Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Ray crchjr on April 06, 2013, 02:38:21 AM

Title: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Ray crchjr on April 06, 2013, 02:38:21 AM
I have a website that got hacked recently. It took us weeks to get it cleaned up. I still have one file that avast says contains a trojan. I had my host server scan the file and all other files on my site and they say they are all clean. So is it avast that's wrong or are they wrong? The file I have an issue with is for FrontPage Express 2003 and the file name is _vti_inf.html. Any suggestions?
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: jefferson sant on April 07, 2013, 04:17:41 AM
You could submit the file via email to the avast lab:
virus@avast.com (zipped and password-protected, please).

Check the file at VirusTotal (multi-engine on-line virus scanner, maximum file size: 64 MB):
https://www.virustotal.com/en/

and report the findings here in the topic.

Submitting files from the Virus Chest to avast! virus Lab

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: walzz on April 12, 2013, 02:39:55 AM
When visiting this URL - hxtp://www.409shop.com.hk/mic.htm  Avast blocks the page and reports 'HTML:Iframe-ZG [trj]'

This seems to be a false positive.  When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DavidR on April 12, 2013, 03:15:51 AM
Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Avast isn't the only one to consider it infected:
http://sitecheck.sucuri.net/results/www.409shop.com.hk/mic.htm (http://sitecheck.sucuri.net/results/www.409shop.com.hk/mic.htm)
http://www.urlvoid.com/scan/409shop.com.hk/ (http://www.urlvoid.com/scan/409shop.com.hk/)

There is a hidden iframe after the closing html tag, which is suspicious in itself; this iframe links to a site that is considered malicious by avast.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 24, 2013, 03:40:57 PM
I'm also getting the HTML:Iframe-ZG [Trj] popup on my site

http://sitecheck.sucuri.net/results/www.ksasintjozef.be

The code from the corfuparadise has been removed by me from all the pages that were infected. But still I get popups.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DavidR on April 24, 2013, 03:52:41 PM
Well, a re-scan of the sucuri.net link you provided is still indicating the site is infected, see attached image.

EDIT: Also see http://urlquery.net/report.php?id=2146441 (http://urlquery.net/report.php?id=2146441).
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 26, 2013, 12:20:57 PM
Well, I really don't understand it anymore. Only sucuri.net and avast give a positive result. Every other way says the site is clean. Nobody can help me to get rid of the "problem"?
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DavidR on April 26, 2013, 12:42:30 PM
Sucuri shows the files where these 'hidden' iframe tags are to be found; you have to either remove those pages relating to 404 and/or find and remove the iframe tags.

The fact that this iframe tag is outside the closing HTML tag is also suspicious in its own right.

The first thing to ask yourself is, is that iframe tag legit, e.g. you created it and the location it is connecting to is correct (corfuparadise.gr).
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 26, 2013, 01:30:50 PM
there is NO iframe in the html. I removed it manually last week. Strangely sucuri still finds it.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DavidR on April 26, 2013, 01:36:05 PM
I can't account for it still being detected, but if you are using any content management software check its templates as it may be being inserted.

Are these two files that are being flagged by sucuri essential, as I can't see why a javascript file would be required to handle a 404 error/issue? 404 errors can either be dealt with by default or by the use of a custom 404 page, and that doesn't require javascript.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pondus on April 26, 2013, 01:46:10 PM
VirusTotal
https://www.virustotal.com/nb/file/e5c231419ee990fb4f344b2de63557395a68601a96f65237a667362a33b9bf66/analysis/1366976693/

quttera
http://quttera.com/detailed_report/www.ksasintjozef.be

zulu analyser
http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366977999

Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 26, 2013, 02:14:38 PM
Hi Pleuris,

Of course they wouldn't provide you the iframe directly in the html. Then removing the malware would be somewhat easy, no?

DavidR is indeed correct. The 404 files still return the hidden iframe.

The report itself: http://www.UnmaskParasites.com/security-report/?page=www.ksasintjozef.be/404

Confirmed Malicious. See attached.

~!Donovan
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: polonus on April 26, 2013, 02:40:51 PM
Also see: http://sitecheck.sucuri.net/results/www.ksasintjozef.be
Here it is not detected or it must have been already cleansed: http://evuln.com/tools/malware-scanner/www.ksasintjozef.be/
But here 16 suspicious files are being listed: http://quttera.com/detailed_report/www.ksasintjozef.be
Various suspicious external elements flagged here: http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366979689
About cleansing counter.php malcode, read: http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html

polonus
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 26, 2013, 11:26:08 PM
Hi Polonus,

I do not think that evuln scanned a 404 page because this kind of iframe should've been detected. I tried to query the url with /404 but evuln itself returned a 404.

All links that were marked suspicious on Quttera lead to the 404 page, which is why they were detected.

~!Donovan
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: polonus on April 26, 2013, 11:57:31 PM
Hi !Donovan,

Makes sense, the more so as Quttera is a realtime scanner; also http://evuln.com/tools/malware-scanner/corfuparadise.gr/

Damian
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 27, 2013, 09:37:16 AM
I'm happy you are helping me to solve the problem. But to be honest, you might as well talk Chinese.

I can't seem to locate the 404 page on the server. When I start www.ksasintjozef.be I get a different popup from avast:

http://www.avast.com/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_vir=HTML:Iframe-ZG%20[Trj]&p_prc=C:\Program%20Files%20%28x86%29\Mozilla%20Firefox\firefox.exe&p_obj=http://ksasintjozef.be/favicon.ico&p_var=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_pro=0&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=114&p_lng=nl&p_lid=nl-be&p_elm=7&p_vbd=1483

In case you were wondering, it's the first time I'm trying to solve virus/malware on a site :)
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pondus on April 27, 2013, 09:40:48 AM
Sucuri will help you....for a fee   http://sucuri.net/signup

Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 27, 2013, 01:32:21 PM
If you would, please post the contents of your .htaccess file in your next reply. It is located at the root folder of your website and is a hidden file.

Thanks,
~!Donovan
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 27, 2013, 02:38:43 PM
This is it:

php_value upload_max_filesize 20M
php_value post_max_size 20M
# numeric settings take php_value; php_flag is only for on/off switches
php_value max_execution_time 500
php_value max_input_time 500
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 27, 2013, 03:55:24 PM
Based on the information you provide, the default 404 files should be used.

Are you sure that you are unable to find a filename containing "404" anywhere on your server? Not even 404.php or 404.shtml?
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 27, 2013, 06:19:56 PM
There doesn't seem to be anything named (or containing) 404 on the site...

Maybe if I make a completely clean 404.html?

I'm trying to reach the helpdesk, but they haven't reported back to me the last few days.

Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 27, 2013, 06:32:07 PM
Hi Pleuris,

Please add the following code to your .htaccess:

Code:
ErrorDocument 404 /index.html
All URLs returning the 404 error code should redirect to the homepage, thus preventing the default 404 page from being executed.

~!Donovan
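As an added example (not code from the thread or from any of its posters), a small Python check for the pattern discussed above: iframe tags placed after the closing </html> tag or hidden by 1x1 sizing / CSS, run over every response body including 404 pages, since here the injected iframe only surfaced on 404 responses, which is why the ErrorDocument workaround silenced the alert. The sample bodies and the example.invalid host are constructed.

```python
import re

# Constructed samples (not from the thread): a benign page with a normal
# iframe, and a 404 page carrying an injected iframe after </html>.
SAMPLE_CLEAN_BODY = """<html><body><p>Hello</p>
<iframe src="/player" width="640" height="360"></iframe></body></html>
"""
SAMPLE_404_BODY = """<html><head><title>Not Found</title></head>
<body><h1>404 Not Found</h1></body></html>
<iframe src="http://example.invalid/counter.php" width="1" height="1"
 style="visibility:hidden"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def _attr(tag, name):
    """Return the value of attribute `name` in an opening tag, or None."""
    pat = r'\b%s\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))' % name
    m = re.search(pat, tag, re.IGNORECASE)
    return None if m is None else next(g for g in m.groups() if g is not None)

def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for iframes that look injected rather than authored."""
    ends = [m.start() for m in END_HTML_RE.finditer(html)]
    last_end = ends[-1] if ends else None
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag, reasons = m.group(0), []
        if last_end is not None and m.start() > last_end:
            reasons.append("after closing </html>")
        if _attr(tag, "width") in ("0", "1") or _attr(tag, "height") in ("0", "1"):
            reasons.append("0/1 pixel size")
        if HIDDEN_CSS_RE.search(_attr(tag, "style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((_attr(tag, "src"), reasons))
    return findings

def scan_responses(responses):
    """responses: {path: (status, body)}. Every body is scanned, including
    error pages, because in this thread the iframe only surfaced on 404s."""
    return {path: f for path, (status, body) in responses.items()
            if (f := find_suspicious_iframes(body))}

if __name__ == "__main__":
    print(scan_responses({"/": (200, SAMPLE_CLEAN_BODY),
                          "/missing": (404, SAMPLE_404_BODY)}))
```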
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 27, 2013, 07:44:33 PM
Thanks a lot!

I rebooted my computer and opened the page. Not a single popup  :D

I hope it stays like this. If you are ever near, let me know. I owe you several beers.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on April 27, 2013, 07:48:11 PM
You're welcome. :)
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pondus on April 27, 2013, 07:50:24 PM
Quote
I owe you several beers.
hmmm.... you have to wait a couple of years then or his dad gets mad at you   ;D

OBS...and Sucuri now gives it clean   ;)   http://sitecheck.sucuri.net/results/www.ksasintjozef.be

Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pleuris on April 27, 2013, 07:57:56 PM
Indeed, nothing can be found. I'm a very happy guy now.

BTW, in Belgium you may start to drink when you are 16. The city we are in is world-famous because of our Carnaval. Google oilsjt carnaval :)
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DeanZiegler on May 09, 2013, 11:09:27 PM
Hi guys,

I'm having the same issue on our site - systems2win.com.
Same iframe-zg trojan
Same 404 error behavior

I won't bore you with the other steps we have taken to remove the trojan from infecting our web menus...
The root problem is that the trojan still remains active -
and the way that it manifests now is by appearing whenever a 404 error is triggered anywhere on our site.

Adding the suggested line of code to the htaccess file in our FTP folder somehow prevents our users from using their password to access FTP,

and that solution doesn't do anything for all of the other folders on our site - which I don't believe have an htaccess file.

It seems that with this solution, the trojan is being allowed to continue to exist, while simply trying to avoid triggering it.
Does anyone have any ideas for how to completely eliminate the Trojan?

One clue...
I notice that Avast gives the warning dialog when the Google Toolbar version of the 404 error appears -
and does not give the warning dialog when the regular 404 error appears (immediately following the Google Toolbar version),
but I'm not sure whether this is just because it has already given the warning - or because the warning is actually associated with the Google Toolbar dialog itself.

Any thoughts?
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pondus on May 09, 2013, 11:25:06 PM
@DeanZiegler

Virus and false positive problems should be posted in the Virus and Worms forum section.

Sucuri report for Your URL  http://sitecheck.sucuri.net/results/systems2win.com
Malware entry: MW:IFRAME:ENC1560   http://labs.sucuri.net/db/malware/malware-entry-mwiframeenc1560

and VirusTotal gives a 14/46 infected score
https://www.virustotal.com/en/file/1beea3ce441805a6b620114acf2bee5ae6b0da831960ebba32a02b680691170f/analysis/1368134652/


Quote
Does anyone have any ideas for how to completely eliminate the Trojan?
you may ask Sucuri for help?   http://sucuri.net/signup

Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: !Donovan on May 10, 2013, 12:03:56 AM
Hi DeanZiegler,

Yes, the code above merely prevents the default 404 page from being executed and thus stops the malicious code from being executed.

What other steps have you tried to remove this malware from your site?

~!Donovan
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Milos on May 10, 2013, 08:44:09 AM
Quote
When visiting this URL - hxtp://www.409shop.com.hk/mic.htm  Avast blocks the page and reports 'HTML:Iframe-ZG [trj]'

This seems to be a false positive.  When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.
Hello,
there is a hidden iframe after the closing html tag, which leads to "axcent-eshop.com/counter.php".

Milos
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: DeanZiegler on May 10, 2013, 06:56:59 PM
Thanks for your help, guys.
FYI, I am taking the advice, and have hired Sucuri.net to help eliminate the issue.
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: Pondus on May 10, 2013, 07:04:31 PM
Good choice....they seem to be one of the best at this.
Also check their blog for info.   http://blog.sucuri.net/
Title: Re: HTML:Iframe-ZG [trj] False Positive maybe ??
Post by: polonus on April 10, 2015, 01:10:34 AM
Update,

It has been 365 days and it is still flagged by Bitdefender TrafficLight:
http://www.google.com/search?q=axcent-eshop.com
So the site is still blacklisted, and
two warnings on the asafaweb scan: https://asafaweb.com/Scan?Url=www.axcent-eshop.com
No DOM XSS sources detected.

polonus