Viewing 4 posts - 1 through 4 (of 4 total)
  • MediaWorks Friend
    #124633

    Three days ago I posted the following virus warning at the joomla.org forum:

    Surfing around I entered the site studentsdesign.de.
    Pay attention! The redirect file go.html (pointing to JoomlaMarket) contains a Trojan Downloader!
    The only Antivirus that intercepts it is AVG.

    This virus has been identified as a JS/Downloader.Agent. It’s a Trojan Horse that downloads malicious files from Web sites and executes them. The heuristic was not set, it was simply intercepted and recognized as an infection.
    The first time I entered the page I was redirected to JoomlaMarket.de, then to StudentsDesign.de. The agent was on both redirections. I did a search on whois.de but the owner of the domain is hidden.
    Later I tried to log in again (always at joomla.org forum): after a few minutes my IP was attacked by a process that was taking full control of my computer, so that I had to force the shutdown. It created a bunch of files in my Temporary Internet Folder. AVG was identifying some of them as potentially dangerous but was not able to delete them. I could delete the temporary files only by restarting the computer in safe mode.
    AVG intercepted it as a JS/Psyme virus, coming from an external site: vertuslkj.com/check.
    As supposed and posted in joomla.org forum, the origin of this attack is in Germany. Please note the fake Admin-C email address and telephone number (just a sequence of 2-3-4-5-6-7-8-9).

    Registration Service Provided By: VIVIDS MEDIA GMBH
    Contact: +49.3094413291
    Domain Name: VERTUSLKJ.COM
    Registrant:
    N/A
    John Kembler (sflgjlkj45@yahoo.com)
    1234 Donal Road
    Eustis
    3523,32725
    US
    Tel. +001.234567898
    Creation Date: 21-Nov-2007
    Expiration Date: 21-Nov-2008
    Domain servers in listed order:
    ns1.crewsins.com
    ns2.crewsins.com
    ns1.findserdrt.com
    ns2.findserdrt.com
    Administrative Contact:
    N/A
    John Kembler (sflgjlkj45@yahoo.com)
    1234 Donal Road
    Eustis
    3523,32725
    US
    Tel. +001.234567898
    Technical Contact:
    N/A
    John Kembler (sflgjlkj45@yahoo.com)
    1234 Donal Road
    Eustis
    3523,32725
    US
    Tel. +001.234567898
    Billing Contact:
    N/A
    John Kembler (sflgjlkj45@yahoo.com)
    1234 Donal Road
    Eustis
    3523,32725
    US
    Tel. +001.234567898

    P.S.: I didn’t and don’t have any kind of problems remaining connected for weeks and visiting hundreds of other sites.


    1. psyme
    2. virusreport
    MediaWorks Friend
    #235312

    I spoke with a Joomla.org administrator. There was a problem with Psyme virus at joomla.org, as you can read at http://forum.joomla.org/index.php/topic,245506.0.html (that links back to my posts).
    The fact that Psyme was acting in a very similar way as the JS/Downloader.Agent at StudentsDesign.de made me think that there was the same hand behind this virus, also because, as you can read, one of the origins of this Psyme virus is physically in Germany.
    Anyway there is no conflict with Joomla.org staff, everything has been cleared.

    Michael Casha Friend
    #235318

    Thanks for the update, MediaWorks. I would also like to mention that neither JoomlArt nor any of its services were affected by this issue.

    MediaWorks Friend
    #235333

    It seems that the problem could be with some Google Ads randomly visualized at studentsdesign.de and joomla.org forum, as referred at:
    http://www.news.com.au/technology/story/0,25642,22959118-5014111,00.html
    Now the problem should have been solved by Google (after having caused worldwide problems to users and webmasters).


This topic contains 4 replies, has 2 voices, and was last updated by  MediaWorks 16 years, 11 months ago.
