Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?

[Rodnev]

I was browsing with firefox just now, and I came upon a site (through google) I haven't visited in a long time, but which I tought was to be trusted.

So I clicked on the link through google, and the Avast scanner popped up stating the warning you see in the attachment (or the screenshot hosted on flickr it you fancy it: http://farm3.static.flickr.com/2567/3746850517_03986e49f8_o.jpg)

So my questions are:

- Avast said not to panic, by pressing 'Abort connection ' (Connectie afbreken) it would stop the virus before downloading the file to my computer (which i offcourse did). Can i be confident that the file did not find its way on to my computer?

- Second, it is a virus/worm? The file name (bestandsnaam) it blocked came from h**tp://netter.nl/mint/?js
Is mint not some software to analyse visitor statistics etc? Could this be a false alert?

First time i came upon this. Should i alert the webmaster?

[cinchez]

avast! blocked the malicious script and ur PC is safe^^

Cheers!^^

-AnimeLover^^

[Confused Computer User]

- Avast said not to panic, by pressing 'Abort connection ' (Connectie afbreken) it would stop the virus before downloading the file to my computer (which i offcourse did). Can i be confident that the file did not find its way on to my computer?

Yes. Avast just showed it's remarkable efficiency at stopping viruses from getting on your computer.

- Second, it is a virus/worm? The file name (bestandsnaam) it blocked came from h**tp://netter.nl/mint/?js
Is mint not some software to analyse visitor statistics etc? Could this be a false alert?

This could be true... Unfortunately I am not a very advanced user so I would suggest waiting for some posts from the forum Gurus.

First time i came upon this. Should i alert the webmaster?

I would simply inform him that your Avast Antivirus (build 4.8... with the latest updates) gave you a warning message. I would also attach the photo you have in your post.

Cheers

[DavidR]

Well the actual .jpg image you gave the link to isn't infected, see image, so it is something behind the scenes hxxp://netters.nl/mint/?js in the alert image.

So the log-on script has been hacked as there is a hidden iFrame tag at the bottom of the page that tries to go to a Russian domain, see image3, so it looks like the netters.nl\mint site has been hacked.

http://www.mywot.com/scorecard/q3o.ru and http://www.google.com/interstitial?url=http://www.q3o.ru/, so this is also what avast is blocking.

[Rodnev]

The image i attached is a screenshot i took with prtsc which i then saved in paint
Could that have become infected then??

I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, i'm so paranoid when it comes to spyware etc ...

[nmb]

DavidR is not referring to the pic you have attached but to the one you have mentioned in your first post..

[DavidR]

The image i attached is a screenshot i took with prtsc which i then saved in paint
Could that have become infected then??

I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, i'm so paranoid when it comes to spyware etc ...

As nmb said my reference was to the link being clean.

The site with the problem is netters.nl/mint as the log-on script appears to have been hacked. So I hope it is that site to whom you sent the email to the webmaster.

Welcome to the forums.

[Rodnev]

DavidR is not referring to the pic you have attached but to the one you have mentioned in your first post..

Ah thx

[Rodnev]

The image i attached is a screenshot i took with prtsc which i then saved in paint
Could that have become infected then??

I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, i'm so paranoid when it comes to spyware etc ...

As nmb said my reference was to the link being clean.

The site with the problem is netters.nl/mint as the log-on script appears to have been hacked. So I hope it is that site to whom you sent the email to the webmaster.

Welcome to the forums.

Yep, I've sent an email to the netters.nl webmaster.

Thanks for the welcome and the explanation!

[DavidR]

No problem, glad I could help.

[polonus]

Ha Rodnev,

Diagnostische pagina voor q3o.ru

Wat is de huidige status van q3o.ru?
Deze site is als verdacht aangemerkt - het bezoeken van deze site kan uw computer beschadigen.

Een deel van deze site is in de afgelopen 90 dagen 1 keer aangemerkt wegens verdachte activiteiten.

Wat is er gebeurd toen Google deze site bezocht?
Van de 3 pagina's die we in de afgelopen 90 dagen op de site hebben getest, hebben 0 pagina('s) zonder de toestemming van de gebruiker schadelijke software gedownload en geïnstalleerd. De vorige keer dat Google deze site bezocht, was op 2009-07-22. De vorige keer dat verdachte inhoud op deze site werd aangetroffen, was op 2009-07-22.
Malicious software includes 1 exploit(s).

This site was hosted on 15 network(s) including AS16276 (OVH), AS35470 (XL), AS20773 (HOSTEUROPE).

Heeft deze site gefungeerd als een tussenschakel en geleid tot verdere verspreiding van malware?
Het lijkt erop dat q3o.ru in de afgelopen 90 dagen heeft gefunctioneerd als tussenschakel voor de infectie van 1 site(s), waaronder ssail.ru/.

Heeft deze site malware gehost?
Ja, deze site heeft in de afgelopen 90 dagen schadelijke software gehost. Deze software heeft 4 domein(en) geïnfecteerd, waaronder eyewk.com/, ssail.ru/, qjunk.com/.

Hoe is dit gebeurd?
In bepaalde gevallen kunnen derden schadelijke codering toevoegen aan echte sites, waarna wij deze waarschuwing weergeven.

De oorspronkelijke link schijnt schoon volgens de Wepawet scanner:
http://wepawet.iseclab.org/view.php?hash=6fa5526260cf478087189bf287c70c40&t=1248370103&type=js

Bad Stuff Detektor vindt:

No zeroiframes detected!
Check took 2.50 seconds

(Level: 0) Url checked:
hxtp://netter.nl/mint/?js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (frame source)
hxtp://netter.nl/?pagesection=body
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
/unique/track.js?referrer=hxtp://netter.nl/mint/?js
Blank page / could not connect  (Dit zou de kwaadaardige doorverwijzer hebben kunnen zijn)
No ad codes identified

De pagina netter.nl etc. geeft geen alerts meer van avast, dus is waarschijnlijk schoongemaakt,

groetjes,

polonus

[DavidR]

(Level: 0) Url checked:
http://netter.nl/mint/?js
Zeroiframes detected on this site: 0
No ad codes identified

Well they clearly missed the one in the second image I posted in Reply #3 above

So the flaw is looking for 0x0 iframes (zeroiframes) this one has an iframe 191x116, but has the attribute, style="visibility: hidden" So we can't take that analysis on face value if it is only looking for 0x0 but other width and hight values when the iframe is also hidden.

[polonus]

Hi DavidR,

You referring to this:

Code: [Select]

^script type="text/javascript"^
........ if(window.top != window) { document.write('<img src="/frame......../track.gif?referrer=about%3Ablank" style="height : 0; width : 0; border-width : 0; display: none" alt="" /^'); }
^/script><script type="text/javascript" src="/unique/track.js?referrer=about%3Ablank"^^/script^
And then there is this"

Code: [Select]

^frameset rows="100%,*" frameborder="no" border="0" framespacing="0"^.....
^frame src="hXttp://netter.nl/?pagesection=body" noresize="noresize" /^
^noframes^
^p^^a href="hXtp://netter.nl/?pagesection=body">Click Here</a> to continue</p>
^/noframes^
Your redirect I cannot trace there anymore....

polonus

[DavidR]

No neither of those as it was an iframe tag and not a script tag or frameset.

I downloaded the file in the OPs image, hXXp://netters.nl/mint/?js (the one I referred to and quoted from your results) and that has the iframe tag at the bottom. In fact I have just downloaded and saved it again and the iframe is still there, but now pointing to a different domain hxxp://xb4.in and same style hidden.

[polonus]

Hi DavidR,

Redirect to: No zeroiframes detected!
Check took 0.33 seconds

(Level: 0) Url checked:
hXtp://xb4.in
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

polonus