Trojan on SAB

[The Dude]

On the main sab website (http://www.shaman-australis.com.au) my version of Kasperski found this "Trojan-Downloader.JS.Psyme.me". Someone might want to look into this.

[apothecary]

I don't discount the possibility entirely, but it is more likely that this trojan has infected your browser rather than the SAB site.

[Torsten]

nope. certainly not in that directory. I've asked tech support to check it out, but as they run trojan filters anyway I doubt it would get through.

[The Dude]

nope. certainly not in that directory. I've asked tech support to check it out, but as they run trojan filters anyway I doubt it would get through.

wow that's weird as. It only blocks it when i go onto www.shaman-australis.com.au. I'm real confused, so that means i have an infection that only pops up when i visit that address, and then has kasperski pop up to delete it.. when i already have it anyway???

[FungalFractoids]

Delete your cookies...

[chilli]

Arthur: What happens now?

Bedevere: Well, now, uh, Lancelot, Galahad, and I, uh, wait until nightfall, and then leap out of the rabbit, taking the French, uh, by surprise. Not only by surprise, but totally unarmed!

Arthur: Who leaps out?

Bedevere: Lancelot, Galahad, and I, uh, leap out of the rabbit, uh, and uh...

Arthur: Ohh.

[The Dude]

Arthur: What happens now?

Bedevere: Well, now, uh, Lancelot, Galahad, and I, uh, wait until nightfall, and then leap out of the rabbit, taking the French, uh, by surprise. Not only by surprise, but totally unarmed!

Arthur: Who leaps out?

Bedevere: Lancelot, Galahad, and I, uh, leap out of the rabbit, uh, and uh...

Arthur: Ohh.

dudum tsshh

[tonic]

I am getting the same problem, can't visit the SAB store.

[Thelema]

yes i had a brief flash at the bottom of my screen directing to a lady-love website or something when I last visited last week. it never materialized however.

[Torsten]

damn, I found the ladylove website and have deleted it. This was written into the file from inside the server as my HD copy of the file was clean. I scanned the files with kaspersky's online scanner and it didn't find anything.

[SaBReT00tH]

who wrote the virus in?? are you controlling our computers Torsten!! ?

[Torsten]

I don't know much about how this works and would love to hear from those who might know. I presume that a script made it onto my server and is propagating itself onto certain pages. Just not sure how it made it onto that one cos there are no actual scripts on that page.

[apothecary]

OK not really sure how this virus works, but a little bit of research shows it is some sort of worm run by the Russians (hardly unusual).

Judging by the hojillions of hacked pages that you can see on google by searching psyme-me (DO NOT CLICK ANY OF THOSE LINKS!) it's probably spread by the Russians exploiting some hole as soon as it is discovered and hitting all the websites they can.

Check this forum out

http://www.delta3d.org/forum/viewtopic.php...showtopic=10236

[ethnodude]

i just did a virus scan and Trojan-Downloader.JS.Psyme.me came up. i decided to do a search for it and low and behold i found this post. i had just been looking through some of sab's stock. i won't be ordering anything until i know this has been cleared up. don't want to panic anyone but watch your tracks. big brother is among us. you've been warned. hopefully t can get this cleared up asap.

[Torsten]

it is cleared up! the virus was deleted weeks ago. you must be getting a cached copy from your ISP.

in any case, this was only on the homepage. there have been no reports of any viruses on other pages. you can enter the store without going to the homepage by going here:

http://www.shaman-australis.com.au/Website...ageframeset.htm

[tonic]

I am getting it on that page too.

[ethnodude]

thanks for that t,

is this a common virus that i may have picked up somewhere else?

its just a rather large co-incidence that i was browsing SAB when i found it and i this post was found.

glad to hear its not from sa.

Edited September 24, 2007 by ethnodude

[ethnodude]

I am getting it on that page too.

well there you go. so is it cleared up or not t? if your not sure i think its irresponsibles to say it is. either way i wont be ordering until i'm sure. last thing i want is for some russian to steal my identity.

[Torsten]

I am getting it on that page too.

this is the source code I get for that page as of 24/9/2007 [no psy.me]. if you get something different then your ISP is using an old version. are you on dial up or ADSL?

Shaman Australis Community
http://www.shaman-australis.com.au/Website/Shamanmainpageframeset.htm"> src="Aboriginaldance1asmall.jpg" border="5">   Native & Exotic Ethnobotanical Seeds, Plants, Herbs & more
	http://www.shaman-australis.com/%7Eclaude/index.html">http://www.shaman-australis.com/%7Eclaude/index.html"> http://www.shaman-australis.com/%7Eclaude/index.html" target="_blank">Claude de Contrecoeur memorial
	https://204.157.37.250:2096/"> color="#FFFF33">member's mail

 

[tonic]

I have ADSL T. It's Telstra though and have had various problems and hiccups with these bastards since I have had the broadband.

It's a bummer as I was looking at ordering some stuff from the store soon and don't want to as I can't really be dealing with a virus at this point.

Unless it's got something to do with this kapersky program, which seems to be the main program picking up on this psy.me thing.

Bloody internet! Can't live with it, can't live without it.

EDIT: This is the only code I can get as I am totally blocked out unless I 'allow' this virus into my system.

<html>

<head>

<title>Kaspersky Internet Security 6.0</title>

</head>

<body>

<h1>Kaspersky Internet Security 6.0</h1>

<p>The requested URL <u>http://www.shaman-australis.com.au/Website/Shamanmainpageframeset.htm</u> is forbidden</p>

</body>

</html>

Edited September 24, 2007 by Phosphene_Dream

[Torsten]

sorry, not much I can do about it. mayb you can complain to telstra to refresh the cache for that page?

[apothecary]

Ok, I just checked on a fresh windows XP install, using Kapersky Internet Security 7.0 trial version, checked the SAB main page, webstore and forums with no Psy-me found.

Also examining the source of the page torsten posted I see no malicious scripts.

My recommendation is to use CTRL+SHIFT+R on the website to clear the cache and request a fresh copy from the server.

[ethnodude]

za security suite keeps getting spyware on the s-a store main page.

something like young blonds with big tits.

just a heads up.

[ethnodude]

just deleted cookies and seems ok now.

strange.

[Torsten]

I haven't edited anything on that page, so it's got nothing to do with my end.