Tons of IFrame.B.Gen hits today

Discussion in 'ESET NOD32 Antivirus' started by bradtech, Aug 10, 2009.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    We haven't received such a file yet at samples[at]eset.com. The only link we've got wasn't detected by our v4, only access to the site was blocked.
     
  2. bradtech

    bradtech Guest

    I will try to get some of these files harvested..
     
  3. fcastro

    fcastro Registered Member

    Joined:
    Jul 6, 2007
    Posts:
    13
    Getting bp.specificclick.net hits from bing.com non-stop.

    bp.specificclick.net at one point was responsible for malware from the research I did.
     
  4. bradtech

    bradtech Guest

    afe.specificclick.html

    different [1][2] on each one.. Trying to \\computername\c$ into some boxes to harvest, but getting access denied any time I try to copy/paste.. Think NOD32 has it locked down.. I can copy others fine..
     
  5. bradtech

    bradtech Guest

    We are getting nothing but unable to clean.. Most of our users are non-local administrators..
     
  6. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30

    try this link:

    hxxp://afe.specificclick.net/?l=5381&sz=728x90&wr=j&t=j&u=http://tv.blogs.pressdemocrat.com/10859/bourdain-hits-streets-of-san-francisco/&r=http://www.pressdemocrat.com/&rnd=302624


    Edit: I'm not sure how to capture the htm file as it's only on some page loads and NOD32 is just blocking it randomly. It really needs to be figured out though; I've got about 100 of these so far today.
     
  7. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30
    Ok, I just noticed it's only my clients with 2.7 who are getting the HTML/IFrame.B.Gen Virus message; v 4.0 are getting the "Site blocked" message without a virus alert.

    Never deployed 3.x anywhere so not certain on that version.

    hxxp://afe.specificclick.net/?l=2309&sz=300x250&wr=h&t=h

    That link reports as a virus every single time with 2.7.
     
  8. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30
    I've just sent a sample password-protected zip file in.
     
  9. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    Still getting alerts as well. Have no idea when the new update is coming out. I know this is off topic but is anyone else fed up with ESET support? I would like to hear your experiences dealing with ESET direct support.
     
  10. tonytone

    tonytone Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    1
    ESET NOD32 Antivirus - Alert
    Access denied !

    Details:

    Web page:
    hxxp://afe2.specificclick.net/adserv/

    Description:
    Access to the web page was blocked by ESET NOD32 Antivirus.
    The web page is on the list of websites with potentially dangerous content
     

    Last edited by a moderator: Aug 10, 2009
  11. WhiskeyRiver

    WhiskeyRiver Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    3
    Add WeatherUnderground.com as a victim. You have to get through three or four Nod32 HTML/Iframe.B.Gen warnings to get the weather. All related to specificclick.net.

    6:38PM Central time...
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    I'm not having any warnings using Wunderground.com at 6:40pm central time.
     
  13. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    I was not getting these when I tried it while using definitions I still had from yesterday. I just updated signatures right now and went to all links posted and am now getting the same warnings.
     
  14. WhiskeyRiver

    WhiskeyRiver Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    3
    I'm using Nod32 v2.7 and v4323 signatures.... Still getting it.

    6:54 PM Central

    WR
     
  15. WhiskeyRiver

    WhiskeyRiver Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    3
    UPDATE: 10:30PM August 10

    Just received signatures v3424. Everything back to normal now. Crisis appears over. :)
     
  16. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    I would really like to know why this occurred. Was this due to a 'bad' signature file or did ESET have a legitimate reason for blocking these ads? I have been hearing things, but I want to know what you think first.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It was not a FP, but we've stopped blocking the url for now. This does not mean that it won't be blocked again if another piece of malware turns out to be related with the site.
     
  18. bradtech

    bradtech Guest

    Thanks Marcos. I don't mind it being blocked; however, it sucks if it is unable to clean it off.
     