jOSiAh's ^_~ Haven

More Trojans!

One day after the posting of the epic battle of General Wang and the trojans, what do I get? More trojans. (>.<)

I have just launched my Windows Live Messenger (yeah, finally upgraded...) and this pops up.

Followed by this...

So basically ad[1].jpg is a trojan which downloads whatever NewTemp.dll is... (along with a NewTemp.bak which I have manually removed)

So newer is not always better (>.<)

Anyway, tired of how weird things keep dropping in the Temporary Internet Files folder and executing themselves, I've decided to beef up my Internet Security. Now any scripts must seek my permission to run...

So, after relaunching Windows Live Messenger...

If you click yes,

Safe. Yeah right.

Clicking no and the banner ads are gone. And no weird viruses.

However, I'm still not satisfied. I'm not sure where the trojan gets downloaded from in the first place. A query of "Newtemp.dll" on Google comes up with nothing. Nada. 0 results. So I guess it's a new variant. Doing more research, I found that a Javascript file and an HTML file were downloaded along with the "JPG" file. The HTML file is somehow linked to a page from China (with the filename woyao.htm), which, when I visited it (script execution still disabled of course), showed that the "ad.jpg" file is set as the cursor for the page. The same script is attached to it as well.

More research, and I've learnt that the "cursor" uses an ANI (animated cursor) vulnerability to attain remote execution privileges. In English, that means that the bad guy can easily control your computer from wherever he is with the supposedly harmless cursor. So better patch that up.

Well, after patching, the "cursor" file is still downloaded, but the attackers can't do anything. So that's good for the time being.
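A defender-side check for the pattern described above (a download named like a JPG that is really an animated cursor), added here as an example and not code from the original post: it reads the RIFF/ACON header instead of trusting the file extension, and flags any anih chunk whose declared length is not the 36 bytes a well-formed ANI header carries, which is the malformed-header condition the ANI patch addressed. The file name and all sample bytes are constructed, not taken from the real ad[1].jpg.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
ANIH_EXPECTED_SIZE = 36  # size of a well-formed ANIHEADER structure


def build_ani(chunks):
    """Build a RIFF/ACON container from (tag, payload) pairs (constructed test data)."""
    body = b"ACON"
    for tag, payload in chunks:
        body += tag + struct.pack("<I", len(payload)) + payload
        body += b"\x00" if len(payload) % 2 else b""  # RIFF chunks are word-aligned
    return b"RIFF" + struct.pack("<I", len(body)) + body


def riff_chunks(data):
    """Yield (tag, declared_size) for each top-level chunk after the form type."""
    pos = 12  # skip 'RIFF', total size, and the 'ACON' form type
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield tag, size
        pos += 8 + size + (size & 1)


def inspect_cursor_download(name, data):
    """Return a list of findings for a file by its name and raw bytes."""
    findings = []
    is_jpeg = data.startswith(JPEG_MAGIC)
    is_ani = data[:4] == b"RIFF" and data[8:12] == b"ACON"
    if name.lower().endswith((".jpg", ".jpeg")) and not is_jpeg:
        findings.append("extension says JPEG but content is not JPEG")
    if is_ani:
        findings.append("content is an ANI animated cursor")
        for tag, size in riff_chunks(data):
            if tag == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk declares {size} bytes, expected 36")
    return findings


# Constructed samples: a real-looking JPEG, a well-formed cursor mislabelled as
# .jpg, and a cursor carrying a second, oversized anih chunk.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 16
SAMPLE_ANI_OK = build_ani([(b"anih", struct.pack("<I", 36) + b"\x00" * 32)])
SAMPLE_ANI_BAD = build_ani([(b"anih", struct.pack("<I", 36) + b"\x00" * 32),
                            (b"anih", b"A" * 200)])

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", SAMPLE_JPEG), ("ad[1].jpg", SAMPLE_ANI_OK),
                        ("ad[1].jpg", SAMPLE_ANI_BAD)]:
        print(fname, inspect_cursor_download(fname, blob))
```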

Now if only I can figure out whether the file came from the advertisements, the weird icons, or from some script hidden somewhere... (>.<)

Postscript: Yes, it's been confirmed. It came from the weird icons on the tabs. I've managed to patch the tabs with Tabserve to remove all of them (completely this time, not just hiding them). Now there aren't even any prompts for my permission to run scripts! How the tabs attached themselves to my messenger in the first place... I don't know... yay! I can finally sleep in peace! And General Wang will be so pleased with me... (>.<)

Postpostscript: It's a trojan. A new variant. Still related to the Chinese Instant Messenger QQ.

Postpostpostscript: Not my computer's fault. It's the network that's flooded with the worm. My computer is fully protected and safe. Even iFrames are disabled for the time being (>.<)


1 YP said,

You should try other anti-virus sw and see if it gives the same message or not. It is not unusual for anti-virus sw to give a false alarm. Btw, I have stopped using AVG for more than 2 years, now I use AVAST. You could also try Adware SE from Lavasoft for spyware scanning, pretty good.

Also, do try to park your PC at for a health check, it not only checks your PC health, it will make recommendations on how to optimize your PC…like taking vitamins. :)

2 josiah said,

No it’s definitely not a false alarm. Googling that particular website URL returned lots of information (in Chinese), most of them being IE homepage hijacking. One post (dated 11th June!) enlightened me about the cursor thing. And it’s actually a variant of the one General Wang battles. ^^; Still trying to figure out how it gets executed through Windows Live Messenger though… The Javascript’s definitely suspicious: it’s all obfuscated by escaping characters (^^;)

I think I have used AVAST in the past and I can’t remember why I switched… I have both Adaware and Spybot Search and Destroy… but they usually only find tracking cookies, and they definitely did not find any of these…

Yeah thanks… I will give my PC a health check (^_^) . I’m fairly confident with the security of my PC though. Except for my Windows which is rarely patched (>.
