EZTV - Trojan?

every time i open the eztv page nod32 comes up with this:

img522.imageshack.us/img522/5153/trojankj3.png

must be hiding in one of your banner ads

1) we don't have ads.
2) we don't have ads.
3) the only iframe we use is when you reply to a thread, the iframe is to show
the previous posts.

so based off that the only solution i can come up with is that nod32 is shit and
doesn't know what it is talking about.

nova, it did happen, then disappeared after we started talking about it on the
irc channel, so someone in there was probably responsible. ive already given
info to bog about it.

the embedded code used the clsid as mentioned in this security bulletin:
messenger.yahoo.com/security_update.php?id=060707

based off that url seems like only yahoo! people are affected by it. i didn't
know yahoo! still existed to be honest.

but it is still an iframe issue, and the only place that uses that is on our
reply to thread page.

nova, see my msgs to you on irc

sorry, i just assumed adblock was hiding them


well - as long as you guys know about it 🙂


edit - if you want a copy of that file, let me know - sitting in quarantine.

just thought i'd register cause tvfan's post made me laugh. i use norton and i
also got a warning pop up. something about a html file. downloader trojan or
something. i've been checking the forums ever since to see if anyone else got
the same thing. and well just now i noticed this post. so it wasnt a photoshop.
just wanna add, your attitude nova isnt very good. not saying you did it on
purpose but you would think you would want to get to the bottom of something
serious like this.

edit - it only ever came up twice btw after i refreshed the page the 2nd time.
wish i had got a screenshot. but i thought norton would of quarantined it but
instead it just deleted it.

btw - i've been a lurker here for a while and its nice to see tvfan being his
nice and usual arrogant self

ok looked in the logs

eztvefnet[1].htm & index[3].htm files.

this was the culprit
h**p://securityresponse.symantec.com/security_response/writeup.jsp?docid=2002-
101518-4323-99

iframe.bof is an exploit for a buffer overrun vulnerability that occurs in
internet explorer v6.0 running on windows xp/2000 computers. it allows to
remotely execute arbitrary code in the vulnerable computer, with the same
privileges as the current user.

iframe.bof is an exploit for a buffer overrun vulnerability that occurs in
internet explorer v6.0 running on windows xp/2000 computers, and allows to
remotely execute arbitrary code in the vulnerable computer, with the same
privileges as the current user.

this vulnerability is rated as extremely critical, according to panda software,
and it is caused due to the way in which internet explorer handles the
attributes src and name in the html tags frame, iframe and embed.

the exploit is included in a malicious web page or in an e-mail message in html
format, which contain executable code. this executable code is automatically
run when a buffer overflow occurs while processing a specially crafted iframe,
frame or embed tag. if exploited successfully, iframe.bof allows to run
arbitrary code, which could be of any nature.

as mentioned above, this exploit is hosted in web pages or included in e-mail
messages in html format. in order to exploit the vulnerability, a malicious
user would have to entice the user into accessing one of those web pages or
opening the e-mail message. some variants of the worm mydoom use this exploit
in order to affect computers.

-----------------------------

*looks at photoshop file* aren't you running ie7?

well im running ie7...........

screenshot shows tabs "loading" before eztv, what makes you so sure one of them
are not responsible?

ive been using this site since the very beginning and in that time i've used 3
different anti-virus/spyware programs. never have i had any problem with
trojans, pop-ups or anything remotely like that.

btw brett007, nice going. bad mouthing novaking and tvfan in the same post.
i smell barbecue.

i use nod32, i have no problems at all.

the site was only exposed for a brief period of time.

use etrust, isa & gfi. haven't had any problems from this site, although i am
relatively new to this site. checked my isa sql logs, which logs everything
24/7 and no issues from this site whatsoever since my first access or during
any access thereafter. as torrent sites goes this has to be one of if not
equally the cleanest one i have visited. this is in terms of any and all noisy
data, i.e. any 'unwanted' or 'unnecessary' data of any kind. kudos to the
coders. nice site, well done!