Trojan horse embedded in Youtube Video.

[shockwavesn1per]

I was just watching a video on Youtube talking about malware removal when out of no where avast! warned me...

-
I can't confirm if this is a FP or not, so I'll need your help. 

Thanks.

[Lisandro]

Time to abort the connection... seems infected
Do you have a link of the video? (maybe editing to hxxp:\\ ... to not post a live link).

[shockwavesn1per]

Tech, am I in any potential danger???
I don't know the link, all I know was that I was watching a video about Avast!'s removal and detection rate.
It was from (it's not infected, just simply a Youtube channel):
http://www.youtube.com/user/mrizos
-
One of them... It's really odd because I don't really expect attacks from a legitimate video.
Problem is that I can't bring up a log from the avast! Resident Shields (or I'm not aware of).

[DavidR]

The video in itself might not be infected, though there is no guarantee that ther isn't malware on the page that is kicked off when you elect to run or load the video.

It isn't unusual to find something like this hiding behind something that you run to try and help yourself and youtube is I would say a high risk area along with other social networking sites...

Fortunately this was intercepted by the web shield so nothing should have got on your system.

[shockwavesn1per]

Hm, that is possible. Possibly from an ad? Or like from the "source" it is streaming from (sounds vague I know : P).
David, would you suggest I run a full scan (Thorough)?

[Jtaylor83]

Hi, there. it might be the background on the user's page that's causing the Web Shield to trigger the alarm.

[shockwavesn1per]

Hi jtaylor. I can't be sure, but it's possible. The video(s) were still there, active, even though I clicked "Abort Connection". A full scan came back clean.

[Jtaylor83]

I found the video that has the malware link on the video's description. It appears you're not the only one. This YouTuber had the same encounter.

(Note: I disabled the link)

hxxp://www.youtube.com/watch?v=05UcZvug5-U

[Lisandro]

The video(s) were still there, active, even though I clicked "Abort Connection". A full scan came back clean.

Maybe the problem was not the video itself but other components of the webpage... I think webshield blocked it and the full scanning confirmed that.

[DavidR]

<snip>
David, would you suggest I run a full scan (Thorough)?

Sorry I missed your post, sleeping I most likely would have suggested a Standard scan not Thorough.

Hi jtaylor. I can't be sure, but it's possible. The video(s) were still there, active, even though I clicked "Abort Connection". A full scan came back clean.

The videos would still be on YouTube avast can't delete content, the Abort Connection only aborts the infected/suspect content, which as has been said might not have actually been the video, but something else trying to be downloaded to your system.

The actual media file is less likely to be infected, though there have been instances where it may be crafted in a way to exploit a media player vulnerability. However if this were the case the detected malware name I would have thought would have some exploit rather than BV:DelFiles-P [trg]

The clean scan confirms that the detected file didn't get saved on your system (or it would have been detected again), so the web shield appears to have done its job.

[shockwavesn1per]

Well, avast! saved the day. Thanks DavidR and Tech.
What does the BV category mean in "BV:DelFiles-P [trg]"?

[DavidR]

I haven't come across it before, but I would guess some form of script language file (basic perhaps) there are 1382 signatures in the virus database for BV:

However my friend google helps out, http://www.virustotal.com/dk/analisis/f1e172ccfd9dbacdc0d585b5ae21d491, although this isn't in English, some of the other malware names for the avast BV:DelFiles indicate that this is a Batch Virus, e.g. it carries out a batch action to infect/delete stuff.

[shockwavesn1per]

http://www.virustotal.com/analisis/f1e172ccfd9dbacdc0d585b5ae21d491
-
Wow, that's scary O_O. Thanks for the help again. I'm glad avast! blocked it.

[DavidR]

You're welcome, there are times when poking around for more information can bring you out in a cold sweat

[shockwavesn1per]

Yeah, it sure does... Well, thanks again.