Interesting place for a virus

IMON popped up with this when I was logging out of Hotmail. Strange.

Infiltration details:

Web page:
http://login.passport.net/uilogout.srf?lc=1033&id=2&ru=http://signout.msn.com

Infiltration:
probably unknown POLY.CRYPT.COM virus

Description:
Access to the web page was blocked by IMON.

Well, regardless of how it got there, IMON blocked it.

 

hmm..... there's no virus on your link. But it can't be because it's the log off from your account. Have you tried logging on and off again?

Or...perhaps MS started posting viruses on their websites.

 

You know that wouldn't surprise me at all.

Actually it was probably a false positive of some sort.

 

Is Hotmail log off -MSN infected?

NOD32 antivirus system alert: IMON
Infiltration detected !


Infiltration details:

Web page:
http://login.passport.net/uilogout.srf?lc=1033&id=2&ru=http://signout.msn.com

Infiltration:
probably unknown POLY.CRYPT.TSR.COM virus

Description:
Access to the web page was blocked by IMON.

www.nod32.com

I posted about this on January 9th under post "Strange place for a virus". It popped up again tonight. Anyone have any idea of what is going on?

 

Using the link you provided I get nothing with NOD or KAV.

 

Well, I obviously did. I copied and pasted from the IMON popup. It does not happen all the time. So far just these two times.

 

Have a look in your logs to see the exact web page that is being blocked, as we can not get to it through a signin page for MSN.

Cheers

 

Blackspear, where in logs should I look? It is blocked by IMON and would not be in quarantine. The only reference to it is in the IMON "blocked-cleaned" list. It occurs sporadically when I am logging out of Hotmail. That takes one directly to MSN.com.
Ok, in the threat log I have this entry:

Time Module Object Name Threat Action User Information
1/20/2006 20:50:32 PM IMON archive http://login.passport.net/uilogout.srf?lc=1033&id=2&ru=http://signout.msn.com probably unknown POLY.CRYPT.TSR.COM virus

 

Do you have the following ticked?

Without knowing the exact website there is not much more that can be done.

Cheers

 

This is not part of your extra settings for NOD sticky. Should we be ticking that box anyway?

 

Oh it's there now I tick it so for cases like this thread we can see exactly where the intrusion attempt is coming from.

Cheers

 

Nope. I am wondering if this is maybe something connected with the new AH engine? I did read something about a new one recently didn't I?

 

It could be, but without knowing the actual website causing the issue it will be very hard to determine, as we can not get inside a UN and PW protected site to see what you see.

Cheers

 

Hello:

Same thing happened to me. Sent quarrantined information to ESET.

Firewall Logs revealed following:

202.56.94.93

inetnum: 202.56.80.0 - 202.56.95.255
netname: AIRZED
descr: Airzed Networks Sdn Bhd
descr: Broadband Wireless Internet Service Provider,
descr: Kuala Lumpur, Malaysia

64.54.183.195
64.4.19.250
65.54.183.192
209.62.176.187
72.246.50.22
64.4.19.250

Top IP was the last IP address shown after signing off Hotmail.com

Hope this is helpful.

Tried to upload .bmp of log itself, but unable to for some reason.

Devin