Megaupload Pop-ups = Potential Virus? [Help Appreciated]

[MakaAlbarn]

Whenever I download things from sites like Megaupload.com or Mediafire.com I always get pop-ups. They're in a separate window though, and I'm almost positive the pop-ups aren't just ad's from the site itself... If that makes any sense. Usually I just close them out quickly before it has time to load, and everything is fine, but that doesn't help much now. The last time I downloaded something from one of those sites, I ended up getting some 'mega-virus' (the ones that can change their name, that aren't easy to finally get rid of). Also recently, something from Megaupload that popped up was possibly some Malware/virus thing..
I don't know if this is a problem for other people or not. But I was wondering if there is anything I could do to prevent this from happening?
Sorry it's a lot.. And also I apologize if this has already been discussed.

Thanks a lot to anyone who is willing to help~!

[Adblock Plus Fan]

Megaupload.com or Mediafire.com I always get pop-ups.

For these two sites you can:
right click the link -> Save Link As...
This usually avoids any popups.

As for the virus which you may or may not have, use something like Avast or AVG or Spybot - Search & Destroy. ABP can't do anything about viruses.

[MakaAlbarn]

Megaupload.com or Mediafire.com I always get pop-ups.

For these two sites you can:
right click the link -> Save Link As...
This usually avoids any popups.

As for the virus which you may or may not have, use something like Avast or AVG or Spybot - Search & Destroy. ABP can't do anything about viruses.

The pop-up link or just the site like itself? (Sorry, new to using ABP).

And thank you very much.

ABP can't do anything about viruses.

As for that, I already knew it can't prevent the viruses and such. I have virus protection/anti-virus software, what I meant just preventing the pop-ups that have may be harmful (usuing ABP)... If that made sense, I'm probably not saying this very well. xD;;

[Adblock Plus Fan]

The pop-up link or just the site like itself?

After megaupload has finished countdown from 45, there should be a download button. You can right click this button and choose Save Link As.

[Emily]

From a friend of mine (includes a fix):

This is not a ruse, I'm absolutely 100% certain of WHAT infected me and WHERE it came from.

MegaUpload just infected me due to one of their random pop-ups!

I just got infected on my backup machine. My main machine was already protected, but the second one I don't surf with much, and it doesn't have the same levels of protection.

What happened: I hit several sites over the course of an hour, and something happened... something was working just slightly differently than before. I quickly looked inside of the c:\windows\system32 directory (sorted by date, reverse order) and lo and behold there was a damned new DLL from just minutes earlier. AVG didn't catch it.

I immediately disabled the network connection, then started to see what had gone on. Based on the Firefox history (you have to sort by LAST VISITED to see it in true time order) and what was in the Firefox cache, it could ONLY have come from a download I'd done at MegaUpload. First I got a Shockwave Flash file, then seconds later the infected DLL came in. Double checking the cache again, the only SWF file (other than all of the crap from MegaUpload itself) came from x-playing.com/spl.swf. After I'd already torched the rootkit and cleaned everything up, I download a fresh copy of that file direct from x-playing.com. It exactly matches the Shockwave file in my cache that hit me seconds before the virus did, so that certainly was the trojan downloader.

Jotti's malware scan doesn't see anything wrong with the SWF file, but that's just because I'm the first one to track it down and report it. I'll be submitting a full virus report to any of the vendors that will accept it. Jotti DOES recognize the trojan (Vundo.H and a bunch of other names), and the trojan pulled the standard trick of making multiple copies of itself with different names and changing the file contents so a CRC check fails.



Eventually, all of the vendors will catch this piece of shit AND it's SWF loader, but

IN THE MEANTIME, if you EVER use MegaUpload for downloading, DO THE FOLLOWING:

There's a Windows file just called 'hosts' (no extension) that you can use to utterly block access to any domain. It's located in either:
C:\Windows\system32\drivers\etc\hosts
or
C:\Winnt\system32\drivers\etc\hosts

Open it up with Wordpad or another pure text editor. You'll see something that begins like this:

Code: Select all

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Immediately after that last line, add this:

Code: Select all

127.0.0.1  x-playing.com

Make sure there are 2 or more spaces between the 127.0.0.1 and the domain you want to block (x-playing.com in this case)

What did I just do? HOSTS is an old file that tells Windows where certain host names are located in the Internet. When Windows goes to resolve a host/domain name, it first checks to see if it already knows about it in the HOSTS file. If it does, it goes to the associated address. 127.0.0.1 is called a LOOPBACK address... it means "don't go anywhere".

I already had that line included in the HOSTS file on my main machine, 'cos I hate the stinkin' pop-ups that some of the cheezy file sharing services use. I block the content for every damned one I come across. If you want the same level of CRAP PROTECTION, add ALL of these to your HOSTS file:

Code: Select all

127.0.0.1       syndication.exoclick.com
127.0.0.1       www.adtology3.com
127.0.0.1       pagead2.googlesyndication.com
127.0.0.1       landing.etology.com
127.0.0.1       adultfriendfinder.com
127.0.0.1       passion.com
127.0.0.1       www.google-analytics.com
127.0.0.1       www.sponsorads.de
127.0.0.1       login.tracking101.com
127.0.0.1       www.cams.com
127.0.0.1       www.megavideo.com
127.0.0.1       www.sexmission.us
127.0.0.1       iscoolmovies.com
127.0.0.1       bin-layer.de
127.0.0.1       www.usenext.de
127.0.0.1       www.flirt-fever.de
127.0.0.1       www.myfreecams.com
127.0.0.1       adson.awempire.com
127.0.0.1       www.sedoparking.com
127.0.0.1       www.livejasmin.com
127.0.0.1       getmyvideonow.com
127.0.0.1       www.besthqmovies.com
127.0.0.1       cams.com
127.0.0.1       www.mit-iqexam.com
127.0.0.1       us.myfuntext.com
127.0.0.1       www.free-hd-divx.com
127.0.0.1       www.fulltiltpoker.com
127.0.0.1       x-playing.com
127.0.0.1       www.marketgid.com
127.0.0.1       www.desktopsmiley.com
127.0.0.1       showing.com

EDIT: here's a couple of other ad sites that hit within seconds of the one that downloaded the SWF loader. Add these into your HOSTS file as well, as they may be involved in the infection:

Code: Select all

127.0.0.1  s.megaclick.com
127.0.0.1  magistrare.com

You can add as many as you want, but when you get over about a thousand entries, Windows *might* slow down a little. If you get over ten thousand entries, ALL accesses to the Internet will slow down. Keep it short, and only block the really crap sites with the HOSTS file.

Lemme know if you have trouble. Oh, and ONLY open the HOSTS file with Notepad, Wordpad or another file that WILL NOT ADD any strange document formatting. MS Word frequently tries to be 'helpful' and will save a pure text file in Word DOC format, and that will thoroughly fuck up your HOSTS file.


If you've already been hit by this one, Malwarebytes Anti-Malware (a free download) will clean it up properly.
http://www.malwarebytes.org/mbam.php
scroll all the way down to get the latest updates file, or use this link:
http://www.gt500.org/malwarebytes/database.jsp

[p2u]

MegaUpload just infected me due to one of their random pop-ups!
...
There's a Windows file just called 'hosts' (no extension) that you can use to utterly block access to any domain.

Hi, Emily!

Do you have the exact address of
1) the file you intended to download
and of
2) that uninvited .swf object that came with it? Could you post an un-clickable (disabled) link to both, please? (for malware research purposes)

P.S.1: There is a limit, you know, to the size of the Hosts file; your Internet speed may be hampered if it becomes too loaded with addresses. Besides, it's blocking AFTER the act...

P.S.2: Just a thought: Wouldn't it be more reasonable to start white-listing per site and per allowed type of blockable element as discussed in the topic Disable On...? The lesson I learned from that topic is expressed in my signature. In this way, Adblock Plus *can* become a VERY powerful pro-active security application, you know, and it seems only difficult or uncomfortable at first sight to work the way I do...

Paul

[Emily]

Sorry, but it didnt happen to me. It happened to my techie buddy. I'll ask him if he can oblige.

I know that viruses from pop-ups arent new. I've heard stories about people getting hit with them at ImageVenue also.

I don't think MegaUpload is to blame, just a bad entity compromising an advertiser.

[tech_weenie]

Hiya! I'm Emily's friend.

regarding your questions,

1) nope, I'd pulled down 5 or 6 files over the course of about 10 minutes, don't recall what they were. I had two FireFox tabs open: one the site I was getting the links from, and the other a tab I was re-using to paste the MegaUpload links into. The specific MU link wasn't the issue, what I saw in the cache was an SWF file and seconds later a virus. Due to the timestamp resolution, they both show 18:10, the ONLY things in the cache for about a +/-5 minute span.

2) that SWF file URL is listed in Emily's first message. I purposely left the HTTP:// part off 'cos I didn't want anyone accidentally clicking on it. As far as I'm concerned, it's toxic. The URL sans the leading characters is x-playing.com/spl.swf and I have a stored copy of it here that I saved directly from their site in case they claim "It wasn't us!!" I'm ... uncomfortable passing that URL around on the off chance that some wannabe script kiddie takes it apart and uses it for NEXT week's Virus of the Week.

Re: P.S.1, yes, HOSTS is microseconds after AdBlock Plus shuts something down, but it absolutely stops ANY access to a 'bad domain', whether ABP is enabled or disabled. I occasionally need to disable ABP as one or another of the filters interferes with a page, and the sites I listed initially I don't EVER want to go to.

P.S.2: that'd be a wonderful idea, but if it means fiddling with the filters for EVERY new site we go to (when only a very few are toxic) then it quickly gets annoying. If it's annoying enough, SOME people will just shut down ABP. I've seen people turn off FIREWALLS before because they frequently popped "Are you sure you want this to happen?" messages.

A safer solution would be to correct the SEVERE bug in ShockWave that allows these new 'virus downloader' apps to elevate themselves and alter the registry and write into %windows%

Note on the SWF from x-playing.com: It's easily possible that *I* got infected 'cos their site is compromised and is randomly adding a bad site into the XML file for the SWF file (pre-supposing that it USES one, of course.) I submitted the SWF file to all of the AV vendors, and it's still showing CLEAN at virusscan.jotti.org, so either I was mistaken and the original downloader/vector was something else, or they never disassembled the SWF file. I don't have an SWF disassembler currently.

There was only one other file in the cache that had any possibility of attacking the system (another SWF file), but I know that applet... it's from another site entirely. http://www.longtailvideo.com/players/jw-image-rotator/

BTW, since it's the first time I've been here, lemme say that AdBlock Plus has done a FANTASTIC job of improving my browsing experience. I've been a fan for quite a while, and recommend FireFox + ABP frequently. Life is SOOOO much nicer without all of the junk!

[p2u]

Re: P.S.1, yes, HOSTS is microseconds after AdBlock Plus shuts something down, but it absolutely stops ANY access to a 'bad domain', whether ABP is enabled or disabled.

Thanks for your reply. What I meant with 'it's blocking AFTER the act' was not that the HOSTS file blocks slowly. I was criticizing the principle itself: it's 'Default_Permit' (allow ANYTHING) and add bad addresses after they have infected you, which is unacceptable as a security approach. I'm quite sure that patching Shockwave Player, Flash Player and all the others is NOT a real solution to the problem. :=)
For reference, it's good to read this old Ranum article, which hasn't lost its value yet: The Six Dumbest Ideas in Computer Security. I'll leave it at that, since we're drifting way off the purpose of this forum: Adblock Plus support... :=)

Paul

[tech_weenie]

Anyhoo, here's what was in the cache that MegaUpload used to launch the contents of the pop-under window, from digging into various FF cache files:

h--p://x-playing.com/?pubid=games0754&advrtsid=adid0118&cn=EN

[p2u]

/?pubid=games0754&advrtsid=adid0118&cn=EN

Thanks! I found one description of such an event with exactly the same address, but it's in Vietnamese: as far as my knowledge of that language goes, the user describes how Avast recognizes this as HTML:IFrame-CD [Trj]

Paul

[Pam06]

Just wanted to say thanks to you guys for figuring this out. A nasty virus got through my AV a week ago and eventually led to me having to reformat . Couldn't find a mention on any board until now, but I was sure it came from a megaupload pop-up (a magistrare.com address?).

[w4r3zh4ck]

Non-sense tip removed by moderator

[Celtic]

There is an add-on for blocking sites : BlockSite 0.7.1
But the list is limited to 14 names so it is a good idea to use wildcards (*)

[Wladimir Palant]

But the list is limited to 14 names

Where did you get this one from? From all I know, there is no such limit in Blocksite - unless there is a bug that should be reported to the author.