Invision board virus
April 13, 2006 7:14 PM

How can I safely visit a web forum to see if the virus that infected it is gone?

A forum I visit daily (which is running the latest version of Invision Power Board) keeps getting infected with a virus. (Someone is "hacking" it - their other tricks have been changing the forum name and putting up anti-American, pro-Turkey and pro-Iraq info.) I'm using Firefox 1.5, and it keeps asking me to open xps.wmf (I'm positive of the extension, not so of the file name - xps or xpl I think) and apparently I don't have the right plugin installed. (I get the Missing Plugin bar before I click Cancel.) I can still load forum pages but it takes 3-4 minutes and freezes Firefox several times.

I'm fully up-to-date with Firefox and Windows XP and AVG Free; however, I'm running AVG right now and it detected a virus. (It's still scanning.)

Firstly, how can I safely check the forum to make sure the virus is gone? I Googled for text-only browsers and Lynx came up, but it said I couldn't view the site unless it explicitly allowed it. Is there another browser I could use, or what all should I turn off in Firefox besides Java?

Secondly, I'm tempted to go back to Norton Antivirus. It always pops up with a virus warning... unless I'm mistaken, AVG just ignored it until I actively scanned my hard drive. I know PC World recently rated AVG as one of the lowest-ranking of the free virus scanners. (This is from memory of an article I read that compared them.) Should I switch back?
posted by IndigoRain to Computers & Internet (12 answers total)
You could use VMWare Player, which is free, with one of their Linux images. VMWare Player lets you run another operating system inside your own, so even if it's hacked, it's isolated from your main system. If you set the virtual disk to be 'non-persistent' -- that is, any changes that are made go away when you exit VMWare Player -- you should be able to browse anywhere with a high degree of safety.

Note that this is not _perfect_. If the Linux machine is hacked (itself very hard, if you keep up on your patches), someone who is really, really good, and actively paying attention to you, could potentially break out of a VMWare machine into your main computer. But that's quite difficult, and would take personal attention... there are no automated tools to do this, as far as I know. The vast majority of bad guys out there are running automated tools.

And Linux is _really_ hard to crack to begin with. Just keep up on your patches... you have to patch/update a virtual machine the same as a real one. (remember to set it in regular disk mode when you're updating: go back to non-persistent when you're browsing.)

If you really get into the VMWare thing, the beta product VMWare Server is also free, and lets you install/create your own virtual machines. Player will only let you use machines that other people have made for you.
posted by Malor at 7:23 PM on April 13, 2006

The WMF exploit shouldn't be a problem with a properly updated version of WinXP. It wasn't that serious a problem if you were using Firefox anyway; Firefox won't attempt to display WMF automatically, so you'd have to download the file when prompted, then open it with a vulnerable application to get infected. The vulnerabilities within MS's own software (which is what most if not all applications use to display WMF) have long since been patched.

If you give the address, assuming it's public, I'd be happy to visit and report back.
posted by TimeFactor at 7:30 PM on April 13, 2006

There you go - the webmaster goes by the name of Comtesse.
posted by IndigoRain at 7:44 PM on April 13, 2006

Metafilter was down last night, the forum in question is down this morning, so I haven't been able to check.

What has AVG found on your system?
posted by TimeFactor at 4:09 AM on April 14, 2006

Boot from a Knoppix cd, and visit the site safely. Well worth having a Knoppix cd available anyway. It's very useful for troubleshooting.
posted by theora55 at 5:44 AM on April 14, 2006

If you know of some text string that identifies the virus, you could wget the site and do a text search on it.
posted by sonofsamiam at 5:57 AM on April 14, 2006

I just visited with Firefox and XP Tablet Edition and Firefox froze, and I got some Java/DirectShow errors. I had to kill the process. Weird, as I just used Sam Spade to browse the site and the source shows nothing relatively dangerous. I say wait a few days, and don't download any WMF files.
posted by Mach5 at 9:38 AM on April 14, 2006

If you're using Mozilla or Firefox, you could always download the AdBlock extension (which is great to have in any case) and set one of the filters to *.wmf. The browser shouldn't even attempt to download the files afterward.
posted by Danelope at 10:02 AM on April 14, 2006

Yup. The site's infected. There's an iframe on the forum main page whose source is a page which itself has iframes. One of those iframes loads a page which deliberately and maliciously tries to sneak an infected file, xpl.wmf, onto visitors by encoding the binary as text in the page source and then using javascript to decode (which is why it seems to freeze - the decoding bogs down the browser). When the decoding finishes, Firefox prompts you to download the file. I scanned the file with AVG Free Edition once I downloaded it and AVG IDs it as WMF exploit. (I don't have AVG set up to scan continuously and automatically so I don't know if it might have caught it earlier if so configured).

The question that remains to be answered is how this ended up on the forum main page.

Here's the (slightly obfuscated) src for the main page iframe: www*doubleh*fr/audio/index*htm
here's the src on that page that tries to infect:
posted by TimeFactor at 10:11 AM on April 14, 2006
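An added example, not code from any poster in this thread: a small Python script that does offline what TimeFactor did by hand and what sonofsamiam suggested (fetch the page, then search the text). It parses a saved copy of the forum page and flags the three signs described above: an iframe that is 1x1 or CSS-hidden (or points off-site), any reference to a .wmf file, and a script that carries a long encoded run together with a client-side decode call. The sample pages, the hostnames in them and the "forum.example" site name are constructed placeholders, not the sources named in the thread; the detection thresholds (400 characters for a blob) are assumptions.

```python
"""Offline scan of a saved forum page for the injection pattern described in
this thread: a hidden 1x1 iframe, a .wmf file reference, and a script that
carries a long encoded blob and decodes it in the browser.

Added example for this thread, not code from any poster. The sample pages are
constructed; their hostnames are placeholders, not the sources named above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for a width/height of 1px or less (0, 0px, 1, 1px)."""
    try:
        return int(str(value).strip("px% ")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """1x1 / 0x0 frames or CSS-hidden frames: the usual injection pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((_tiny(attrs.get("width")) and _tiny(attrs.get("height")))
            or "display:none" in style or "visibility:hidden" in style)


# Heuristics (assumed thresholds): a .wmf reference, a long run of encoded
# characters, and the JavaScript calls typically used to turn it back into bytes.
WMF_RE = re.compile(r"[\w./:-]+\.wmf\b", re.I)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=%]{400,}")
DECODE_RE = re.compile(r"\b(unescape|fromCharCode|atob|eval)\s*\(", re.I)


def scan_page(html, page_host):
    """Return (kind, detail, reason) findings for one page's HTML."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src") or ""
        host = urlparse(src).netloc.lower()
        offsite = bool(host) and host != page_host.lower()
        if is_hidden(frame):
            findings.append(("iframe", src, "hidden"))
        elif offsite:
            findings.append(("iframe", src, "offsite"))
    for match in WMF_RE.finditer(html):
        findings.append(("wmf", match.group(0), "file reference"))
    if BLOB_RE.search(html) and DECODE_RE.search(html):
        findings.append(("blob", "script", "long encoded run plus client-side decode"))
    return findings


# Constructed sample: what an injected forum index might look like.
_BLOB = "%41" * 150  # stand-in for a page-embedded encoded payload
SAMPLE_PAGE = (
    "<html><body><h1>Forum index</h1>\n"
    '<iframe src="http://bad-host.example/audio/index.htm" width="1" height="1"></iframe>\n'
    '<script>var fname = "xpl.wmf"; var d = "' + _BLOB + '";\n'
    "document.write(unescape(d));</script>\n"
    "</body></html>"
)
# Constructed clean page: an ordinary same-site, visible frame.
CLEAN_PAGE = ('<html><body><iframe src="/forum/ad.html" width="300" '
              'height="250"></iframe></body></html>')

if __name__ == "__main__":
    # Scan a saved copy (e.g. from wget -O page.html) or the built-in sample.
    import sys
    html = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAGE
    for kind, detail, reason in scan_page(html, "forum.example"):
        print(f"{kind:6} {reason:40} {detail}")
```

Run it against a copy saved with wget rather than in a browser, so nothing on the page executes; on the constructed sample it reports the hidden off-site iframe, the xpl.wmf reference and the encoded blob, and nothing on the clean page. Off-site iframes alone are only a hint (ad networks use them too), which is why they are reported with a separate reason rather than treated as proof.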

Also block, as it is a 1x1 pixel IFRAME embedded in the page, which not only launches the WMF download but also contains four 1x1 pixel IFRAMEs, all of which are part of some spam farm nightmare and likely the cause of the freezing.
posted by Danelope at 10:12 AM on April 14, 2006

BTW, Firefox 1.5.01, Win2Ksp4. And I didn't get infected.
posted by TimeFactor at 10:13 AM on April 14, 2006

I already have Adblock Plus - thank you, I've blocked that now.

The webmaster's disabled the forums for now. I have no idea how the "hackers" are doing it - if they're guessing a password or using some Invision exploit. They're also using the board's mass e-mail feature to send spam out to the members with a link to traff4all.

Unfortunately I already deleted whatever AVG found, so I don't have it anymore... I should have written it down.

Thanks everyone.
posted by IndigoRain at 11:06 PM on April 14, 2006
