The National Newspaper Has a Problem with a Virus

Posted in Dangerous on July 29th, 2009 by MadDog

I’ve got all kinds of problems of my own in my IT shop today, but I’m taking the time to notify my readers that one of our newspapers that runs an online version has a virus on the web site.

The National, one of our two major newspapers, has an infection of the HTML/Framer virus, which is reported as such by AVG.

Here is the warning page that Firefox throws up:

The Firefox warning page for the HTML/Framer virus

And here is the AVG Threat warning window:

The AVG threat warning for the HTML/Framer virus

Okay, why am I doing this?

Yesterday, Eunie said that the newspaper site was infected. This morning I checked it out. I looked up the HTML/Framer virus and came away scratching my head. It is a strange one, for certain. I’m still not sure exactly what it can do to your computer. So, since I know that there are a lot of my readers who may have dubious virus protection, I’m putting up this notice to let you know that, unless you have bullet-proof anti-virus protection, it would be unwise to visit The National’s online version until you can be certain that the infection has been treated.

If you KNOW that your anti-virus is working and up-to-date, then you can try the site. You will get some kind of warning if it is still infected. If you are not CERTAIN that your anti-virus is A-OKAY, then I’d advise not visiting the site until the problem is fixed. You might not get any warning at all if the site is still infected. Also, I can’t tell you what it might do to your computer. The references that I looked at this morning were not very helpful in that area and I don’t have a lot of time to devote to the issue.

As soon as I was certain of my information, I called The National and tried to speak to the webmaster. He wasn’t in yet. I left a message for him to call me, but it is nearly 11:00 and I haven’t heard from him. Therefore, I’m putting up the notice. I’ll make an update to this post as soon as I’m sure that the infection has been cleared up.

NOTE PLEASE: For users who are not sure what’s going on here, nothing that you see in this post means that your computer is infected by this virus or that my site is infected. The images that you see are just screen captures from my attempt to visit The National’s web site. You have nothing to fear from having read this post.

UPDATE: Here is a portion of an email that I received from Kyle Harris this morning. Obviously, this exploit is a nasty piece of work:

Just saw your web post on the National Newspaper site. Sounds a lot like the bug that hammered my site last week. Look up TSPY_KATES.G via Google. Basically it puts a JavaScript in the index.php file in your startup menu that attempts to load the virus onto any machine that visits that site. Then it adds the iframe code to each and every file on the site with the name “index” or “home”, rendering those files useless.

I had AVG on my machine but when I tried to visit my site, it downloaded the virus onto my machine anyway. Don’t know what was happening with AVG. Took almost a day to clean out my computer.

The web site is still off line until I can figure out how to repair all those compromised files. It hammered both my blogs and my main site (cms). Make sure that your WordPress site is upgraded and that you have everything backed up.

I have no idea how it got onto my site. I have a highly secure password for the site and had not been on for a couple weeks. I am wondering if, since I am a shared hosting user, it got in via someone else’s site.

Thanks, Kyle, for the information. I’m keeping my fingers crossed. I’m hoping that, since AVG spotted the exploit on my machine from The National web site, I’ll have a bit of protection. I’m also going to contact Hostmonster.com to see if they are doing anything to keep an eye out for their clients.
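For site owners who need to find which files were modified in the way Kyle's email describes, here is an added example (not part of the original post or the email) that walks a web root and reports suspicious iframe tags in files named "index" or "home". The heuristics for "suspicious" (hidden or remotely sourced frames) and the sample files are assumptions constructed for illustration; the post does not show the injected markup.

```python
import os
import re
import tempfile

# Assumption: an injected frame is hidden (0/1-pixel size or CSS-hidden) or
# loads from an absolute URL. The post does not show the actual markup.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?\s*[01](?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.IGNORECASE)
REMOTE_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//""", re.IGNORECASE)

def scan_file(path):
    """Return [(line_no, tag, reasons)] for each suspicious iframe in a file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in IFRAME_RE.finditer(text):
        reasons = [label for label, rx in
                   (("hidden", HIDDEN_RE), ("remote-src", REMOTE_RE))
                   if rx.search(m.group(0))]
        if reasons:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(0), reasons))
    return findings

def scan_tree(root):
    """Scan only files named index* or home*, the names the email mentions."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith(("index", "home")):
                path = os.path.join(dirpath, name)
                if hits := scan_file(path):
                    results[os.path.relpath(path, root)] = hits
    return results

def demo():
    """Build a constructed sample web root in a temp directory and scan it."""
    bad = '<iframe src="http://injected.example/a" width="0" height="0"></iframe>'
    ok = '<iframe src="/map.html" width="400" height="300"></iframe>'
    samples = {"index.php": "<html>\n<body>Site</body>\n" + bad + "\n</html>\n",
               os.path.join("blog", "home.html"): "<html>\n" + ok + "\n</html>\n",
               "about.html": "<html>\n" + bad + "\n</html>\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run `scan_tree()` against a copy of the web root, or compare against a known-good backup. The filename filter follows the email's description, so `about.html` in the sample is deliberately not scanned; drop the filter for a full sweep.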
