ClipMate Support Forum - Support and User-to-User Discussions
Clipboard Loop - repeated copies from browser - virus?

Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Thu Aug 07, 2008 4:19 pm    Post subject: Clipboard Loop - repeated copies from browser - virus?

I suspect this is a virus or phishing attempt. I was browsing along, closing tabs in Firefox, and all of a sudden I'm getting "boing boing boing" from ClipMate. I'm running Vista, with Vista clipboard notification, so I know it's not a "loop" like you can get on XP. Something is sending the same clip over and over, about once a second. And it's rejecting it, due to being a duplicate. But the item being copied over and over is this:

h x x p:// xp-vista-update.net/?id=91873534231

DO NOT CLICK ON THIS!!! I altered the URL with xx's to protect you from clicking on it. I have no idea what it is or does. Googling seems to indicate a virus, or some other unwanted thing, but it's too new for any good info to be out there. I'm just posting here to let you know that it isn't a ClipMate bug, but something on some website, possibly an advert, is messing with the clipboard, pushing this URL.

In my case, closing the msnbc.com tab in FireFox stopped the behavior. I do not know if the unwanted behavior originated at msnbc.com or not.

Update: OK, it's not THAT new. Reports go back to mid-July. But Google isn't much help - most results are just blog comments and such that are trying to spread this thing further. Beware of clicking any links related to this thing - I saw one that said "click here" to solve it, and it was a link back to the xp-vista-upgrade site! Yuck!

--
Chris
_________________
I'm the ClipMate Guy!

Last edited by Chris Thornton on Tue Aug 12, 2008 11:52 am; edited 2 times in total
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Thu Aug 07, 2008 4:36 pm

My analysis, without actually seeing the code, is just based on what I observed, joined with what I see if I google for xp-vista-update.

I think it's a piece of JavaScript that runs on infected sites, copying their silly URL to your clipboard, over and over. The result is that when you paste anything, all you get is their URL. So this spreads their URL. If someone replies to an e-mail, they paste from the clipboard, and get the URL. Maybe they catch it, maybe not. Likewise with blog posts, guestbooks, comments, Facebook, etc. They're hoping that when you paste, you paste their crap, and it gets through.
I'm not sure WHAT lies at xp-vista-update dot net, but I'm going to wait until later and try it on my son's Linux XO laptop - try to infect THAT!
--
Chris
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Fri Aug 08, 2008 10:37 am

Here's an article on what these ads look like and who's behind them.
http://msmvps.com/blogs/spywaresucks/archive/2008/04/23/1600159.aspx

Here's an article on the business end of things:
http://sunbeltblog.blogspot.com/2007/11/rogue-ads-on-ad-networks.html
Summary: new advertisers sign up with established sites, and submit flash ads that contain a redirect to any URL that they want to trick people into visiting.
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Mon Aug 11, 2008 6:14 pm

I'm pretty sure it's a deployment vector for "AntiVirus 2009". They're trying to trick people into posting the URL onto blogs. The Flash/clipboard thing is not the virus - it's a method of tricking people into visiting/installing the actual virus. This seems to match what they're talking about on the (recommended!) viruswarn mailing list at www.viruswarn.com (sign up for it - you'll be glad someday).
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Thu Aug 14, 2008 9:17 pm    Post subject: Caught in the act!

It just happened again, this time on my XP laptop.
While on the MSNBC.com front page, I clicked on a link to a Newsweek article about Obama's comments on tire pressure. Bam! Next thing I know, I'm at a malware site: hxxp://webscannerfreever.com (don't go there!!!!!) and it's claiming to have found all sorts of malware on my PC, and keeps trying to initiate a download. I must have cancelled the thing 20 times before I could get my browser to go back (click the back button). Then I landed on the Newsweek page, which must have flashed by. Here's the Newsweek page (approach with caution! I altered http to hxxp to prevent unintended following): hxxp://www.newsweek.com/id/153140
I cranked my popup blocking setting in IE7 to the max, and re-visited the newsweek page. Now this page wants to do a popup, but IE7 won't let it now.
Geeez!!!! Clean up your sites, guys!
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Sat Aug 16, 2008 4:34 am

Some more links and discussion at TheRegister:
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Sun Aug 17, 2008 8:31 pm

LOL! McAfee SiteAdvisor rates the site GREEN!!!!
http://www.siteadvisor.com/sites/xp-vista-update.net
As of this writing, user comments flag this as far back as Aug 5th. SiteAdvisor finds no problem with it. Huh.
bluecollarpc | Joined: 18 Aug 2008 | Posts: 3 | Location: USA
Posted: Mon Aug 18, 2008 2:25 am

Hi... I have posted from this news article:
Mystery web attack hijacks your clipboard
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
....at my forum here:
http://bluecollarpc.net/smf/index.php/topic,740.0.html
.....I am researching and came across the possible way to backtrack this to origin, perhaps in a rudimentary way that is not too hard. It is strange and is attracting the security news rooms. Hope this helps in the least as a starting place of a manual removal of a malware. Most likely, quality antivirus and antispyware will have it nailed within weeks tops.

From the idea of like a browser hijacker always setting its own Homepage, this is like tracking to the source of the "ownership"....

Apparently this may be an "in the wild threat" assuming these persons use quality antivirus and also have scanned with quality antispyware.

Let's try a manual clearing of the Clipboard...

EmptyClipboard Function
http://msdn.microsoft.com/en-us/library/ms649037(VS.85).aspx
The EmptyClipboard function empties the clipboard and frees handles to data in the clipboard. The function then assigns ownership of the clipboard to the window that currently has the clipboard open.

Syntax

BOOL EmptyClipboard(VOID);

Parameters

This function has no parameters.

Return Value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.


Remarks
Before calling EmptyClipboard, an application must open the clipboard by using the OpenClipboard function. If the application specifies a NULL window handle when opening the clipboard, EmptyClipboard succeeds but sets the clipboard owner to NULL. Note that this causes SetClipboardData to fail.

For an example, see Copying Information to the Clipboard.

Function Information
Minimum DLL Version user32.dll
Header Declared in Winuser.h, include Windows.h
Import library User32.lib
Minimum operating systems Windows 95, Windows NT 3.1

See Also
Clipboard, OpenClipboard, SetClipboardData, WM_DESTROYCLIPBOARD
------------NEXT:

A clue here to back track to whatever is repeatedly entering the information to the clipboard may be here as the "Clipboard Ownership" .....


Clipboard Ownership
http://msdn.microsoft.com/en-us/library/ms649014(VS.85).aspx#_win32_Clipboard_Ownership

The clipboard owner is the window associated with the information on the clipboard. A window becomes the clipboard owner when it places data on the clipboard — specifically, when it calls the EmptyClipboard function. The window remains the clipboard owner until it is closed or another window empties the clipboard.

When the clipboard is emptied, the clipboard owner receives a WM_DESTROYCLIPBOARD message. Following are some reasons why a window might process this message:

The window delayed rendering of one or more clipboard formats. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had allocated in order to render data on request. For more information about the rendering of data, see Delayed Rendering.

The window placed data on the clipboard in a private clipboard format. The data for private clipboard formats is not freed by the system when the clipboard is emptied. Therefore, the clipboard owner should free the data upon receiving the WM_DESTROYCLIPBOARD message. For more information about private clipboard formats, see Clipboard Formats....
http://msdn.microsoft.com/en-us/library/ms649013(VS.85).aspx

The window placed data on the clipboard using the CF_OWNERDISPLAY clipboard format. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had used to display information in the clipboard viewer window. For more information about this alternative format, see Owner Display Format.
-------------NEXT:

So you may try to discover the ownership by....

Clipboard Sequence Number
The clipboard for each window station has an associated clipboard sequence number. This number is incremented whenever the contents of the clipboard change. To obtain the clipboard sequence number, call the GetClipboardSequenceNumber function....
http://msdn.microsoft.com/en-us/library/ms649042(VS.85).aspx
-----------------

It would help if persons may try a HiJackThis Log and post it, may reveal a start up process involved. Grab that info at my alternate www.BlueCollarPC.Org site here:
Submit HiJackThis Logs (Information)
http://www.bluecollarpc.org/_mgxroot/page_10736.html

I am webmaster of both www.BlueCollarpC.Net and www.BlueCollarPC.Org

you can email here bluecollarpc at yahoo.com (my Yahoo ID)
You'll find my groups/lists linked at my sites. Hope this may help, and this is the strangest occurrence in the security world I have seen since year 2001 on my first PC. Very strange and has some dark possibilities of greater attacks obviously. Let's hope the whole heads up gets the security software industry's help and removal signatures, if indeed even a new category "Clipboard Hijacker". What a first... What next? Yuck!

gerald philly pa usa
(Administrators may contact my registration private address for sure)
_________________
Webmaster www.BlueCollarPC.Net
bluecollarpc | Joined: 18 Aug 2008 | Posts: 3 | Location: USA
Posted: Mon Aug 18, 2008 2:36 am    Post subject: Removals....



If anyone comes up with anything they can paste as the actual installation - do indeed enter that at CounterSpy, Webroot Spy Sweeper, Trend Micro, others. As well - here at this product site which has the largest definitions database probably in the world at over 1 million definitions currently. Industry leader Webroot is above 300,000 as comparison.... SCAN WITH THIS (most aggressive Roto-Rooter!):

a-squared trojan remover (Free Working Version for life and Proactive Premium Version)
http://www.emsisoft.com/en/software/free/
a-squared (a-squared) is a complementary product to antivirus software and desktop firewalls on MS Windows computers. Antivirus software specializes in detecting classic viruses. Many available products have weaknesses in detecting other malicious software (Malware) like Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap that malware writers exploit. Automatic updates: In a-squared Free the updater must be run manually. The auto-update feature of a-squared Personal checks hourly for new available updates and installs them automatically. a-squared Free is freeware! You can download and use it completely for free.

.....If indeed it is detected in the Microsoft free Malicious Software Removal Tool monthly through normal Windows Updates on 'Patch Tuesday' (second Tuesday each month), surely the removal definitions will be added to Windows Defender (antispyware) or OneCare and should be worth the scan....

Microsoft AntiSpyware is now Windows Defender
[working-freeware from Microsoft]
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.

gerald philly pa usa
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Mon Aug 18, 2008 6:58 am

Hi BlueCollar,
The Clipboard owner shows as FireFox or IExplore, which isn't much help. ClipMate (my product) tracks the clipboard owner already, using the method that you describe. From the clipboard point of view, it's just regular data coming from the browser, as if the user had copied it.
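One defender-side way to put the MSDN material quoted above (clipboard sequence number, clipboard ownership) to work is a small monitor that polls GetClipboardSequenceNumber and flags the "same text, once a second" pattern this thread describes. The code below is an added example written for this page; it is not ClipMate's code and not from any poster. The detector itself is portable C and can be tested anywhere; the polling loop is compiled only on Windows and uses the real Win32 calls GetClipboardSequenceNumber, GetClipboardOwner, GetWindowThreadProcessId, OpenClipboard and GetClipboardData. The threshold (5 copies, each within 3 seconds) and the sample strings are constructed values. As Chris notes, the owner window will normally just be the browser, so the owner lookup identifies the host process, not the Flash object inside it.

```c
/* Clipboard hammering monitor: an added example, not ClipMate's code.
 * Portable part: a detector that flags when the same text is placed on the
 * clipboard again and again within a short interval (the "once a second"
 * behaviour described in this thread).  Windows part (#ifdef _WIN32): polls
 * GetClipboardSequenceNumber, reads CF_TEXT, looks up the owner window and
 * its process id, and feeds each change to the detector. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define MAX_CLIP 4096

typedef struct {
    char last_text[MAX_CLIP];   /* text of the most recent clipboard change */
    unsigned long last_seq;     /* last clipboard sequence number seen */
    int have_seq;               /* 0 until the first observation */
    double last_time;           /* time (seconds) of the last change */
    int repeats;                /* consecutive identical copies seen */
} clip_monitor;

void clip_monitor_init(clip_monitor *m) { memset(m, 0, sizeof *m); }

/* Feed one observation of the clipboard.  Returns 1 when the same text has
 * been re-placed on the clipboard at least `threshold` times in a row, each
 * within `gap_secs` of the previous one; otherwise 0.
 * The sequence number increments on every change, even when the new text is
 * identical to the old, which is what distinguishes hammering from a single
 * user copy that simply sits on the clipboard. */
int clip_monitor_observe(clip_monitor *m, unsigned long seq, const char *text,
                         double now, int threshold, double gap_secs)
{
    int same, recent;
    if (m->have_seq && seq == m->last_seq)
        return 0;                        /* clipboard unchanged since last poll */
    m->have_seq = 1;
    m->last_seq = seq;

    same   = m->repeats > 0 && strcmp(text, m->last_text) == 0;
    recent = (now - m->last_time) <= gap_secs;
    if (same && recent) {
        m->repeats++;
    } else {                             /* new text, or old text after a pause */
        strncpy(m->last_text, text, MAX_CLIP - 1);
        m->last_text[MAX_CLIP - 1] = '\0';
        m->repeats = 1;
    }
    m->last_time = now;
    return m->repeats >= threshold;
}

#ifdef _WIN32
/* Copy the current CF_TEXT clipboard contents into buf.  Returns 1 on success. */
static int read_clipboard_text(char *buf, size_t cap)
{
    int ok = 0;
    HANDLE h;
    if (!OpenClipboard(NULL))
        return 0;
    h = GetClipboardData(CF_TEXT);
    if (h != NULL) {
        const char *p = (const char *)GlobalLock(h);
        if (p != NULL) {
            strncpy(buf, p, cap - 1);
            buf[cap - 1] = '\0';
            GlobalUnlock(h);
            ok = 1;
        }
    }
    CloseClipboard();
    return ok;
}

int main(void)
{
    clip_monitor m;
    char text[MAX_CLIP];
    clip_monitor_init(&m);
    puts("Watching the clipboard; Ctrl-C to stop.");
    for (;;) {
        DWORD seq = GetClipboardSequenceNumber();
        if ((!m.have_seq || seq != m.last_seq) && read_clipboard_text(text, sizeof text)) {
            HWND owner = GetClipboardOwner();     /* usually the browser's window */
            DWORD pid = 0;
            double now = GetTickCount() / 1000.0;
            if (owner != NULL)
                GetWindowThreadProcessId(owner, &pid);
            /* threshold 5 copies, each within 3 s: constructed values, tune to taste */
            if (clip_monitor_observe(&m, seq, text, now, 5, 3.0))
                printf("ALERT: same text set %d times by owner pid %lu: %.60s\n",
                       m.repeats, (unsigned long)pid, text);
        }
        Sleep(200);
    }
}
#else
int main(void)
{
    puts("The polling loop is Windows-only; the detector above is portable.");
    return 0;
}
#endif
```

The design choice is to key on the sequence number rather than on the text alone: a user who copies a URL once leaves it on the clipboard indefinitely and never trips the detector, whereas a script that re-sets the same URL every second bumps the sequence number each time and is flagged after a handful of repeats. Closing the offending tab stops the alerts, which matches the behaviour reported at the top of the thread.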
bluecollarpc | Joined: 18 Aug 2008 | Posts: 3 | Location: USA
Posted: Mon Aug 18, 2008 2:56 pm

Understood.... it was a shot in the dark to sift data from it. At least there was data. I am thinking tracing it back to any executable file installed or registry entry - or here, for the "ownership", to an actual installation of some rogue element malware program.

That was my hunch that it is coming through a browser as opposed to another application like Paint for instance. That seems a clue as indicating even it may be some browser plug in from a drive by malware installation. It may pay to check the browser plug in list .....

IE (Internet Explorer).... open browser > Tools > Internet Options > Programs > Add Ons ..... which will show the list of all plug ins including toolbars.

In this scenario it is possible it is a BHO (Browser Helper Object) on Internet Explorer, which includes at minimum an ActiveX entry in the registry - but that would not explain Firefox, which does not allow this (ActiveX, ActiveX Object, ActiveX Helper Object, ActiveX Control, ActiveX Control Object).

I ran the one HiJackThis log in the news article's CLSID root key through here (example: {1234-567-89-10123}):

CastleCops - CLSID / BHO List / Toolbar Master List
http://castlecops.com/bhonew.html
(Identify Malware Toolbars) This is the Master BHO and Toolbar list copyrighted by Tony Klein and CastleCops.

The other mention that it is a Java exploit would then include it occurring in Firefox. Thanks for the reply. I am definitely following this story. A very unique and strange situation that obviously needs remedy.

Best 2 U,
gerald philly pa usa
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Mon Aug 18, 2008 3:08 pm

bluecollarpc wrote:
Understood.... it was a shot in the dark to sift data from it. At least there was data. I am thinking tracing it back to any executable file installed or registry entry - or here, for the "ownership", to an actual installation of some rogue element malware program.

The only "program" is the browser itself. Then there's the add-on, which is the Adobe Flash Player, which is already trusted by the user. The problem is that the malware is in a Flash object (.swf), playing in the browser. It's hammering its URL onto the clipboard, once per second. The real solution here is for Flash and Java to remove clipboard support. Those "applet runtime environments" have no business, IMO, in using the clipboard.

You really can't classify Flash and Java as malware, but they certainly can be a conduit for malware to run on your system. In the past, the risk has been in visiting risky sites. But with the extensive ad networks in place, the malware comes right to the sites that you trust, in the form of "malvertizements".
Chris Thornton (Site Admin) | Joined: 12 Jun 2002 | Posts: 4892 | Location: Spencerport, NY USA
Posted: Mon Aug 18, 2008 4:58 pm    Post subject: Follow-Up At ClipboardExtender.Com

To make it easier for discussions among security professionals, discussion for non-ClipMate users has been moved to my clipboard blog:

http://www.clipboardextender.com/defective-apps/clipboard-virus-not-exactly-but-still-dangerous
All times are GMT - 5 Hours