Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: fidmas on March 28, 2011, 04:57:57 PM

Title: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 04:57:57 PM
Got an email with a .pps attached this morning. Said it blocked what is "HTML:IFrame-BB [Trj]". The log said the Delete operation failed. The .pps was still attached. Doesn't matter. But is there anywhere to find descriptions of these things?
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 05:38:13 PM
Quote
But is there anywhere to find descriptions of these things?
As always... Google is your friend ;)

HTML:Iframe-inf wordpress Infection
http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/
http://www.youtube.com/watch?v=HXzLgY2f01U
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 06:07:11 PM
This was IFrame-BB in a .pdf email attachment.  Don't think it's the same thing.
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 06:40:29 PM
The info is about HTML-iframes in general, but if you want the exact info on your -BB version then it is more complicated..

Then you need to send it to someone that can analyse it and give you the exact info...
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 07:08:38 PM
Well, since HTML:iFrame anything is meaningless in a .pdf attachment, the whole thing is strange. Probably a false alarm. I didn't realize avast didn't keep a list of infection definitions.
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 07:18:46 PM
Quote
I didn't realize avast didn't keep a list of infection definitions.
There is a Signature release history  http://www.avast.com/en-no/virus-update-history

But they don't have a detailed description of all samples...
that would mean lots of manpower, I guess, to write it with all the malware produced every day.

The best malware descriptions are usually found at Microsoft and Kaspersky... just remember the different AV vendors don't always use the same name for malware,
so the best way to search is if you have the MD5 for the sample.

http://www.securelist.com/en/threats/detect
http://www.microsoft.com/security/portal/



Title: Re: "HTML:IFrame-BB [Trj]"
Post by: polonus on March 28, 2011, 07:19:19 PM
This particular form of malware has been designed to get website-hits up by having visits from infected computers
without the computer-user's consent or knowing...

It is a so-called adjuggler iframe; a good write-up about this can be found here:
http://antivirus.about.com/od/spywareandadware/qt/TrojanClickerJSIframebb.htm

Removal instructions here: http://www.lodestarcomputer.com/content.php?347-Tips-On-How-To-Remove-The-Trojan-Clicker.JS.Iframe.bb
Also download and run Kaspersky's TDSSkiller, from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Does it detect any infections?
If yes, let TDSSkiller remove it, restart your computer and run it again.
Attach the file(s) beginning with TDSSKiller located in your c:\ directory to your next post....

Users with the No-Script extension in Firefox or the NotScripts extension in Google Chrome are not vulnerable to
this malware.

polonus

Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 07:27:47 PM
And in Polonus's second link you see an example of the name problem...

The one Kaspersky names Trojan-Clicker.JS.Iframe.bb is named HTML:Illiframe-D [Trj] by avast.
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 07:53:46 PM
This was caught on my wife's computer by avast while downloading email.  A Malwarebytes and avast scan found nothing after that.

Are you saying download http://support.kaspersky.com/downloads/utils/tdsskiller.zip anyway?

I know the sender. She has passed the Malwarebytes scan.  Should I look further on their box?
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: DavidR on March 28, 2011, 08:03:31 PM
Colour me confused as fidmas first reported this in a .pps attachment "Got an email with a .pps attached this morning."

Quote
Details for file extension: PPS - PowerPoint Slideshow (Microsoft Corporation)

Now that has changed to being in a pdf file, which is it ?

In either case iFrame injection into the file is possible so I wouldn't take it as an FP. PDFs are now being seen more in the viruses and worms forum as being infected, but not usually as iFrame infection.

If you still have the attachment, don't open it, save it to your hard disk and upload to virustotal for scanning.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder. Do this before you save the email attachment to this folder.
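
An added example, not part of the original thread: a static triage of a saved attachment that computes the MD5 and SHA-256 Pondus suggests searching by (vendor names differ, hashes do not) and lists iframe tags without opening or rendering the file, as DavidR advises. The names `triage` and `IframeFinder`, the sample bytes and the "hidden frame" heuristics are assumptions made for illustration and are not Avast's detection logic.

```python
import hashlib
import re
import sys
from html.parser import HTMLParser

# Constructed sample: one visible iframe and two hidden ones (placeholder URLs).
SAMPLE = b"""<html><body><p>Holiday slideshow</p>
<iframe src="http://example.com/player" width="640" height="360"></iframe>
<iframe src="http://example.invalid/a" width="0" height="0"></iframe>
<IFRAME SRC="http://example.invalid/b" style="visibility: hidden"></IFRAME>
</body></html>"""

# Assumed heuristics for "the user never sees this frame"; not a vendor signature.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}

class IframeFinder(HTMLParser):
    """Collects (src, hidden) for every iframe start tag; nothing is rendered."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "").strip() for k, v in attrs}
        hidden = (a.get("width", "").lower() in TINY
                  or a.get("height", "").lower() in TINY
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.found.append((a.get("src", ""), hidden))

def triage(data: bytes) -> dict:
    """Hash the raw bytes and list iframe tags found in uncompressed markup."""
    finder = IframeFinder()
    finder.feed(data.decode("latin-1"))  # latin-1 decodes any byte sequence
    finder.close()
    return {
        "md5": hashlib.md5(data).hexdigest(),        # vendor encyclopedia searches
        "sha256": hashlib.sha256(data).hexdigest(),  # multi-scanner lookups
        "iframes": len(finder.found),
        "hidden_srcs": [src for src, hidden in finder.found if hidden],
    }

if __name__ == "__main__":
    # Pass the path of the saved attachment, or run on the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

The scan only sees markup stored as plain text: a .pps container or a PDF with compressed streams can hide it, so a count of zero iframes does not clear the file, while the hashes remain usable for lookups either way.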
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 08:54:04 PM
Sorry if there's any confusion guys. This morning my wife downloaded her email. Avast found the iFrame-BB while downloading an email and said "no further action required". She doesn't mess around with this stuff. She found the offending email and deleted it, and deleted it from the "Deleted Items". Never opened it. Never opened the offending .pdf attachment. She ran a full scan with Malwarebytes and avast. Clean as I expected.

My main concern is for the person who sent it, unless you think I'm too confident?

Are you folks saying there is something to test for this infection?
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 09:01:39 PM
Quote
Are you folks saying there is something to test for this infection?
Yes, suspicious file(s) can be uploaded to www.virustotal.com and tested with 43 malware scanners to see if any detect it.
When you have the result you can then copy the URL in the address bar and, for example, post it here for us to see.

Here is an example
http://www.virustotal.com/file-scan/report.html?id=b155f733a4a76a5f2f1cf2bedfa0cbf998d5ea483e7061f54d9d54a325ad1358-1284903634


Quote
My main concern is for the person who sent it, unless you think I'm too confident?
Well, the mail "from address" can be faked by the spammers, so do you know if this person has this mail... did she open the attachment?
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: DavidR on March 28, 2011, 09:11:58 PM
First as an attachment, you have nothing to worry about if it isn't opened, which it wasn't.

As far as something to test for this infection, other than your current security applications (though I don't believe you actually need to run any other scans) ?

So I would suggest cleaning out the redundant stuff in your signature and just have it on a single line (let it break/wrap naturally) and not split it over 6 lines. Then include your avast version and any other security software; check other people's signatures for an idea of what to include.

The idea of sending the sample to virustotal as I mentioned is to confirm the detection (or otherwise) as VT has 43 different scanners. Since it has been deleted that option is toast.
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 09:39:56 PM
Quote
Are you folks saying there is something to test for this infection?
Yes, suspicious file(s) can be uploaded to www.virustotal.com and tested with 43 malware scanners to see if any detect it.
When you have the result you can then copy the URL in the address bar and, for example, post it here for us to see.

Here is an example
http://www.virustotal.com/file-scan/report.html?id=b155f733a4a76a5f2f1cf2bedfa0cbf998d5ea483e7061f54d9d54a325ad1358-1284903634


Quote
My main concern is for the person who sent it, unless you think I'm too confident?
Well, the mail "from address" can be faked by the spammers, so do you know if this person has this mail... did she open the attachment?

Thanks.  As I indicated, my wife deleted the mail with the attachment, so there is no file to test.

I do know the person who sent her the .pps and she indeed did send it.  She comes up clean on a Malwarebytes scan, and I think, an AVG scan.  I'll have to call back.

Is there something better to find that infection on her (the sender's) box?

Just trying to help them before I have to go drive over and fix more.

/Bob
--
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 09:46:01 PM
Quote
First as an attachment, you have nothing to worry about if it isn't opened, which it wasn't.

As far as something to test for this infection, other than your current security applications (though I don't believe you actually need to run any other scans) ?

So I would suggest cleaning out the redundant stuff in your signature and just have it on a single line (let it break/wrap naturally) and not split it over 6 lines. Then include your avast version and any other security software; check other people's signatures for an idea of what to include.

The idea of sending the sample to virustotal as I mentioned is to confirm the detection (or otherwise) as VT has 43 different scanners. Since it has been deleted that option is toast.

Yeah.  Someone just HAD to have it that way, so I did it a while back.  This'll be the 3rd change to that signature........
Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 09:50:39 PM
Quote
I do know the person who sent her the .pps and she indeed did send it.
If you find the mail in the inbox/sent items then, as suggested, you may upload the attachment to VirusTotal and test it.

Did she forward the mail or did the machine do this all by itself?


Quote
She comes up clean on a Malwarebytes scan....
Was Malwarebytes updated before the scan?


Title: Re: "HTML:IFrame-BB [Trj]"
Post by: fidmas on March 28, 2011, 10:01:07 PM
Quote
I do know the person who sent her the .pps and she indeed did send it.
If you find the mail in the inbox/sent items then, as suggested, you may upload the attachment to VirusTotal and test it.

Did she forward the mail or did the machine do this all by itself?


Quote
She comes up clean on a Malwarebytes scan....
Was Malwarebytes updated before the scan?

It was another forwarded email, attachment and all. Just like they all do.........

Malwarebytes was updated the night before.  That's about 9 hours earlier.

Title: Re: "HTML:IFrame-BB [Trj]"
Post by: Pondus on March 28, 2011, 11:13:40 PM
Quote
Malwarebytes was updated the night before.  That's about 9 hours earlier.
Malwarebytes can have 10 updates in a day.