "text" page. enableAnalytics is false and
// analyticsAccountId is empty, matching the JOT_insertAnalyticsCode(false)
// call near the bottom of the page.
var webspace = {"signInUrl":"https://www.google.com/a/UniversalLogin?continue=http%3A%2F%2Fsites.google.com%2Fsite%2Fdfgfhjkjvcdfgh5683%2Fqnfb5w&service=jotspot","isGaiaBarRendered":true,"isConsumer":true,"termsUrl":"http://www.google.com/sites/help/intl/en/terms.html","enableAnalytics":false,"homePath":"/","sharingPolicy":"OPENED","isAdsenseEnabled":true,"analyticsAccountId":"","baseUri":"/site/dfgfhjkjvcdfgh5683","name":"dfgfhjkjvcdfgh5683","features":{"lazySiteHierarchy":false,"subpageNav":false,"enableNewBrowserEditChecks":true,"useStandardEmbedsInSidebar":false,"experimental":{"displayEditorLockExceptions":false},"navadminperf":false,"structuredDataSchemas":false},"domain":"defaultdomain","adsensePublisherId":null,"isStartPageEnabled":false,"domainAnalyticsAccountId":"","siteTitle":"dfgfhjkjvcdfgh5683"};
webspace.gadgets = {"isGadgetDirectoryEnabled":true,"baseUri":"/site/dfgfhjkjvcdfgh5683/system/app/pages/gadgets","isGgsRenderingEnabled":true};
webspace.user = {"uid":"","hasAdminAccess":false,"guest_":true,"domain":"","hasWriteAccess":false,"userName":"guest","dasherUser":false,"primaryEmail":"guest","displayNameOrEmail":"guest"};
webspace.page = {"canDeleteWebspace":null,"locale":"en","state":"","wuid":"wuid:gx:733189210cecb7d3","timeZone":"America/Los_Angeles","properties":{},"type":"text","canChangePath":true,"parentWuid":null,"revision":1,"title":"qnfb5w","isRtlLocale":false,"bidiEnabled":false,"siteLocale":"en","name":"qnfb5w","path":"/qnfb5w","isSiteRtlLocale":false,"parentPath":null};
// Script/CSS list for the page editor (presumably loaded only when a user with
// edit rights opens the editor); a later inline script prepends the theme and
// overlay CSS to it.
var editorResources = [
'http://www.gstatic.com/sites/p/3c554e/system/js/trog_edit__en.js',
'http://www.gstatic.com/sites/p/3c554e/system/app/css/trogedit.css',
'/site/dfgfhjkjvcdfgh5683/_/rsrc/1268949111780/system/app/css/editor.css'
];
// Not referenced anywhere else in this excerpt; presumably used by the external view script.
var JOT_clearDotPath = 'http://www.gstatic.com/sites/p/3c554e/system/app/images/cleardot.gif';
// Relative-time strings consumed by JOT_formatRelativeToNow (index 0..3;
// "__duration__" is replaced by the number of minutes or hours).
var JOT_userRelTimeStrs = ["a minute ago","__duration__ minutes ago","an hour ago","__duration__ hours ago"];
webspace.page.currentTemplate = {"title":"Web Page","path":"/system/app/pagetemplates/text"};
var JOT_siteRelTimeStrs = ["a minute ago","__duration__ minutes ago","an hour ago","__duration__ hours ago"];
</script>
<script type="text/javascript">
// jstiming checkpoint; the tick labels are opaque names that only
// jstiming.report interprets.
window.jstiming.load.tick('scl');
</script>
<!-- Theme CSS from gstatic.com plus the site's own overlay stylesheet. -->
<link rel="stylesheet" type="text/css" href="http://www.gstatic.com/sites/p/3c554e/system/app/themes/iceberg/standard-css-iceberg-ltr-ltr.css" />
<link rel="stylesheet" type="text/css" href="/site/dfgfhjkjvcdfgh5683/_/rsrc/1268949111855/system/app/css/overlay.css?cb=iceberg150goog-ws-none" />
<title>qnfb5w (dfgfhjkjvcdfgh5683)</title>
<script type="text/javascript">
// jstiming checkpoint at the end of the head.
window.jstiming.load.tick('cl');
</script>
</head>
<body xmlns="http://www.google.com/ns/jotspot" id="body" class=" en">
<!-- Page toolbar and status notice area, hidden by default. -->
<div id="sites-page-toolbar">
<div id="sites-status" class="sites-status" style="display:none;">
<div id="sites-notice" class="sites-notice"> </div>
</div>
</div>
<div id="sites-chrome-everything" style="direction: ltr">
<div id="sites-chrome-page-wrapper">
<div id="sites-chrome-page-wrapper-inside">
<!-- Site header: site title link and the site search box. -->
<div xmlns="http://www.w3.org/1999/xhtml" id="sites-chrome-header-wrapper">
<table id="sites-chrome-header" class="sites-layout-hbox" cellspacing="0">
<tr class="sites-header-primary-row">
<td id="sites-header-title">
<h2><a href="http://sites.google.com/site/dfgfhjkjvcdfgh5683/" dir="ltr">dfgfhjkjvcdfgh5683</a></h2>
</td>
<td class="sites-layout-searchbox">
<div>
<!-- Search form posting to the site's own search page. JOT_setTextDir is
     not defined in the inline scripts above (presumably it comes from the
     external view script); the search button has an empty onclick and is
     wired up by gsites.Searchbox near the end of the page. -->
<form id="sites-searchbox-form" action="/site/dfgfhjkjvcdfgh5683/system/app/pages/search">
<input type="text" onpropertychange="JOT_setTextDir(this)" oninput="JOT_setTextDir(this)" dir="" id="jot-ui-searchInput" name="q" size="20" />
<input type="hidden" id="sites-searchbox-scope" name="scope" value="search-site" />
<div class="goog-inline-block goog-button goog-button-base "><div class="goog-inline-block goog-button-base-outer-box"><div class="goog-inline-block goog-button-base-inner-box"><div class="goog-button-base-pos"><div class="goog-button-base-top-shadow"> </div><div id="sites-searchbox-search-button" class="goog-button-base-content " style="" onclick=""><span id="sites-searchbox-search-button-label">Search this site</span></div></div></div></div></div>
</form>
</div>
</td>
</tr>
</table>
</div>
<!-- Main content column: editor toolbar placeholder, breadcrumbs, page title,
     then the page body. -->
<div id="sites-chrome-main-wrapper">
<div id="sites-chrome-main-wrapper-inside">
<table id="sites-chrome-main" class="sites-layout-hbox" cellspacing="0">
<tr>
<td id="sites-canvas-wrapper">
<div id="sites-canvas">
<div id="goog-ws-editor-toolbar-container"> </div>
<div xmlns="http://www.w3.org/1999/xhtml" id="title-crumbs" style="">
</div>
<h3 xmlns="http://www.w3.org/1999/xhtml" id="sites-page-title-header" style="" align="left">
<span id="sites-page-title" dir="ltr">qnfb5w</span>
</h3>
<div id="sites-canvas-main" class="sites-canvas-main">
<div id="sites-canvas-main-content">
<!-- Author-controlled page body: this is the only non-template content in the
     page. It is a level-1 heading holding an image hosted on xmages.net that
     links to aquteriox.com, and a "CLICK HERE!!!" link to
     australiapharmacyonline.eu, both marked rel="nofollow". No script or other
     active content appears in this part of the source; merely loading the page
     fetches the image from xmages.net, and what the two linked sites serve
     cannot be determined from this source alone. -->
<table xmlns="http://www.w3.org/1999/xhtml" cellspacing="0" class="sites-layout-name-one-column sites-layout-hbox"><tbody><tr><td class="sites-layout-tile sites-tile-name-content-1"><div><h1><a name="TOC-CLICK-HERE-"></a><div style="text-align:center"><a href="http://www.aquteriox.com/" rel="nofollow"><img style="border:0px solid" src="http://xmages.net/upload/1e0f8375.jpg" /></a></div>
<a href="http://australiapharmacyonline.eu/" rel="nofollow">CLICK HERE!!!</a></h1></div></td></tr></tbody></table>
</div>
</div>
<!-- Subpage, attachment and comment panels: all empty or hidden
     (display:none) for this page. -->
<div id="sites-canvas-bottom-panel">
<div xmlns="http://www.w3.org/1999/xhtml" id="COMP_page-subpages"> </div>
<div xmlns="http://www.w3.org/1999/xhtml" id="COMP_page-attachments" style="display:none" class="sites-canvas-bottom-no-items">
<div id="sites-attachment-wrapper" class="sites-canvas-bottom-panel-wrapper">
<div jotId="sites-attachment-inner" style="display:none;" class="sites-attachment-inner">
<ul id="JOT_ATTACH_container">
</ul>
</div>
</div>
</div>
<a xmlns="http://www.w3.org/1999/xhtml" name="page-comments"></a>
<div xmlns="http://www.w3.org/1999/xhtml" id="COMP_page-comments" style="display:none;" class="sites-canvas-bottom-no-items">
<div id="sites-comment-wrapper" class="sites-canvas-bottom-panel-wrapper">
<div jotId="sites-comment-inner" style="display:none;" class="sites-comment-inner">
<div jotId="comments" class="sites-comments">
<!-- Hidden comment template; the _wuid_, _displayNameOrEmail_, _time_, _dir_
     and _text_ placeholders are presumably filled in by the external view
     script. The Remove link posts a removeComment event via JOT_postEvent. -->
<div id="_wuid_" jotId="template" class="sites-comment" style="display:none">
<div><strong>_displayNameOrEmail_</strong> - _time_ - <a href="javascript:;" onClick="JOT_postEvent('removeComment', this, {wuid:'_wuid_'});">Remove</a></div>
<p dir="_dir_">_text_</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</td>
</tr>
</table>
</div>
</div>
<div id="sites-chrome-footer-wrapper">
<div id="sites-chrome-footer-wrapper-inside">
<div id="sites-chrome-footer">
<div xmlns="http://www.w3.org/1999/xhtml" class="sites-subfooter">
<!-- Site footer. The Report Abuse link (reportAbuse?src=/qnfb5w) is the Google
     Sites channel for reporting this page. Terms and Print page use
     javascript: URLs that open new windows; webspace.printUrl is not set
     anywhere in this excerpt. -->
<p>
<a href="https://www.google.com/a/UniversalLogin?continue=http%3A%2F%2Fsites.google.com%2Fsite%2Fdfgfhjkjvcdfgh5683%2Fqnfb5w&service=jotspot" class="sites-system-link">Sign in</a>
<a href="/site/dfgfhjkjvcdfgh5683/system/app/pages/recentChanges" rel="nofollow" class="sites-system-link">Recent Site Activity</a>
<a href="javascript:void(window.open('http://www.google.com/sites/help/intl/en/terms.html'))" class="sites-system-link">Terms</a>
<a href="/site/dfgfhjkjvcdfgh5683/system/app/pages/reportAbuse?src=/qnfb5w" rel="nofollow" target="_blank" class="sites-system-link">Report Abuse</a>
<a href="javascript:;" onclick="window.open(webspace.printUrl)" class="sites-system-link">Print page</a>
|
<b class="powered-by">Powered by <a href="http://sites.google.com">Google Sites</a></b>
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript">
// jstiming checkpoint immediately before the main view script tag.
window.jstiming.load.tick('sjl');
</script>
<!-- Main Google Sites view script from gstatic.com. It is not part of this
     excerpt, so the gsites.* functions and the JOT_* functions not defined in
     the inline script in the head (JOT_setTextDir, JOT_insertAnalyticsCode,
     JOT_decorateButtons, jstiming.report) cannot be reviewed here. -->
<script xmlns="http://www.w3.org/1999/xhtml" src="http://www.gstatic.com/sites/p/3c554e/system/js/jot_min_view__en.js"></script>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript">
// jstiming checkpoint after the view script tag.
window.jstiming.load.tick('jl');
</script>
<script xmlns="http://www.w3.org/1999/xhtml">
// editorResources is always defined here (declared with var in the config
// script in the head), so this prepends the site's theme and overlay CSS to
// the editor resource list. The CDATA markers are XHTML escaping only.
if (editorResources) {
//<![CDATA[
editorResources.unshift('/site/dfgfhjkjvcdfgh5683/system/app/css/overlay.css?cb=iceberg150goog-ws-none');
editorResources.unshift('/site/dfgfhjkjvcdfgh5683/_/rsrc/1268949133906/system/app/themes/iceberg/standard-css-iceberg-ltr-ltr.css');
//]]>
}
</script>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript">
// Site search box wiring; gsites.Searchbox comes from the external view
// script. The scopes menu direction follows webspace.page.isSiteRtlLocale,
// which is false for this page.
var searchBox = new gsites.Searchbox('sites-searchbox-search-button');
searchBox.initListeners();
searchBox.setScopesMenu(webspace.page.isSiteRtlLocale);
</script>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript">
// Half a second after this script runs, derives a time-zone fingerprint from
// the listed epoch timestamps (gsites.date.TimeZone.getFingerprint, defined in
// the external view script) and sends it as the afjstz parameter of a GET to
// this site's /_/tz endpoint on sites.google.com, the same host as the page.
// Presumably this is how Sites learns the viewer's time zone for display;
// afjstz is the only parameter visible here.
setTimeout(function() {
var fingerprint = gsites.date.TimeZone.getFingerprint([1109635200000, 1128902400000, 1130657000000, 1143333000000, 1143806400000, 1145000000000, 1146380000000, 1152489600000, 1159800000000, 1159500000000, 1162095000000, 1162075000000, 1162105500000]);
gsites.Xhr.send('http://sites.google.com/site/dfgfhjkjvcdfgh5683/_/tz', null, null, 'GET', null, null, { afjstz: fingerprint });
}, 500);
</script>
<script xmlns="http://www.w3.org/1999/xhtml">
// On load, records the final "ol" tick, names the timer "load,<page type>"
// ("load,text" for this page, from webspace.page.type) and hands it to
// jstiming.report, which is not defined by the inline jstiming block in the
// head and presumably comes from the external view script.
window.onload = function() {
var loadTimer = window.jstiming.load;
loadTimer.tick("ol");
loadTimer["name"] = "load," + webspace.page.type;
window.jstiming.report(loadTimer);
}
</script>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript">
// Analytics hook (external view script) called with false; webspace.enableAnalytics
// is also false and no analytics account id is configured for this site.
JOT_insertAnalyticsCode(false);
</script>
<script xmlns="http://www.w3.org/1999/xhtml" type="text/javascript" defer="true">
//<![CDATA[
// Fires delayed events.
// defer has no effect on an inline script, so this runs in document order.
// Marks the JOT event bus as live, replays every event JOT_postEvent queued
// while JOT_fullyLoaded was false, nulls the queue (JOT_postEvent takes the
// live path from here on, so the queue is no longer pushed to) and then
// announces 'pageLoaded'.
(function() {
JOT_fullyLoaded = true;
var delayedEvents = JOT_delayedEvents;
for (var x = 0; x < delayedEvents.length; x++) {
var event = delayedEvents[x];
JOT_postEvent(event.eventName, event.eventSrc, event.payload);
}
JOT_delayedEvents = null;
JOT_postEvent('pageLoaded');
})();
// Decorate any fastUI buttons on the page with a class of 'goog-button'.
// Skipped for anonymous viewers: webspace.user.hasWriteAccess is false in the
// config emitted in the head.
if (webspace.user.hasWriteAccess) {
JOT_decorateButtons();
}
//]]>
</script>
<div id="server-timer-div" style="display:none"> </div>
<script>
// Final jstiming checkpoint once the body markup has been emitted.
window.jstiming.load.tick('render');
</script>
</body>
</html>
Thanks for the source
Thanks for the source, Brian81. I didn't think of looking at it, but I'm also not sophisticated enough to tell whether there are any malicious components on that page. Do you see anything nasty there?
What do the permissions look
What do the permissions look like on the Microsoft Money and Quicken directories? Log on to the computer with an admin account and check the permissions.
Mike
I'll check that out. The box
I'll check that out. The box is off site, so I won't get there until later, but I'll check it out. It may be they blocked the scan. Thanks.