
Thread is redirecting to virus!

daniels740

Member
Joined
May 8, 2019
Location
South Florida
DO NOT CLICK "NWV: 86-93 240 wagon shell." thread in wanted.

It redirects to a malicious webpage. Thank God I have Norton antivirus security that immediately blocked the webpage. No idea what virus it was trying to install, but my Norton antivirus detected a "web attack," categorized under High severity. I'm not going to browse the forum until this is fixed :omg::omg:
 
I suspect it's just a false positive on the way the images were hotlinked? Not sure, but there's really no way to redirect a thread link to a website.
 
I dunno, but I at first ignored the "known malicious website" warning and proceeded, only for Norton to detect large suspicious traffic outgoing, and multiple web attacks following proceeding to wherever the link was taking me. It induced a bit of a panic.

The link it was redirecting to can be seen with a couple other details from Norton.
1Sz1oUo.png

4a5Ojwz.png

I have fairly fast internet, so it could be that it was taking me to the actual thread first but redirecting really fast. It seemed instant to me.
 
I wonder if maybe you have malware on your PC somewhere. I've clicked the thread multiple times with no problems. Granted, I'm running a Mac and am using Firefox. So, if you have the Malwarebytes app on your computer, run a full scan and make sure that the hard drive is clean. Also, if you're running Microsoft Edge, I'd use Firefox instead.
 

The link was fixed when JohnMc edited the post at 9:23pm yesterday and I've been able to view it with no issue since. I also completed all sorts of scans to be on the safe side yesterday and had no problem. The antivirus I pay for did its job. Maybe JohnMc can let us in on some details of what he fixed.
 
There was some JavaScript link in script tags - the 'nicoletto.com' shown in the screenshots above. I took that out. Not sure what it was supposed to be doing. I removed it.
 
I just hope nobody got a virus. When I proceeded to the webpage, it appeared to redirect me to a webpage that just wasn't available, no visible download or anything. If Norton hadn't detected and stopped the web attack, as well as informed me of suspicious outbound traffic, I would not have had a single clue that something was up.

I'd just advise that everyone get a good antivirus on their computer. It was apparent that this thing was trying to spread like wildfire to the other devices on my network, had Norton not blocked the outbound traffic.

Stay safe, guys.
 
I got the same warning with my Norton Antivirus software when I posted to the thread. I just deleted the thread. The OP can try again if he/she is legit.
 
I have done some problem solving and figured out what is happening. YOU GUYS ARE NOT SAFE!!!

Either OP is himself infected with a virus or he is trying to infect board members.

To stop the redirecting, I blocked JavaScript in Google for TB. That allowed me to visit the forum, to see that OP's latest post has a bit of JavaScript at the bottom that redirects to the malicious website.

I wanted to see if Firefox automatically blocks it, but NO, IT WILL ALLOW THE INTRUSION ATTEMPT.

More in detail, I visited the thread on Firefox, and it looked completely safe, only for Norton to need to block the intrusion attempt. Had Norton Antivirus not done this for me, I would have had no idea of the intrusion attempt when I used Firefox. It looked like I just visited the thread like normal.

I HIGHLY advise that we temporarily or perma-ban the OP.
 
I got the same warning with my Norton Antivirus software when I posted to the thread. I just deleted the thread. The OP can try again if he/she is legit.

I was just about to PM you because I saw you responded to the thread while it was redirecting. I am certain there are a couple of people on here who are infected with the virus and have no idea.
 
To recap, there was a period of time when clicking on the thread (even if it appeared to load normally) allowed a web attack onto the user's computer, if they had JavaScript enabled and did not use a good antivirus.

SO, IF YOU VISITED THE THREAD "NWV: 86-93 240 wagon shell" in wanted:

FROM Original post time on 4/15/2021 TO Time edited ~9:25PM EST 4/15/2021
OR
FROM Second post by OP at ~5PM EST 4/19/2021 TO Time the thread was deleted 4/19/2021,

and nothing seemed out of the ordinary on your PC that has no antivirus, you likely have malware running on your PC. I have no idea what this web attack would have done to mobile devices, Macs, etc.

I cannot stress this enough, I advise that everyone has a good antivirus. It is worth the price.
 
Running Puppy Linux with Chromium, so of course I clicked on it, got the source, and downloaded the referenced JavaScript file from nickletto.com.

Just for fun, I gave the .JS file to VirusTotal.com to look at.
Copied most of the results here:

Ad-Aware - JS:Adware.Lnkr.E
AegisLab - Adware.Script.Generic.2!c
Arcabit - JS:Adware.Lnkr.E
Avast - Script:SNH-gen [Adw]
AVG - Script:SNH-gen [Adw]
BitDefender - JS:Adware.Lnkr.E
Comodo - Application.JS.AdWare.Revizer.E@8bp9s7
Cyren - JS/Revizer.A
DrWeb - JS.Siggen5.40409
Emsisoft - JS:Adware.Lnkr.E (B)
eScan - JS:Adware.Lnkr.E
FireEye - JS:Adware.Lnkr.E
GData - Script.Adware.Injector.OC
Kaspersky - Not-a-virus:HEUR:AdWare.Script.Generic
MAX - Malware (ai Score=64)
NANO-Antivirus - Trojan.Script.Adware.iestfp
Rising - Adware.Lnkr/JS!1.D2D0 (CLASSIC)
ZoneAlarm by Check Point - Not-a-virus:HEUR:AdWare.Script.Generic

-------------------------------------

When executing the file being studied, it performed the following actions on the registry of the sandbox environment.

Registry Actions

Registry Keys Set

HKLM\Software\Microsoft\WBEM\CIMOM\ConfigValueEssNeedsLoading
1

HKLM\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces
00 00 54 00 45 00 76 00 65 00 6E 00 74 00 4C 00 6F 00 67 00 45 00 76 00 65 00 6E 00 74 00 43 00 6F 00 6E 00 73 00 75 00 6D 00 65 00 72 00
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenland Standard Time\TZI

HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation\ActiveTimeBias
4294967176
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Iran Standard Time\TZI

HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup\BITS_LOG
%windir%\System32\Bits.log

HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup\BITS_BAK
%windir%\System32\Bits.bak

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex
1

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refresh
0

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Refreshed
1

HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Data
28 1B 00 00 01 00 00 00 00 00 00 00 10 00 00 00 18 1B 00 00 09 00 00 00 9A 00 00 00 01 00 00 00 01 00 00 00 40 00 00 00 1A 00 00 00 5C 00 5C 00 2E 00 5C 00 72 00 6F 00 6F 00 74 00 5C 00 77 00 6D 00 69 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 01 00 00 04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 64 00 00 00 68 00 00 00 3A 00 00 00 4D 00 53 00 69 00 53 00 43 00 53 00 49 00 5F 00 43 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 69 00 6F 00 6E 00 53 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 1A 00 00 00 49 00 6E 00 73 00 74 00 61 00 6E 00 63 00 65 00 4E 00 61 00 6D 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 02 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 48 00 00 00 1C 00 00 00 42 00 79 00 74 00 65 00 73 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 64 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 15 00 00 00 00 00 00 00 64 00 00 00 00 05 41 10 40 00 00 00 14 00 00 00 42 0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Counter
12642

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last Help
12643

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Paraguay Standard Time\TZI

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ndis.sys[MofResourceName]
LowDateTime:-1971493113,HighDateTime:30676308***Binary mof failed, see WMIPROV.LOG

HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\portcls.SYS[PortclsMof]
LowDateTime:-1221632304,HighDateTime:30487028***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]
LowDateTime:-403062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\HDAudBus.sys[HDAudioMofName]
LowDateTime:-1867536076,HighDateTime:30116016***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\System32\Drivers\en-US\portcls.SYS.mui[PortclsMof]
LowDateTime:-503062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\advapi32.dll[MofResourceName]
LowDateTime:-1337772912,HighDateTime:30778796***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\en-US\advapi32.dll.mui[MofResourceName]
LowDateTime:-1270310445,HighDateTime:30778796***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\mssmbios.sys.mui[MofResource]
LowDateTime:-143062016,HighDateTime:30016570***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\en-US\HDAudBus.sys.mui[HDAudioMofName]
LowDateTime:-2018029312,HighDateTime:30016571***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
LowDateTime:-1258029312,HighDateTime:30016571***Binary mof failed, see WMIPROV.LOG

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\en-US\intelppm.sys.mui[PROCESSORWMI]
LowDateTime:2076937984,HighDateTime:30016571***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\IDE\DiskAMDX_HARDDISK___________________________2.5+____\5&2770a7af&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
LowDateTime:803713417,HighDateTime:0***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\intelppm.sys[PROCESSORWMI]
LowDateTime:-2085707242,HighDateTime:30778791***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\ACPI.sys[ACPIMOFResource]
LowDateTime:-1241494372,HighDateTime:30646958***Binary mof compiled successfully

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\DRIVERS\monitor.sys[MonitorWMI]

HKLM\Software\Microsoft\WBEM\WDM\%windir%\system32\drivers\mssmbios.sys[MofResource]
LowDateTime:2004871927,HighDateTime:30733930***Binary mof compiled successfully

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\22\(Default)

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff00
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff01
00 00 00 00 77 00 00 00 19 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff02
01 00 00 00 5A 00 00 00 D6 17 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24\ffffffffffffffffffffffffffffff03
00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF

HKLM\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName
Global\MMF_BITS_s
\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Middle East Standard Time\TZI

Registry Keys Deleted

HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help
HKLM\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List

Process And Service Actions

Processes Terminated

wmiadap.exe /F /T /R

Processes Tree

2992 - wmiadap.exe /F /T /R
2676 - wscript.exe %SAMPLEPATH%
3040 - %windir%\system32\wbem\wmiprvse.exe
 
Although I'm not technologically literate enough to understand the full extent of the previous post, I wanted to know how you were able to find the nickletto file after the thread was deleted. Did you copy the link seen in my screenshots?

I wanted to know because I was looking into how the OP was redirecting the thread the way they were.

From research, I found out they can use a couple of JavaScript codes that I will not be sharing to redirect to a different webpage. Although those codes worked using youtube.com as the new page in some testing I completed, I was not able to match the speed at which the poster with the actual virus was able to complete it.

Therefore, I'd like to know if you can still view their original post because, in that case, I would like to see it too, to see the JavaScript code they were using in their post.
 
Wow, good info, thanks!

If someone could tell me WHO the person is, i'll take care of it.
 
I wanted to know how you were able to find the nickletto file after the thread was deleted.

I didn't. I saw you say "They've done it again." and off I went.

Opened the thread, viewed the source (Ctrl+U), found the nickletto link, and did a "Save link as..." to bring it on down.

Therefore, I'd like to know if you can still view their original post because, in that case, I would like to see it too, to see the JavaScript code they were using in their post.

Can't see the post any more, as it's now an "Invalid link".
<strike>But here's a pretty little ZIP file with the post's source, as well as the JS file...</strike>

(Stay tuned... trying to get Google Drive to cooperate). :???:

Screw it. Google sucks.
This is the link:
Code:
www.nickletto.com/2305aeaa4cd4bdad02.js
Right click, save the link as... whatever. 189 KB
No idea what happens if you directly click on it, so don't.

<strike>You can also easily find the link in the source file... just search for "nick".</strike>
It's just a single line injected at the end of the OP's reply.

Here's a nice safe picture of the line with the link:

link.jpg


Might know why I couldn't link the ZIP. Google Drive had it "Flagged for abuse". Maybe they're mad at me now.
 
I didn't. I saw you say "They've done it again." and off I went...

That screenshot is exactly what I was looking for, thanks! Looks to me like they were able to redirect so quickly because they weren't redirecting to an external website that executed the file; they were executing the external JavaScript file itself.

Either way, I wanted to know if we can somehow disable external JavaScript files or commands to stop board members from doing things like this. I, myself, who never wrote a JavaScript command heretofore, was able to figure out how to redirect a thread immediately upon loading using JavaScript in a reply to a thread.

I'm sure you can see why this is a problem, so I'm thinking about if there's something we can do to stop misuse of JavaScript in the forums.
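One way to answer the question above, as an added example that is not part of this thread or of the forum's own software: a server-side audit of stored post bodies, written here in Python using only the standard library. It assumes post bodies are stored as HTML and that the allowlist of tags and attributes below is what a member's post may contain (both are assumptions for this example). It flags any script element, inline script, event-handler attribute or javascript: URL a post carries, reports the external host a script tag points at, and emits a sanitized copy with those pieces removed. The sample posts are constructed; the hostname from this thread appears only as the example of a script host that a post should never reference.

```python
"""Audit stored forum posts for injected script content.

Added illustration for this thread, not the forum's own software. Post
bodies are assumed to be stored as HTML; the allowlists below are an
assumption for this example.
"""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# What a member's post may contain (assumed allowlist; script is never on it).
ALLOWED_TAGS = {"p", "b", "i", "u", "a", "img", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", ""}  # "" = relative URL or a plain text value


@dataclass(frozen=True)
class Finding:
    post_id: str
    kind: str    # script-src | inline-script | event-handler | unsafe-url
    detail: str


def script_host(src):
    """Hostname a script src points at; accepts scheme-less 'host/path' as well."""
    url = src.strip()
    if "//" not in url and not url.startswith("/"):
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


class PostAuditor(HTMLParser):
    """One pass over a post body: records findings and rebuilds a sanitized copy."""

    def __init__(self, post_id):
        super().__init__(convert_charrefs=True)
        self.post_id = post_id
        self.findings = []
        self.out = []
        self._in_script = False

    def _flag(self, kind, detail):
        self.findings.append(Finding(self.post_id, kind, detail))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = next((v for k, v in attrs if k == "src" and v), None)
            if src:
                self._flag("script-src", f"{script_host(src)} ({src})")
            self._in_script = True          # script content is dropped until </script>
            return
        if tag not in ALLOWED_TAGS:          # unknown element: drop the tag, keep its text
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):        # onclick=, onerror=, ...
                self._flag("event-handler", f"<{tag} {name}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                self._flag("unsafe-url", f"<{tag} {name}={value[:40]!r}>")
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_script:
            if data.strip():
                self._flag("inline-script", data.strip()[:60])
            return
        self.out.append(escape(data))


def audit_post(post_id, body):
    """Return (findings, sanitized_html) for one stored post body."""
    auditor = PostAuditor(post_id)
    auditor.feed(body)
    auditor.close()
    return auditor.findings, "".join(auditor.out)


def audit_posts(posts):
    """Audit {post_id: body}; return all findings and the script hosts they reference."""
    findings = []
    for post_id, body in posts.items():
        findings.extend(audit_post(post_id, body)[0])
    hosts = sorted({f.detail.split(" ", 1)[0] for f in findings if f.kind == "script-src"})
    return findings, hosts


# Constructed sample posts (not real forum data); the script host is the one named in the thread.
SAMPLE_POSTS = {
    "1001": "<p>Looking for an 86-93 240 wagon shell, South Florida.</p>",
    "1002": '<p>Still looking.</p><script src="https://www.nickletto.com/2305aeaa4cd4bdad02.js"></script>',
    "1003": '<p>Bump</p><script>console.log("injected")</script>',
    "1004": '<a href="javascript:void(0)" onclick="x()">click</a><img src="https://example.invalid/a.png" alt="pic">',
}

if __name__ == "__main__":
    all_findings, hosts = audit_posts(SAMPLE_POSTS)
    for f in all_findings:
        print(f"post {f.post_id}: {f.kind}: {f.detail}")
    print("external script hosts:", hosts)
```

Run over an export of post bodies, the findings list answers the "who posted it" question the moderator asked, and the host list gives the indicators to block at the proxy or DNS level. The sanitized copy is what the forum should have stored in the first place: an allowlist applied when the post is saved removes the script element regardless of how fast it runs in the browser. A `Content-Security-Policy` header with a `script-src` directive restricted to the forum's own origin is the second layer, because it makes browsers refuse scripts from any other host even if a tag does get through.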
 