Why me, Psyme?

I noticed something weird going on with our website these past few days. On occasion, my antivirus software, AVG, would detect a virus when I loaded a page from Palabok.com. I just ignored the warning whenever it came up, figuring it was either one of the embedded pages I have on the website causing the problem or my antivirus software returning false positives.

But then, Godie from the Corrupted Partition blog left a comment saying the following:

Godie Says:
August 24th, 2007 at 9:06 pm

This page has an embedded JS/Psyme virus, if your anti-virus didn’t catch it, MAKE A FULL SCAN NOW WITH ANOTHER ANTI-VIRUS

Reading that comment made me worried. It meant that it wasn't just AVG misbehaving. After a bit of investigation, I discovered that a bit of foreign JavaScript code had been inserted at the bottom of the index.php pages on my website!

I copied the unknown code, pasted it into my text editor, saved it and let AVG scan the saved file. AVG reported that the file was indeed infected with the JS/Psyme virus. That little piece of JavaScript code was the reason AVG alerted me to a virus whenever I browsed our own website.

Here is a short description of JS/Psyme as taken from the Sophos website, if you are interested:

Name: JS/Psyme-AN
Type: Trojan
How it spreads: Web browsing
Affected operating systems: Windows
Side effects:
– Downloads code from the internet
– Exploits system or software vulnerabilities

JS/Psyme-AN attempts to load a web page infected with Troj/Psyme-AN by creating a new object element within the current document/HTML page.

For further information please refer to the Troj/Psyme-AN description.

I have since removed the malicious bit of code from our website. The virus should no longer pose a threat to our readers.
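One way to check a web root for the kind of injection described above, as an added example that is not code from the original post or from any antivirus vendor: it flags script, object or iframe tags that sit after a page's closing </html> (where nothing legitimate belongs) or that load their payload from a host outside an allowlist. The sample page and the web-root layout are constructed for the example.

```python
"""Flag script/object/iframe tags appended after </html> or loading from untrusted hosts."""
import re
import sys
from pathlib import Path

TAG_RE = re.compile(r"<(script|object|iframe)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r'\b(?:src|data)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def find_injected_tags(html, trusted_hosts=()):
    """Return suspicious tags found in one page's source.

    A tag is reported when it sits after the closing </html> (a common spot
    for appended injections) or when it loads from a host not in trusted_hosts.
    """
    findings = []
    end = html.lower().rfind("</html>")
    for m in TAG_RE.finditer(html):
        reasons = []
        if end != -1 and m.start() > end:
            reasons.append("after </html>")
        src = SRC_RE.search(m.group(0))
        if src and "://" in src.group(1):
            host = re.sub(r"^[a-z]+://", "", src.group(1), flags=re.I).split("/")[0]
            if host.lower() not in trusted_hosts:
                reasons.append(f"external host {host}")
        if reasons:
            findings.append({"tag": m.group(1).lower(), "offset": m.start(), "reasons": reasons})
    return findings


def scan_webroot(root, trusted_hosts=()):
    """Walk a web root and report suspicious tags in every index.php / index.html."""
    report = {}
    for path in Path(root).rglob("index.*"):
        if path.suffix.lower() in (".php", ".html", ".htm"):
            hits = find_injected_tags(path.read_text(errors="replace"), trusted_hosts)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: a normal page with a trailing <object> appended after </html>.
SAMPLE = ("<html><head><script src='/js/site.js'></script></head>"
          "<body>hello</body></html>\n"
          "<object data='http://attacker.invalid/x.html'></object>")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for path, hits in (scan_webroot(root).items() if root else [("SAMPLE", find_injected_tags(SAMPLE))]):
        print(path, hits)
```

Run it as `python check_injection.py /path/to/webroot` to scan real files; with no argument it checks the built-in sample.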

Even so, I feel sort of violated by the existence of this virus code in my web pages. I certainly didn't put it there. So how did the code get there? Did some hacker guess my password and insert the code into my index.php pages? Was it an insider working for my web host who ran some sort of batch file that inserted the malicious code into all the index.php pages hosted there? Did a hacker place the code in the Fantastico installer used by my web host?

Adding malicious code for a low-level trojan isn't so bad, in my opinion. But if that person could do that, he or she might also have accessed more important personal stuff in my hosted space. I'll definitely investigate further. I don't want this kind of thing to happen again.

Published on August 24, 2007 at 3:15 pm