A serious warning to FFXI PC players.

Shirai
Crazy Dutch Cat
Posts: 2285
Joined: Sun Nov 28, 2004 1:14 am
Location: Amsterdam, Netherlands


Post by Shirai »

I haven't seen it posted here yet, but I think it should be.

A fair warning to all FFXI PC players

Lately an RMT group has been releasing a trojan on FFXI community sites and has hijacked several Final Fantasy XI accounts.
Yesterday a couple of my own LS mates became victims of this.

For now the following has been confirmed:
For now Somepage has been confirmed to have this trojan up on their website.
Do not visit Somepage!
Other pages that have been rumored to be infected are ffxiah and wikipedia, but these are unconfirmed for now.

The trojan installs itself onto your computer without you noticing and sends off the encrypted file that stores your PlayOnline ID and password.
(So far most people infected use Internet Explorer; I haven't heard about people using Firefox getting hacked.)

The possible leak and solution:

Basically:
1. Run > Regedit
2. Select My Computer
3. Edit > Find (top bar drop-down)
4. Enter the name of the file.
5. Find
Try to find the following:
in3.dll
rsbo.exe
kb1ss1p.dll
kb1ss1p.sys
They should all be under the following string:
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

If they are, remove these strings immediately and change your POL password! You are infected and risk losing your character!
Note that there is an rsbo under that string that is not the trojan; look specifically for rsbo.exe!!

Lastly: DO NOT SAVE YOUR PLAYONLINE PASSWORD!
Last edited by Shirai on Sat Sep 06, 2008 2:45 pm, edited 1 time in total.
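The Regedit search from Shirai's steps, scripted as an added PowerShell example (this is not from the post or from any of the forums it links): it walks the Search Assistant ACMru key named in the post and reports every value whose data is exactly one of the four listed names. It only reports; the removal and the POL password change still happen by hand as the post says. The key path and the four names are taken from the post as given, and an absent key is reported as such rather than treated as an error.

```powershell
# Added example, not part of the original post: automate the Regedit search
# the post describes. Reports matches only; removal and the POL password change
# are still done by hand as the post says.
# Assumptions: run as the affected user (the key is under HKEY_CURRENT_USER);
# the key path and the four names are taken from the post as given.
$KeyPath    = 'HKCU:\Software\Microsoft\Search Assistant\ACMru'
$Indicators = @('in3.dll', 'rsbo.exe', 'kb1ss1p.dll', 'kb1ss1p.sys')

function Find-ThreadIndicators {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -Path $Path)) {
        # The key is not present on every Windows install; say so instead of failing.
        Write-Warning "Key not present: $Path (nothing to check)"
        return
    }
    # The key itself plus every subkey (the post says to look under ...\5603).
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            # Exact, case-insensitive comparison, so a plain 'rsbo' entry
            # (which the post says is not the trojan) is not flagged.
            foreach ($name in $Names) {
                if ($data -ieq $name) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $valueName; Data = $data }
                }
            }
        }
    }
}

$hits = @(Find-ThreadIndicators -Path $KeyPath -Names $Indicators)
if ($hits.Count -eq 0) {
    Write-Output "None of the listed names found under $KeyPath"
} else {
    $hits | Format-Table -AutoSize
    Write-Warning "Listed names found: follow the post (remove them, change your POL password, and stop saving it)."
}
```

The comparison is exact rather than a substring match on purpose: Regedit's Find would also stop on the benign rsbo entry the post warns about, and the script should not.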
Rishutlaw
Tomcat
Posts: 135
Joined: Thu Apr 26, 2007 5:56 pm
Location: Seattle

Post by Rishutlaw »

Oh geez... :o I was visiting somepage a couple days ago!
Kiraku: [lvl 44 SAM] [Lvl 33 MNK] [lvl 25 WAR] [lvl 15 BST] [lvl 10 BLM] [lvl 10 WHM] [lvl 21 THF]

[img]http://i128.photobucket.com/albums/p192/okanestar789/Kir071223003827a.jpg[/img]
http://gamerhaven.forumotion.com/index.htm
Fiye
Captain Fiye
Posts: 1100
Joined: Sat Mar 26, 2005 6:23 am
Location: Remains of Blazing Hell

Post by Fiye »

Thank you for the warning. I'll visit my computer's registry when I get home.

*Uses IE7*
Rishutlaw
Tomcat
Posts: 135
Joined: Thu Apr 26, 2007 5:56 pm
Location: Seattle

Post by Rishutlaw »

Ok I just ran a search and I didn't find anything other than some cookie that I deleted (good/bad idk).
Shirai
Crazy Dutch Cat
Posts: 2285
Joined: Sun Nov 28, 2004 1:14 am
Location: Amsterdam, Netherlands

Post by Shirai »

Personally I prefer Firefox as a browser.

I'm not sure about IE in general because of their wide open ActiveX content policy, which seems to activate the install of this alleged trojan.

There are several ffxi sites and forums handing out tips on checking your pc like KI, Allakhazam and Bluegartr.
Anime-Planet.com - anime | manga | reviews
[21:36] <MarkovBot> Markov2.0, sanity is boring.
FFXI: Asura - 14/22 jobs @99
Rishutlaw
Tomcat
Posts: 135
Joined: Thu Apr 26, 2007 5:56 pm
Location: Seattle

Post by Rishutlaw »

I forget what version of IE I use. It's at least 7, I know that.
ScarlettPheonix
Queen Cat
Posts: 1018
Joined: Fri May 27, 2005 1:54 pm
Location: 3-Weeks-to-get-Internet, NH

Post by ScarlettPheonix »

Omg, thank you Shirai!

I play on PS2 primarily but I checked anyway since I do occasionally use the PC version to bazaar something overnight on my husband's character.

I use Firefox, and while I haven't visited somepage in a while, I do use FFXIAH frequently, so I figured I might as well- better safe than sorry and all that. I'm so glad I did- my PC was infected.

My antiviral software didn't pick up on it at all and we've never had a problem with any sort of virus/trojan until now.

Thanks again, I'm going to be passing this along to my linkshell since I know a lot of the members don't read the forums much.
[img]http://www.geocities.com/fieryscarlettpheonix/1job18subs.jpg[/img]
[color=darkred][i]Red Mage[/i][/color]
Windurst 10/ZM14/PM [i]finis[/i]/ToAU [i]finis[/i]/SGT(P)/WotG [i]Emblem of the Holy Knight §§§§[/i]

[url=http://scarlett-insertwittytitlehere.blogspot.com/]My not interesting at all blog[/url]
Shirai
Crazy Dutch Cat
Posts: 2285
Joined: Sun Nov 28, 2004 1:14 am
Location: Amsterdam, Netherlands

Post by Shirai »

If you have removed it, make sure you change your password asap and make sure you don't save it.
There's a big chance they might have the file with your password in it if you saved it on your computer.
I read from most people they had.

Spread the news, as far as I know nearly one hundred people have lost their accounts to this rmt group by now and SE's customer service is tres crappy when it comes to returning it to their rightful owners.

[edit]
Links with info read and pass on!:

http://bluegartrls.com/forum/viewtopic.php?f=2&t=27226

http://bluegartrls.com/forum/viewtopic.php?f=2&t=27256

http://bluegartrls.com/forum/viewtopic.php?f=2&t=27042
Tianshii
Mad Cat
Posts: 583
Joined: Sat Feb 12, 2005 8:25 pm

Post by Tianshii »

:shock: i'll check when i get home...
I haven't visited somepage in many months... but I do check wikipedia all the time & ffxiah sometimes
... DAMN RMT :x where's a good bird flu to wipe out the frikkin rmt :evil:
Assassen Summoner
[img]http://i121.photobucket.com/albums/o233/PuszNboots/sigs/Tianshii_this.jpg[/img]
SMN75~SAM75~whm75~thf42~DNC38~drg33
Kintrra
Queen Cat
Posts: 1002
Joined: Tue Jul 05, 2005 8:49 am

Post by Kintrra »

TYVM Shirai for posting HOW to find it. I've been seeing a LOT of news lately about this via FFXIclopedia forums, but had yet to see anyone on there post anything other than "OMG TROJAN" and accounts of hacked....accounts....yes, bad play on words there, but anyway. :oops:
OMFG! 8 75+!!!! :shock: Who knew slackers could work so hard? D:
And now a Miqo'te as well. >=D

Melee classes:PLD90/NIN90/WAR90/THF90/SAM83/MNK90/DNC46/DRK24/DRG12/COR8/PUP12/RNG5
Magic/Support Classes:WHM82/BLM87/BRD28/SMN35/RDM23/BLU8/SCH1
Fiye
Captain Fiye
Posts: 1100
Joined: Sat Mar 26, 2005 6:23 am
Location: Remains of Blazing Hell

Post by Fiye »

Quick comment: I did a quick search on my Registry. I use Windows Vista (Home Premium 32-bit) and did not find the "Search Assistant" folder under the "HKEY_CURRENT_USER" tree.
Shirai
Crazy Dutch Cat
Posts: 2285
Joined: Sun Nov 28, 2004 1:14 am
Location: Amsterdam, Netherlands

Post by Shirai »

My LS mates called SE today again and they told him that SE is working on getting the stolen accounts back to their rightful owners.
They couldn't tell him however how long that will take as they seem to need stuff like court orders or something.

@Fiye
The trojan has indeed infected Windows XP computers for the most part.

I've been reading up about this on the larger ffxi forums for the last couple of days and warnings have been given out on our Linkshell's forums where I also posted these instructions.
It had died down the last couple of days, however when I read about my LS mates being hacked two days ago I felt that I had to post it here as well.
(One of which nearly finished their relic Katana, I seriously hope the rmt didn't touch it!)

I'm just happy none of my fellow kitties has lost their characters yet.
Okuza
Feral Cat
Posts: 436
Joined: Sun Aug 13, 2006 11:40 pm
Location: California

Post by Okuza »

If you have the virus, chances are your account is or will be gone within an hour of typing in your password. It's a keylogger. The folks doing the hack&sack are incredibly bold. They just change your PW & the CC info, then run around selling your gear right in front of you.

SE refuses to assist. They say you don't have the current CC info, thus it isn't and never has been your account. My guess is that opens them up for fraud charges, since they've just admitted to fraudulently charging you for your character for years. Still, getting even the tiniest bit of satisfaction out of SE (restored char, etc) will take immense work. SE flatly doesn't care if you get hacked and won't assist if you do.

IIRC, the actual exploit hole was via a Flash script targeted at Realplayer plugins that are older than (or have not been upgraded since) October. This doesn't mean you're safe if you don't use Realplayer -- there are lots of other holes that can be exploited if you permit scripts to run on your browser.

BTW, it wasn't *only* somepage, too. It was just part of their banner, which was controlled by the people that own the site presumably. The advertisement was also reported seen as part of a google redirect advertisement on other FFXI sites; ie. someone paid google to distribute their virus.

There's a lot more about the whole thing over on Blue Garter.
ScarlettPheonix
Queen Cat
Posts: 1018
Joined: Fri May 27, 2005 1:54 pm
Location: 3-Weeks-to-get-Internet, NH

Post by ScarlettPheonix »

No, my accounts are safe. I was on Phe last night in sky and I checked my plants on the other account this morning. Considering I probably had the trojan for a few days I think I'm ok.

As I said earlier, I play on PS2 primarily and only occasionally use the PC version for over night bazaaring on my husband's account. Its very rare for me to log into Phe on the PC.

Anyway, PCs now clean and my PWs are all changed now- being a slightly paranoid kitty atm I changed the PWs via my PS2 not my PC. Just in case :lol:
Sugami
Anime cat
Posts: 3850
Joined: Wed Mar 09, 2005 12:29 pm
Location: England

Post by Sugami »

This was apparently happening last week :oops: kinda scary, my account has been untouched by anyone else but me this past week so I assume it is safe. Somepage is apparently clean now :?
Shirai
Crazy Dutch Cat
Posts: 2285
Joined: Sun Nov 28, 2004 1:14 am
Location: Amsterdam, Netherlands

Post by Shirai »

*bump*

Posted on my linkshell's forums, the gilsellers are at it again and are targeting more than just FFXI and gaming websites!
new trojan stealing PASSWORD.. located on over 10,000 NON FFXI RELATED, LEGIT SITES. YOU COULD BE FUCKD RIGHT NOW. i didn't know about this until i went to creative.com trying to shop for a sound card. story goes:

Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities.

BLOCK 2117966.net from your host FILE NOW!

Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98/ME = C:\WINDOWS

your host file is located in one of those

simply add
127.0.0.1 2117966.net
to the bottom of your host file, now.

More about the trojan can be read here: http://www.shadowserver.org/wiki/pmwiki ... r.20080313
Find your operating system and copy and paste whatever C:\ extension into Run. (Press window+R to open run).
After pressing enter you should see something similar to this:
Image
Right Click Hosts, and go to Properties. It will look like this:
Image
Make sure that read only is unchecked.Make sure that read only is unchecked.Make sure that read only is unchecked.
Now, Open hosts in Wordpad or Notepad. Scroll down to the very bottom and add this text to it:
Image

Now you are protected. Also, if you haven't already installed Firefox and Noscript, do it. People are getting hacked constantly, over and over. By this time there are people who have fallen victim and people who haven't taken the necessary preventions to protect themselves.

Note: this is for XP, but I imagine 2K/Vista couldn't be much different.
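The hosts-file step from the quoted instructions, as an added PowerShell example (not from the post, the linkshell forum, or shadowserver): it appends the exact line the instructions give only if no live entry for that hostname already exists, clears the read-only flag the instructions say to uncheck, and then confirms the mapping is in place. It assumes an Administrator prompt (the file lives under System32) and builds the path from $env:SystemRoot instead of the hard-coded directories above, so it covers the XP and Vista locations listed; the Win 98/ME location is not handled.

```powershell
# Added example, not part of the original post: block the domain named in the
# thread via the hosts file, without duplicating the entry, then verify it.
# Assumptions: run from an elevated (Administrator) prompt; $env:SystemRoot is
# the Windows directory, so the path matches the XP/Vista locations in the post.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BlockLine = '127.0.0.1 2117966.net'   # the exact line the post says to add

function Get-HostsEntries {
    param([string]$Path, [string]$Domain)
    # Live (uncommented) lines that map this exact hostname, whatever the spacing.
    $pattern = "^\s*\S+\s+$([regex]::Escape($Domain))(\s|$)"
    Get-Content -Path $Path | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
}

function Add-HostsBlock {
    param([string]$Path, [string]$Line)
    $domain   = ($Line -split '\s+')[1]
    $existing = @(Get-HostsEntries -Path $Path -Domain $domain)
    if ($existing.Count -gt 0) {
        return "already present: $($existing -join '; ')"
    }
    # The post's "make sure that read only is unchecked", done from the shell.
    Set-ItemProperty -Path $Path -Name IsReadOnly -Value $false
    # Start on a fresh line even if the file does not end with a newline.
    $raw = [System.IO.File]::ReadAllText($Path)
    if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { Add-Content -Path $Path -Value '' }
    Add-Content -Path $Path -Value $Line
    return "added: $Line"
}

function Test-HostsBlock {
    param([string]$Path, [string]$Domain)
    # True when the hosts file now maps the domain to 127.0.0.1.
    $hits = @(Get-HostsEntries -Path $Path -Domain $Domain | Where-Object { $_ -match '^\s*127\.0\.0\.1\s' })
    return $hits.Count -gt 0
}

Add-HostsBlock -Path $HostsPath -Line $BlockLine
if (Test-HostsBlock -Path $HostsPath -Domain ($BlockLine -split '\s+')[1]) {
    Write-Output "2117966.net is blocked in $HostsPath"
} else {
    Write-Warning "2117966.net is NOT blocked; check permissions on $HostsPath"
}
```

A hosts entry matches only the exact hostname written, so a line for 2117966.net does nothing for www.2117966.net or other subdomains; each name that should be blocked needs its own call with its own line. Test-HostsBlock is the check to rerun after editing the file by hand in Notepad, as the instructions describe.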
Kintrra
Queen Cat
Posts: 1002
Joined: Tue Jul 05, 2005 8:49 am

Post by Kintrra »

Cripes, another freakin issue. >.<;

Thanks for the save yet again Shirai.
Sugami
Anime cat
Posts: 3850
Joined: Wed Mar 09, 2005 12:29 pm
Location: England

Post by Sugami »

How are they able to hack all these sites? :?