
Hmm? Any ideas?


8 replies to this topic

#1 Curiousp

Curiousp

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 24 June 2011 - 09:47 PM

My Mum looked up an article on some incident in Australia and when she clicked on the site, a warning from WOT indicated that the site was compromised and said to leave the site, and she told me she then clicked out of it. When I came home, I looked in the Nod32 quarantine and it said it blocked two redirector trojans that obviously wanted to redirect us to a malware site from this article, which Nod32 terminated. I did a scan of the computer and it found 1 item, which was a HTML/Iframe.b.gen virus in a Mozilla Firefox Cache file.

I did another scan with Malwarebytes and HitmanPro and they did not find anything.

Just wondering what the Iframe virus does, and has it taken any important data, as I will become a bit stressed if it has taken anything, as we are moving houses at the moment? My parents don't really know how to navigate the Internet safely, so I changed the WOT settings to block, not warn, so the site wouldn't load in the background. Any ideas of what I should do? I really don't want to do a system restore.

Thanks!


#2 Blathnat

Blathnat

  • Members
  • 224 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Canada
  • Local time:01:36 PM

Posted 24 June 2011 - 09:54 PM

You should be able to clear the browser cache by (Firefox) clicking tools>clear recent history. In Internet Explorer go to tools>internet options>delete browsing history. Then you can scan again to see if anything is found. Both browsers can be set to clear automatically when closed.

Edited by Blathnat, 24 June 2011 - 09:56 PM.


#3 Curiousp

Curiousp
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 24 June 2011 - 10:14 PM

Okay,

I have done that. I scanned and nothing was found. But should I be concerned that the Iframe virus has done anything malicious in the background or something? Nod hasn't detected any malicious activity until I scanned yesterday, and the incident happened a week ago, so I am unsure what to do next?

Thanks

#4 Curiousp

Curiousp
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 25 June 2011 - 02:35 AM

Bump

#5 Curiousp

Curiousp
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 25 June 2011 - 10:07 PM

Still no reply? :( Anybody have an answer?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:36 PM

Posted 25 June 2011 - 10:38 PM

HTML/Iframe.B.Gen is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

Looks like Nod blocked it and pulled the HTML/Iframe malware. Did it quarantine, clean or delete it...??? If so you are clean.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 Curiousp

Curiousp
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 25 June 2011 - 10:44 PM

Well this Iframe virus was found 7 days after the initial attempted trojan redirecting, but Nod terminated those trojans. Just wondering if the Iframe virus was disabled when the trojans were terminated and a non executable file was left and Nod detected it, or could it have been a false positive? I mean, there have been no signs of the virus executing which is pretty strange, and then Nod just happened to detect it a week after the terminated trojans.

Haha it's kinda weird. Any suggestions?

Thanks

#8 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:somewhere in time
  • Local time:06:36 PM

Posted 25 June 2011 - 11:05 PM

Hi Curiousp,

NOD has probably prevented the execution of the malware, or it was a false positive that was detected only now due to an update of the virus definitions or other parts of the software.
If the other scans found nothing, most likely your computer is clean.

Anyway I recommend you to change all your passwords in use, some may have been stolen if there was a real infection.

Edited by Clairvoyant, 25 June 2011 - 11:05 PM.


#9 Curiousp

Curiousp
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:36 AM

Posted 27 June 2011 - 09:32 PM

Hi Curiousp,

NOD has probably prevented the execution of the malware, or it was a false positive that was detected only now due to an update of the virus definitions or other parts of the software.
If the other scans found nothing, most likely your computer is clean.

Anyway I recommend you to change all your passwords in use, some may have been stolen if there was a real infection.



Hey, I don't think I need to worry about the situation anymore, and I believe I am clean. I just read this on F-Secure's site which says that the file only executes if you visit a malicious website (which Nod blocked) and then Nod killed the virus.

Additional Details
This malware will only affect a user who is browsing a malicious website, or a legitimate website which has been compromised. Unlike more straightforward trojan-downloaders, this malware does not directly download the malicious files itself, but rather redirects the user to malicious websites which perform the actual download automatically.

Upon execution, this malware uses Iframe tags to redirect the user to the malicious websites:

hxxp://user1.jzm018.cn/[...]/fxx.htm - Trojan-Downloader.JS.Agent.ckl
hxxp://jzm015.cn/[...]x.htm - redirects to ilink.html, flink.html
hxxp://jzm015.cn/[...]c.htm - Trojan-Downloader.JS.Agent.ckk

These sites will then subject the visitor to a drive-by download.

Yeah, I am not sure how to edit the links... frustrating

Edited by elise025, 29 June 2011 - 01:36 AM.
deactivated links ~Elise
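The following script is an added illustration of what boopme's description (post #6) and the F-Secure write-up quoted above actually refer to: a generic check for IFRAME tags that a visitor cannot see and that load content from a different host. It is not code from this thread, from ESET or from F-Secure; the sample page, every hostname in it and the function names are constructed for this example. Point `scan_html` at saved HTML (for instance a browser cache file exported to disk) together with the host the page was served from.

```python
"""Heuristic check for hidden, cross-site <iframe> tags in saved HTML.

Added example (not code from this thread, ESET or F-Secure). It imitates the
generic logic behind a detection name like HTML/Iframe.B.Gen: find <iframe>
elements that a visitor cannot see (zero/1px size, display:none,
visibility:hidden, positioned off-screen) and that load content from a host
other than the page's own. The sample page and all hostnames below are
constructed; the function names are this example's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '0' or '1px' into an int, else None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def _same_site(host, page_host):
    return host == page_host or host.endswith("." + page_host)


def iframe_reasons(attrs, page_host):
    """Return the suspicious traits of one iframe (empty list if it looks benign)."""
    hidden = []
    style = attrs.get("style", "")
    width, height = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        hidden.append("tiny or zero size")
    if re.search(r"(width|height)\s*:\s*[01](px)?\s*(;|$)", style, re.I):
        hidden.append("tiny or zero size via CSS")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        hidden.append("hidden via CSS")
    if re.search(r"(left|top)\s*:\s*-\d", style, re.I):
        hidden.append("positioned off-screen")
    if not hidden:
        # A visible cross-site iframe is ordinary (video embeds, ads); only
        # invisible frames are treated as the injected drive-by pattern.
        return []
    host = urlparse(attrs.get("src", "")).hostname
    if host and not _same_site(host, page_host):
        hidden.append("loads third-party host " + host)
    return hidden


def scan_html(html, page_host):
    """Scan one HTML document; return [{'src': ..., 'reasons': [...]}] for flagged iframes."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


# Constructed sample resembling a compromised article page (hosts are placeholders).
SAMPLE_HTML = """
<html><body>
<p>Article text.</p>
<iframe src="https://player.example-news.test/embed/1" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/x.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://redirector.invalid/c.htm" style="position:absolute;left:-9999px;top:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML, "example-news.test"):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

The visible embed from the page's own subdomain is not reported, while the two invisible frames pointing at another host are; this is why a scanner can flag a cached copy of a compromised page even though nothing was ever executed on the machine, and why a hit on a cache file does not by itself mean the drive-by payload ran.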




