It's going to be one of those days...

Problems at Yahoo:
My.yahoo downloading trojans?
I go to my Yahoo home page and my virus protection states that a trojan program is trying to be loaded

my.yahoo.com lets you add your own personalised content to your home page, so it is going to be extremely difficult to work out what was causing the problem.

The dangerous URL discovered by the Yahoo user, plgou.com/csrss/.... (please don't go to that site), downloads a file called rondll32.exe, saving it to the victim's machine as "msyahoo.exe". msyahoo.exe is then run to compromise the victim's computer.

yahoo.htm is not the only bad page at that domain; there are also htm.htm, flash.htm, 06014.html, office.htm and ksx.htm.

flash.htm reveals dangerous iframes pointing to i1.html and f2.html.

06014.html has a link back to Microsoft Help and Support, and a JavaScript 'back' link (history.back(1)).

office.htm is more complicated, revealing malicious files (wsv.exe and thunder.exe) that are copied to the victim's machine. The page tries to take advantage of the ActiveX exploit affecting the Snapshot Viewer Control.

The deeper we dig, the more we find.

 

Problems at CNET:
CNET Networks site compromise

At the time of writing the site was still compromised. Don't go there.

Comments

# re: It's going to be one of those days...

Thursday, August 07, 2008 3:37 AM by Gayle

I have the same problem today, and I haven't been to that site

# re: It's going to be one of those days...

Friday, August 08, 2008 7:00 PM by Hane Carlson

The Shield Deluxe caught this item at the site above -

"detected: Trojan program Backdoor.Win32.Small.flb"

at URL:

plgou.com/csrss/rondll32.exe//PE_Patch//UPack"

It is one of those awful days.

hc