Author Topic: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?  (Read 30303 times)


Rodnev

  • Guest
I was browsing with Firefox just now, and I came upon a site (through Google) I haven't visited in a long time, but which I thought was to be trusted.

So I clicked on the link through Google, and the Avast scanner popped up stating the warning you see in the attachment (or the screenshot hosted on Flickr if you fancy it: http://farm3.static.flickr.com/2567/3746850517_03986e49f8_o.jpg)

So my questions are:

- Avast said not to panic, by pressing 'Abort connection' (Connectie afbreken) it would stop the virus before downloading the file to my computer (which I of course did). Can I be confident that the file did not find its way onto my computer?

- Second, is it a virus/worm? The file name (bestandsnaam) it blocked came from h**tp://netter.nl/mint/?js
Is mint not some software to analyse visitor statistics etc? Could this be a false alert?

First time I came upon this. Should I alert the webmaster?
« Last Edit: July 23, 2009, 01:10:59 PM by Rodnev »

cinchez

  • Guest
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #1 on: July 23, 2009, 12:59:58 PM »
avast! blocked the malicious script and your PC is safe^^

Cheers!^^

-AnimeLover^^

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #2 on: July 23, 2009, 02:33:49 PM »
Quote
- Avast said not to panic, by pressing 'Abort connection' (Connectie afbreken) it would stop the virus before downloading the file to my computer (which I of course did). Can I be confident that the file did not find its way onto my computer?

Yes. Avast just showed its remarkable efficiency at stopping viruses from getting on your computer.

Quote
- Second, is it a virus/worm? The file name (bestandsnaam) it blocked came from h**tp://netter.nl/mint/?js
Is mint not some software to analyse visitor statistics etc? Could this be a false alert?

This could be true... Unfortunately I am not a very advanced user so I would suggest waiting for some posts from the forum Gurus.

Quote
First time I came upon this. Should I alert the webmaster?

I would simply inform him that your Avast Antivirus (build 4.8... with the latest updates) gave you a warning message. I would also attach the photo you have in your post.

Cheers
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #3 on: July 23, 2009, 04:09:53 PM »
Well the actual .jpg image you gave the link to isn't infected, see image, so it is something behind the scenes hxxp://netters.nl/mint/?js in the alert image.

So the log-on script has been hacked as there is a hidden iFrame tag at the bottom of the page that tries to go to a Russian domain, see image3, so it looks like the netters.nl\mint site has been hacked.

http://www.mywot.com/scorecard/q3o.ru and http://www.google.com/interstitial?url=http://www.q3o.ru/, so this is also what avast is blocking.
« Last Edit: July 23, 2009, 04:11:41 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Rodnev

  • Guest
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #4 on: July 23, 2009, 04:16:23 PM »
The image I attached is a screenshot I took with prtsc which I then saved in paint :)
Could that have become infected then??

I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, I'm so paranoid when it comes to spyware etc ...

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #5 on: July 23, 2009, 04:19:26 PM »
DavidR is not referring to the pic you have attached but to the one you have mentioned in your first post..
« Last Edit: July 23, 2009, 04:33:36 PM by nmb »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #6 on: July 23, 2009, 04:28:09 PM »
Quote
The image I attached is a screenshot I took with prtsc which I then saved in paint :)
Could that have become infected then??
I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, I'm so paranoid when it comes to spyware etc ...

As nmb said my reference was to the link being clean.

The site with the problem is netters.nl/mint as the log-on script appears to have been hacked. So I hope it is that site's webmaster to whom you sent the email.

Welcome to the forums.

Rodnev

  • Guest
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #7 on: July 23, 2009, 05:58:33 PM »
Quote
DavidR is not referring to the pic you have attached but to the one you have mentioned in your first post..

Ah thx

Rodnev

  • Guest
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #8 on: July 23, 2009, 05:59:24 PM »
Quote
Quote
The image I attached is a screenshot I took with prtsc which I then saved in paint :)
Could that have become infected then??
I've sent the webmaster an email about it. It's up to him now to fix the problem.
I'm just sooo glad Avast got a hold of it, I'm so paranoid when it comes to spyware etc ...
As nmb said my reference was to the link being clean.
The site with the problem is netters.nl/mint as the log-on script appears to have been hacked. So I hope it is that site's webmaster to whom you sent the email.
Welcome to the forums.

Yep, I've sent an email to the netters.nl webmaster.

Thanks for the welcome and the explanation!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #9 on: July 23, 2009, 06:15:54 PM »
No problem, glad I could help.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #10 on: July 23, 2009, 07:30:08 PM »
Hi Rodnev,

Diagnostic page for q3o.ru

What is the current status of q3o.ru?
This site is listed as suspicious - visiting this site may harm your computer.

Part of this site was listed for suspicious activity 1 time over the past 90 days.

What happened when Google visited this site?
Of the 3 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-07-22. The last time suspicious content was found on this site was on 2009-07-22.
Malicious software includes 1 exploit(s).

This site was hosted on 15 network(s) including AS16276 (OVH), AS35470 (XL), AS20773 (HOSTEUROPE).

Has this site acted as an intermediary resulting in further distribution of malware?
It appears that q3o.ru has functioned over the past 90 days as an intermediary for the infection of 1 site(s), including ssail.ru/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. This software infected 4 domain(s), including eyewk.com/, ssail.ru/, qjunk.com/.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, after which we show this warning.

The original link appears clean according to the Wepawet scanner:
http://wepawet.iseclab.org/view.php?hash=6fa5526260cf478087189bf287c70c40&t=1248370103&type=js

Bad Stuff Detektor finds:

No zeroiframes detected!
Check took 2.50 seconds

(Level: 0) Url checked:
hxtp://netter.nl/mint/?js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (frame source)
hxtp://netter.nl/?pagesection=body
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
/unique/track.js?referrer=hxtp://netter.nl/mint/?js
Blank page / could not connect  (This could have been the malicious redirector)
No ad codes identified

The page netter.nl etc. no longer gives alerts from avast, so it has probably been cleaned,

regards,

polonus




« Last Edit: July 23, 2009, 08:24:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #11 on: July 23, 2009, 07:40:35 PM »
Quote
(Level: 0) Url checked:
http://netter.nl/mint/?js
Zeroiframes detected on this site: 0
No ad codes identified

Well they clearly missed the one in the second image I posted in Reply #3 above ;D

So the flaw is that it is looking for 0x0 iframes (zeroiframes); this one has an iframe 191x116, but has the attribute style="visibility: hidden". So we can't take that analysis at face value if it is only looking for 0x0 and not other width and height values when the iframe is also hidden.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
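
DavidR's point in Reply #11, as an added example (not code from the thread or from any scanner named in it): a check that only matches 0x0 iframes misses one that is 191x116 with style="visibility: hidden". The function names and the sample page are constructed for illustration, and the URLs are placeholders.

```python
import re
from html.parser import HTMLParser

def _px(value):
    # Leading integer of a width/height value, or None if absent or non-numeric.
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def hidden_reasons(attrs):
    """Reasons an iframe's own attributes hide it from the visitor (empty if none)."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = dict((p.strip().lower(), v.strip().lower()) for p, _, v in
                 (d.partition(":") for d in a.get("style", "").split(";")))
    reasons = []
    if style.get("visibility", "").startswith(("hidden", "collapse")):
        reasons.append("visibility:hidden")
    if style.get("display", "").startswith("none"):
        reasons.append("display:none")
    if "hidden" in a:
        reasons.append("hidden attribute")
    for dim in ("width", "height"):
        # HTML attribute or CSS dimension of 0 or 1 pixel is effectively invisible.
        for raw in (a.get(dim), style.get(dim)):
            n = _px(raw)
            if n is not None and n <= 1:
                reasons.append(dim + "<=1")
                break
    return reasons

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, reasons)
    def handle_starttag(self, tag, attrs):
        reasons = hidden_reasons(attrs) if tag == "iframe" else []
        if reasons:
            self.findings.append((dict(attrs).get("src") or "", reasons))

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: 191x116 + visibility:hidden follows the thread; URLs are placeholders.
SAMPLE = """<html><body>
<iframe src="http://video.example/embed" width="560" height="315"></iframe>
<iframe src="http://placeholder.invalid/a" width="191" height="116" style="visibility: hidden"></iframe>
<iframe src="http://placeholder.invalid/b" width="0" height="0"></iframe>
</body></html>"""
```

It inspects only each iframe's own attributes and inline style; hiding applied through a stylesheet class, a hidden parent element or script-written markup needs a check against the rendered DOM.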

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #12 on: July 23, 2009, 08:22:23 PM »
Hi DavidR,

Are you referring to this:
Code:
^script type="text/javascript"^
........ if(window.top != window) { document.write('<img src="/frame......../track.gif?referrer=about%3Ablank" style="height : 0; width : 0; border-width : 0; display: none" alt="" /^'); }
^/script><script type="text/javascript" src="/unique/track.js?referrer=about%3Ablank"^^/script^

And then there is this:

Code:
^frameset rows="100%,*" frameborder="no" border="0" framespacing="0"^.....
^frame src="hXttp://netter.nl/?pagesection=body" noresize="noresize" /^
^noframes^
^p^^a href="hXtp://netter.nl/?pagesection=body">Click Here</a> to continue</p>
^/noframes^

Your redirect I cannot trace there anymore....

polonus
« Last Edit: July 23, 2009, 08:26:17 PM by polonus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #13 on: July 23, 2009, 09:18:06 PM »
No, neither of those, as it was an iframe tag and not a script tag or frameset.

I downloaded the file in the OPs image, hXXp://netters.nl/mint/?js (the one I referred to and quoted from your results) and that has the iframe tag at the bottom. In fact I have just downloaded and saved it again and the iframe is still there, but now pointing to a different domain hxxp://xb4.in and same style hidden.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?
« Reply #14 on: July 23, 2009, 10:43:44 PM »
Hi DavidR,

Redirect to: No zeroiframes detected!
Check took 0.33 seconds

(Level: 0) Url checked:
hXtp://xb4.in
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

polonus