Author Topic: HTML:Iframe-ZG [trj] False Positive maybe ??  (Read 28091 times)


Pleuris

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #15 on: April 27, 2013, 09:37:16 AM »
I'm happy you are helping me to solve the problem. But to be honest, you might as well talk Chinese.

I can't seem to locate the 404 page on the server. When I start www.ksasintjozef.be I get a different popup from avast

http://www.avast.com/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_80_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_vir=HTML:Iframe-ZG%20[Trj]&p_prc=C:\Program%20Files%20%28x86%29\Mozilla%20Firefox\firefox.exe&p_obj=http://ksasintjozef.be/favicon.ico&p_var=.%2Ffa%2Fnl-be%2Fvirus-alert-default&p_pro=0&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=114&p_lng=nl&p_lid=nl-be&p_elm=7&p_vbd=1483

In case you were wondering, it's the first time I'm trying to solve virus/malware on a site :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #16 on: April 27, 2013, 09:40:48 AM »
Sucuri will help you....for a fee   http://sucuri.net/signup


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #17 on: April 27, 2013, 01:32:21 PM »
If you would, please post the contents of your .htaccess file in your next reply. It is located at the root folder of your website and is a hidden file.

Thanks,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Pleuris

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #18 on: April 27, 2013, 02:38:43 PM »
This is it:

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_flag max_execution_time 500
php_flag max_input_time 500
« Last Edit: April 27, 2013, 02:40:58 PM by Pleuris »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #19 on: April 27, 2013, 03:55:24 PM »
Based on the information you provide, the default 404 files should be used.

Are you sure that you are unable to find a filename containing "404" anywhere on your server? Not even 404.php or 404.shtml?

Pleuris

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #20 on: April 27, 2013, 06:19:56 PM »
There doesn't seem to be anything named (or containing) 404 on the site...

Maybe if I make a completely clean 404.html?

I'm trying to reach the helpdesk, but they haven't reported back to me the last few days.




Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #21 on: April 27, 2013, 06:32:07 PM »
Hi Pleuris,

Please add the following code to your .htaccess:

Code:
ErrorDocument 404 /index.html
All URLs returning the 404 error code should redirect to the homepage, thus preventing the default 404 page from being executed.

~!Donovan

Pleuris

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #22 on: April 27, 2013, 07:44:33 PM »
Thanks a lot!

I rebooted my computer and opened the page. Not a single popup  :D

I hope it stays like this. If you are ever near, let me know. I owe you several beers.
« Last Edit: April 27, 2013, 07:48:54 PM by Pleuris »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #23 on: April 27, 2013, 07:48:11 PM »
You're welcome. :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #24 on: April 27, 2013, 07:50:24 PM »
Quote
I owe you several beers.
hmmm.... you have to wait a couple of years then, or his dad gets mad at you   ;D


OBS...and Sucuri now gives it clean   ;)   http://sitecheck.sucuri.net/results/www.ksasintjozef.be


Pleuris

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #25 on: April 27, 2013, 07:57:56 PM »
Indeed, nothing can be found. I'm a very happy guy now.

BTW, in Belgium you may start to drink when you are 16. The city we are in is world-famous because of our Carnaval. Google oilsjt carnaval :)

DeanZiegler

  • Guest
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #26 on: May 09, 2013, 11:09:27 PM »
Hi guys,

I'm having the same issue on our site - systems2win.com.
Same iframe-zg trojan
Same 404 error behavior

I won't bore you with the other steps we have taken to remove the trojan from infecting our web menus...
The root problem is that the trojan still remains active -
and the way that it manifests now is by appearing whenever a 404 error is triggered anywhere on our site.

Adding the suggested line of code to the htaccess file in our FTP folder somehow prevents our users from using their password to access FTP,

and that solution doesn't do anything for all of the other folders on our site - which I don't believe have an htaccess file.

It seems that with this solution, the trojan is being allowed to continue to exist, while simply trying to avoid triggering it.
Does anyone have any ideas for how to completely eliminate the Trojan?

One clue...
I notice that Avast gives the warning dialog when the Google Toolbar version of the 404 error appears -
and does not give the warning dialog when the regular 404 error appears (immediately following the Google Toolbar version),
but I'm not sure whether this is just because it has already given the warning - or because the warning is actually associated with the Google Toolbar dialog itself.

Any thoughts?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #27 on: May 09, 2013, 11:25:06 PM »
@DeanZiegler

Virus and false positive problems should be posted in the Viruses and Worms forum section

Sucuri report for your URL  http://sitecheck.sucuri.net/results/systems2win.com
Malware entry: MW:IFRAME:ENC1560   http://labs.sucuri.net/db/malware/malware-entry-mwiframeenc1560

and Virustotal gives a 14/46 infected score
https://www.virustotal.com/en/file/1beea3ce441805a6b620114acf2bee5ae6b0da831960ebba32a02b680691170f/analysis/1368134652/


Quote
Does anyone have any ideas for how to completely eliminate the Trojan?
you may ask Sucuri for help?   http://sucuri.net/signup



« Last Edit: May 09, 2013, 11:29:18 PM by Pondus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #28 on: May 10, 2013, 12:03:56 AM »
Hi DeanZiegler,

Yes, the code above merely prevents the default 404 page from being executed and thus stops the malicious code from being executed.

What other steps have you tried to remove this malware from your site?

~!Donovan

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #29 on: May 10, 2013, 08:44:09 AM »
Quote
When visiting this URL - hxtp://www.409shop.com.hk/mic.htm  Avast blocks the page and reports 'HTML:Iframe-ZG [trj]'

This seems to be a false positive.  When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.
Hello,
there is a hidden iframe after the ending html tag, which leads to "axcent-eshop.com/counter.php".

Milos
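
Added example, not part of the original thread and not Avast's detection logic: a small audit that flags the two things discussed above, an iframe placed after the closing html tag and an iframe made invisible, in any page body you feed it (for instance the saved body of a 404 response). The names `IframeAudit` and `audit`, the size threshold and the sample page are assumptions made up for this illustration.

```python
import re
from html.parser import HTMLParser

# Hints that an iframe is meant to be invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "0px", "1", "1px"}

class IframeAudit(HTMLParser):
    """Collect iframes that are hidden or that appear after </html>."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.findings = []  # (reason, src, line number)

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src, line = a.get("src", ""), self.getpos()[0]
        if self.html_closed:
            self.findings.append(("after-closing-html", src, line))
        if (HIDDEN_STYLE.search(a.get("style", ""))
                or a.get("width", "").lower() in TINY
                or a.get("height", "").lower() in TINY):
            self.findings.append(("hidden", src, line))

def audit(markup):
    """Return the findings for one HTML document given as a string."""
    parser = IframeAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: an error page with an iframe appended after </html>.
SAMPLE = """<html><body><h1>Not Found</h1>
<iframe src="/help.html" width="600" height="400"></iframe>
</body></html>
<iframe src="http://injected.example/counter.php" width="1" height="1"></iframe>
"""

if __name__ == "__main__":
    for reason, src, line in audit(SAMPLE):
        print(f"line {line}: {reason}: {src}")
```

Running it over every HTML and template file pulled from the server, as well as over the body the server actually returns for a nonexistent URL, shows whether the injection is still present after an `ErrorDocument` change has stopped the alert.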