HTML:Iframe-ZG [trj] False Positive maybe ??

[Ray crchjr]

I have a website that got hacked recently. It took us weeks to get it cleaned up. I still have one file that avast says contains a trojan. I had my host server scan the file and all other files on  my site and they say they are all clean. So is it avat thats wrong or are they wrong.  The file i have an issue with is for front page express 2003 and the file name is _vti_inf.html. any suggestions ?

[jefferson sant]

You could submit the file via email to avast lab
virus@avast.com  zipper and password, please.

Check the file VirusTotal - Multi engine on-line virus scanner Maximum file size: 64 MB
https://www.virustotal.com/en/

and report the findings here in the topic.

Submitting files from the Virus Chest to avast! virus Lab

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07

[walzz]

When visiting this URL - hxtp://www.409shop.com.hk/mic.htm  Avast blocks the page and reports 'HTML:Iframe-ZG [trj]'

This seems to be a false positive.  When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.

[DavidR]

Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Avast isn't the only one to consider it infected:
http://sitecheck.sucuri.net/results/www.409shop.com.hk/mic.htm
http://www.urlvoid.com/scan/409shop.com.hk/

There is a hidden iframe after the closing html tag which in itself is suspicious, this iframe links to a site that is considered malicious by avast.

[Pleuris]

I'm also getting the HTML:Iframe-ZG [Trj] popup on my site

http://sitecheck.sucuri.net/results/www.ksasintjozef.be

The code from the corfuparadise has been removed by me from all the pages that were infected. But still i get popups

[DavidR]

Well a re-scan of the securi.net link you provided is still indicating the site is still infected, see attached image.

EDIT: Also see http://urlquery.net/report.php?id=2146441.

[Pleuris]

well, i realy don't understand it anymore. Only sucuri.net and avast give a positive result. Every other way says the site is clean. Nobody can help me to get rid of the "problem"?

[DavidR]

Sucuri shows the files where these 'hidden' iframes tags are to be found, you have to either remove those pages relating to 404 and or find and remove the iframe tags.

The fact that this iframe tag is outside the closing HTML tag is also suspicious in its own right.

The first thing to ask yourself is, is that iframe tag legit, e.g. you created it and the location it is connecting to is correct (corfuparadise.gr).

[Pleuris]

there is NO iframe in the html. I removed it manually last week. Strangely sucuri still finds it.

[DavidR]

I can't account for it still being detected, but if you are using any content management software check its templates as it may be being inserted.

Are these two files that are being flagged by sucuri essential as I can't see why a javascript file would be required to handle a 404 error/issue. 404 errors can either be dealt with by default or the use of a custom 404 page and that doesn't require javascript.

[Pondus]

VirusTotal
https://www.virustotal.com/nb/file/e5c231419ee990fb4f344b2de63557395a68601a96f65237a667362a33b9bf66/analysis/1366976693/

quttera
http://quttera.com/detailed_report/www.ksasintjozef.be

zulu analyser
http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366977999

[!Donovan]

Hi Pleuris,

Of course they wouldn't provide you the iframe directly in the html. Then removing the malware would be somewhat easy, no?

DavidR is indeed correct. The 404 files still return the hidden iframe.

The report itself: http://www.UnmaskParasites.com/security-report/?page=www.ksasintjozef.be/404

Confirmed Malicious. See attached.

~!Donovan

[polonus]

Also see: http://sitecheck.sucuri.net/results/www.ksasintjozef.be
Here it is not detected or it must have been already cleansed: http://evuln.com/tools/malware-scanner/www.ksasintjozef.be/
But here 16 suspicious files are being listed: http://quttera.com/detailed_report/www.ksasintjozef.be
varous suspicious external elements flagged here: http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366979689
About cleansing counter.php malcode, read: http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html

polonus

[!Donovan]

Hi Polonus,

I do not think that evuln scanned a 404 page because this kind of iframe should've been detected. I tried to query the url with /404 but evuln itself returned a 404.

All links that were marked suspicious on Quttera lead to the 404 page, which is why they were detected.

~!Donovan

[polonus]

Hi !Donovan,

Makes sense, the more as Quttera is a realtime scanner, also http://evuln.com/tools/malware-scanner/corfuparadise.gr/

Damian