Avast WEBforum

Other => Viruses and worms => Topic started by: DavidR on August 25, 2007, 02:21:58 AM

Title: Virus on avast! Forums
Post by: DavidR on August 25, 2007, 02:21:58 AM
The forums would appear to have been hacked and an iFrame tag inserted into documents.

This iFrame tries to load a virus, see this post in particular but also read the whole topic as I was trying to find out why I was having problems posting.

See http://forum.avast.com/index.php?topic=30118.msg248384#msg248384
Title: Re: Virus on avast! Forums
Post by: Lisandro on August 25, 2007, 03:34:17 AM
I'm not seeing the virus (infection) but the forum is very very slow and I can't post easily... :'(
Title: Re: Virus on avast! Forums
Post by: DavidR on August 26, 2007, 12:29:45 AM
At first I didn't see any alert, but this was more to do with using Firefox, as it didn't seem to be vulnerable to this attack, but when I tested using Avant the web shield alerted as yours did.

Thankfully it appears fine now and the forums software has been updated to SMC 1.1.3 which had some security updates although it didn't mention what these were.
Title: Re: Virus on avast! Forums
Post by: Lisandro on August 26, 2007, 12:57:08 AM
At first I didn't see any alert, but this was more to do with using Firefox, as it didn't seem to be vulnerable to this attack, but when I tested using Avant the web shield alerted as yours did.
Thanks for the info. I'm glad to be using Firefox 8)

Thankfully it appears fine now and the forums software has been updated to SMC 1.1.3 which had some security updates although it didn't mention what these were.
Any other cosmetic change?
Any other features?
Title: Re: Virus on avast! Forums
Post by: DavidR on August 26, 2007, 01:05:53 AM
I wasn't paying much attention to what the changes were when I visited the site; I was looking to see what security patches were listed, to see if the problem we had was fixed with SMC 1.1.3.

http://www.simplemachines.org/community/index.php?topic=178757.msg1137729#msg1137729
Title: Re: Virus on avast! Forums
Post by: FreewheelinFrank on August 26, 2007, 07:59:51 AM
The forum was also infected with a JS Trojan which avast! doesn't detect:

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.25.0   2007.08.24   -
AntiVir   7.4.1.63   2007.08.25   HTML/Shellcode.Gen
Authentium   4.93.8   2007.08.25   -
Avast   4.7.1029.0   2007.08.25   -
AVG   7.5.0.484   2007.08.25   -
BitDefender   7.2   2007.08.26   -
CAT-QuickHeal   9.00   2007.08.25   -
ClamAV   0.91   2007.08.26   -
DrWeb   4.33   2007.08.26   VBS.Psyme.443
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5085   2007.08.24   -
Ewido   4.0   2007.08.25   Downloader.Psyme.kt
FileAdvisor   1   2007.08.26   -
Fortinet   2.91.0.0   2007.08.26   VBS/Agent.U!tr.dldr
F-Prot   4.3.2.48   2007.08.25   -
F-Secure   6.70.13030.0   2007.08.24   -
Ikarus   T3.1.1.12   2007.08.26   -
Kaspersky   4.0.2.24   2007.08.26   -
McAfee   5105   2007.08.24   -
Microsoft   1.2803   2007.08.26   -
NOD32v2   2484   2007.08.25   -
Norman   5.80.02   2007.08.24   -
Panda   9.0.0.4   2007.08.25   -
Prevx1   V2   2007.08.26   -
Rising   19.37.61.00   2007.08.26   -
Sophos   4.21.0   2007.08.25   Mal/JSShell-C
Sunbelt   2.2.907.0   2007.08.25   -
Symantec   10   2007.08.26   -
TheHacker   6.1.8.173   2007.08.26   -
VBA32   3.12.2.3   2007.08.26   -
VirusBuster   4.3.26:9   2007.08.25   -
Webwasher-Gateway   6.0.1   2007.08.26   Script.Shellcode.Gen

Found this in my Firefox cache. The latest version of Firefox doesn't seem to be vulnerable, but anybody visiting the forum with an older version may have been infected.

AVG Anti-Spyware may pick up the file in your Google cache if you use it and haven't cleaned up the cache.
Title: Re: Virus on avast! Forums
Post by: sanctuary24 on August 26, 2007, 03:09:20 PM
What could the virus/trojan do if you get infected as it blocked the first thing you mentioned but not the trojan?
Title: Re: Virus on avast! Forums
Post by: Lisandro on August 26, 2007, 03:11:59 PM
The forum was also infected with a JS Trojan which avast! doesn't detect
Does it have a name, I mean, the file in the Firefox cache?
Does cleaning the cache solve it?
Title: Re: Virus on avast! Forums
Post by: sanctuary24 on August 26, 2007, 03:17:40 PM
Will they release definitions to fix these viruses that were on their site?
Title: Re: Virus on avast! Forums
Post by: DavidR on August 26, 2007, 03:25:25 PM
The forum was also infected with a JS Trojan which avast! doesn't detect
Does it have a name, I mean, the file in the Firefox cache?
Does cleaning the cache solve it?

The name in the Firefox cache will be different on every system, as Firefox doesn't store the file using the same name but generates a random file name, and it doesn't include a file type.

In my cache it was E580511Bd01. Because of this change in the file name and no extension, I don't know how it would be activated (called or run) from within the Firefox cache. Clearing the cache should remove the file and any potential for harm. AVG-AS found nothing else outside the cache.
Title: Re: Virus on avast! Forums
Post by: DavidR on August 26, 2007, 03:29:33 PM
Will they release definitions to fix these viruses that were on their site?

First, these were not on the avast forum but on another site, activated in an injected iframe tag. I suggest you read the other topic I created (link in my first post) if you haven't already done so. It should give you a better idea of what happened.

Since I and, I assume, Frank have sent samples to avast, they will be included in due course.
Title: Re: Virus on avast! Forums
Post by: Lisandro on August 26, 2007, 03:30:36 PM
Will they release definitions to fix these viruses that were on their site?
1. We all hope that.
2. The virus wasn't in their website but in an iframe redirected.
3. It was an exploit (vulnerability) more than an infection.

Oops... David won again in speed.
Title: Re: Virus on avast! Forums
Post by: sanctuary24 on August 26, 2007, 03:47:04 PM
By vulnerability you mean that if your Windows system is patched up it should be fine?
Title: Re: Virus on avast! Forums
Post by: Rick F on August 26, 2007, 03:56:28 PM
By vulnerability you mean that if your Windows system is patched up it should be fine?

I think so. If the vulnerability is in fact... "Exploit-ANIfile.c", then KB925902 should have corrected this. My PC got this update in April, 2007.


http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx
Title: Re: Virus on avast! Forums
Post by: sanctuary24 on August 26, 2007, 04:09:34 PM
From my logs you are correct mate as the link you provided shows it was an animated cursor exploit

plus the trojan that was mentioned appears to only download other malicious code so be on the look out guys
Title: Re: Virus on avast! Forums
Post by: black_moon on August 26, 2007, 04:59:07 PM
my guess was right. the virus came from this site. well while i was browsing this forum avast detected a virus w/a name sysszxc.exe but couldn't remove it. if you click "move to chest" a pop-up tells you that "avast can't accessed the file because it is being used by another process". you have to disconnect first and do the scan. it was categorized by avast as a worm. here's the description: (i've got 4 of these)

name:      324123[1].htm      
original location:   C:\documents and settings\user\local settings\temporary internet files\content.IE5\ UVM98DB4
virus:      CVE-2007-0038

the virus disabled my task manager, preventing me from accessing it, even with all my security system alerted (winpatrol, avast, comodo FW). only spybot SD cleared my machine of this virus. it found kernelwind32.exe which avast did not (even w/thorough scan). spybot also fixed the task manager's registry that was modified by this virus. don't know if these 3 viruses are just actually one only with different names. BTW i disabled the web shield (maybe why i got infected). now i'm gonna activate the web shield from now on..


Title: Re: Virus on avast! Forums
Post by: Lisandro on August 26, 2007, 05:08:46 PM
my guess was right. the virus came from this site.
The forum software has an exploit and this vulnerability was used by the worm to infect from ANOTHER SITE.
If you disable WebShield, that's the problem... What is your Standard Shield sensitivity?
Also, if avast can't detect something, no provider will catch it... (for instance kernelwind32.exe).