JS/EXploit.CVE-2010-0806 trojan on Yahoo!

Seems like each time I go to the Yahoo home page I am getting this error.

~Link removed. No links to possible malware are to be posted here on the forums.~
JS/Exploit.CVE-2010-0806 trojan
connection terminated
Threat was detected upon access to web by the application:
C:\Program Files\Mozilla Firefox\firefox.exe.


Is this some problem with one of Yahoo's ads or is it a problem with my system?

 

Same thing here but not just on Yahoo.

 

We are getting a ton of these, too. Is this a false positive?

 

We just had this when some of my users in our business network visited the following site:

~Link removed~

Kaspersky had information on this trojan since March 10th. A scan and upload to Virustotal is not seeing anything.

ESET updated for this exploit on sig 4983.

Need for admin to verify on this issue.

 

Have positive reaction to persist.js - it's PersistJS library by Pablotron.
All sites which using this library got troubles.

 

I'm also getting a lot of these alerts from all over the network. I ran one of the files against Virus Total, and oddly enough, it reports clean by everything, including NOD32 with the same 4985 database I have.

 

It looks like this is a 3rd party advertiser that is hosting malware (I doubt it is intentional, though). It's being served to the akamai.net caching network, so doing a IP block at your firewall is likely to have some bad unintended consequences.

 

I'm seeing a trend from several posts early today as some have pointed to Loomia as being the culprit.
It is entirely possible that new content is being delivered via this content provider that is emerging only now.
The folks at ESET will certainly monitor this and ad or remove items from that detection database as soon as possible.
The below two threads point to this thread:
https://www.wilderssecurity.com/showthread.php?t=268920
https://www.wilderssecurity.com/showthread.php?t=268933
Note: Both now closed for commenting.

 

Got a bunch of these too. I put a block in our firewall on a.l.yimg.com and has stopped them from hitting users for now.
The domain is owned by yahoo and I'm guessing yimg stands for yahoo imaging. I went to my yahoo home page and hit a few yahoo stories. Putting that block doesn't appear to present any problems surfing yahoo sites.

Actually I found by putting a block on the url mentioned prevents yahoo search results from displaying properly. Apparently a lot of our people were using yahoo for searches.

 

Am getting them virtually every time I play a video on FoxNews.com home page

See my screenshot

~Screenshot removed. Not needed.~

QUESTION: Any preventive action needed on my part, or simply wait until ESET sorts through the matter?

 

I'm getting these too, except it looks like from a different js script:

~Link removed.~

contains JS/Exploit.CVE-2010-0806 trojan.


I've attached the js file (renamed to .txt)

 

Detection will be temporarily removed in the upcoming update 4986 until the code is reviewed.

 

See my post here Supersnake
As this is emerging do not visit Fox, Yahoo, WSJ sites and others cited in the link I posted to ad content provider Loomia.

 

ESET found this "trojan" in the .js file for our Lexis Nexis InterAction server this morning. It deleted the file and brought the service down.

 

ESET has updated to 4986.
No more loomia.com/JS script alerts.

Thanks.

 

Marcos:

1) I'm badly confused; please clarify: Detection of what will be removed? The detection of the JS/Exploit.CVE-2010-0806 trojan that comes from anywhere (e.g. Yahoo, or a site involving loomia, etc.), or detection of the JS/Exploit.CVE-2010-0806 trojan only from particular sites, e.g. Yahoo?

2) Is there a decision yet about whether the JS/Exploit.CVE-2010-0806 trojan is real malware, or a false positive?

Cordially, Roger Folsom
________________________________________________________________

BACKGROUND
Personally, I've never had NOD32 v4.0.x (or its predecessor 2.75) notice this JS/Exploit.CVE-2010-0806 trojan either in email or when I manually download a file.

However, on Tuesday morning (PDT) 30 March I ran a routine demand-scan, which discovered and cleaned 58 intrusions of the JS/Exploit.CVE-2010-0806 trojan. Each intrusion was in a Wall Street Journal downloaded article _file folder (containing images, cascading style sheets, etc.) in a clixdom.js file, which is a routine part of those WSJ downloaded article folders --- that is, although I can't do an accurate count because my WSJ downloads are scattered all over my hard drive in relevant topic folders, my guess is that all my WSJ downloaded article _file folders contain a clixdom.js file (unless I edited the _file folder as part of editing the downloaded document, and while doing so deleted the clixdom.js file).

I just now ran a search for clixdom.js, and I now have 217 WSJ downloaded _file folders containing a clixdom.js file, and I haven't downloaded and saved any WSJ articles since the demand scan. So NOD32 apparently discovered the JS/Exploit.CVE-2010-0806 trojan in only 58 of 217 clixdom.js files.

To me, that suggests that perhaps my 58 trojan intrusions were NOT false positives.

But that's a guess, since my collection of clixdom.js files vary in size from 25kb down to 11kb, so all clixdom.js files are not alike.

I also did a search for loomia, and got only two hits: two "Recommendations by loomia" icons (in one WSJ downloaded article _file folder) for a WSJ article written in October 2007 but not downloaded until 19 November 2007.

 

Detection opf JS/Exploit.CVE-2010-0806 was adjusted about 2 days ago so that only actual exploits are detected. Previous detection might have flagged also some clean scripts.

 

Marcos:

Thanks for that information. Can you tell me whether any of the actual exploits were contained in clixdom.js files, especially those that were not associated with loomia?

Roger Folsom

 

If the files are not flagged with the current signature db version 4994, then they don't contain the exploit in question.

 

Marcos:

Thanks.

For backup reasons, those WSJ journal articles are not only on my computer, but also on my wife's computer, but NOD32 4.0.474 demand scans found intrusions on clixdom.js files only on my computer and not on hers. She ran her demand scan several hours after I did, so we're guessing that she ran her scan during the time interval when "Detection . . . [was] temporarily removed in the upcoming update 4986 until the code is reviewed."

So we will run new scans, using today's update 4995 or later.

Thanks again, for your clarifications.

Roger Folsom