What do you think I should do?

Discussion in 'ESET NOD32 Antivirus' started by Engineeringfun, Jun 24, 2011.

Thread Status:
Not open for further replies.
  1. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    While I was at school, my Mum looked up an article on some incident in Australia and when she clicked on it, a warning from WOT indicated that the site was compromised, and she told me she then clicked out of it. When I came home, I looked in the Nod32 quarantine and it said it blocked two redirector trojans that obviously wanted it to redirect to a malware site, which it blocked. I did a scan of the computer and it found 1 thing, which was an HTML/Iframe.b.gen virus in the Mozilla Firefox Cache files.

    I did another scan with Malwarebytes and HitmanPro: nothing.

    Just wondering what the Iframe virus does, and has it taken any important data, as I will become a bit stressed if it has taken anything, as we are moving houses at the moment? My parents just don't know how to navigate the Internet safely, so I changed the WOT thing to block, not warn. Any ideas?
     
  2. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Open the detected file in notepad
     
  3. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    I think Nod32 deleted it; when it asked for the action to be taken, I pressed delete. Are there any sites that would have general information on this Iframe virus? Nod32's website says it's an HTML frame virus that redirects the user to a malicious site, where Nod terminated the Redirector trojans that attempted to do this.
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    It sounds like you're fine to me. NOD did what it was supposed to do and MBAM and Hitman found zilch.
     
  5. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    But NOD only discovered this Iframe virus a week after the incident actually occurred, so that means it has been sitting there for a week.

    Should I be concerned that it has done anything? Wouldn't Nod detect something if this virus attempted to perform any malicious activity or execute?

    Thanks
     
  6. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Then NOD has killed the file before you had any chance of loading that file in your browser and getting redirected to a malicious website instead.
     
  7. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    Yeah, that's really awesome, but what about the Iframe.b.gen virus? That wasn't blocked, that was just found sitting there a week after the actual trojan blocking procedure occurred.

    I am just concerned it has done something malicious in the background that I am unaware of, and there is not enough info on the Internet about what it actually does.

    Do you know anything about this strange virus?

    Thank you :)
     
  8. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    Bump.... anyone know anything about this Iframe virus? It could have been doing anything sitting there? Thanks
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I don't know anything about that virus, but have you consulted Eset's online virus database or encyclopedia? As far as whether or not the virus was doing anything, I suspect Eset would have snuffed it out if it attempted to execute.
     
  10. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    Eset says it is:

    HTML/Iframe.B.Gen is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software

    That's all it says though, doesn't give a detailed description. Could the Iframe virus have become deactivated/non-executable due to the termination of the trojans, which supports the actual process of directing the host to the malicious website and then Nod32 detected the file?

    Thank you for your time
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    It's possible, I suppose; however, I don't know enough to say, so I'll leave the answer to someone with expertise in the field.
     
  12. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Under what website did the detection of the iframe occur? You can view it under Log files - Detected threats.
    Maybe we can explain that detection ;)
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  14. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    The Iframe virus is not listed under detected threats, but the redirector trojans are. It says:

    -http://akooramak//au.... not writing all of the link as it may contain the HTML iframe virus. Threat: JS/Redirector.NID trojan- connection terminated

    When you type that website into google, it says this site may be compromised, so my Mum didn't see that and went straight ahead. The Iframe virus is listed in the quarantine though.
     
    Last edited by a moderator: Jun 26, 2011
  15. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    You can view embedded webpages inside a webpage with iframes.

    Basically, that detection means you are prevented from loading content in other sites.

    If you open that HTML file in notepad you can view the external URLs in the iframe tag.
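
    What the notepad check suggested in this thread looks for, as an added example (not part of any post here and not ESET's detection logic): a Python sketch that lists the iframe tags in an HTML file without opening it in a browser, and flags frames that are both hidden and hosted on another site. The host names, the sample page and the hidden/external heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_SIZE = re.compile(r"[01](px)?", re.I)  # width/height of 0 or 1 pixel

class IframeLister(HTMLParser):
    """Records every <iframe> start tag; nothing is rendered or fetched."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "").strip() for name, value in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        tiny = any(TINY_SIZE.fullmatch(a.get(dim, "")) for dim in ("width", "height"))
        self.findings.append({
            "src": src,
            "external": bool(host) and host != self.page_host,
            "hidden": tiny or bool(HIDDEN_STYLE.search(a.get("style", ""))),
        })

def list_iframes(html_text, page_host):
    parser = IframeLister(page_host)
    parser.feed(html_text)
    parser.close()
    return parser.findings

def hidden_external(findings):
    """Frames that are both invisible and served from another host."""
    return [f["src"] for f in findings if f["hidden"] and f["external"]]

# Constructed sample page (reserved .example/.invalid names), not the file from the thread.
SAMPLE = """<html><body><h1>Local news</h1>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/weather.html" style="display:none"></iframe>
<iframe src="http://redirect.invalid/in.htm" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in list_iframes(SAMPLE, "news.example"):
        print(finding)
```

    A visible embed from another site and a hidden frame from the same site are both common on ordinary pages; it is the combination of hidden and external that is worth a closer look.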
     
  16. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    If nod32 deleted it, am I good now? Or is there a risk of something else? Does that type of infection pose any danger to the computer now?

    Thanks
     
  17. Engineeringfun

    Engineeringfun Registered Member

    Joined:
    Apr 8, 2011
    Posts:
    48
    Location:
    Australia
    Don't worry, I believe I am clean. I just read this on F-Secure which highlights that I am only affected if I actually visit the malicious website (which Nod blocked) and it will then execute, and Nod then deleted it.

    Additional Details
    This malware will only affect a user who is browsing a malicious website, or a legitimate website which has been compromised. Unlike more straightforward trojan-downloaders, this malware does not directly download the malicious files itself, but rather redirects the user to malicious websites which perform the actual download automatically.

    Upon execution, this malware uses Iframe tags to redirect the user to the malicious websites:

    -http://user1.jzm018.cn/[...]/fxx.htm - Trojan-Downloader.JS.Agent.ckl
    -http://jzm015.cn/[...]x.htm - redirects to ilink.html, flink.html
    -http://jzm015.cn/][...]c.htm - Trojan-Downloader.JS.Agent.ckk

    These sites will then subject the visitor to a drive-by download.

    Argh I don't know how to edit the link =.=
     
    Last edited by a moderator: Jun 27, 2011