Author Topic: Virus on avast! Forums  (Read 12700 times)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83750
  • No support PMs thanks
Virus on avast! Forums
« on: August 25, 2007, 02:21:58 AM »
The forums would appear to have been hacked and an iFrame tag inserted into documents.

This iFrame tries to load a virus; see this post in particular, but also read the whole topic, as I was trying to find out why I was having problems posting.

See, http://forum.avast.com/index.php?topic=30118.msg248384#msg248384
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Virus on avast! Forums
« Reply #1 on: August 25, 2007, 03:34:17 AM »
I'm not seeing the virus (infection) but the forum is very very slow and I can't post easily... :'(
The best things in life are free.

Offline DavidR

Re: Virus on avast! Forums
« Reply #2 on: August 26, 2007, 12:29:45 AM »
At first I didn't see any alert, but this was more to do with using Firefox, as it didn't seem to be vulnerable to this attack; when I tested using Avant, the web shield alerted as yours did.

Thankfully it appears fine now and the forums software has been updated to SMC 1.1.3 which had some security updates although it didn't mention what these were.

Offline Lisandro

Re: Virus on avast! Forums
« Reply #3 on: August 26, 2007, 12:57:08 AM »
> At first I didn't see any alert, but this was more to do with using Firefox, as it didn't seem to be vulnerable to this attack; when I tested using Avant, the web shield alerted as yours did.
Thanks for the info. I'm glad to be using Firefox 8)

> Thankfully it appears fine now and the forums software has been updated to SMC 1.1.3 which had some security updates although it didn't mention what these were.
Any other cosmetic change?
Any other features?

Offline DavidR

Re: Virus on avast! Forums
« Reply #4 on: August 26, 2007, 01:05:53 AM »
I wasn't paying much attention to what the changes were when I visited the site; I was looking to see what security patches were listed, to see if the problem we had was fixed with SMC 1.1.3.

http://www.simplemachines.org/community/index.php?topic=178757.msg1137729#msg1137729

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Virus on avast! Forums
« Reply #5 on: August 26, 2007, 07:59:51 AM »
The forum was also infected with a JS Trojan which avast! doesn't detect:

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.25.0   2007.08.24   -
AntiVir   7.4.1.63   2007.08.25   HTML/Shellcode.Gen
Authentium   4.93.8   2007.08.25   -
Avast   4.7.1029.0   2007.08.25   -
AVG   7.5.0.484   2007.08.25   -
BitDefender   7.2   2007.08.26   -
CAT-QuickHeal   9.00   2007.08.25   -
ClamAV   0.91   2007.08.26   -
DrWeb   4.33   2007.08.26   VBS.Psyme.443
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5085   2007.08.24   -
Ewido   4.0   2007.08.25   Downloader.Psyme.kt
FileAdvisor   1   2007.08.26   -
Fortinet   2.91.0.0   2007.08.26   VBS/Agent.U!tr.dldr
F-Prot   4.3.2.48   2007.08.25   -
F-Secure   6.70.13030.0   2007.08.24   -
Ikarus   T3.1.1.12   2007.08.26   -
Kaspersky   4.0.2.24   2007.08.26   -
McAfee   5105   2007.08.24   -
Microsoft   1.2803   2007.08.26   -
NOD32v2   2484   2007.08.25   -
Norman   5.80.02   2007.08.24   -
Panda   9.0.0.4   2007.08.25   -
Prevx1   V2   2007.08.26   -
Rising   19.37.61.00   2007.08.26   -
Sophos   4.21.0   2007.08.25   Mal/JSShell-C
Sunbelt   2.2.907.0   2007.08.25   -
Symantec   10   2007.08.26   -
TheHacker   6.1.8.173   2007.08.26   -
VBA32   3.12.2.3   2007.08.26   -
VirusBuster   4.3.26:9   2007.08.25   -
Webwasher-Gateway   6.0.1   2007.08.26   Script.Shellcode.Gen

Found this in my Firefox cache. The latest version of Firefox doesn't seem to be vulnerable, but anybody visiting the forum with an older version may have been infected.

AVG Anti-Spyware may pick up the file in your Google cache if you use it and haven't cleaned up the cache.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline sanctuary24

  • Sr. Member
  • ****
  • Posts: 323
Re: Virus on avast! Forums
« Reply #6 on: August 26, 2007, 03:09:20 PM »
What could the virus/trojan do if you get infected, as it blocked the first thing you mentioned but not the trojan?

Offline Lisandro

Re: Virus on avast! Forums
« Reply #7 on: August 26, 2007, 03:11:59 PM »
> The forum was also infected with a JS Trojan which avast! doesn't detect
Does it have a name, I mean, the file in the Firefox cache?
Does cleaning the cache solve it?

Offline sanctuary24

Re: Virus on avast! Forums
« Reply #8 on: August 26, 2007, 03:17:40 PM »
Will they release definitions to fix these viruses that were on their site?

Offline DavidR

Re: Virus on avast! Forums
« Reply #9 on: August 26, 2007, 03:25:25 PM »
> > The forum was also infected with a JS Trojan which avast! doesn't detect
> Does it have a name, I mean, the file in the Firefox cache?
> Does cleaning the cache solve it?

The name in the Firefox cache will be different on every system, as Firefox doesn't store the file using the same name, but generates a random file name, and it doesn't include a file type.

In my cache it was E580511Bd01; because of this change in the file name and no extension, I don't know how it would be activated (called or run) from within the Firefox cache. Clearing the cache should remove the file and any potential for harm. AVG-AS found nothing else outside the cache.

Offline DavidR

Re: Virus on avast! Forums
« Reply #10 on: August 26, 2007, 03:29:33 PM »
> Will they release definitions to fix these viruses that were on their site?

First, these were not on the avast forum but on another site, activated in an injected iframe tag. I suggest you read the other topic I created (link in my first post) if you haven't already done so. It should give you a better idea of what happened.

Since I and, I assume, Frank have sent samples to avast, they will be included in due course.

Offline Lisandro

Re: Virus on avast! Forums
« Reply #11 on: August 26, 2007, 03:30:36 PM »
> Will they release definitions to fix these viruses that were on their site?
1. We all hope that.
2. The virus wasn't in their website but in an iframe redirected.
3. It was an exploit (vulnerability) more than an infection.

Oops... David won again in speed.

Offline sanctuary24

Re: Virus on avast! Forums
« Reply #12 on: August 26, 2007, 03:47:04 PM »
By vulnerability you mean that if your Windows system is patched up it should be fine?

Offline Rick F

  • Poster
  • *
  • Posts: 419
  • _______
Re: Virus on avast! Forums
« Reply #13 on: August 26, 2007, 03:56:28 PM »
> By vulnerability you mean that if your Windows system is patched up it should be fine?

I think so. If the vulnerability is in fact... "Exploit-ANIfile.c", then KB925902 should have corrected this. My PC got this update in April, 2007.

http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

Offline sanctuary24

Re: Virus on avast! Forums
« Reply #14 on: August 26, 2007, 04:09:34 PM »
From my logs you are correct, mate, as the link you provided shows it was an animated cursor exploit.

Plus the trojan that was mentioned appears to only download other malicious code, so be on the lookout, guys.
« Last Edit: August 26, 2007, 04:18:08 PM by sanctuary24 »