Avast WEBforum

Other => General Topics => Topic started by: OrangeCrate on May 30, 2006, 01:56:12 PM

Title: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 01:56:12 PM
I've never really paid attention to the myriad of Firefox extensions, but recently I added NoScript, AdBlock Plus (with the dutchblock feed) and Fasterfox. (Boy, does the combo of those three extensions speed Firefox up!)

It's been so long that I've had avast warn me of anything, that I almost forgot that it is supposed to.

I did a search this morning on Google for the cost of contact lenses, and lo and behold, avast popped up with a warning on a trojan installed on one of the prefetched links on the Google results page.
Title: Re: avast detects prefetched trojan...
Post by: Lisandro on May 30, 2006, 02:08:04 PM
Quote
avast popped up with a warning on a trojan installed on one of the prefetched links on the Google results page.

Are you sure it was an avast message? Wasn't it from NoScript?
What were the name of the virus and the web page address of that link?
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 02:16:51 PM
Quote
avast popped up with a warning on a trojan installed on one of the prefetched links on the Google results page.
Are you sure it was an avast message? Wasn't it from NoScript?
What were the name of the virus and the web page address of that link?

Yes, it was avast. Here are the details you requested:

http://  acuvuecontacts.ds4a.com/robots.txt

Win32:Small-SK [Trj]

Trojan Horse

0622-1, 05/29/2006

Edit: Removed the active link.
Title: Re: avast detects prefetched trojan...
Post by: Lisandro on May 30, 2006, 02:21:40 PM
Quote
http://  acuvuecontacts.ds4a.com  /  robots.txt

Please, do not post a live link to an infected file  :P
Yes, it's infected but it does not seem to be 'prefetched' but it is a WebShield message detecting the infection on that page.
Do you have this file saved in your computer?
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 02:28:24 PM
I know. I was removing the link at the same time you were posting. Sorry.

To answer your question, no.  I didn't open the page, and avast aborted the connection.

Since I got no further than the Google results page for the search when avast warned me, and then by clicking the option button avast aborted the connection, it certainly must have been prefetched by Fasterfox. I didn't click on any links on the search page.
Title: Re: avast detects prefetched trojan...
Post by: Lisandro on May 30, 2006, 02:30:48 PM
Quote
Since I got no further than the Google results page for the search when avast warned me, and then by clicking the option button avast aborted the connection, it certainly must have been prefetched by Fasterfox. I didn't click on any links on the search page.

avast WebShield should have 'blocked' the connection (did you set it to work in Silent Mode? See the provider settings, Advanced tab) and the file shouldn't be saved or prefetched... this is the purpose of WebShield.
Can you schedule a boot time scanning with avast and see if any infection remains in your computer?
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 02:52:40 PM
I do not have avast set to run in the silent mode.

To repeat - I did not click on the link, so I'm pretty sure it's not on my computer. The link was on the Google results page.

Fasterfox prefetches pages, links, whatever, so, out of curiosity, why do you think that the link wasn't prefetched?

I'll post again after I run a scan...
Title: Re: avast detects prefetched trojan...
Post by: DavidR on May 30, 2006, 03:37:44 PM
Quote
Yes, it was avast. Here are the details you requested:

http://  acuvuecontacts.ds4a.com/robots.txt

Win32:Small-SK [Trj]

I would say that it is quite possible this could be correct as I find it strange that you would be directed to robots.txt as this is a text file containing instructions on how a search engine's searchbot/s is allowed to search your site (so I would say it is certainly strange and I would treat it with suspicion). The robots.txt file isn't usually placed in a location accessible to the public.

How/why were you trying to access this file/web location e.g. redirected, link on a web page or email, etc. ?
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 05:37:34 PM
Tech - I run the Home version, not the Pro version, so I don't have the option to run a boot time scan. I have run a standard scan, and there are no infected files. (If you can schedule one from the Home version please advise how. I don't see it in the avast! documentation.)

David - As mentioned earlier in this thread, I searched Google for the price on contact lenses. As soon as Google returned the first page of results, the avast warning came up. Here's the rest of the story from the previous post:


Quote
To answer your question, no.  I didn't open the page, and avast aborted the connection.

Since I got no further than the Google results page for the search when avast warned me, and then by clicking the option button avast aborted the connection, it certainly must have been prefetched by Fasterfox. I didn't click on any links on the search page.

I have no idea why a robots.txt file showed up in the warning, but it must have been triggered by the prefetch action of Fasterfox, and that bothers me a lot.

Title: Re: avast detects prefetched trojan...
Post by: Lisandro on May 30, 2006, 05:48:51 PM
Quote
Why do you think that the link wasn't prefetched?

Because WebShield should block the file BEFORE it is even saved into the disk.

Quote
Tech - I run the Home version, not the Pro version, so I don't have the option to run a boot time scan.

Home version has boot time scanning too.

Quote
If you can schedule one from the Home version please advise how. I don't see it in the avast! documentation.

Start avast! > Right click the skin > Schedule a boot-time scanning.

Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.
Title: Re: avast detects prefetched trojan...
Post by: DavidR on May 30, 2006, 05:58:14 PM
Quote
I have no idea why a robots.txt file showed up in the warning, but it must have been triggered by the prefetch action of Fasterfox, and that bothers me a lot.

Sorry missed the bit about fasterfox prefetch.

Well I have the prefetch function disabled in fasterfox as I'm on dial-up and if anything for me it slowed browsing, taking longer to load the originating page. I'm still surprised that there would be a link to the robots.txt in the acuvue index (default) page and I'm not sure what depth the prefetch goes in links to additional pages.

So I did a little test as the acuvuecontacts is a subdomain of ds4a.com, trying to connect to ds4a.com causes avast to alarm so that may have been the cause rather than robots.txt ???
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 06:07:42 PM
Tech - I'm busy on some other projects at the moment, but I'll try that later before I shut down my computer. Thanks.

David - Thanks for the confirmation. As mentioned, I personally didn't visit the site, but obviously Fasterfox did on my behalf.

Thank goodness avast caught it. Good job team! Makes me wonder if I should continue to use Fasterfox...
Title: Re: avast detects prefetched trojan...
Post by: DavidR on May 30, 2006, 06:22:24 PM
FasterFox does more than the prefetch function and disabling just the prefetch should be fine.

I did another test on ds4a.com using DrWeb firefox extension but got a 404 error
Quote
Error

Can`t fetch file pointed by your url. This may be caused by several reasons:
    * Remote file is not available (not found, requires authentication, permission denied)
    * Remote site is down, or very slow, or busy
    * No network connectivity between Dr.Web online server and remote web-site
See details below:

Details:
404 Not Found

Could just be slow but avast still alerts even though DrWeb can't load the page.
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 07:34:10 PM
David - I've disabled prefetching in Fasterfox. This experience has just taught me, that that is probably a good idea.

Tech - Thanks, I didn't know that. I thought I had read that setting up a boot time scan was only available in the Pro version, and that in the Home Edition, it was only available when a virus was found during the standard scanning process. I'm going to scan now.

I'll post again when done...
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 30, 2006, 07:54:23 PM
I'm currently using Kaspersky (trial). I entered the site to see if Kaspersky detects anything and nothing happened... no virus warning...
So am I now infected with something Kaspersky doesn't detect  ???  :-\
this is the page
htt p:// ds 4a .co m /
Title: Re: avast detects prefetched trojan...
Post by: justin1278 on May 30, 2006, 07:57:18 PM
It is possible, or it is also possible that this is a False Positive detected by avast! There is really no way to tell. But regardless I would not risk this.
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 30, 2006, 08:04:21 PM
Well, when I opened the page there was an error: the selected page was not found 303 304 (not the whole page but some part of it).
I have KIS so there is a firewall included and no alert for outbound connections.
Winpatrol doesn't detect any changes (as I too no new processes and startup items.)
I guess there's nothing to worry about  ::)

BTW I think it's not a false positive because SiteAdvisor was red
Title: Re: avast detects prefetched trojan...
Post by: justin1278 on May 30, 2006, 08:07:33 PM
Ya I noticed that SiteAdvisor gave it a red flag too. Maybe Kaspersky blocked it. I'm not sure, but it sounds like the trojan didn't get to you.
Title: Re: avast detects prefetched trojan...
Post by: justin1278 on May 30, 2006, 08:13:45 PM
After testing the link I have found that this site gives free websites supposedly. http://ds4a,com is connected to http://freewebsites,com and both contain the same malware found by avast! I no longer want to put my system at a risk so I have blocked both sites on my system using the avast! Web Shield module.
Title: Re: avast detects prefetched trojan...
Post by: DavidR on May 30, 2006, 08:17:21 PM
Quote from: Neron
I entered the site to see if kaspersky detects anything and nothing happened...no virus warning...
Well there is no way I would have tried it without the web shield as a back-up and been using firefox and also running it via DropMyRights. So if the worst came about any potential damage would be limited, not to mention regular hard disk images as a final fall back option.

I also checked ds4a.com using site advisor http://www.siteadvisor.com/sites/ds4a.com which has links to sites with suspect spyware/adware.

Whilst this detection of Win32:Small-SK [Trj] hasn't been positively confirmed, you might want to schedule a boot-time scan and/or run Ewido Security Suite (http://www.ewido.net/en/) if using winXP, or a-Squared free (http://www.emsisoft.com/en/software/free/) if using win98/ME, preferably in safe mode.
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 30, 2006, 08:26:43 PM
Dr.Web antivirus link checker returned a clean message for both sites (ds4... and freeweb...). Scan with Bitdefender 8 free (updated) returned 0 found.
Did you receive the same message, 303 304 not found??

P.S. OK, now I'm pretty sure I'm not infected.
This is e-mail from Kaspersky Labs (they are very fast, 2-3 hours until they return a report for an infected object :)  )
Quote
Hello.

No malicious software was found on sites, only 404 error pages.

--
Regards, Sergey Golovanov
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on May 30, 2006, 09:04:40 PM
The boot time scan came back clean, and as mentioned, I've disabled prefetching in Fasterfox.

Thanks for the help guys. I learned a lot.  :)
Title: Re: avast detects prefetched trojan...
Post by: justin1278 on May 30, 2006, 09:11:07 PM
OrangeCrate,

That's great! Please come back to learn more and maybe help someone!
Title: Re: avast detects prefetched trojan...
Post by: YLAP on May 30, 2006, 09:30:26 PM
It really can be a false positive. I'll send it to ALWIL.



Title: Re: avast detects prefetched trojan...
Post by: Omar on May 31, 2006, 12:46:42 PM
I sent it to antivir they said:


We found a new virus in the attachment you have sent us.
The signature will be integrated in one of our next updates.
The signature of the virus will be detected as PHISH.CitiBkfrau.AQ
Title: Re: avast detects prefetched trojan...
Post by: YLAP on May 31, 2006, 01:41:48 PM
Oh, seems to be a new phishing tool or something... When I can say GOOD JOB ALWIL!  ;D Detected it in first place!
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 31, 2006, 01:47:55 PM
Quote
I sent it to antivir they said:


We found a new virus in the attachment you have sent us.
The signature will be integrated in one of our next updates.
The signature of the virus will be detected as PHISH.CitiBkfrau.AQ

Omar, can you please send me this file at jorasik@abv.bg Thank you
Title: Re: avast detects prefetched trojan...
Post by: Omar on May 31, 2006, 02:51:15 PM
Quote
I sent it to antivir they said:


We found a new virus in the attachment you have sent us.
The signature will be integrated in one of our next updates.
The signature of the virus will be detected as PHISH.CitiBkfrau.AQ

Omar, can you please send me this file at jorasik@abv.bg Thank you

I am happy to send it to you!

Would you like it in a password protected zip file?
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 31, 2006, 06:50:24 PM
Thank you Omar, file received. It's just a .txt file, isn't it?
Title: Re: avast detects prefetched trojan...
Post by: Omar on May 31, 2006, 06:54:04 PM
Neron, yes you are correct it is just a txt file!

I sent it to kaspersky, they said it does not contain a virus or trojan!

But antivir said it did. I'm a bit confused!
Title: Re: avast detects prefetched trojan...
Post by: Neron on May 31, 2006, 07:27:18 PM
Hey, I did the same and received the e-mail just 2 minutes ago. The same message: this file is clean. And I think it's really clean. It's just a report. Maybe something in it makes avast trigger the alarm, but this is not a dangerous object.
Title: Re: avast detects prefetched trojan...
Post by: Omar on June 01, 2006, 09:11:02 AM
antivir had added

PHISH/CitiBkfrau.AQ


http://www.avira.com/en/threats/section/vdfhistory/vdf_no/6.34.01.169/6.34.01.169.html

Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on June 01, 2006, 11:09:38 AM
Well, I'm glad that the trojan has been identified. Now back to the original point of the thread.

If you have the Fasterfox extension installed on Firefox, and you have enabled the enhanced prefetching option, be cautious.

Fasterfox can, and did prefetch this trojan from the search results on Google, and I assume any of the other search engines. If avast! had not caught it, I would have been infected.

Following DavidR's lead (though his was for a different reason), I have disabled the enhanced prefetching. Firefox seems to run pretty much the same as with it on (with NoScript and Adblock Plus still installed), which seems to be much faster than Firefox alone.

As they say, "an ounce of prevention is worth a pound of cure." Though avast! caught it this time, no program has a 100% success rate, so thinking ahead might be a good thing.
Title: Re: avast detects prefetched trojan...
Post by: Omar on June 01, 2006, 11:53:13 AM
How exactly do you disable enhanced prefetching?


In relation to that trojan, antivir e-mailed and now say:


We found a new virus in the attachment you have sent us.

The signature will be integrated in one of our next updates.

The signature of the virus will be detected as HTML.Dldr.180Solutions.

We thank you for your assistance.

Attachment(s) you sent:
robots.zip

Title: Re: avast detects prefetched trojan...
Post by: OrangeCrate on June 01, 2006, 12:28:12 PM
If you are using the Fasterfox extension for Firefox, open the extensions page under tools on Firefox. Highlight Fasterfox, and then click on the options button.

That will open the Fasterfox options page. Click on the second tab "Fasterfox", and if the "Enable Enhanced Prefetching" option is checked, uncheck it.

Edit:

If anyone decides to leave the prefetching option turned on, please do your web friends a favor, and change the preset from "Turbo Charged" to "Optimized". The "Turbo Charged" prefetching hammers the **** out of sites with small monthly bandwidth usage limits.