Avira false positive or an actual exploit?
hekegeous
November 19th, 2007, 10:50 AM
Two days ago I tried opening a very well known online store and got a heuristics detection warning by Avira (HEUR/Exploit.HTML). After some snooping around I found a 0x0px iframe in the source loading an ad serving company URL (zedo.com), which is essentially an obfuscated JS file which I have no idea how to deobfuscate. The URL of the store is www. n e i m a n m a r c u s .com -> remove spaces to visit; since it could turn out to be an actual exploit there, I'd rather not make it clickable / easily openable. Anyone who knows what they are doing willing to let me know if they get the same detection?
The javascript it is loading is c1 . ze do . com/ pbar / v1-600 / c1/ jsc / bh_iframe.js
I somehow don't like the sound of "bar" and "bh" in a 0x0 obfuscated JS script url, but maybe I'm just paranoid.
Any enthusiasts feel like taking a closer look? I would really like to know if the machine got something through a real exploit or was it Avira doing its job too enthusiastically and taking the 0x0 iframe with an obfuscated JS in it as good enough of a reason to call it shady?
Any input on the matter would be highly appreciated.
bigc73542
November 19th, 2007, 11:17 AM
I just went there with Avira Premium and clicked all the links and sections and got no warnings. Here are my version stats. You might have a false positive. You could put it in VirusTotal if you have it.
hekegeous
November 19th, 2007, 11:24 AM
Thanks,
After I got that detection warning I did an "Access deny" and tried running a full system scan, which resulted in a black screen and buggy mouse movement which made me shut down that PC and not turn it on until I know what's happening, so I don't have the file that was supposedly infected. I'm using the free version, but AFAIK the detection engine and rules are the same as in Premium?
bigc73542
November 19th, 2007, 11:29 AM
I am not sure if Avira will run in safe mode, but if I were you I would try a full scan in safe mode to see if it will detect and remove the problem. Or you might do a System Restore to before the problem.
hekegeous
November 19th, 2007, 11:32 AM
{QUOTE-> I am not sure if Avira will run in safe mode, but if I were you I would try a full scan in safe mode to see if it will detect and remove the problem. <-QUOTE}
I will do that now and see what happens. Will report back with results. Thanks!
bigc73542
November 19th, 2007, 11:36 AM
You might also try one of the online scans that can be found here: http://www.google.com/search?client=opera&rls=en&q=online+av+scans&sourceid=opera&ie=utf-8&oe=utf-8
hekegeous
November 19th, 2007, 12:41 PM
Full scan in safe mode didn't find anything. Funny thing is, the file that was supposedly infected (found the name in the event log) is no longer in the IE7 Low cache folder, while the rest of the temporary files from that day are still there. Why/how did it go away on its own?
bigc73542
November 19th, 2007, 12:45 PM
If Avira denied access it might not have allowed it to remain on the comp.
212eta
November 19th, 2007, 01:32 PM
I decided to download the freeware version of AVIRA (i.e. AntiVir Personal Edition Classic v 7.0.6) and see by myself. Keep in mind three (3) things:
1) I had just formatted my PC (with just WinXP Pro SP2 and installed drivers from some manufacturers' CDs: motherboard, monitor etc.)
2) avira.com was the only site I visited before installing avira.
3) On purpose, I did NOT change any setting of the configuration.
I updated Avira and started a FULL scan.
The result? Fast enough BUT FULL of False Positives :thumbd::thumbd::thumbd:
To be fair, this is something I also faced when I tried BitDefender AV 2008!:thumbd: :thumbd: :thumbd:
A few hours ago, I downloaded the trial version of G DATA AntiVirusKit 2007.
This is a superior product!:thumb::thumb::thumb: No comparison at ALL with AVIRA:thumbd::thumbd::thumbd:
After the problems of NOD32 v3 and KAV 7.0, I am seriously thinking of buying
G DATA AntiVirusKit 2007!
fredra
November 19th, 2007, 01:44 PM
Hi bigc and hek
This is strange .... I got the same notification from APSS and I had to deny.
I think it must be a FP
bigc is usually accurate, and that is why I think it is strange
Cheers
19monty64
November 19th, 2007, 02:18 PM
I decided to download the freeware version of AVIRA and see by myself. Keep in mind three (3) things:
1) I had just formatted my PC (with just WinXP Pro SP2 and installed drivers from some manufacturers' CDs: motherboard, monitor etc.)
2) avira installer was on CD so I didn't use internet at all
3) On purpose, I did NOT change any setting of the configuration.
I updated Avira and started a FULL scan.
The result? Fast enough (under 12 mins.) and not a single false positive. *****:thumb: :thumb:
This was done on 10/24/2007 with services on power user (http://www.blackviper.com/WinXP/servicecfg.htm) settings, so no system restore. YMMV
hekegeous
November 19th, 2007, 02:32 PM
{QUOTE-> Hi bigc and hek
This is strange .... I got the same notification from APSS and I had to deny.
I think it must be a FP
bigc is usually accurate, and that is why I think it is strange
Cheers <-QUOTE}
Fredra,
Do you have a copy of the file from your browser cache or did it get booted? I'm curious as to what's triggering the heuristic engine to flag it.
SteveBlanchard
November 19th, 2007, 03:03 PM
Just looked at the site in FF & OE7, then ran a-squared Free; it didn't find anything, so it's a FP.
Thug21
November 19th, 2007, 03:16 PM
A Zedo iframe on a site sounds like bad news to me. What the heck is a bh_js? Some browser helper thing? ???
Although I'm no expert, that sounds suspicious.
pykko
November 19th, 2007, 03:16 PM
I don't get that detection on my computer. I'm using Avira Security Suite, latest VDF.
fredra
November 19th, 2007, 03:28 PM
Hi
@hek
No I don't have the file
When bigc and pykko found nothing, I KNEW something else was wrong.
I updated APSS and it found nothing, so it WAS a false positive and the update fixed it.
Much ado about nothing..lol
Sorry to all :-X
I will now go back to my corner.
Cheers :)
Thug21
November 19th, 2007, 03:33 PM
I just went to neimanmarcus.com and no word from Antivir. However, that particular .js file was nowhere to be found in the page source. Haven't tried the exact url to the js iframe.
212eta
November 19th, 2007, 04:16 PM
{QUOTE-> I decided to download the freeware version of AVIRA and see by myself. Keep in mind three (3) things:
1) I had just formatted my PC (with just WinXP Pro SP2 and installed drivers from some manufacturers' CDs: motherboard, monitor etc.)
2) avira installer was on CD so I didn't use internet at all
3) On purpose, I did NOT change any setting of the configuration.
I updated Avira and started a FULL scan.
The result? Fast enough (under 12 mins.) and not a single false positive. *****:thumb: :thumb:
This was done on 10/24/2007 with services on power user (http://www.blackviper.com/WinXP/servicecfg.htm) settings, so no system restore. YMMV <-QUOTE}
What about the ones who want to download and try AVIRA CLASSIC?
Do we have to use avira installer on CD?
After downloading it, I didn't use internet at all. (I am on adsl dial up).
19monty64
November 19th, 2007, 04:51 PM
{QUOTE-> What about the ones who want to download and try AVIRA CLASSIC? <-QUOTE} What about them???
{QUOTE-> Do we have to use avira installer on CD? <-QUOTE} Do whatever you want.
{QUOTE-> After downloading it, I didn't use internet at all. (I am on adsl dial up).
<-QUOTE} I was pointing out that the same experience with a couple of variations produced entirely different results. Hence YMMV (your mileage may vary)
I wasn't suggesting anyone reformat, save installers to CD or trust anyone's results.
solcroft
November 19th, 2007, 08:38 PM
The script is not obfuscated. I've only taken a cursory look at it, but the script itself isn't an exploit. My first impression of it was that it's used to serve tracking cookies to the user instead of trojan horses; I will take another look at it when I get home.
As for how to interpret Avira's HTML "heuristic", it just triggers on any iframe with width = height = 0. Do keep this in mind before panicking.
Macstorm
November 19th, 2007, 09:04 PM
I also got the warning message when using AntiVir PE Premium, but just after reloading the above-mentioned webpage (heuristics at medium settings). File already sent using the 'quarantine manager' ;D
hekegeous
November 20th, 2007, 05:15 AM
Thanks for the reply and your insight, solcroft. I tested this the moment after getting the warning, though, and can positively state that Avira's heuristic engine that detected that site as loading a baddie does not treat 0x0 iframes as exploit-warning worthy; maybe it does add to the final suspiciousness score a bit, though. Try uploading a page with a 0x0 remotely loading iframe + a few 0x0 images somewhere and load it - Avira will not make a sound, at least it didn't for me. Something else must be setting it off.
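The two posts above disagree on whether a zero-size iframe alone is what trips the HTML heuristic. As an added example (not Avira's engine and not code from anyone in this thread), here is a small Python scanner that treats a 0x0 iframe as one scored indicator among several, so a lone zero-size ad or tracking frame lands in "review" while a frame that is hidden several ways at once gets flagged. The sample markup and the hostnames in it (shop.example, ads.example.net) are constructed placeholders, not the sites discussed in the thread.

```python
"""Hidden-iframe scoring heuristic (added example, not Avira's engine and
not any poster's code).  It layers several indicators of an iframe being
invisible to the user instead of deciding on "width = height = 0" alone,
because zero-size ad/tracking iframes are common on legitimate pages."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary first-party iframe, one 0x0
# third-party ad/tracking iframe of the kind the thread describes, and one
# iframe that is hidden in three different ways at once.  Placeholder hosts.
SAMPLE_PAGE = """
<html><body>
<iframe src="/help/sizing.html" width="600" height="400"></iframe>
<iframe src="http://ads.example.net/pbar/frame.js" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://ads.example.net/x.html" width="0" height="0"
        style="display:none; position:absolute; left:-9999px"></iframe>
</body></html>
"""

# Weights per indicator; a lone zero-size iframe never reaches the flag threshold.
WEIGHTS = {"zero-size": 2, "css-hidden": 2, "off-screen": 2, "third-party-src": 1}
REVIEW_AT, FLAG_AT = 2, 4


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def parse_style(style):
    """'display:none; left:-9999px' -> {'display': 'none', 'left': '-9999px'}"""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props


def is_zero(value):
    """True for '0', '0px', '0%', '0.0'; False for '', '600', '100%'."""
    m = re.match(r"^\s*(\d+(?:\.\d+)?)", value)
    return m is not None and float(m.group(1)) == 0.0


def iframe_reasons(attrs, page_host):
    """Return the hiding/third-party indicators present on one iframe."""
    reasons = []
    style = parse_style(attrs.get("style", ""))
    width = attrs.get("width") or style.get("width", "")
    height = attrs.get("height") or style.get("height", "")
    if is_zero(width) and is_zero(height):
        reasons.append("zero-size")
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        reasons.append("css-hidden")
    if any(re.match(r"^-\d", style.get(p, "")) for p in ("left", "top")):
        reasons.append("off-screen")
    src_host = urlparse(attrs.get("src", "")).hostname or ""
    if src_host and src_host != page_host and not src_host.endswith("." + page_host):
        reasons.append("third-party-src")
    return reasons


def scan_page(html, page_host):
    """Score every iframe on the page; returns one finding dict per iframe."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = iframe_reasons(attrs, page_host)
        score = sum(WEIGHTS[r] for r in reasons)
        verdict = "flag" if score >= FLAG_AT else "review" if score >= REVIEW_AT else "ok"
        findings.append({"src": attrs.get("src", ""), "reasons": reasons,
                         "score": score, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "shop.example"):
        print(f"{f['verdict']:6} score={f['score']} {f['src']} {f['reasons']}")
```

Run against the sample, the first iframe is "ok", the 0x0 third-party one is "review" (zero-size plus third-party source, score 3), and only the frame that is also CSS-hidden and positioned off-screen reaches "flag". The point for triage is that a zero-size frame pointing at an ad network is worth a look, not an exploit verdict by itself.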
hekegeous
November 20th, 2007, 05:16 AM
{QUOTE-> I also got the warning message when using AntiVir PE Premium, but just after reloading the above-mentioned webpage (heuristics at medium settings). File already sent using the 'quarantine manager' ;D <-QUOTE}
Could you please be so kind as to post the results here once Avira investigates it? Thanks
Macstorm
November 21st, 2007, 12:53 PM
{QUOTE-> Could you please be so kind as to post the results here once Avira investigates it? Thanks <-QUOTE}
It's been 2 days but I haven't received a reply yet; it's the first time I've submitted to them through the quarantine manager, so I don't know if that's a usual delay. :)
zfactor
November 21st, 2007, 01:18 PM
I see the same results; it pops up as a heuristic exploit. Medium settings and just updated... I close FF and re-open it and re-load the page and it goes through fine now with no warnings..
What does re-loading it do? Should it not result the same way?
Macstorm
November 21st, 2007, 01:50 PM
{QUOTE-> I see the same results; it pops up as a heuristic exploit. Medium settings and just updated... I close FF and re-open it and re-load the page and it goes through fine now with no warnings..
What does re-loading it do? Should it not result the same way? <-QUOTE}
That's what I wonder too. :)
Leo2005
November 21st, 2007, 05:43 PM
{QUOTE-> It's been 2 days but I haven't received a reply yet; it's the first time I've submitted to them through the quarantine manager, so I don't know if that's a usual delay. :) <-QUOTE} Well, normally you should get a mail directly after sending it that you won't get an answer.
Macstorm
November 21st, 2007, 06:00 PM
{QUOTE-> Well, normally you should get a mail directly after sending it that you won't get an answer. <-QUOTE}
I guess so, its 'quarantine manager' works in a different manner then..
BTW, I always get quick responses when I submit samples through e-mail and its website.
hekegeous
November 21st, 2007, 06:20 PM
Meh :( I'd really like to know what the file is trying to do that sets Avira off.
trjam
November 21st, 2007, 06:58 PM
Maybe it isn't the file. ::)
Stefan Kurtzhals
November 22nd, 2007, 04:08 AM
Well, send the reported file as encrypted archive to heuristik2@avira.com and I will have a look at it. ;-)
Mele20
November 22nd, 2007, 07:54 AM
Avira was alerting on the same sort of iframe file a few weeks ago at, of all places, GRC.com. First it alerted on an iframe on the Shields Up page and then it started alerting on the main GRC.com page and one could not even enter the site without disabling Avira or just clicking through the alerts.
Macstorm
November 26th, 2007, 12:01 PM
Finally, the analysis results of this heuristic detection (courtesy of Stefan Kurtzhals):
{QUOTE-> Hi!
The HTML uses quite some dirty tricks but is harmless in the end. The tricks are used for advertisement.
bye, Stefan Kurtzhals
--
Avira GmbH <-QUOTE}