For Neopets ONLY discussion.
Topic locked

Trojans on Neopets.com

Sat Sep 02, 2006 7:12 pm

Same two exploits as a week ago (August 26-27). Virus called value[1].wmf and a trojan downloader called bl4ck.com so beware folks.

I believe last week Neopets was temporarily blacklisted in Australia by some ISPs for the same reasons.

All were at least localized to Temp and Temporary Internet Files folders.

AVG Free catches both every time, but it becomes tedious trying to use the site with such constantly popping up at me even after quarantining.

Today I got something more at the Healing Springs. Now that's not good. Especially since that ad alone should not be there at all, ever. :roll:

Image

I have sent Neopets a report over it, and hope they resolve this soon!
Last edited by anjuna on Sat Sep 09, 2006 8:42 am, edited 4 times in total.

Sat Sep 02, 2006 7:30 pm

Um, what? I get those errors occasionally on Wikipedia, and I'm sure they're not infected with anything (and I'm sure I'm not).

Sat Sep 02, 2006 7:39 pm

If you are getting a virus called value[1].wmf and a trojan downloader called bl4ck.com from any Internet site, I suggest you rid yourself of it.

The infections are easily cleared, but they come back every other Neopets page so I just stopped playing for the day, unfortunately just before I had to feed my pets. If you are not affected by the infections, that's great! :)

I know for a fact last week I got the exact same two exploits from neo plus an 'adrun'. I don't know what the Healing Springs exploit is all about.

But I'd rather be safe than sorry. Beyond that it is unacceptable for Neopets to allow this on their servers so I am boycotting them for now.

Sat Sep 02, 2006 7:40 pm

http://www.microsoft.com/technet/securi ... 6-001.mspx

Sat Sep 02, 2006 8:30 pm

By the way, AySz88, it was not the error per se. Well it was, since the page just should have loaded to an uninfected Healing Springs page. Check the bottom pane of "coordinates" (m: (465,465) r: (0,0,728,300) + fcxs (normal, -10,-15)) where the URL information appears when loading. Plus, as I said there should never and especially *only* load just an ad that would not normally be on the Healing Springs page (I block the banner with a stylesheet). It appears oversized even for a neo-banner.

Sun Sep 03, 2006 7:23 am

This is completely off topic and waaaay creepy of me, but you and I live in the same city. :o

Re: Neopets.com Infected (Again)

Sun Sep 03, 2006 2:03 pm

anjuna wrote: Same two exploits as a week ago (August 26-27). Virus called value[1].wmf and a trojan downloader called bl4ck.com so beware folks.

I believe last week Neopets was temporarily blacklisted in Australia by some ISPs for the same reasons.

All were at least localized to Temp and Temporary Internet Files folders.

AVG Free catches both every time, but it becomes tedious trying to use the site with such constantly popping up at me even after quarantining.

Today I got something more at the Healing Springs. Now that's not good. Especially since that ad alone should not be there at all, ever. :roll:

Image

I have sent Neopets a report over it, and hope they resolve this soon!


ImageShack hates me and won't let me see the full-sized image. What does the error message actually say (or even better, the offending banner)?

Sun Sep 03, 2006 6:05 pm

varii, but I live in Santa Cruz, not Roo Island, lol. ;) That is cool though.

Officer 1BDI, the "error" was just being unable to load the Healing Springs and so operation aborted, but with creepy "coordinates" trying to load.

m: (465,465) r: (0,0,728,300) + fcxs (normal, -10,-15)

The ad is some stupid thing that says I won their hourly prize (yay adware from Neopets!) :roll: and to click to claim it right away.

I will try that patch allnameswereout posted, and hope that doesn't make my system more unstable. :P But it is also Neopets' responsibility to keep their servers clean, too. I hope this is not going to be a regular weekly thing (and only on the weekends) 'cause that would really suck.

Mon Sep 04, 2006 2:00 am

Oh, yeah, I got that today too... quite annoying. ;)

Mon Sep 04, 2006 12:26 pm

So this thing is coming from the ads, right?

If we were to block the ads using the neat little feature Firefox has, then we'd be safe? :roll:

At least that's what I got from various sources and topics about this, so I hope I'm safe as long as I use Firefox for Neopets. :P

Mon Sep 04, 2006 12:49 pm

I don't know if it comes from the ads or the page, I'm not going there at all. Can't you get frozen for blocking ads?
I thought I saw that in a thread here, or in an editorial or something.

Mon Sep 04, 2006 1:28 pm

Hm, really?

That's a bit odd, considering I didn't think they could ...find out. O.o

Mon Sep 04, 2006 4:33 pm

It is a trojan, possibly from ads, but Neopets better straighten up their act.

It is allowed through a hole in Trident (the engine for IE) but so long as you use Windows and have IE on your system, you are not totally safe.

Using FF or Orca (with the Gecko engine) is probably safe but not the preferred choice for all users, obviously. There is a patch from Microsoft.

But to tell you the truth I won't update my anything without a darn good reason, as usually security updates make my system even more unstable.

AVG catches it every time, but if others are still getting it that is very bad.

PS -- I believe it is totally legal to block ads, but if you are already using FF your Gecko engine probably does not have that security hole anyway.

Mon Sep 04, 2006 5:35 pm

I posted here a couple months ago about that same trojan and people were acting like I made it up or something! It's been there a loooong time and no one has ever emailed me from neopets saying they did anything about it either. I haven't had it once while using Firefox, only when I forget and try to use IE.

To the person who said they got that same message while on Wikipedia, don't be daft. A trojan is a trojan. Clean your machine.

On Wiki anyone can post anything, which is one of the flaws of the system. I'm sure it's not the company giving you a trojan. But, seriously, why would you just ignore a message like that?

Mon Sep 04, 2006 9:37 pm

Wikipedia is not a company; it's a non-profit organisation. Their spending is covered by generous donations. Wikipedia does not contain ads (afaik, last time I checked; I block ads).

I remember from a Neopets editorial it is ok to block ads.

So is that stuff with the coordinates JavaScript? Then I have a theory that there is something (e.g. button, URL, picture using WMF exploit) which is not genuine overlapping something else which IS genuine (e.g. a Healing Springs button). When you click on the latter, which seems innocent, you actually click on the former, which the JavaScript arranges. This is a known, IIRC former hole in several browsers fixed in recent ones. It'd mean there's 2 holes combined.

Perhaps someone could post the code when you are about to be infected and your AV catches it. Just do 'view source' in IE when it occurs. I'm sure brilliant web designers can decrypt it; we only need 1 to read this topic ;)