I would think after 60 days somebody would have updated a scanner to detect this and I am still clean as of yesterday. Not trying to anger you, but I just don't think I am infected. I do this for a living and sometimes go to great pains to certify a machine as clean. I also did manual searches for files you mentioned and they don't exist on my machine.

If I were infected I would think that the other 3 sites I admin would also be affected but they aren't, one of which I upload to daily.

Thanks again.

Jim

This is the only forum where I found this mentioned, so I thought I'd present my version of the problem after spending most of yesterday with my hosting support (unable to solve it). Because we worked through most of what's mentioned in other posts please allow me to just give the basic facts.

1. Only people using IE have told me about the problem if their anti-virus threw up a message.

2. I tried it from several computers that have not visited my site before. Same thing.

3. Watching the status bar at bottom, I see that when typing in the domain name, the address being connected to is dnv-counter.com/rtf/gc... then the virus alert goes off.

4. I checked an IP look up and this name has an IP in Ukraine and the number is 85.255.177.90

5. Yesterday, I would see first the dnv business and then a second IP address which was 81.95.146.132 , the same Russian Business Network mentioned in an earlier post.

6. If I type in w w w.mydomain.com what I call "the virus process" starts and I can see the address in the bottom status bar.

7. However if I type w w w.mydomain.com/index.htm or any other internal address, I do not see the process.

8. My index.htm is a simple refresh to another program. We wrote a new one last night and installed from Host Support's end.

9. If I view the source code when I type in my domain and the DNV-Counter appears in the bottom status bar, but Before the page actually (refreshes) redirects to my internal page, I see that a long javascript code as been placed on the initial index.htm page.

10. We looked for the iframe coding mentioned here but found nothing.

11. Yesterday the blocked Russian IP was accessing what Norton called a downloader. Today the DNV-counter.com is trying for MSN.exe


So we are stumped trying to find out how this is working. It seems like the same as described above, but without the iframe code. We can't figure out what is creating the encoded Javascript on the index page, which we assume contains the dnv-counter.com address

Any help or suggestions would be hugely appreciated.

I may be way out in left field here,
because of the different result you get based on your 2
example URL's.
This makes me think perhaps they are pulling off some
fairly high level DNS poisoning in your case.
I put nothing past those bastards, we are talking BIG money.
They change domains like socks.

Just a few thoughts.

Thanks for comments. Is that something that can be handled by my host support, or someone else? This successfully flew over my head (and skill level).

I only thought of it because in your 2 URL's
you got different results.
I would believe they would resolve slightly differently,
possibly skipping the DNS server that the Botmaster
Puss Sacs have control over or have poisoned.
I know from the Blue Frog SPAM war that these baddies
have people on the inside. Very high up the internet
food chain. Backbone providers if you will.
If I could in detail explain the exact mechanics of how
they do it I would.
It might be worth running the concept by your hosting
people.
Would you care to share your URL for any further
investigation?
Just curious now on the nature/purpose of your threat.

PS. I went to DNV-counter.com and got an apache server test page.

The complete address I see on the bottom is dnv-counter.com/trf/gc

If you only go to the domain name you do see that apache test page, but the other complete address is where the fun is.

If you check out the whois, the domain name is registered to a woman in NY.

I will pm my domain to you.

Thanks again for the help.

I have blocked that entire bank of IP's in my firewall and router and have changed the passwords on the website hosts that I manage. Might have to change the passwords once a month or so.....

Will and all,
All i have found so far regarding the exploit.

From XPL:
A javascript is using a decryption technique to expose code which is suspected to contain a Javascript window() (CVE-2005-1790) exploit. A malicious web page uses javascript to create a very large buffer of data and passes this into the prompt() function. This then causes Microsoft Internet Explorer to crash and with the presence of properly injected code can cause the remote execution of that code.

From F-Secure:
F-Secure Anti-Virus contains generic detection for a exploit that takes advantage of the vulnerability in the way Internet Explorer handles certain objects within onLoad event, allowing execution of arbitary code.

Further information about this vulnerability is available from Microsoft Security Advisory 911302:

http://www.microsoft.com/technet/security/advisory/911302.mspx

Hope this helps.
Bad out.

I wanted to thank everyone who helped with this. I don't know how or why but the problem appears to have stopped. I have been sending lots of emails to my hosting company and to my domain name registrar godaddy.com so who knows, maybe one of them did something.

In any case, thanks everyone.

FYI, this nailed me on 7/18/06. I only noticed because the iframe was inserted before my php headers, which caused a bunch of ugly error messages. I'm bookmarking this topic and will refer back to it if anyone posts any new news.

Hey,

I got the same "downloader" virus just a minute ago and was also unable to acces. Norton Showed that it deleted a virus but from reading here I'd rather be sure its gone.. since ive been gone for a coupel of weeks on vacation (I just got home -__-) I havent updated my virus definitions yet and I am a IE7 user.

The website that I got it from was world-of-sins.net and I got it through Active-X, the forum was spammed with porn adverts a like 1-2 weeks ago so it may be something to mention seeing I got this virus after that >_>...

So thx if you reply on this ^^