HTML/FakeAlert.DV trojan

Discussion in 'other anti-virus software' started by boredog, Jul 27, 2016.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
Not sure this is the right spot for this post.
    I guess the reason I picked here is because of NOD32.
    I am posting for your advice. Not sure if I am still infected or not. I was just amazed none of my security software made a peep at all.

    Yesterday, while trying to download a torrent, I got a web page open and it also had sound. The page said I was infected with Zeus and if I closed the page my hard drive would be erased. I used Task Manager and closed it anyway. I was using IE with all security apps enabled except for AdGuard, because my license ran out yesterday and I had not renewed it yet. I did not have QuietZone enabled and I foolishly did have my recovery USB inserted. I then downloaded the NOD32 trial and here is what it said it found and deleted.
    Eset Log
    C:\Users\Bruce\AppData\Local\Microsoft\Windows\INetCache\Low\IE\MQW4OPHA\websolutions[1].htm - HTML/FakeAlert.DV trojan - cleaned by deleting [1]

Don't any of my security programs check that location?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file should not be functional as it likely contains only relative references to files. It most likely looks as follows:

(screenshot: fakealert_dv.png)
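Added example, not code from the thread or from ESET: a small Python triage script for a cached HTML alert page like the one detected above. It checks the point Marcos makes (the file only has relative `src`/`href` references, so on its own it cannot load the script, image or audio it depends on) and the usual tech-support-scam indicators a practitioner would look for (scare wording, a phone number, autoplaying audio). The sample page, the phone number and the `scan_cache` helper are constructed for illustration and are not the real `websolutions[1].htm`.

```python
"""Triage a cached fake-alert HTML page (constructed example, not from the thread)."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the page described in the thread. It is NOT the
# real cached file; the phone number is a reserved fictional one.
SAMPLE_HTML = """<html><head><title>Warning</title></head>
<body>
<h1>Your computer is infected with Zeus virus</h1>
<p>Do not close this page or your hard drive will be erased.
Call support now: 1-888-555-0142</p>
<img src="images/shield.png">
<script src="js/lock.js"></script>
<audio src="alert.mp3" autoplay></audio>
<a href="support.html">Get help</a>
</body></html>"""

# Heuristic indicators; tune for the scam family you are looking at.
SCARE_PHRASES = ("infected", "hard drive will be erased", "do not close", "call support", "zeus")
PHONE_RE = re.compile(r"\b(?:1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")


class RefAndTextParser(HTMLParser):
    """Collects every src/href reference, the visible text, and any audio tag."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.text = []
        self.autoplay_audio = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "audio" and "autoplay" in a:
            self.autoplay_audio = True
        for key in ("src", "href"):
            if a.get(key):
                self.refs.append(a[key])

    def handle_data(self, data):
        self.text.append(data)


def is_relative(ref):
    """True for references like 'js/lock.js' that only resolve next to the original URL."""
    p = urlparse(ref)
    return not p.scheme and not p.netloc


def triage(html):
    parser = RefAndTextParser()
    parser.feed(html)
    raw_text = " ".join(parser.text)
    lowered = raw_text.lower()
    phrases = [p for p in SCARE_PHRASES if p in lowered]
    phones = PHONE_RE.findall(raw_text)
    relative = [r for r in parser.refs if is_relative(r)]
    absolute = [r for r in parser.refs if not is_relative(r)]
    return {
        "scare_phrases": phrases,
        "phone_numbers": phones,
        "autoplay_audio": parser.autoplay_audio,
        "relative_refs": relative,
        "absolute_refs": absolute,
        # Opened from the cache, the page can only reach resources it names absolutely.
        "self_contained": len(relative) == 0,
        "verdict": "likely tech-support scam" if (phones or len(phrases) >= 2) else "no scam indicators",
    }


def scan_cache(root):
    """Run triage() over every .htm/.html file under root (e.g. an INetCache folder)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = triage(fh.read())
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML), indent=2))
```

Run it against the cache folder from the ESET log with `scan_cache(r"C:\Users\<user>\AppData\Local\Microsoft\Windows\INetCache\Low\IE")` to see which cached pages carry the same indicators; `self_contained` being false is exactly the "only relative references" situation, which is why the leftover file is inert rather than an active infection.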
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,095
    "infected with zues" or infected with zeus?
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
Marcos, yep, that is it! It had sound too. Didn't they have to use an exploit to do that?

    anon, Zeus, but I left the page and do not notice anything yet.

    Not sure if this was happening before, since I have not used it since updating to Win 10, but I cannot get into safe mode for some reason.
     
  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    784
It is just a fake alert HTML trojan; you are not infected.

    None of your security setup reacted because it isn't a real infection, but a traditional antivirus should have stopped the loading of this fake alert with its web scanner.

    PS: In my opinion your security setup is "too much of a good thing", very redundant, and it lacks a good "traditional" antivirus like Eset (which would have stopped this fake alert for sure).
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
I hear that, but Malwarebytes didn't, and I'm still wondering why Anti-Exploit didn't peep either.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
I think the clue is in the term 'fake'. Not all AVs will detect fake web pages, in the same way that not all AVs detect PUA/PUPs.

    Anti-exploit probably didn't trigger because you're patched up, that is, the programs most commonly used to exploit are up to date; plus there may well have been no exploit there anyway.
     
    Last edited: Jul 27, 2016
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Because you abended IE, the crap was left in your browser cache. That is why Eset detected it. If you had manually flushed your browser cache afterwards, which you should do in these instances, the crap would have been deleted.

    Appears this was a phishing attack with the purpose of panicking the user into calling the phone number for service to clean the bogus malware.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
I understand it was a fake, but somehow it still managed to freeze the browser. What does a common user do when they see that sort of thing? If I had not known how to use Task Manager, Autoruns and Process Explorer, and was a normal household user, I would have either called the number or fearfully pushed the power button. I guess I could be wrong, but I still think my other software should have stopped the browser hijack too.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
Sorry itman, posting at the same time. It was a drive-by, not phishing. Clicked to download a torrent and bang. Went back a second time for more and nothing.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
I believe if you had clicked on either of the buttons on the crapware web page, that is when you would have been nailed by the drive-by download. That is when the security solution should have kicked in. However, there is malware now that runs entirely from the web page. Hence the need for a security solution with a strong web filter at the network level like Eset. And if the malware was delivered from an HTTPS web site, there is a need to decrypt the traffic so it can be scanned by the web filter.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
I am now wondering if, had I renewed AdGuard, that would have stopped it too. They have a pretty good web filter also. It ran out yesterday before I had a chance to renew. I think you are right about clicking on either button, but then I didn't. What if a home user had? Would it still have been a fake pay-up site?
    Also, what is strange is that when I went back for a second look I did not get hit again. Same page, same download.

    Here is the site in case you want to sniff around: http://extratorrent.cc/
     
    Last edited: Jul 27, 2016
  13. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
I believe your AdGuard (or any ad blocker) would have stopped it.

    I too saw these fake buttons on torrent sites when I had disabled uBO.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Based on this comment over at Reddit, perhaps you should renew your AdGuard subscription:

    Ref.: https://www.reddit.com/r/torrents/comments/2xlwzk/how_to_torrent_safely_without_getting_viruses_or/

I just browsed to that web site and received no alerts from Eset or Emsisoft. I did not try to download anything.

    Do you have IE's SmartScreen Filtering enabled? Perhaps you disabled that when you installed AdGuard and forgot to re-enable it? SmartScreen filtering did block two services on that web site.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Just scanned that web site using Zulu. The web site is OK. Must have been something with the download you were doing:

    (screenshot: Zulu_Scan_7-27-2016.png)
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
Yes, I have SmartScreen enabled. Still scratching my head on this one.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Run a scan with AdwCleaner to make sure you're clean.
     
    Last edited: Jul 29, 2016
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    558
    Location:
    Baden Germany
It possibly depends on which browser you use,
    how many users visited the site before,
    which referer you have,
    how long since the Google spider came around,
    ..., whether the scam popup is delivered or not.

    These are all popular techniques to hide from being discovered quickly.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
itman, yes, I had looked at that page a while ago, but did you notice peak activity was 7/25/2016? Yes, it would have been nice to have Eset installed beforehand, but as I mentioned I had AdGuard, and it had expired the same day. Now isn't that strange? I think AdGuard would have stopped it also with its web filter. With all my other security software I didn't see how it could touch my hard drive at all, but then again this seems to be a new variant.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
That web page produces random ads, so I would say you were a victim of malvertising. If it were a stable ad, it would get removed ASAP.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Only way to know for sure is to install AdGuard as a trial and repeat what you did when you received the fake malware alert.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
itman, I do still have it installed, just have not renewed it yet. I have gone back and tried to repeat it and nothing. Even used Comodo's inspector and still nothing.

    http://app.webinspector.com/
    Not sure if the site figured it out or if the bad guys pulled the plug since they were busted.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.