Virus Warning: UO Player Tracker


Ravynmagi
02-07-2001, 10:40 PM
Thanks for the warning.

Ravynmagi
Ravynmagic.com (http://ravynmagic.com)
http://ravynmagic.com/images/ravyn9b.jpg

Southern
02-07-2001, 10:48 PM
Thanks for deleting that thread, Ravyn.. Hopefully no one will be infected by it. [sigh]

Southern
Proprietor, South's Maps & Market (http://souths-market.netfirms.com)
Great Lakes
Eye yam aye tru beeleever inn hour edukashun sistum

McAlghenny
02-07-2001, 10:56 PM
http://boards.stratics.com/cgi-bin/forum/uo/showflat.pl?Cat=&Board=uo3d&Number=1207808&page=0&view=collapsed&sb=5&part=1&vc=1

She's here and at it again.

I've already posted the alert there.

-Mac

---------------------------------------
McAlghenny, Recruit Warrior [WOS]
Angus, Miner/Smith/Tinker
Armstrong, Mule
Napa Valley

pipuis
02-07-2001, 10:58 PM
You may want to look at the other forums; I think it is showing up on all the boards, if this is the same one.

"Not all who Wander are Lost" JRR Tolkien

Ingesticide
02-07-2001, 11:05 PM
No Text

http://home.earthlink.net/~ingesticide/sig.gif
"We live on a placid island of ignorance in the midst of black seas of infinity,
and it was not meant that we should voyage far." -H.P. Lovecraft

Owen Lighthood
02-07-2001, 11:18 PM
It's not there anymore.

Owen Lighthood - Moderator!
http://www.scalisemeats.com/lecter.jpg
"A troll once tried to spam my forums.
I ate his liver with some fava beans and a nice chianti. . ."

Succabus
02-07-2001, 11:23 PM
wow, thanks for the timely warning!

http://www.area666.com/graphic/succabus01.jpg

Southern
02-07-2001, 11:35 PM
All --

While visiting CoB a few minutes ago, I noticed someone named "Leanne" posted a message about a new utility available called "UO Player Tracker".

Me, being the suspicious person I am, followed the link and grabbed the file to check it for possible infection(s)..

And whaddya know, the program is infected with the BackDoor.SubSeven Virus.

If you have downloaded this program from a message you've seen somewhere else, *immediately* head over to McAfee.Com's virus clinic and read the following information:

http://vil.mcafee.com/dispVirus.asp?virus_k=10171&

It contains detailed information on how to remove this trojan from your system.

Now I need to figure out where to send this link to in order for something to be *DONE* about it.. [sigh]

Southern
Proprietor, South's Maps & Market (http://souths-market.netfirms.com)
Great Lakes
Eye yam aye tru beeleever inn hour edukashun sistum

Southern
02-07-2001, 11:35 PM
Followup Information about this Trojan:

After installing it on my test machine, it has made the following modifications:

in C:\WINDOWS\WIN.INI, it added the string:
run=bkqvjturlon.exe

It also added the BKQVJTURLON.EXE file to my C:\WINDOWS directory.

It ALSO added the *.EXE file to my Registry, under the HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RUN section. *sigh*

And again to the registry under HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices.

*still looking...*

in my C:\WINDOWS\SYSTEM.INI, it's added the line:

shell=Explorer.exe bkqvjturlon.exe

Back to the Registry again.. This time under:
HKey_Classes_ROOT\exefile\shell\open\command

it added the string:
\nmeusxj.exe %1 %*

ALL of this will need to be cleaned.. and the information from McAfee.Com will only be a starting point.

Again, the McAfee page that will show you how to get rid of most of this infection is located at:

http://vil.mcafee.com/dispVirus.asp?virus_k=10171&

Southern
Proprietor, South's Maps & Market (http://souths-market.netfirms.com)
Great Lakes
Eye yam aye tru beeleever inn hour edukashun sistum
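
The startup locations listed in the post above (the WIN.INI `run=` line, the SYSTEM.INI `shell=` line, the Run and RunServices keys, and the exefile open command) can be checked mechanically. The following Python is an added example, not part of the original post; the sample inputs are constructed from the values the post reports, the value name `ExampleValue` is made up, and the `[windows]`/`[boot]` section names, the `load=` key and the stock `"%1" %*` handler are standard Windows details the post does not state.

```python
# Added example. All inputs below are constructed from the changes the post lists.
WIN_INI = "[windows]\nload=\nrun=bkqvjturlon.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe bkqvjturlon.exe\nsystem.drv=system.drv\n"
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
REGISTRY = {  # (key, value name) -> data; "ExampleValue" is a made-up value name
    (RUN, "ExampleValue"): "bkqvjturlon.exe",
    (RUN + "Services", "ExampleValue"): "bkqvjturlon.exe",
    (EXEFILE, "(Default)"): r"\nmeusxj.exe %1 %*",
}
EXE_DEFAULT = '"%1" %*'  # stock handler: run the clicked .exe itself


def ini_value(text, section, key):
    """Return key's value inside [section] (case-insensitive), or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                return value.strip()
    return None


def audit(win_ini, system_ini, registry):
    """Return (location, name, data) tuples that need a manual look."""
    findings = []
    for key in ("run", "load"):  # both start programs at Windows startup
        value = ini_value(win_ini, "windows", key)
        if value:
            findings.append(("win.ini", key, value))
    shell = ini_value(system_ini, "boot", "shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(("system.ini", "shell", shell))  # extra program after Explorer
    for (key, name), data in registry.items():
        low = key.lower()
        if low.endswith(r"\exefile\shell\open\command"):
            if data.strip() != EXE_DEFAULT:
                findings.append((key, name, data))  # every .exe launch goes through this
        elif low.endswith((r"\currentversion\run", r"\currentversion\runservices")):
            findings.append((key, name, data))  # autostart entry: verify each one
    return findings


if __name__ == "__main__":
    for finding in audit(WIN_INI, SYSTEM_INI, REGISTRY):
        print(finding)
```

The exefile entry matters most during cleanup: while it still points at the trojan's program, deleting that file first leaves Windows unable to launch any .exe, so the command should be restored to the default before the file is removed.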

Kered.
02-08-2001, 12:03 AM
Let's keep bumping this one. Thanks for the helpful information.

02-08-2001, 12:11 AM
...

Hell that's why it's the only Stratics forum that I can load even with DSL with any speed whatsoever. However kudos to Southern for stickying the post...

Now if we can only get them to limit the number of posts per thread... then the boards might actually load :D

Note: If you want an example in extreme pain, try loading the Fisherman's Forum expanded

Thanks to EVERYONE who kept the Floortiles idea alive!

shadowspirit
02-08-2001, 12:33 AM
They have even tried posting on tradespot and a few other boards trying to get people to download it

http://www.geocities.com/thegreatfisher/sig.jpg

Troy McClure
02-08-2001, 01:18 AM
Wow thanks! I've had SubSeven v. 1.2 on my comp for about a month now, just haven't bothered to deal with it... maybe I can get rid of it now! *hic*

Yeah yeah, a full month. blah blah blah. I'm lazy okay? get over it!(besides, it's mostly dormant and Norton has been telling me it's not doing anything subservient)

pH34r mY L33t rP sK!LLz!!
http://www.angelfire.com/ga/erebus/muffinstratics.jpg

*gives you a hug*

imported_Wulfgar
02-08-2001, 01:37 AM
what is with this recent rash of hacker/virii attacks? very very odd...apparently there too many people with too much time on their hands =>

http://www.geocities.com/pixeleys/wulfgarsig.jpg

Chamberzord
02-08-2001, 02:16 AM
"apparently there too many people with too much time on their hands"

hmmmm

Definitely a http://www.geocities.com/perfectcircle_sonoma/eyeanim.gif Walking Contradiction

02-08-2001, 02:26 AM
I don't want to know what happens if some of us old-timers would get hacked and our houses transferred.... lots and lots of money gone (houses, rares, high end weaps/armor...).


No signature is a good signature.

Midnite
02-08-2001, 07:40 AM
I am unable to post through my office. But I can read all I want. I saw the post and was reading the fact sheet on the program. It was too good to be true. I figured something was fishy about the whole thing.

Middy

- Yes, you were looted - Take a deep breath - Don't call a GM it's part of the game - Re-equip - and have a great day!

Lothian Of EYIF
02-08-2001, 10:59 AM
This program was originally called UO Plugin 5.0. I guess it's some kind of trojan horse.

http://www.uo-underground.com/images/banners/banner-uou-loth.gif (http://www.uo-underground.com)

Grieven
02-08-2001, 09:24 PM
Southern, I once heard the FBI takes these cases :)
maybe they were infected one too many times...
also! I have a friend that was a F'n genius with comps. I mean the guy knew everything, MS certified, and was 16 *giving* college course lessons... need I say more? but he was busted for hacking :) gave an *butt* hole a few viruses and then shortly after was offered a job. he won't tell me where though :( but that's just my 2 cents.

http://gifs123.tripod.com/babydance.gif
Wooo Hooo! Look at'm go!

dunkking
02-09-2001, 05:47 AM
so let's just hope I don't get anything mentioned above (I don't know what the heck you guys are talking about but I think it's bad)

http://a8.g.akamaitech.net/f/8/624/12h/adimages.go.com/ad/sponsors/nba/promotional/pnba-ban0054.gif

imported_Shari
02-09-2001, 08:03 AM
Isn't there a way by looking at view source to see the ISP this person is posting from? Then you can report him/her.

I just don't understand these people. *shakes head*

Thanks for your warning. I know a little about computers but this one looks ugly to get rid of.

Garr_gl
02-10-2001, 10:21 PM
Ok, I'm such a computer newbie. How can you tell if you got something like that? I'm not even sure what one does.

aussie_[oc]
02-11-2001, 12:00 AM
ooo

02-11-2001, 08:48 AM
(Norton, McAfee, F-Prot, etc.) virus program installed on your machine, get the latest signature files (download about once a week) and keep active protection on, you'll probably never have a virus problem.

Anti-virus software also picks up on joke programs, macros, and trojans (like "Back Orifice" and "SubSeven").


---Tell me more about this Earth custom called "kissing"---

And hey, If I'm certifiable, where's my damned certificate, eh?

Raevyn
02-11-2001, 01:08 PM
I absolutely LOVE the sig Owen

DaveKay
02-13-2001, 06:16 AM
This is posted by the same guy that posted the UO Plug-in 5.0 last week. He posted all over Tradespot, and was reported with all IP addresses and links to OSI and the federal agency for online crimes (or whatever it is). Also, they said that the guy's ISP was being very cooperative in giving any information they needed to get a hold of the guy. =)

Taminjun
02-16-2001, 09:44 AM
Well, a lot of the time you can when you restart your computer, depending on how you connect to the internet.
I have a cable modem. Those and DSL lines are not compatible with the SubSeven trojan. Unless it has been updated.
When you restart the computer, sometimes a screen pops up saying "unable to initialize the modem", "cannot determine IRC port", "modem failed to connect to server", and other little warnings like that.
I recommend getting a little program that monitors internet usage (I can get a web page if you need it). It tracks all the pages you are going to and all of your internet activity, so that if someone is getting into your computer it would show that you are doing something (even though it's not you); then you know that someone is using your system.

Southern
02-16-2001, 05:33 PM
I'm going to unsticky this post this evening, so if anyone wants to save any information out of this thread (such as how to remove the trojan), please do so -- as soon as it's unsticked, it will probably automatically fly to page 15 or something. :)

http://www.geocities.com/southern100/southern.jpg
Proprietor, South's Maps & Market (http://souths-market.netfirms.com)
Great Lakes
Eye yam aye tru beeleever inn hour edukashun sistum

04-01-2003, 07:49 AM
Test

Neva Darcan
10-01-2004, 01:45 AM
I find it odd that every time I click to read this thread (And only this thread) my linksys firewall log in screen pops up.

Odd.