by   June 15 2005   
Dropper.Inor Virus / Trojan Info: tracking my officially first drive-by virus infection. Naturally I was using AVG Linkscanner even then to warn me when a virus via Flash, Java, etc. was attempting to install on my computer. With that information collected I was able to track this virus to a server in South America and then in Europe. I didn't even need to look for the virus. It was on many sites.

Dropper.Inor Virus / Trojan Info for Digital Spy

I know the subject line is not going to win me points in this forum with members and moderators.

But I feel for the visitors and understand the point that Beth Hart a Digital Spy Forums Senior Moderator made.
The closing post regarding this ongoing issue:
http://forum.digitalspy.co.uk/board/...&postcount=108

I just joined up to share a bit of information and to ask for some information from the members of Digital Spy.

I agree with Beth Hart that blocking things like revenue banners is not a good policy. Clicking on them is a good policy and I do my share of that when I like the site's content.

But in this case we are talking about a single advertisement being run that allows for a virus to be installed on computers where the visitor or member uses Internet Explorer.

I prepared a long and detailed post but think it's best just to post up some quick information for the group.

Firefox users, this information doesn't apply to you. Your Firefox browser by default will not allow this code to be installed because it is using the media interface of IE to place the virus in the startup folder.


The Banner that carries this virus is at the bottom of just about every page. It advertises Fast56kb.com. The link itself is safe but the banner has 4 levels of IFRAMES that install this virus.


First I'll cover how to stop this site from installing the virus without blocking the banner or making the banner nonfunctional as a revenue source for Digital Spy.


international.statscounter.info

That is the site. From a few of my tests over the past few weeks, it bounces between Russia and Argentina from the ad.es.doubleclick.net ad server.


This is an IE issue only from my tests:

For IE Internet Explorer users.
Open up Internet Options in IE (Internet Explorer)
<Open IE> CLICK <Tools> CLICK <Internet Options>
Click on the Security Tab:
Click on Restricted Sites:
Click on the button Sites (Just to the lower right of the Restricted Sites Icon)
Add the following site to your restricted sites list.
International.statscounter.info
Click Add.


That will restrict the download of the virus when the Fast56kb.com ad is running.

That's about it for normal visitors and members.

Now for you Moderators I have some additional information for your log books.
PLEASE IF YOU ARE A VISITOR STOP HERE. DO NOT CLICK OR VISIT THE URL (SITES) LISTED AS THE VIRUS SITE.


For Digital Spy Moderators:
You may have the best firewall, Antivirus and spyware software running on your computer but I don’t think all your readers do.
Please follow the links below and tell me you agree to the planting of a known SpyWare marketing Tool and Logging program.


Your Ad that carries this virus:
http://ad.es.doubleclick.net/1047805/uk.gif

The IFRAME that is pushing the virus:
http://ad.uk.doubleclick.net/adi/www...rd=1052375223?

The site that is embedded into this IFRAME:
http://international.statscounter.in.../uk/index.html

The actual location of the Virus:
NOTE: Please do not click or paste this URL in your browser because it is a virus. I will chop up the URL so if you do copy and paste it you have to patch it up, and I will say now it is a live virus.

http:// international. statscounter. Info /fast / uk / index.php

I’ve been tracing this for about 30 days on and off between a couple of sites in the USA and this site in the UK.

It’s an Internet Explorer problem. The people that wrote about using Mozilla Firefox do not seem to have the same problem. But I don’t know if everyone in these forums uses Firefox.


Notes:
Now to test your IE setup.

From Explorer open up your Startup folder.
Here’s where it is:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Look for a file called Windows Update.hta.
If you don’t see it refresh the Digital Spy webpage that displays the banner for Fast56kb.com. (That’s your virus banner guys)

Now refresh the folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup

If you don’t see the virus, your setup is good to go surf any page within the Digital Spy website.
For now, that is. From my past experience the site international.statscounter.info will change and a new restricted site will go up in my IE.

I would like to ask those that do this: if you see the virus come back again, drop me a line over at xtremecomputer.com. I’ll check back and see how they are working the new method and give you a simple fix without having to pull your hair out and worry that your antivirus software will find it in time.

By the way, this virus goes active after a reboot. So if you can see the Windows Update.hta in your startup folder now and have never seen a virus warning you can relax and know you have this virus installed. Update your virus software like the FAQ says to: http://forum.digitalspy.co.uk/board/...0&postcount=52

But then ask around because things like this aren’t just a problem they really piss people off at times.
I can surf Digital Spy now without a problem, but when the International.statscounter.info site changes its location and name the virus will be back.

Again, drop a note over at xtremecomputer.com under the Sections of Adware and Spyware: /forum.asp?FORUM_ID=14
Or the forum that only reports on doubleclick issues: /dforum.asp?CAT_ID=36


I have more details at my little website if you are interested.
Thanks Jo Jo for pointing out Digital Spy ad issue.
Good Luck to you all in the UK.
Regards,
Technical Support:

PS: Beth, I know I said this in the beginning of the post or someplace online, but feel like I need to say it again.
You can safely click on the Fast56kb.com banner ad after you restrict the virus site.
This method doesn’t block or ban any good advertisements that generate revenue for Digital Spy it just keeps you a little safer as a member and visitor.
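
The two checks described in the post (an .hta file dropped into a Startup folder, and the ad host listed under Restricted Sites) can be scripted. This is an added example, not part of the original post; the function names are hypothetical, and it assumes PowerShell 3 or later with .NET 4 and the standard Internet Explorer ZoneMap registry layout.

```powershell
# Added example: audit for the two conditions the post describes.
# 1) An .hta file in a Startup folder (the post names "Windows Update.hta").
# 2) The host from the post mapped to IE's Restricted Sites zone (zone 4).
$HostToRestrict = 'international.statscounter.info'   # host named in the post

function Get-StartupFolders {
    # Ask the shell for the per-user and all-users Startup folders instead of
    # hard-coding a path, so the check follows the local profile layout.
    @([Environment]::GetFolderPath('Startup'),
      [Environment]::GetFolderPath('CommonStartup')) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
}

function Find-StartupHta {
    param([string[]]$Folders = (Get-StartupFolders))
    foreach ($folder in $Folders) {
        # -Force includes hidden files; any .hta in Startup deserves a look.
        Get-ChildItem -LiteralPath $folder -Filter '*.hta' -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

function Test-RestrictedSite {
    param([Parameter(Mandatory)][string]$HostName)
    # Simplification (assumption): the last two labels are treated as the domain
    # key, which is correct for the host in the post but not for every suffix.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { return $false }
    $domain = $labels[-2..-1] -join '.'
    $sub = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    $base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Join-Path (Join-Path $hive $base) $domain
        if ($sub) { $key = Join-Path $key $sub }
        $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $regKey) { continue }
        # Value name is the scheme ('*' = all schemes); data 4 = Restricted Sites.
        foreach ($name in '*', 'http', 'https') {
            if ($regKey.GetValue($name) -eq 4) { return $true }
        }
    }
    return $false
}

$hits = @(Find-StartupHta)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No .hta files in Startup folders.' }
'{0} in Restricted Sites: {1}' -f $HostToRestrict, (Test-RestrictedSite $HostToRestrict)
```

A hit from `Find-StartupHta` only shows that an HTA is set to run at logon; confirm what it is before deleting it.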

 

 

 
