[WEB4LIB] RE: Browser Hijackings

Andrew I. Mutch amutch at waterford.lib.mi.us
Thu Jun 21 23:45:09 EDT 2001


Michael,

This was actually my first guess at what was causing this problem.
However, I was able to eliminate this possibility for several reasons:

1) The browser startup and search pages had not been changed in most
cases but the browsers still were diverted to "bigred.com".

2) I've removed Windows Scripting Host from all of our staff and public
machines to avoid problems related to WSH-related viruses.

3) Our AV scans did not detect any viruses and they would have detected
the "Seeker" application.

The clincher is that the problem has now stopped as mysteriously as it
started.  

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI




On Thu, 21 Jun 2001, P. Michael McCulley wrote:

> 
> This is a possible lead to pursue, and try out for test removal of this problem.
> Some preliminary research about bigred.com hijacking suggests you may be infected with the JS.seeker worm virus.
> 
> Please see
> http://www.symantec.com/avcenter/venc/data/js.seeker.html
> for the details and removal instructions.
> 
> Quote from the Symantec info:
> "JS.Seeker is a Trojan horse program that alters the default startup and search pages of your Web browser. The Trojan horse sometimes arrives as a file named Runme.hta. This file runs only if the Windows Scripting Host is installed."
> 
> It appears if the machines have Outlook installed or for use, and don't have the security patch, they may fall victim to this worm (my interpretation at this point).
> 
> I hope this helps, and Robert or Andrew, let me know what you find out if you try this fix.
> 
> Best,
> Michael
> 
> P. Michael McCulley
> Email: mcculley at best.com
> 
> Quote of the Moment:
> -I wish you were a beer.
> 
> >-----Original Message-----
> >From: web4lib at webjunction.org
> >[mailto:web4lib at webjunction.org]On Behalf Of Wing, Robert
> >Sent: Thursday, June 21, 2001 04:05 PM
> >To: Multiple recipients of list
> >Subject: [WEB4LIB] RE: Browser Hijackings
> >
> >
> >On Thu, 21 Jun 2001 09:20:49 -0400 Andrew Mutch wrote:
> >>
> >>"Just in the past day or two, I've had a rash of staff and public
> >>browsers that appear to have been victims of browser hijacking.  When a
> >>user tries to browse to an invalid domain, they are redirected to this
> >>site:
> >>
> >>http://www.bigred.com/"
> >>
> >
> >Both our student and staff PCs have been getting BigRed.com off and on for
> >the last 3 weeks with both IE 5.5 and Navigator 4.07
> >At first, we would get the BigRed page with a huge dialog box asking "Would
> >you like to set your homepage to 'http://
> >hit enter or return to continue"
> 
> [remainder snipped]
> 


