
Virus?


marybetht


Hi All,

 

I am hosting a site on TCH that appears to be infected, but I'm not sure, I have never had this happen before. Using IE, trying to load the homepage, my McAfee kicks in telling me a virus has been detected. It is the VBS/Psyme trojan. According to McAfee it is due to an unpatched IE. Does this mean my website is also infected and trying to send out this trojan? If, so, what do I do? :)

 

Thanks!

MB


Hi,

 

First of all you need to make sure your computer is clean by running a full scan and see what it comes up with.

 

Secondly, you could ask the techs if they can help you find and remove the virus from your site if that too contains it.

 

Third, make sure your Internet Explorer gets fully patched at Windows Update.


Hi,

 

First of all you need to make sure your computer is clean by running a full scan and see what it comes up with.

 

Secondly, you could ask the techs if they can help you find and remove the virus from your site if that too contains it.

 

Third, make sure your Internet Explorer gets fully patched at Windows Update.

 

Hi Thomas,

 

Scan is already running. I will send a helpdesk request to TCH.

 

Thanks,

MB


Also, delete all her temporary internet files as well.

 

And try another browser like Firefox.

 

Hi Thomas,

 

Helpdesk told me to download the page from the server and scan it for viruses, then reupload it. I have a couple of RSS feeds on that page, do you think the virus could be getting in through those feeds? They are feeds from two US government agencies, FEMA and the CDC.

 

Thanks,

MB

 

P.S. I tried to upload an avatar from my PC and I got an error message, told me to contact the admin.


I don't think the virus comes from the RSS.

However, have you downloaded the file (or files) and scanned it? If so, what did the scan say?

 

I just downloaded the file and ran a scan on the entire site folder and McAfee found nothing. I'm not getting the virus found message from McAfee anymore either when I visit the site.

 

I do use FF most of the time, but just happened to go into IE this time. A few others here at work also got the message from McAfee on their machines.


I am also experiencing a virus problem on my website. One of my users emailed me with the following virus report (he received this when pulling up the homepage):

 

Script execution blocked YOU-GOT-IT\STran iexplore.exe Script executed by iexplore.exe VBS/Psyme (Trojan)

I have tested this site with both IE and Firefox and my AV software is not complaining of a virus on your site. McAfee must be giving false positives.


Maybe. I haven't seen the pages, but how are your sites built? Static pages you upload, a CMS, a forum script, a blog? I've seen instances where a site built using some forum or CMS script gets compromised through various means and a very, very, very 1px by 1px frame is inserted in the code and the frame loads some outside page that tries to drop a virus of some kind. Your actual code is not "infected" per se so virus scanning your own site does nothing. Your page is loading another page that is trying to drop the virus.

 

It should also be noted that in the instances I have seen, some people get warnings and some don't. So it's worth taking a look. If you pm me a link I'll be happy to give it a go around.
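
The hidden-frame injection described in the post above lives in the page's markup, so it can be looked for there. An added example, not code from the thread: a Python sketch that flags tiny or hidden iframes and iframe/script sources hosted somewhere other than your own site. The 2px threshold, the host names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = 2  # px; frames this small are treated as hidden (assumed threshold)

def _px(value):
    # Leading integer of a width/height attribute ("1", "1px"), else None.
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class FrameAudit(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, tag, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in self.own_hosts:
            reasons.append("off-site source")
        if tag != "script":
            style = a.get("style", "").replace(" ", "").lower()
            dims = (_px(a.get("width")), _px(a.get("height")))
            if any(d is not None and d <= TINY for d in dims):
                reasons.append("tiny dimensions")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, reasons))

def audit_html(html, own_hosts):
    parser = FrameAudit(own_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page; both host names are placeholders.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="http://third-party.example/x.html" width="1" height="1"></iframe>
<iframe src="http://www.mysite.example/map.html" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE, {"www.mysite.example"}))
```

Run it over the HTML as a browser receives it as well as over the files on disk, since a CMS can assemble the served page from templates and database content that a scan of uploaded files never sees.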


I thought I'd add to the chorus. I posted a blog entry noting a problem whereby my WordPress theme had turned all screwy -- the banner disappeared and the sidebar colors and whatnot had all reverted to their default state. In addition, the Tiga-theme editor function in WordPress was no longer functional. The rest of the blog seems to be functioning normally. One of my readers posted this in response:

 

"You might want to check for viruii. I got an error that VBS/Psyme tried to get into my system when I opened your page at the same time as I was opening several others. Since yours is the only one acting funny, it might have been from here.

 

Script executed by iexplore.exe VBS/Psyme (Trojan)"

 

I kind of suspect the two issues are not related, but do not know for sure. I have not been able to dig into the Tiga theme issue because my access to Cpanel and the file manager has been extremely laggy lately - sometimes letting me through, other times timing out while loading the page.


I believe my user was using McAfee, but I'm not 100% sure.

 

However, I'm not sure I have much confidence in the McAfee false positive explanation, if other websites are having the exact same error.....the thing that we all share in common is TCH. My user also said it was the only website that generated that virus error. And a previous poster said he was using Wordpress, whereas I'm using a different publishing system altogether.

 

My website is currently on Server102. Could it be that specific server?


As far as I know the only people reporting this are people using McAfee. I tested your sites in both IE and Firefox and I received no virus warnings. Not to say that there isn't. I am just not seeing it and thus my response.

 

I have been informed that the techs are also checking to be sure there is nothing coming from the server. But as heyguy points out above it may be an injection of an image with a link to some other site that is causing it. But my tests resulted in no such thing.


Maybe. I haven't seen the pages, but how are your sites built? Static pages you upload, a CMS, a forum script, a blog? I've seen instances where a site built using some forum or CMS script gets compromised through various means and a very, very, very 1px by 1px frame is inserted in the code and the frame loads some outside page that tries to drop a virus of some kind. Your actual code is not "infected" per se so virus scanning your own site does nothing. Your page is loading another page that is trying to drop the virus.

 

It should also be noted that in the instances I have seen, some people get warnings and some don't. So it's worth taking a look. If you pm me a link I'll be happy to give it a go around.

 

I am also running the Nucleus CMS v3.23 Blog.


I thought I'd add to the chorus. I posted a blog entry noting a problem whereby my WordPress theme had turned all screwy -- the banner disappeared and the sidebar colors and whatnot had all reverted to their default state. In addition, the Tiga-theme editor function in WordPress was no longer functional. The rest of the blog seems to be functioning normally. One of my readers posted this in response:

 

"You might want to check for viruii. I got an error that VBS/Psyme tried to get into my system when I opened your page at the same time as I was opening several others. Since yours is the only one acting funny, it might have been from here.

 

Script executed by iexplore.exe VBS/Psyme (Trojan)"

 

I kind of suspect the two issues are not related, but do not know for sure. I have not been able to dig into the Tiga theme issue because my access to Cpanel and the file manager has been extremely laggy lately - sometimes letting me through, other times timing out while loading the page.

 

masson,

I am also running a WordPress Blog on another site I administer, different host, not TCH, and the same thing happened to me, the theme changed on me. It switched to the Basic theme, very bizarre. I've since switched it back to the theme I was using and no problems since, but it makes me feel a bit insecure.

 

MB


I have not been able to dig into the Tiga theme issue because my access to Cpanel and the file manager has been extremely laggy lately - sometimes letting me through, other times timing out while loading the page.

 

This really should be asked in our Wordpress forum but I will comment here since I can't split the original post and move it.

 

I use the Tiga theme on my personal blog and I have to use the static CSS file it generates instead of the PHP style sheet it creates because of a conflict with one of my plugins.

 

I set up another instance of WP with no plugins and the Tiga PHP style sheet works. That's how I generated the static CSS file for my site. If I want to make changes I go back to my other instance make the change and save the CSS changes for use on my blog.


I read somewhere on the web last evening that McAfee is giving false positive virus warnings on pages containing Google Ads, specifically Google video ads.

 

I'm not running either on my website.

 

Question -

Given that TCH is probably doing what they can in terms of security, are there additional things that we as users can do to protect the security of our websites? I'm assuming there aren't any anti-virus programs that we can run in our home directories, correct?


I've also had problems as reported above:

- McAfee reporting the trojan

- Very slow Cpanel loading

- And in one case, some random JavaScript link was inserted into some HTML, but I couldn't see it on the server!

 

I can't duplicate any of these problems, so I can't log a useful TT, but they are happening...


I've just talked with Bruce and I've checked the websites in question and have not gotten the error described.

 

I run McAfee Security Center and Virus Scan is using DAT Version 4882 10/26/2006. I would suggest everyone update their virus signature files and try again to see if these errors remain. I think they are just false positives.


I read somewhere on the web last evening that McAfee is giving false positive virus warnings on pages containing Google Ads, specifically Google video ads.

 

Interesting, but my site doesn't contain any Google ads either.

Edited by marybetht

I've also had problems as reported above:

- McAfee reporting the trojan

- Very slow Cpanel loading

- And in one case, some random JavaScript link was inserted into some HTML, but I couldn't see it on the server!

 

I can't duplicate any of these problems, so I can't log a useful TT, but they are happening...

 

I just logged into my Cpanel and it loaded fast as usual.

