Text of Virus in Web Page

Discussion in 'NOD32 version 1 Forum' started by linney, Oct 26, 2002.

Thread Status:
Not open for further replies.
  1. linney

    linney Registered Member

    Hello, nice to find a NOD32 forum.

    The other day whilst checking the Security and Virus forum at CNET there was a posting about a virus called "Redolf.A virus".
    This posting included a full text of the virus exe file.

    AMON flagged this text as a virus and notified me. The page has since been withdrawn. I was surprised and pleased that NOD32 picked up on it.

    My questions are these: is there any danger from just reading the exe file of a virus in a Html web page? Other virus scanners did not alert to the text at all unless it was converted to a vbs file or similar and then opened.

    Was this detection intended by NOD32 or just an accident of programming?
  2. rodzilla

    rodzilla Registered Member

    > The other day whilst checking the Security and Virus forum at CNET there was a posting about a virus called "Redolf.A virus". This posting included a full text of the virus exe file.

    > AMON flagged this text as a virus and notified me. The page has since been withdrawn. I was surprised and pleased that NOD32 picked up on it.

    > My questions are these: is there any danger from just reading the exe file of a virus in a Html web page? Other virus scanners did not alert to the text at all unless it was converted to a vbs file or similar and then opened.

    > Was this detection intended by NOD32 or just an accident of programming?

    It was deliberate.

    Many things you see/read online are downloaded to a temporary folder on your hard drive without you realizing it's happening. Amon flares up on malicious scripts on web pages or in Hotmail or in Google's Usenet Search ... and in newsgroups downloaded from an nntp server to your own hard drive, which are not monitored by the POP3 scanner.

    No antivirus program can guarantee to detect 100% of viruses 100% of the time ... but history shows that NOD32 puts you as close to the 100% mark as possible, and keeps you there.
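An added illustration of rodzilla's point above (example code, not from the thread, NOD32 or AMON): a content-based scanner sees the same bytes whether they sit in a cached .htm page or in a .vbs file, while an extension-gated scanner only looks inside "script" files. The signature pattern, the cache directory and the file contents are all constructed stand-ins, not real malware or real detection data.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for one signature entry: a hypothetical pattern, NOT real malware.
SIGNATURES = {
    "VBS/Hypothetical.Test": re.compile(rb'Set\s+HypotheticalWorm\s*=\s*CreateObject\("', re.I),
}
SCRIPT_EXTENSIONS = {".vbs", ".js", ".htt"}

def scan_bytes(data):
    """Return the names of every signature whose pattern occurs in the raw bytes."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]

def scan_file_by_content(path):
    # what an on-access scanner like AMON does: inspect bytes, ignore the extension
    return scan_bytes(path.read_bytes())

def scan_file_by_extension(path):
    # the weaker policy: only inspect files whose extension says "script"
    if path.suffix.lower() not in SCRIPT_EXTENSIONS:
        return []
    return scan_bytes(path.read_bytes())

def scan_cache(cache_dir, scanner):
    """Map file name -> signature hits for every file the scanner flags."""
    return {p.name: hits for p in sorted(cache_dir.rglob("*"))
            if p.is_file() and (hits := scanner(p))}

def build_sample_cache(root):
    """Constructed browser cache: a forum page quoting the text, a pasted .vbs, an image."""
    cache = root / "Temporary Internet Files"
    cache.mkdir(parents=True)
    script = b'Set HypotheticalWorm = CreateObject("Scripting.FileSystemObject")'
    (cache / "forum_post[1].htm").write_bytes(b"<html><body><pre>" + script + b"</pre></body></html>")
    (cache / "pasted[1].vbs").write_bytes(script + b"\r\n")
    (cache / "logo[1].gif").write_bytes(b"GIF89a\x00\x00")
    # HTML-escaped copy: reads identically in a browser, but the bytes differ,
    # so a byte-pattern signature written for the raw script does not fire on it.
    (cache / "escaped[1].htm").write_bytes(script.replace(b'"', b"&quot;"))
    return cache

def demo():
    """Scan one constructed cache with both policies; returns (content_hits, extension_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = build_sample_cache(Path(tmp))
        return scan_cache(cache, scan_file_by_content), scan_cache(cache, scan_file_by_extension)

if __name__ == "__main__":
    by_content, by_extension = demo()
    print("content-based :", by_content)
    print("extension-gated:", by_extension)
```

The escaped copy shows the limit of this approach: the page a human reads and the bytes a signature matches are not always the same thing.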
  3. Primrose

    Primrose Registered Member

    Hi linney,

    In my opinion, not an accident in programming but rather necessary. The same thing should happen with all good security products. It is one of the reasons they removed the text/or page at cnet.

    NOD32 has been detecting this virus since 30Apr2002.

    NOD32 - 1.253 (20020430) / posted 20:57 (@831)
    Virus signature database updates:
    VBS/Redolf.A, Win32/Hobo.A, Win32/MyPower.A, Win32/Sowsat.A
    http://www.nod32.ch/support/info.stm


    This is an encrypted VBS virus which appends itself to HTM, HTT, VBS and JS files. It also attaches itself to MS Outlook's default stationery files and sets the Blank.HTM as the default stationery.
    Any mail composed with MS Outlook subsequently will contain this virus and will infect the mail recipient's computer.


    Here is some more information on this virus. It is very active over in Mainland China even today. As you see some Identify it as REDLOF and others by REDOLF.

    VBS_REDLOF.A
    http://www.dslreports.com/forum/remark,4635735~root=security,1~mode=flat



    VBS/Redlof.A. Infection via formatted mail
    http://www.vsantivirus.com/redlof-a.htm

    Name: VBS/Redlof.A
    Type: Visual Basic Script worm
    Alias: VBS/Redlof@M, HTML.Redlof.A, VBS.Redolf, VBS_REDLOF.A


    A user can not get infected by just reading the text on the page.
  4. rodzilla

    rodzilla Registered Member

    > In my opinion, not a accident in programming but rather necessary. The same thing should happen with all good security products. It is one of the reason they removed the text/or page at cnet.

    Yep.

    > A user can not get infected by just reading the text on the page.

    No, he can't ... but in the (unlikely) event that he clicked on the downloaded .html page stored in the temp directory, the virus would leap into life.

    Windows periodically deletes the contents of temp directories, but I've seen a couple of instances where it "forgot". One guy had a 3GB+ folder filled with temporary downloaded files dating back months. As I'm sure you can imagine, wiping the HD of all this junk took quite some time ... but deleting it set Windows back to "normal", and it went back to periodically deleting temp files. I have no idea why this happens occasionally. Just another of the many little mysteries of Life with Microsoft. :)
  5. Primrose

    Primrose Registered Member

    Your post brings up another thought.....

    Do not be surprised if NOD32 also alerts you on other instances of text even on your system ;) Many people are using on-line scans from various vendors. In that process they must download to you data for their scanner. Some of this you will find in your downloaded program files..the rest in other files. Just like in your case here..those files must contain enough info to ID and remove...none of it is malicious and will not infect your system surely..but it contains enough of the "signature" that a good AV product "resident" on your system will sometimes pick up on it. I keep on hearing people call this a "false positive " :). I call it smart scanning.
  6. JacK

    JacK Registered Member

    Hi Rod,

    If I remember well there was such an issue with a webpage on Kaspersky site a year or so ago which NOD32 detected. No false positive either and also deliberate. I don't know whether Eugene removed the page.

    Best regards,
  7. rodzilla

    rodzilla Registered Member

    > If I remember well there was such an issue with a webpage on Kaspersky site a year or so ago which NOD32 detected. No false positive either and also deliberate.

    Yep ... it was the full text of a batch file which, if copied and pasted, would have trashed your hard drive.

    Roland Garcia was bleating in alt.comp.virus that NOD32 was false alarming on the KAV website. I told him to copy the text to his autoexec.bat and reboot, then come back and tell me what happened. He didn't reply. :)

    > I don't know whether Eugene removed the page.

    I don't know either.

    It's not a rare occurrence. One of my barrister clients here in Australia told me earlier this year that Amon had warned him about a script virus on a prominent Chinese law firm's website. I checked it out and found the Chinese pages were OK, but all the Japanese and English pages on the site (dozens of them) were infected. Despite several emails from him, his Hong Kong partners, and myself (and I even emailed them a temporary NOD32 key so they could clean it up) the site was still infected months later. Go figure. :(
  8. linney

    linney Registered Member

    Thank you for all your informed replies.