Yahoo email trojan alert

Anyone else seeing the following alert from NOD32 4.2.67.10 when connecting to Yahoo mail Dec 29th? Seeing it in both Firefox and Chrome and Yahoo support are clueless:

12/29/2010 10:47:30 AM HTTP filter archive http://mail.yimg.com/zz/...blue_922.css Win32/Exploit.CVE-2010-3962.A trojan connection terminated - quarantined

 

I have been getting alerts like that all morning long (canada411.yellowpages.ca, provigo.ca, hockey.fantasysports.yahoo.com, ...).

Looks like everyone is infected, or they are just false-positive.

I checked the computers that got the alerts and they seem fine.

 

Ok thanks. Seems some advertiser they all use is serving up malware in ads.

 

I just went to make a post on Amazon and that warning popped up and dropped it straight to quarantine. Which is odd, as I just ran a scan and it found nothing.

 

Any idea if it was an ad banner being served up at Amazon? Wondering if this is a false positive? I submitted the file from here but do not know how quickly it will be fixed if it is a false positive.

 

No banners at the top as it was on one of their forums. It threw me out fast, I had to back check via my history. Just seemed very odd as I was on there a bit this afternoon and got nothing, it only happened after I had my tea.

 

NOD 32 is picking up this apparent trojan when I'm using Microsoft Live
"Win32/CVE-2010-3962.A".
Seems to pretty wide ranging!
The Microsoft website refers to this trojan and advises to remove it - without actually saying how.

 

I just ran a Google search and it seems to be everywhere. But how on earth can so many have got this Trojan? I've hardly been online today, only since about 2pm UK time. I haven't been anywhere dodgy just Amazon and a couple of baseball sites.

Edit: 7.15pm - Have just ran a full virus scan and Malwarebytes and neither found any suspicious.

 

Just got a notice from NOD32 while surfing the web in Firefox!

Here is the line I cut and pasted from the NOD32 log

Code:

12/29/2010 2:03:56 PM	Real-time file system protection	file	C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\2fe5twru.default\sessionstore-1.js	Win32/Exploit.CVE-2010-3962.A trojan	cleaned by deleting - quarantined	VOSTRO1400\user	Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

What the heck is going on? I signed up on this forum just to post and get more info about this

Thanks

 

Just want to add that I am *not* using Yahoo e-mail. The only tabs I have open at the moment are GMAIL, Wilders Security, Chowhound (food forum) and google search

MSN Messenger is running but NOD32 says the threat is from Firefox

 

Hello,

Issue is under investigation. Thank you for your reports.

Regards,

Aryeh Goretsky

 

Just got another one, 2:46PM EST as soon as I went to maps.google.com and was inputting an address for directions

Code:

12/29/2010 2:45:24 PM	Real-time file system protection	file	C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\2fe5twru.default\sessionstore-1.js	Win32/Exploit.CVE-2010-3962.A trojan	cleaned by deleting - quarantined	VOSTRO1400\user	Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

Will submit file for analysis

 

I just tried and nothing happened. Weird.

 

No alerts with either my yahoo or ymail accounts.

 

I get this same message when visiting zehrs.ca

This happens in both chrome and firefox.

EDIT: I have also submitted this for analysis.

 

I just got this as well on The Telegraph website (well known published newspaper in UK). It got quarantined, and I deleted it from there after (thats ok right?).

 

Security researchers warn that a new mass injection attack is underway directing the visitors of hundreds of websites to a malicious Java applet which downloads a trojan.

http://news.softpedia.com/news/Troj...ction-Attack-via-Java-Downloader-174971.shtml

 

I've seen things get blocked from Hulu and Youtube today as well.

 

Updates were stopped a while ago. A new update with the exploit detection removed is being prepared right now. The detection will be then examined further to confirm or deny being a false positive.

 

I dont think they are FPs. From what I see they are indeed real, but I could be wrong.

 

Please keep me posted, I've subscribed to this thread, I just got another one while visiting eBay at 4:30PM EST

Thanks guys

 

To the mods: I received this virus alert on a CSS file I am currently developing that is not even hosted anywhere live. After poking around with the file, commenting various rules and refreshing, I discovered it was a specific IE6/IE7 CSS hack that seems to be doing it.

Here was the CSS rule in question:

.visuallyhidden {
position:absolute !important;
clip: rect(1px 1px 1px 1px); /* IE6, IE7 */
clip: rect(1px, 1px, 1px, 1px);
}

 

that would explain why I am not getting it with IE9. Correct?

 

i just upgraded to ie9 beta ; went to provigo.ca where i had the trojan appear on the latest upgrades of opera firefox and chrome.
i had the nod32 auto message on the trojan using ie9.
oh well.

 

yep, I did to and got it. Sent it to Virustotal and no one, including Eset detected it.