BankofAmerica trojan detection (This is strange, to say the least)

Discussion in 'NOD32 version 2 Forum' started by biggerbyte, Mar 1, 2006.

Thread Status:
Not open for further replies.
  1. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    I just went over to check my bank records at www.bankofamerica.com and NOD IMON says this:

    HTML/Phishing.gen trojan

    Anyone?
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: This is strange, to say the least.

    Hm well I get it also clicking that site - having a look around but not finding much so far. Anyway, regardless of the outcome, rest assured it's not just you.
     
  3. johnawash

    johnawash Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    2
    IMON detection @www.bankofamerica.com

    OK, so I've sent this to Eset, but wanted to see if other Nod32 users were getting this warning when visiting the bankofamerica homepage?
     

    Last edited by a moderator: Mar 2, 2006
  4. folklore

    folklore Registered Member

    Joined:
    May 10, 2005
    Posts:
    16
    Bank of America website

    getting phishing.gen. trojan when connecting to this site.
    is this a real positive? or false positive that may have something to do with BOA website.

    just started today.
     
  5. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Re: IMON detection @www.bankofamerica.com

    Not with FireFox. It seems to only occur with Internet Explorer.
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: This is strange, to say the least.(Bankofamerica trojan detection)

    Hi johnawash - I have merged your thread into a slightly older (few minutes lol) thread about the same subject. Also, I will mention that as I said earlier it is detecting the same for me - and I am using Firefox through the Proxomitron.
     
  7. folklore

    folklore Registered Member

    Joined:
    May 10, 2005
    Posts:
    16
    Re: This is strange, to say the least.(Bankofamerica trojan detection)

    wrong

    using firefox 1.5.1 here and I get the same error.
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: This is strange, to say the least.(Bankofamerica trojan detection)

    folklore - I have also merged your thread into this one. Hopefully we can keep the bankofamerica.com discussion in this one thread. I've also edited the thread title here to help others find this existing thread.
     
  9. johnawash

    johnawash Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    2
    Thanks Detox....missed biggerbyte's post....
     
  10. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    I called BOA and let them in on this. Hopefully it will be taken care of soon by them, or ESET if it is a false positive. This just started today.
     
  11. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    Well, my roommate's computer is running Norton Antivirus and his box does not detect this trojan on BOA.com. So, either NA really sucks at picking up on this, or NOD should not be.
     
  12. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I'm not seeing any reaction by IMON running in higher compatibility mode in Firefox 1.5.0.1. Do the folks using Firefox and getting a detection by IMON have the Firefox activeX plugin installed? (I don't and won't)
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    My son just got this a short while ago (that's his bank, too).

    He called me after the first alert, we tried both browsers - FireFox v.1.5.0.1 and IE v.6.0.2900.2180.xpsp_sp2_gdr.050301-1519 - and got the alert on both.


    Time Module Object Name Threat Action User Information
    3/1/2006 23:05:02 PM AMON file F:\Documents and Settings\spy1\Local Settings\Application Data\Mozilla\Firefox\Profiles\p3yc4z4n.default\Cache\D5BDE7BBd01 HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
    3/1/2006 23:04:46 PM IMON file http://www.bankofamerica.com/index.cfm?page_msg=signoff&showstatic=no HTML/Phishing.gen trojan Connection terminated STEVEN-KDHP68D1\spy1
    3/1/2006 23:00:44 PM AMON file F:\Documents and Settings\spy1\Local Settings\Application Data\Mozilla\Firefox\Profiles\p3yc4z4n.default\Cache\B3674D75d01 HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
    3/1/2006 23:00:42 PM IMON file http://www.bankofamerica.com/ HTML/Phishing.gen trojan Connection terminated STEVEN-KDHP68D1\spy1
    3/1/2006 23:00:40 PM AMON file F:\Documents and Settings\spy1\Local Settings\Application Data\Mozilla\Firefox\Profiles\p3yc4z4n.default\Cache\B3674D75d01 HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
    3/1/2006 23:00:38 PM IMON file http://www.bankofamerica.com/ HTML/Phishing.gen trojan Connection terminated STEVEN-KDHP68D1\spy1
    3/1/2006 23:00:07 PM AMON file F:\Documents and Settings\spy1\Local Settings\Application Data\Mozilla\Firefox\Profiles\p3yc4z4n.default\Cache\B3674D75d01 HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
    3/1/2006 23:00:05 PM IMON file http://www.bankofamerica.com/ HTML/Phishing.gen trojan Connection terminated STEVEN-KDHP68D1\spy1
    3/1/2006 22:59:50 PM AMON file F:\Documents and Settings\spy1\Local Settings\Temporary Internet Files\Content.IE5\WTMRO9YN\bankofamerica[1].htm HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
    3/1/2006 22:59:48 PM IMON file http://www.bankofamerica.com/ HTML/Phishing.gen trojan Connection terminated STEVEN-KDHP68D1\spy1
    3/1/2006 22:59:39 PM AMON file F:\Documents and Settings\spy1\Local Settings\Temporary Internet Files\Content.IE5\KPMF4T6B\bankofamerica[1].htm HTML/Phishing.gen trojan quarantined - deleted STEVEN-KDHP68D1\spy1 Event occurred on a new file created by the application: F:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.


    (Plus a few more <g> ). Odd, to say the least. Hopefully, BoA is locking up their vaults as we speak. Pete

    All detections were by AMON, not IMON, here. Did the about:plugins thing here with FireFox and I'm not seeing anything that's saying it's ActiveX-related. Running JRE 5.0 Update 6 here.
     
    Last edited: Mar 2, 2006
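Added example, not part of the thread or of any poster's message: a short Python triage of a threat log in the flattened layout pasted above, attributing each AMON cache-file hit to the IMON URL hit that precedes it by a few seconds. The sample lines, host, user, paths, the `Win32/Example.A` name and the 5-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the flattened layout of the log pasted above
# (placeholder host, user, paths and second threat name; not the poster's entries).
SAMPLE_LOG = r"""
3/1/2006 23:00:44 PM AMON file C:\Prof\Cache\AAAA0001d01 HTML/Phishing.gen trojan quarantined - deleted HOST\user Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine.
3/1/2006 23:00:42 PM IMON file http://www.example.com/ HTML/Phishing.gen trojan Connection terminated HOST\user
3/1/2006 22:59:50 PM AMON file C:\Temp\Content.IE5\ABCD1234\example[1].htm HTML/Phishing.gen trojan quarantined - deleted HOST\user Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine.
3/1/2006 22:59:48 PM IMON file http://www.example.com/ HTML/Phishing.gen trojan Connection terminated HOST\user
3/1/2006 22:10:00 PM AMON file C:\Downloads\setup.exe Win32/Example.A trojan quarantined - deleted HOST\user Event occurred on a new file created by the application: C:\Windows\explorer.exe.
"""

LINE = re.compile(r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+) (?:AM|PM) (?P<module>AMON|IMON) file "
                  r"(?P<obj>.+?) (?P<threat>\S+) trojan (?P<rest>.*)$")
APP = re.compile(r"created by the application: (.+?\.exe)\.")

def parse(log):
    """Turn flattened log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S")  # clock is 24-hour
        app = APP.search(ev["rest"])
        ev["app"] = app.group(1).rsplit("\\", 1)[-1] if app else None
        events.append(ev)
    return events

def correlate(events, window=timedelta(seconds=5)):
    """Attribute each AMON file hit to the IMON URL hit just before it."""
    web = sorted((e for e in events if e["module"] == "IMON"), key=lambda e: e["ts"])
    by_url = defaultdict(lambda: {"threats": set(), "apps": set(), "files": 0})
    unexplained = []
    for e in (e for e in events if e["module"] == "AMON"):
        prior = [w for w in web if w["threat"] == e["threat"]
                 and timedelta(0) <= e["ts"] - w["ts"] <= window]
        if not prior:
            unexplained.append(e["obj"])  # no web origin in the log: look at it separately
            continue
        bucket = by_url[prior[-1]["obj"]]
        bucket["threats"].add(e["threat"])
        bucket["apps"].add(e["app"])
        bucket["files"] += 1
    return dict(by_url), unexplained
```

One signature from one URL across two browsers says the detection follows the served page rather than the local machine; the log alone cannot tell a false positive from a compromised page, so the grouped URL and cached file are what go to the vendor for analysis.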
  14. CtlAltDelete

    CtlAltDelete Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    64
  15. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Normally any malicious file cached by Firefox is inert because it is renamed as it is cached and even though your antivirus reacts to it, there should not be any danger to your system.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's actually a fp and will be fixed shortly.
     
  17. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    it is false positive
     

    Attached Files: 11.jpg
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Read my previous message, I already confirmed it's a false positive which will be fixed shortly.
     
  19. Happy Bytes

    Happy Bytes Guest

    And why do you need to post this screenshot here after Marcos already confirmed it?
     
  20. Happy Bytes

    Happy Bytes Guest

    Damnit :eek: You were 100ms faster in reply! :eek:
     
  21. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    Thanks guys for jumping on this... It has been fixed as of this reply.
     
  22. folklore

    folklore Registered Member

    Joined:
    May 10, 2005
    Posts:
    16
    not fixed here.
    using FF 1.5.1
     
  23. folklore

    folklore Registered Member

    Joined:
    May 10, 2005
    Posts:
    16
    my bad!

    cleared cache and no more problem

    good work ESET!!!!
     
  24. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Re: IMON detection @www.bankofamerica.com

    Nor Opera, I never use IE.
     
  25. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Re: IMON detection @www.bankofamerica.com

    Never say never, you need windows update ;) and multiple programs use IE to display pages in their help files.

    Alphalutra1
     