Author Topic: "HTML:IFrame-BB [Trj]"  (Read 6279 times)

fidmas

  • Guest
"HTML:IFrame-BB [Trj]"
« on: March 28, 2011, 04:57:57 PM »
Got an email with a .pps attached this morning.   Said it blocked what is "HTML:IFrame-BB [Trj]".  The log said the Delete operation failed.  The .pps was still attached.  Doesn't matter.  But, is there anywhere to find descriptions of these things.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37173
Re: "HTML:IFrame-BB [Trj]"
« Reply #1 on: March 28, 2011, 05:38:13 PM »
Quote
But, is there anywhere to find descriptions of these things.
as always.....Google is your friend  ;)

HTML:Iframe-inf wordpress Infection
http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/
http://www.youtube.com/watch?v=HXzLgY2f01U
« Last Edit: March 28, 2011, 05:51:29 PM by Pondus »

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #2 on: March 28, 2011, 06:07:11 PM »
This was IFrame-BB in a .pdf email attachment.  Don't think it's the same thing.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37173
Re: "HTML:IFrame-BB [Trj]"
« Reply #3 on: March 28, 2011, 06:40:29 PM »
The info is about HTML-iframes in general, but if you want the exact info on your -BB version then it is more complicated..

Then you need to send it to someone that can analyse it and give you the exact info...

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #4 on: March 28, 2011, 07:08:38 PM »
Well, since HTML:iFrame anything is meaningless in a .pdf attachment, the whole thing is strange.  Probably a false alarm.  I didn't realize avast didn't keep a list of infection definitions.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37173
Re: "HTML:IFrame-BB [Trj]"
« Reply #5 on: March 28, 2011, 07:18:46 PM »
Quote
I didn't realize avast didn't keep a list of infection definitions.
There is a Signature release history  http://www.avast.com/en-no/virus-update-history

But they don't have a detailed description of all samples.....
that would mean lots of manpower I guess to write it with all the malware produced every day


The best malware descriptions are usually found at Microsoft and Kaspersky....just remember the different AV vendors don't always use the same name on malware
so the best way to search is if you have the MD5 for the sample

http://www.securelist.com/en/threats/detect
http://www.microsoft.com/security/portal/




Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33450
  • malware fighter
Re: "HTML:IFrame-BB [Trj]"
« Reply #6 on: March 28, 2011, 07:19:19 PM »
This particular form of malware has been designed to get website-hits up by having visits from infected computers without the computer-user's consent or knowledge...

It is a so-called adjuggler iframe, a good write-up about this can be found here:
http://antivirus.about.com/od/spywareandadware/qt/TrojanClickerJSIframebb.htm

Removal instructions here: http://www.lodestarcomputer.com/content.php?347-Tips-On-How-To-Remove-The-Trojan-Clicker.JS.Iframe.bb
Also download and run Kaspersky's TDSSkiller, from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
Does it detect any infections?
If yes, let TDSSkiller remove it, restart your computer and run it again.
Attach the file(s) beginning with TDSSKiller located in your c:\ directory to your next post....

Users with No-Script extension in Firefox or NotScripts extension in GoogleChrome are not vulnerable to this malware.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37173
Re: "HTML:IFrame-BB [Trj]"
« Reply #7 on: March 28, 2011, 07:27:47 PM »
and in Polonus's second link you see an example of the name problem...

The one Kaspersky names Trojan-Clicker.JS.Iframe.bb is named HTML:Illiframe-D [Trj] by avast

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #8 on: March 28, 2011, 07:53:46 PM »
This was caught on my wife's computer by avast while downloading email.  A Malwarebytes and avast scan found nothing after that.

Are you saying download http://support.kaspersky.com/downloads/utils/tdsskiller.zip anyway?

I know the sender. She has passed the Malwarebytes scan.  Should I look further on their box?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: "HTML:IFrame-BB [Trj]"
« Reply #9 on: March 28, 2011, 08:03:31 PM »
Colour me confused as fidmas first reported this in a .pps attachment "Got an email with a .pps attached this morning."

Quote
Details for file extension: PPS - PowerPoint Slideshow (Microsoft Corporation)

Now that has changed to being in a pdf file, which is it ?

In either case iFrame injection into the file is possible so I wouldn't take it as an FP. PDFs are now being seen more in the viruses and worms forum as being infected, but not usually as iFrame infection.

If you still have the attachment, don't open it, save it to your hard disk and upload to virustotal for scanning.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder. Do this before you save the email attachment to this folder.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.11.2500 (build 21.11.6809.528) UI 1.0.683/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
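Added example, not part of the thread or any poster's code: a static look at a saved attachment that never opens it in a viewer. It computes the MD5 and SHA-256 used for vendor and VirusTotal lookups and searches the raw bytes, plus any zlib-inflatable PDF streams, for literal iframe tags. The function names and the sample bytes are constructed for illustration; a .pps file only gets the raw-byte scan.

```python
import hashlib
import re
import zlib

# Opening <iframe ...> tag and its src attribute, matched on raw bytes.
IFRAME_RE = re.compile(rb"<\s*iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Body of a PDF stream object; many are Flate (zlib) compressed.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def find_iframes(blob, where):
    """List iframe tags found in blob, recording where they were seen."""
    hits = []
    for tag in IFRAME_RE.finditer(blob):
        src = SRC_RE.search(tag.group(0))
        hits.append({"where": where, "offset": tag.start(),
                     "src": src.group(1).decode("latin-1") if src else None})
    return hits

def inflate_streams(data):
    """Yield (index, bytes) for each PDF stream that zlib can inflate."""
    for i, m in enumerate(STREAM_RE.finditer(data)):
        try:
            yield i, zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (other filter or plain text): skip

def triage(data):
    """Hash the bytes and scan raw content and inflated streams."""
    hits = find_iframes(data, "raw")
    for i, plain in inflate_streams(data):
        hits += find_iframes(plain, f"stream {i}")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "iframes": hits}

def triage_file(path):
    """Read a saved attachment as bytes only; nothing is rendered or run."""
    with open(path, "rb") as fh:
        return triage(fh.read())

# Constructed sample (not a real detection): one literal tag, one in a stream.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<IFRAME SRC='http://example.invalid/a'>\nendobj\n"
          b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b'<iframe src="http://example.invalid/b" width="0"></iframe>')
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for hit in triage(SAMPLE)["iframes"]:
        print(hit)
```

An empty `iframes` list does not show the file is clean, since content can sit behind other stream filters or encodings; the hashes are what you search on or compare with a VirusTotal report.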

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #10 on: March 28, 2011, 08:54:04 PM »
Sorry if there's any confusion guys.  This morning my wife downloaded her email.  Avast found the iFrame-BB while downloading an email and said "no further action required".  She doesn't mess around with this stuff.  She found the offending email and deleted it, and deleted it from the "Deleted Items".  Never opened it.  Never opened the offending .pdf attachment.  She ran a full scan with Malwarebytes and avast.  Clean as I expected.

My main concern is for the person who sent it, unless you think I'm too confident?

Are you folks saying there is something to test for this infection?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37173
Re: "HTML:IFrame-BB [Trj]"
« Reply #11 on: March 28, 2011, 09:01:39 PM »
Quote
Are you folks saying there is something to test for this infection?
yes, suspicious file(s) can be uploaded to www.virustotal.com and tested with 43 malware scanners to see if any detect..
when you have the result you can then copy the url in the address bar and for example post it here for us to see..

Here is an example
http://www.virustotal.com/file-scan/report.html?id=b155f733a4a76a5f2f1cf2bedfa0cbf998d5ea483e7061f54d9d54a325ad1358-1284903634


Quote
My main concern is for the person who sent it, unless you think I'm too confident?
well the mail "from address" can be faked by the spammers, so do you know if this person has this mail...did she open the attachment ?
« Last Edit: March 28, 2011, 09:09:32 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86131
  • No support PMs thanks
Re: "HTML:IFrame-BB [Trj]"
« Reply #12 on: March 28, 2011, 09:11:58 PM »
First as an attachment, you have nothing to worry about if it isn't opened, which it wasn't.

As far as something to test for this infection, other than your current security applications (though I don't believe you actually need to run any other scans) ?

So I would suggest cleaning out the redundant stuff in your signature and just have it on a single line (let it break/wrap naturally) and not split it over 6 lines. Then include your avast version and any other security software, check other people's signatures for an idea of what to include.

The idea of sending the sample to virustotal as I mentioned is to confirm the detection (or otherwise) as VT has 43 different scanners. Since it has been deleted that option is toast.

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #13 on: March 28, 2011, 09:39:56 PM »
Quote
Are you folks saying there is something to test for this infection?
yes, suspicious file(s) can be uploaded to www.virustotal.com and tested with 43 malware scanners to see if any detect..
when you have the result you can then copy the url in the address bar and for example post it here for us to see..

Here is an example
http://www.virustotal.com/file-scan/report.html?id=b155f733a4a76a5f2f1cf2bedfa0cbf998d5ea483e7061f54d9d54a325ad1358-1284903634


Quote
My main concern is for the person who sent it, unless you think I'm too confident?
well the mail "from address" can be faked by the spammers, so do you know if this person has this mail...did she open the attachment ?

Thanks.  As I indicated, my wife deleted the mail with the attachment, so there is no file to test.

I do know the person who sent her the .pps and she indeed did send it.  She comes up clean on a Malwarebytes scan, and I think, an AVG scan.  I'll have to call back.

Is there something better to find that infection on her (the sender's) box?

Just trying to help them before I have to go drive over and fix more.

/Bob
--

fidmas

  • Guest
Re: "HTML:IFrame-BB [Trj]"
« Reply #14 on: March 28, 2011, 09:46:01 PM »
Quote
First as an attachment, you have nothing to worry about if it isn't opened, which it wasn't.

As far as something to test for this infection, other than your current security applications (though I don't believe you actually need to run any other scans) ?

So I would suggest cleaning out the redundant stuff in your signature and just have it on a single line (let it break/wrap naturally) and not split it over 6 lines. Then include your avast version and any other security software, check other people's signatures for an idea of what to include.

The idea of sending the sample to virustotal as I mentioned is to confirm the detection (or otherwise) as VT has 43 different scanners. Since it has been deleted that option is toast.

Yeah.  Someone just HAD to have it that way, so I did it a while back.  This'll be the 3rd change to that signature........