Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
My Trojan Killer scan last night found 6 trojans missed by Norton Internet Security, Malwarebytes..
They are all paid versions I bought since my horrible browser hijacking in Feb 2014 on my new computer.
I run Trojan Killer each evening, and very glad I did.
Norton is notoriously bad with trojans, but I was surprised that Malwarebytes missed them.
They were Trojan.U.Gamburl and Trojan.U.BlacolerRef
I looked them up and they can come from a legitimate website.
We’re seeing plenty of reports for a JavaScript redirector malware family that we call Gamburl; previous reports have called it Gumblar or Redir.
These attacks seem to be coming from legitimate Web sites with pages that have been modified to contain this malicious script. So even if you’re visiting a Web site that you trust, there’s still the possibility that you may be a victim of these so-called “drive-by attacks”.
When a user visits a site containing a Gamburl script, the browser will be redirected to a specific Web site that contains a slew of exploits and other malware. As of this writing, Gamburl is known to redirect to the following Web sites:
gumblar.cn
martuz .cn
Once connected to the above sites, Gamburl tries to download other malware into the system. From what we have observed, these malware are mostly backdoors, PDF and Shockwave exploits. However, some of the observed downloaded malware are variants of the Win32/Daonol family. Examples of MD5 of Daonol seen are 7de29e5e10adc5d90296785c89aeabce and 2131112053ed144c46277b9024bcf39f. Daonol trojans are capable of preventing access to security Web sites, and redirecting searches to sites hosting other malware. Daonol is also capable of stealing information, such as FTP credentials, and placing the information in a file in the Windows system folder called sqlsodbc.chm. Note that a file named sqlsodbc.chm exists by default when you install Windows, and so is overwritten if your system has been infected by Daonol. This may be a symptom of Gamburl/Daonol infection. In case you suspect infection, you might want to check the list of some the unique hashes and file size of a clean sqlsodbc.chm.
http://blogs.technet.com/b/mmpc/archive/2009/05/27/gamburl-gone-wild.aspx
9 replies
= new reply since forum marked as read
= new reply since forum marked as read
