General :  K-Meleon Web Browser Forum
Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 16, 2007 06:40PM

One user has reported the following (but in the wrong place, so I've moved it here):

----------------------------------------------------------------------------------
Posted by: batifol07 (ALyon-153-1-44-2.w86-194.abo.wanadoo.fr)
Date: June 16, 2007 07:10PM
Hi,

It seems that the K-Meleon forum is infected by "http://s99.winmplayer.com". Actually, that is always triggered when I start K-Meleon with the K-Meleon forum. The malicious files are indeed hosted at that "winmplayer" site. Winmplayer transfers data for about 1 minute.
----------------------------------------------------------------------------------

I must say that I'm using Kaspersky Security Suite and I can confirm this report. Kaspersky's suite detects it and asks me what to do.

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 16, 2007 07:33PM

Don't delete messages when you can really move them...

Re: Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 16, 2007 07:47PM

I know I can move threads, but it was not a new thread; it was a new message in the "Long time to start" thread, so AFAIK I could not move it.

I've sent you the Kaspersky log; it all started on May 30th. Here's an extract from the Kaspersky logs:

06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:40 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3172. Time: 06/06/2007 11:55:40
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:55:49 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:49
06/06/2007 11:55:59 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:59
06/06/2007 11:56:21 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:56:21
06/06/2007 11:57:04 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:57:04
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29


81.95.148.13 is an IP from Panama.
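As an added triage example (not code from this thread or from the K-Meleon project), the Python below parses log lines in the Kaspersky format quoted above and summarizes attacker IPs, local ports, flagged URLs and detection names, which is what a defender wants before deciding whether a block was effective. The sample input is six lines copied from the extract above; the two regular expressions assume only the two line shapes shown there.

```python
import re
from collections import Counter

# Sample input: six lines copied from the Kaspersky extract posted above.
LOG = """\
06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
# Network IDS line: signature, attacker IP, protocol and the local (client) port that was hit.
INTRUSION_RE = re.compile(
    TS + r" (?P<sig>\S+)! Attacker's IP address: (?P<ip>\d+(?:\.\d+){3})\. "
    r"Protocol/service: (?P<proto>\w+) on local port (?P<port>\d+)\."
)
# Web anti-virus line: the scanned URL plus either the detection name or the block action.
HTTP_RE = re.compile(
    TS + r" Malicious HTTP object (?P<url>\S+): "
    r"(?:detected malware '(?P<name>[^']+)'|(?P<denied>access denied))\.$"
)

def parse_line(line):
    """Return a dict for a recognised event, or None for lines the parser does not know."""
    m = INTRUSION_RE.match(line)
    if m:
        return {"kind": "intrusion", "ts": m["ts"], "signature": m["sig"],
                "ip": m["ip"], "proto": m["proto"], "port": int(m["port"])}
    m = HTTP_RE.match(line)
    if m:
        return {"kind": "http", "ts": m["ts"], "url": m["url"],
                "malware": m["name"], "blocked": m["denied"] is not None}
    return None

def summarize(text):
    """Triage view: who was flagged how often, which URLs/detections, and whether access was denied."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    intr = [e for e in events if e["kind"] == "intrusion"]
    http = [e for e in events if e["kind"] == "http"]
    return {
        "events": len(events),
        "by_ip": dict(Counter(e["ip"] for e in intr)),
        "local_ports": sorted({e["port"] for e in intr}),
        "urls": sorted({e["url"] for e in http}),
        "detections": sorted({e["malware"] for e in http if e["malware"]}),
        "blocked": any(e["blocked"] for e in http),
    }
```

Seeing several intrusion hits on the same local port bracketing the blocked URL is consistent with the browser's single connection being probed repeatedly, while "access denied" confirms the web scanner dropped the object.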

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 16, 2007 08:23PM

Quote
enaitzjga
I know I can move threads, but it was not a new thread; it was a new message in the "Long time to start" thread, so AFAIK I could not move it.

Use split thread in that case. Or just copy, but avoid deleting; that's not really nice.

Re: Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 16, 2007 08:30PM

All right, I will proceed that way in the future.

Re: Malware in K-Meleon's Web?
Posted by: Buzz
Date: June 16, 2007 10:18PM

----------------------------------------------------------------------------------
Posted by: batifol07 (ALyon-153-1-44-2.w86-194.abo.wanadoo.fr)
Date: June 16, 2007 07:10PM
Hi,

It seems that the K-Meleon forum is infected by "http://s99.winmplayer.com". Actually, that is always triggered when I start K-Meleon with the K-Meleon forum. The malicious files are indeed hosted at that "winmplayer" site. Winmplayer transfers data for about 1 minute.
----------------------------------------------------------------------------------

@enaitzjga reported "I must say that I'm using Kaspersky Security Suite and I can confirm this report. Kaspersky's suite detects it and asks me what to do."

For the record, I've just logged on with the same problem, detected by KAV, and denied access by me. It's there.
Cheers,
Buzz

Re: Malware in K-Meleon's Web?
Posted by: Guest
Date: June 17, 2007 02:35PM

It seems like the problem has been solved. When I try to access the website it gives me this message:

"Service Unaviable

This account has been suspended for violation of hosting terms and conditions"

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 17, 2007 06:00PM

Don't be fooled. This message is a fake (they even made a typo...)

Re: Malware in K-Meleon's Web?
Posted by: Guest21
Date: June 17, 2007 08:18PM

When I click the forum button my computer FROZE for like 2 minutes, so what's the reason for that? Malware?

Re: Malware in K-Meleon's Web?
Posted by: beowulf
Date: June 17, 2007 10:22PM

Quote
enaitzjga
I know I can move threads, but it was not a new thread; it was a new message in the "Long time to start" thread, so AFAIK I could not move it.

I've sent you the Kaspersky log; it all started on May 30th. Here's an extract from the Kaspersky logs:

06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:40 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3172. Time: 06/06/2007 11:55:40
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:55:49 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:49
06/06/2007 11:55:59 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:59
06/06/2007 11:56:21 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:56:21
06/06/2007 11:57:04 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:57:04
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29


81.95.148.13 is an IP from Panama.

If you detect the intrusion with Kaspersky, why is the message a fake?
Was it malware or not?

Re: Malware in K-Meleon's Web?
Posted by: beowulf
Date: June 18, 2007 02:34PM

ANYONE KNOW THIS GUY?

IP address: 84.158.233.132
Reverse DNS: p549ee984.dip.t-dialin.net.
Reverse DNS authenticity: [Verified]
ASN: 3320
ASN Name: DTAG (Deutsche Telekom AG)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 84.128.0.0 to 84.191.255.255
Country fraud profile: Normal
City (per outside source): Stuttgart, Baden-Wurttemberg
Country (per outside source): DE [Germany]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

Re: Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 18, 2007 03:39PM

I don't know him, but I can tell you this:

IP address: 84.158.233.132
IP country: Germany
IP address state: Baden-Württemberg
IP address city: Rohrdorf
IP latitude: 47.733299
IP longitude: 10.083300

Re: Malware in K-Meleon's Web?
Posted by: beowulf
Date: June 18, 2007 05:08PM

I also detected the s99wimplayer when I start the K-Meleon site with Internet Explorer only, and it crashes immediately. Thanks enaitzjga, I received at least eleven attacks (?) from the IP above, 84.158.233.132, after posting my comment yesterday, detected with Sygate Pro. I cannot read IPs in the posts, so I am thinking that somebody who can get access to them is really interested in my PC. I also think that Dorian should was so hard with you, and the problem is really here: the s99wimplayer is in this website and starts in IE to make it crash.

Re: Malware in K-Meleon's Web?
Posted by: beowulf
Date: June 18, 2007 05:10PM

Quote
beowulf
I also detected the s99wimplayer when I start the K-Meleon site with Internet Explorer only, and it crashes immediately. Thanks enaitzjga, I received at least eleven attacks (?) from the IP above, 84.158.233.132, after posting my comment yesterday, detected with Sygate Pro. I cannot read IPs in the posts, so I am thinking that somebody who can get access to them is really interested in my PC. I also think that Dorian should was so hard with you, and the problem is really here: the s99wimplayer is in this website and starts in IE to make it crash.

I meant Dorian should be less hard with you, because the problem exists.

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 18, 2007 05:27PM

Quote
beowulf
If you detect the intrusion with Kaspersky, why is the message a fake?
Was it malware or not?

I was answering the post above. The message on the site s99.winmplayer.com is a fake.

Trojan detected when connecting to the forums
Posted by: louis-paris
Date: June 18, 2007 08:05PM

My antivirus detects a threat when connecting to your forums, as you can see on this screenshot:

http://hfk.free.fr/trojan-k-meleon-forums.png

WTF?

Re: Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 18, 2007 08:16PM

I've merged Louis-Paris's new thread with this thread because they are about the same issue.

Thanks for the picture, Louis-Paris!

So it's not a problem with Kaspersky; NOD32 also detects it.

Re: Malware in K-Meleon's Web?
Posted by: louis-paris
Date: June 18, 2007 08:25PM

More info on this trojan here:

http://vil.nai.com/vil/content/v_138556.htm

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 18, 2007 08:25PM

It would be nice if you could get the source of the page when it happens, to know where it comes from. I can't find much info about this malware...

Re: Malware in K-Meleon's Web?
Posted by: louis-paris
Date: June 18, 2007 08:26PM

You get the source of the page in my screenshot.

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 18, 2007 08:32PM

When I say the source, I mean the thing you get when doing Ctrl+U.

Re: Malware in K-Meleon's Web?
Posted by: Dorian
Date: June 18, 2007 08:34PM

Oh wait, I've found it, I think.

Re: Malware in K-Meleon's Web?
Posted by: louis-paris
Date: June 18, 2007 08:57PM

Just save the URL in an HTML file as a link, open the file, and save the target file.

Re: Malware in K-Meleon's Web?
Posted by: Anonymous User
Date: June 22, 2007 04:05PM

I haven't noticed more attacks for some days.

Was the problem located and fixed?
