JS/Exploit.CVE-2010-0806 trojan on Yahoo!

Discussion in 'ESET NOD32 Antivirus' started by xdrfinn, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. xdrfinn

    xdrfinn Registered Member

    Joined:
    Feb 5, 2010
    Posts:
    4
    Seems like each time I go to the Yahoo home page I am getting this error.

    ~Link removed. No links to possible malware are to be posted here on the forums.~

    JS/Exploit.CVE-2010-0806 trojan
    connection terminated
    Threat was detected upon access to web by the application:
    C:\Program Files\Mozilla Firefox\firefox.exe.


    Is this some problem with one of Yahoo's ads or is it a problem with my system?
     
    Last edited by a moderator: Mar 30, 2010
  2. rcash

    rcash Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    56
    Same thing here but not just on Yahoo.
     
  3. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    We are getting a ton of these, too. Is this a false positive?
     
  4. knockknock

    knockknock Registered Member

    Joined:
    Oct 27, 2008
    Posts:
    5
    We just had this when some of my users in our business network visited the following site:

    ~Link removed~

    Kaspersky had information on this trojan since March 10th. A scan and upload to Virustotal is not seeing anything.

    ESET updated for this exploit on sig 4983.

    Need for admin to verify on this issue.
     
    Last edited by a moderator: Mar 30, 2010
  5. MiksIr

    MiksIr Registered Member

    Joined:
    Mar 30, 2010
    Posts:
    1
    Getting a positive on persist.js - it's the PersistJS library by Pablotron.
    All sites which use this library are having trouble.
     
  6. sedell

    sedell Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    26
    I'm also getting a lot of these alerts from all over the network. I ran one of the files against Virus Total, and oddly enough, it reports clean by everything, including NOD32 with the same 4985 database I have.
     
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    It looks like this is a 3rd party advertiser that is hosting malware (I doubt it is intentional, though). It's being served through the akamai.net caching network, so doing an IP block at your firewall is likely to have some bad unintended consequences.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I'm seeing a trend from several posts early today, as some have pointed to Loomia as being the culprit.
    It is entirely possible that new content is being delivered via this content provider that is emerging only now.
    The folks at ESET will certainly monitor this and add or remove items from that detection database as soon as possible.
    The below two threads point to this thread:
    https://www.wilderssecurity.com/showthread.php?t=268920
    https://www.wilderssecurity.com/showthread.php?t=268933
    Note: Both now closed for commenting.
     
    Last edited: Mar 30, 2010
  9. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    Got a bunch of these too. I put a block in our firewall on a.l.yimg.com and it has stopped them from hitting users for now.
    The domain is owned by Yahoo and I'm guessing yimg stands for Yahoo imaging. I went to my Yahoo home page and hit a few Yahoo stories. Putting that block in doesn't appear to present any problems surfing Yahoo sites.

    Actually I found by putting a block on the url mentioned prevents yahoo search results from displaying properly. Apparently a lot of our people were using yahoo for searches.
     
    Last edited: Mar 30, 2010
  10. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Am getting them virtually every time I play a video on the FoxNews.com home page.

    See my screenshot

    ~Screenshot removed. Not needed.~

    QUESTION: Any preventive action needed on my part, or simply wait until ESET sorts through the matter?
     
    Last edited by a moderator: Mar 30, 2010
  11. SnakeByte

    SnakeByte Registered Member

    Joined:
    Nov 3, 2009
    Posts:
    4
    I'm getting these too, except it looks like from a different js script:

    ~Link removed.~

    contains JS/Exploit.CVE-2010-0806 trojan.


    I've attached the js file (renamed to .txt)
     
    Last edited by a moderator: Mar 30, 2010
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Detection will be temporarily removed in the upcoming update 4986 until the code is reviewed.
     
    Last edited: Mar 30, 2010
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    See my post here Supersnake
    As this is emerging do not visit Fox, Yahoo, WSJ sites and others cited in the link I posted to ad content provider Loomia.
     
  14. chvss

    chvss Registered Member

    Joined:
    Jan 28, 2010
    Posts:
    8
    ESET found this "trojan" in the .js file for our Lexis Nexis InterAction server this morning. It deleted the file and brought the service down.
     
  15. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    ESET has updated to 4986.
    No more loomia.com/JS script alerts.

    Thanks.
     
    Last edited: Mar 30, 2010
  16. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    1) I'm badly confused; please clarify: Detection of what will be removed? The detection of the JS/Exploit.CVE-2010-0806 trojan that comes from anywhere (e.g. Yahoo, or a site involving loomia, etc.), or detection of the JS/Exploit.CVE-2010-0806 trojan only from particular sites, e.g. Yahoo?

    2) Is there a decision yet about whether the JS/Exploit.CVE-2010-0806 trojan is real malware, or a false positive?

    Cordially, Roger Folsom
    ________________________________________________________________

    BACKGROUND
    Personally, I've never had NOD32 v4.0.x (or its predecessor 2.75) notice this JS/Exploit.CVE-2010-0806 trojan either in email or when I manually download a file.

    However, on Tuesday morning (PDT) 30 March I ran a routine demand-scan, which discovered and cleaned 58 intrusions of the JS/Exploit.CVE-2010-0806 trojan. Each intrusion was in a Wall Street Journal downloaded article _file folder (containing images, cascading style sheets, etc.) in a clixdom.js file, which is a routine part of those WSJ downloaded article folders --- that is, although I can't do an accurate count because my WSJ downloads are scattered all over my hard drive in relevant topic folders, my guess is that all my WSJ downloaded article _file folders contain a clixdom.js file (unless I edited the _file folder as part of editing the downloaded document, and while doing so deleted the clixdom.js file).

    I just now ran a search for clixdom.js, and I now have 217 WSJ downloaded _file folders containing a clixdom.js file, and I haven't downloaded and saved any WSJ articles since the demand scan. So NOD32 apparently discovered the JS/Exploit.CVE-2010-0806 trojan in only 58 of 217 clixdom.js files.

    To me, that suggests that perhaps my 58 trojan intrusions were NOT false positives.

    But that's a guess, since my collection of clixdom.js files varies in size from 25kb down to 11kb, so all clixdom.js files are not alike.

    I also did a search for loomia, and got only two hits: two "Recommendations by loomia" icons (in one WSJ downloaded article _file folder) for a WSJ article written in October 2007 but not downloaded until 19 November 2007.
     
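One way to check whether the flagged clixdom.js copies all belong to the same script variant, as an added example written for this thread (not code from the poster or from ESET): it walks a folder tree, groups every clixdom.js by SHA-256, and counts how many copies of each variant appear in a scanner's list of flagged paths. The folder names and file contents below are a constructed sample; the reader would point it at their own download folders and paste in the paths from the scan log.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

TARGET_NAME = "clixdom.js"  # file name reported in the thread


def inventory(root, name=TARGET_NAME):
    """Walk `root`, find every file called `name`, and group paths by SHA-256.
    Returns {sha256_hex: {"size": <bytes>, "paths": [<path>, ...]}}."""
    variants = defaultdict(lambda: {"size": 0, "paths": []})
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            digest = hashlib.sha256(data).hexdigest()
            variants[digest]["size"] = len(data)
            variants[digest]["paths"].append(path)
    return dict(variants)


def variant_report(variants, flagged_paths):
    """Per variant: (short hash, size, total copies, copies the scanner flagged).
    If every flagged copy is one variant and none of the others were hit, the
    detection is keyed on that variant's content rather than the file name."""
    flagged = {os.path.normpath(p) for p in flagged_paths}
    rows = []
    for digest, info in variants.items():
        hit = sum(1 for p in info["paths"] if os.path.normpath(p) in flagged)
        rows.append((digest[:12], info["size"], len(info["paths"]), hit))
    return sorted(rows, key=lambda r: -r[2])


def build_sample_tree():
    """Constructed sample: three WSJ-style _files folders, two sharing one script build."""
    root = tempfile.mkdtemp()
    scripts = {
        "article_a_files": b"// variant 1\nvar clixdom = {};\n",
        "article_b_files": b"// variant 1\nvar clixdom = {};\n",
        "article_c_files": b"// variant 2\nvar clixdom = {}; /* different build */\n",
    }
    for folder, body in scripts.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, TARGET_NAME), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    inv = inventory(root)
    # Constructed scan log: only article_c's copy was flagged.
    flagged = [os.path.join(root, "article_c_files", TARGET_NAME)]
    for digest, size, copies, hit in variant_report(inv, flagged):
        print(f"{digest}  {size:5d} bytes  {copies} copies  {hit} flagged")
```

Re-running the report after the updated signature database (4994 or later, per the ESET reply) shows whether the hits collapse onto a single content variant or disappear entirely.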
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Detection of JS/Exploit.CVE-2010-0806 was adjusted about 2 days ago so that only actual exploits are detected. The previous detection might also have flagged some clean scripts.
     
  18. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    Thanks for that information. Can you tell me whether any of the actual exploits were contained in clixdom.js files, especially those that were not associated with loomia?

    Roger Folsom
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the files are not flagged with the current signature db version 4994, then they don't contain the exploit in question.
     
  20. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    Thanks.

    For backup reasons, those WSJ journal articles are not only on my computer, but also on my wife's computer, but NOD32 4.0.474 demand scans found intrusions on clixdom.js files only on my computer and not on hers. She ran her demand scan several hours after I did, so we're guessing that she ran her scan during the time interval when "Detection . . . [was] temporarily removed in the upcoming update 4986 until the code is reviewed."

    So we will run new scans, using today's update 4995 or later.

    Thanks again, for your clarifications.

    Roger Folsom
     