scanner-c517d_2015.exe

i'm new to all this and this is probably an obvious question... has my mac been infected by this thing if it popped up (protection-check07.com from the NYT page)? i cancelled, clicked out of it, and restarted my computer. is there anything else i should do? or am i ok?

Same problem as the rest: reading a NYT article and the pop-up comes, & any click starts it. Tried to quit safari as fast as I could, but still ended up with the scanner.exe file downloaded (from the sex-and-the-city url). Moved it to the trash & when I tried to empty the trash, my back-up drive starts going nuts. Stopped empty trash, & don't know what to do now!

http://protection-check07.com/1/?sess=%3Dm2y9jDxMiZpcD03MC4xMTQuMjAxLjExNSZ0aW1l PTEyNTU4MUcMNQkN

http://sex-and-the-city.cn/go.php?id=2015&key=ace6725ec&p=1

WARNING: Clicking on those links above will take you to the malware site lock up your browser.

PLEASE PEOPLE, no need to post a direct, active link to the malware site in question.

Glad to see that everyone's experience here corroborates this as a possible problem from nytimes.com

My guess is that our Macs are safe. I've emailed the the nytimes.com addresses that I could find, with a description of the problem. We'll see!

-sm

SM
I am sure you will post any replies from NYTimes? Also anyone hearing about a Mac patch for this too. Thanks.
LR

Found this post from today on another thread on this problem. For what it is worth. LR
================
I just spoke with a customer representative at the main New York Times office in New York. They are aware of the problem and their IT folks are working to resolve the attack on their website. I asked if NYT would please post something on their main page to communicate about this issue with their readers, and the individual I spoke with assured me that they would do that.

The New York Times Company
620 Eighth Avenue
New York, NY 10018
General Inquiries:
(212) 556-1234

I asked to speak with "security" and was eventually transferred to customer relations.

We experienced the same problem with //protection-check07.com this morning on the International Herald Tribune website. This site is the international arm of NY Times. Using "Force Quit" from the Apple menu is probably the safest exit path when a suspicious pop-up window appears.

I checked the internet "cookies" list via Safari>Preferences then clicking the "Security" tab then clicking "Show Cookies". I entered "sex" in the search line and found a cookie identified as follows: Website| sex-and-the-city.cn; Name| go; Path| /; Expires| September 14, 2009 7:30AM; Contents| 1. Wonder why it expires in 24 hours? We had changed the Safari preferences regarding cookies to "Accept Always" to allow us to register on a legitimate site, but forgot to change the setting back to "Only from sites I visit". I would be interested to hear if anyone else using the cookie setting of "Only from sites I visit" has the telltale cookie. This would help us understand further how successful the intrusion may have been.

I checked my cookies - setting was "only from sites..." and the cookie was there...

Yes, I see that I have this cookie in my Safari Preferences, too. Interestingly I have always had "Only accept cookies from sites I have visited" checked ON. At no point have I clicked anything except the "cancel" button on any of these popups. I wonder if they are spoofing "cancel" so that it is really some sort of "accept" button? Otherwise, why does safari allow the site to write the cookie?

I wonder if they are spoofing "cancel"

Yes, these popups always do that. NEVER click any button in those windows.

it's diabolical because the popup has the Safari icon and looks at a glance like a bona fide notification.

I'm not much of a techie. I had "only accept cookies from sites I've visited" checked, yet found this one on my mac. I imagine deleting it is the only thing to do.

The page my wife saw has green progress bar as it "scans" your hard drive. This is fake, it is showing a fake list of Windows files. However, if you get the .exe file downloaded to your machine (which is real), just delete it, even though it is not dangerous to your mac.

The Times has posted this on their Twitter feed:

Attn: NYTimes.com readers: Do not click pop-up box warning about a virus -- it's an unauthorized ad we are working to eliminate.