Virus Alert for Safe Websites

Twice in the last ten days I have been the subject of a virus attack from
perceived safe websites. I invite comments on if this is a correct
assessment.

Details.

Attack 1. (March 12)

On the website http://netscape.aol.com at the top of the page, I clicked on
the link "Get Winamp toolbar".
The browser indicated that I saved to disk one file called "toolbar.exe". I
ran this file and got this unexpected warning: Ad Watch Live Alerts (I have
this Ad Aware program) stopped process ns70.tmp (3932) because it identified
it as Win32.Trojan.Agent. The Winamp toolbar did install. Scans by Spybot
and AVG Free did not detect any infection.

If Win XP supposed to execute *.tmp files?

Attack 2. (March 3)

I received an email from a person I had not heard from in 4+ years. It had
the characteristics of a virus attack: (1) it appears it was sent to
everyone in the address book, (2) and addressed to "Whom it may concern..."
It contained the following link:
http://rapidshare.com/files/203380183/load_m3_01.exe

It was sent from this persons Yahoo Mail account to my Yahoo Mail account. I
thought Yahoo had protections against this kind of thing. I have not heard
back from this person about my inquiry about this.

Does anyone know what this exe file is or does?
If I'm on a user account and click on it, with the user account protect me
from this exe?

Thanks
Scott
Los Angeles

Was kind of dumb to post that link with your issue. Especially if it is an .exe link

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Scott" <scott@adelphia.net> wrote in message
news:ulSuwwCpJHA.1172@TK2MSFTNGP04.phx.gbl...
> Twice in the last ten days I have been the subject of a virus attack from
> perceived safe websites. I invite comments on if this is a correct assessment.
>
> Details.
>
> Attack 1. (March 12)
>
> On the website http://netscape.aol.com at the top of the page, I clicked on the
> link "Get Winamp toolbar".
> The browser indicated that I saved to disk one file called "toolbar.exe". I ran
> this file and got this unexpected warning: Ad Watch Live Alerts (I have this Ad
> Aware program) stopped process ns70.tmp (3932) because it identified it as
> Win32.Trojan.Agent. The Winamp toolbar did install. Scans by Spybot and AVG Free
> did not detect any infection.
>
> If Win XP supposed to execute *.tmp files?
>
> Attack 2. (March 3)
>
> I received an email from a person I had not heard from in 4+ years. It had the
> characteristics of a virus attack: (1) it appears it was sent to everyone in the
> address book, (2) and addressed to "Whom it may concern..."
> It contained the following link:
> It was sent from this persons Yahoo Mail account to my Yahoo Mail account. I
> thought Yahoo had protections against this kind of thing. I have not heard back
> from this person about my inquiry about this.
>
> Does anyone know what this exe file is or does?
> If I'm on a user account and click on it, with the user account protect me from
> this exe?
>
> Thanks
> Scott
> Los Angeles
>

Why?

Scott
Los Angeles

"Peter Foldes" <okf122@hotmail.com> wrote in message
news:%23p9Bv0CpJHA.6132@TK2MSFTNGP06.phx.gbl...
> Was kind of dumb to post that link with your issue. Especially if it is an
> .exe link
>
> --
> Peter
>
> Please Reply to Newsgroup for the benefit of others
> Requests for assistance by email can not and will not be acknowledged.

"Scott" <scott@adelphia.net> wrote in message
news:ulSuwwCpJHA.1172@TK2MSFTNGP04.phx.gbl...
> Twice in the last ten days I have been the subject of a virus attack
> from perceived safe websites. I invite comments on if this is a
> correct assessment.
>
> Details.
>
> Attack 1. (March 12)
>
> On the website http://netscape.aol.com at the top of the page, I
> clicked on the link "Get Winamp toolbar".
> The browser indicated that I saved to disk one file called
> "toolbar.exe". I ran this file and got this unexpected warning: Ad
> Watch Live Alerts (I have this Ad Aware program) stopped process
> ns70.tmp (3932) because it identified it as Win32.Trojan.Agent. The
> Winamp toolbar did install. Scans by Spybot and AVG Free did not
> detect any infection.
>
> If Win XP supposed to execute *.tmp files?
>
> Attack 2. (March 3)
>
> I received an email from a person I had not heard from in 4+ years. It
> had the characteristics of a virus attack: (1) it appears it was sent
> to everyone in the address book, (2) and addressed to "Whom it may
> concern..."
> It contained the following link:
> http://rapidshare.com/files/203380183/load_m3_01.exe

So the first attack (we'll call this attack #2) came after the second
one (we'll call attack #1)?

> It was sent from this persons Yahoo Mail account to my Yahoo Mail
> account. I thought Yahoo had protections against this kind of thing. I
> have not heard back from this person about my inquiry about this.
>
> Does anyone know what this exe file is or does?

I got this...

"This file is suspected to contain illegal content and has been blocked.
After the file has been blocked for 7 days it will automatically be
deleted, if the block is not removed by RapidShare. For this reason, a
download of this file is currently not possible."

....from the html document that that URL points me to.

Smells like malware huh?

> If I'm on a user account and click on it, with the user account
> protect me from this exe?

No. The limited user idea is to protect the rest of the system (and
other users) from *you* if you fall for a trojan. No matter what kind of
"protection" you have - it is still not a good idea to execute malware.

The adware "attack" was just you trying to install ad supported software
I think. The latter looks like an e-mail vector clickworm. Good thing
you didn't run it.

Thank you very much for taking the time to investigate and respond.

I was considering the idea of experimenting with this but I guess the safest
course is just to move on.

Scott
Los Angeles

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message
news:uyxZEODpJHA.3896@TK2MSFTNGP04.phx.gbl...
> "Scott" <scott@adelphia.net> wrote in message
> news:ulSuwwCpJHA.1172@TK2MSFTNGP04.phx.gbl...
>> Twice in the last ten days I have been the subject of a virus attack from
>> perceived safe websites. I invite comments on if this is a correct
>> assessment.
>>
>> Details.
>>
>> Attack 1. (March 12)
>>
>> On the website http://netscape.aol.com at the top of the page, I clicked
>> on the link "Get Winamp toolbar".
>> The browser indicated that I saved to disk one file called "toolbar.exe".
>> I ran this file and got this unexpected warning: Ad Watch Live Alerts (I
>> have this Ad Aware program) stopped process ns70.tmp (3932) because it
>> identified it as Win32.Trojan.Agent. The Winamp toolbar did install.
>> Scans by Spybot and AVG Free did not detect any infection.
>>
>> If Win XP supposed to execute *.tmp files?
>>
>> Attack 2. (March 3)
>>
>> I received an email from a person I had not heard from in 4+ years. It
>> had the characteristics of a virus attack: (1) it appears it was sent to
>> everyone in the address book, (2) and addressed to "Whom it may
>> concern..."
>> It contained the following link:
>> http://rapidshare.com/files/203380183/load_m3_01.exe
>
> So the first attack (we'll call this attack #2) came after the second one
> (we'll call attack #1)?
>
>> It was sent from this persons Yahoo Mail account to my Yahoo Mail
>> account. I thought Yahoo had protections against this kind of thing. I
>> have not heard back from this person about my inquiry about this.
>>
>> Does anyone know what this exe file is or does?
>
> I got this...
>
> "This file is suspected to contain illegal content and has been blocked.
> After the file has been blocked for 7 days it will automatically be
> deleted, if the block is not removed by RapidShare. For this reason, a
> download of this file is currently not possible."
>
> ...from the html document that that URL points me to.
>
> Smells like malware huh?
>
>> If I'm on a user account and click on it, with the user account protect
>> me from this exe?
>
> No. The limited user idea is to protect the rest of the system (and other
> users) from *you* if you fall for a trojan. No matter what kind of
> "protection" you have - it is still not a good idea to execute malware.
>
> The adware "attack" was just you trying to install ad supported software I
> think. The latter looks like an e-mail vector clickworm. Good thing you
> didn't run it.
>

From: "Scott" <scott@adelphia.net>

| Why?

| Scott
| Los Angeles

If it is malicious you may infect others.

Always obfuscate possibly malicious URLs such that they are no longer clickable.

Such as...
h**p://rapidshare.com/files/203380183/load_m3_01.exe
and
hxxp://rapidshare.com/files/203380183/load_m3_01.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp