If you frequent any JP sites (such as PhotoII looking for any interesting FFXI screenshots posted) be careful what you click on. There's a trojan going around right now (circulating JP sites) in the forum of a simple Hyperlink to a couple of websites that people are just posting on these forums etc.

The website downloads a program to your computer using a bit of Javascript and a flaw in the windows help system that allows it to execute code. It download and runs a "SVCHOST.EXE" to your system, which will grab your POL ID and Password next time you log in. It's not a Key logger, it doesn't need to wait for you to type it in, it just needs you to run POL.

About 50 accounts are supposedly confirmed to be stolen by this now. The IP addresses of the sites hosting the Trojan are supposedly Chinese. Few sites known to install the trojan:

www-japan213-com
www-1102213-com
ff11-free-sakura-ne-jpi/nove/00-00.html
homepage3-nifty-com/~ffxi/Shield.html

Probably a ton more, those are just sites confirmed to do it if you visit them.

The following HEX view of the trojan executable seems to show that the program reads your login information from a temporary file in the PlayOnline Viewer folder that stores your ID and Password. It then opens what appears to be a simple ASP page that sends the author your details.



The executable shows the ASP page being stored on the domain above, so the best thing to do right now would be to block that domain on your firewall. If somehow you got infected, hopefully it wouldn't be able to get through. Dots were replaced by dashes so hopefully nobody accidentally follows the link somehow. Block this:

www-japan213-com = 211-100-26-182

Note: "SVCHOST.EXE" is also the name of the Windows Service Host, and most (if not all) Firewalls will allow it access to the Internet by default. So don't expect your Firewall to trap it. It might do so, but don't give it the chance.

Decided to try to Telnet to that server to see what happens, lol.



Yeah, definately a trojan there, lol. If you're gonna be curious like me, make sure you know what the heck you're doing.

thanks a lot for the warning ketrebu! never look at JP sites but perhaps one day by accident you may stumble upon a link or somthing. I just configed my firewall to block that site.

_________________
LV75 Dark Knight LV75 Black Mage 75 Warrior
SJ: THF53 NIN40 RDM37 WHM37 SAM41


OO_SKYLINE_OO

sooo yea... how do you get your firewall to block it? haha

<< doesnt know shit about PCs

Thanks for the heads up ket. Gonna avoid going on any FFXI sites with my FFXI computer.

Ill just use my laptop for all my browsing.


if anyone finds a site list it here so we know to avoid it.

_________________
COBRA KAI DOJO NEVER DIES
RIP Shiloh

if you have norton 2005 just click the firewall tab and select config. then click on the Network tab and click restricted then click add then just enter the IP or site. not very complicated

_________________
LV75 Dark Knight LV75 Black Mage 75 Warrior
SJ: THF53 NIN40 RDM37 WHM37 SAM41


OO_SKYLINE_OO

lol my anti-virus had already got this virus protected from last month and its never found that virus yet so I got lucky.

_________________
PS3 Friend list name: Pantherxx Wii code 1629-0463-4657-0263 (revised 9/28/07) Steam ID - Pantherxx010 62BLU 75PLD Reactived 7/5/10 I dare you Click this!

Thus the NA Onry movement was started!

_________________

o_o The product of MNK73/THF25

http://ffxi.allakhazam.com/profile.xml?72267