Yahoo email trojan alert

Discussion in 'ESET NOD32 Antivirus' started by enduser999, Dec 29, 2010.

Thread Status:
Not open for further replies.
  1. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Anyone else seeing the following alert from NOD32 4.2.67.10 when connecting to Yahoo mail Dec 29th? Seeing it in both Firefox and Chrome and Yahoo support are clueless:

    12/29/2010 10:47:30 AM HTTP filter archive http://mail.yimg.com/zz/...blue_922.css Win32/Exploit.CVE-2010-3962.A trojan connection terminated - quarantined
     
  2. MCote

    MCote Registered Member

    Joined:
    Aug 21, 2008
    Posts:
    1
    I have been getting alerts like that all morning long (canada411.yellowpages.ca, provigo.ca, hockey.fantasysports.yahoo.com, ...).

    Looks like everyone is infected, or they are just false-positive.

    I checked the computers that got the alerts and they seem fine.
     
    Last edited by a moderator: Dec 29, 2010
  3. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Ok thanks. Seems some advertiser they all use is serving up malware in ads.
     
  4. spanishjohnny

    spanishjohnny Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    16
    I just went to make a post on Amazon and that warning popped up and dropped it straight to quarantine. Which is odd, as I just ran a scan and it found nothing.
     
  5. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Any idea if it was an ad banner being served up at Amazon? Wondering if this is a false positive? I submitted the file from here but do not know how quickly it will be fixed if it is a false positive.
     
  6. spanishjohnny

    spanishjohnny Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    16
    No banners at the top as it was on one of their forums. It threw me out fast, I had to back check via my history. Just seemed very odd as I was on there a bit this afternoon and got nothing, it only happened after I had my tea.
     
  7. Kiwi Guy

    Kiwi Guy Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    2
    NOD 32 is picking up this apparent trojan when I'm using Microsoft Live
    "Win32/CVE-2010-3962.A".
    Seems to be pretty wide ranging!
    The Microsoft website refers to this trojan and advises to remove it - without actually saying how.
     
  8. spanishjohnny

    spanishjohnny Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    16
    I just ran a Google search and it seems to be everywhere. But how on earth can so many have got this Trojan? I've hardly been online today, only since about 2pm UK time. I haven't been anywhere dodgy just Amazon and a couple of baseball sites.

    Edit: 7.15pm - Have just run a full virus scan and Malwarebytes and neither found anything suspicious.
     
    Last edited: Dec 29, 2010
  9. duckdown

    duckdown Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    5
    Just got a notice from NOD32 while surfing the web in Firefox!

    Here is the line I cut and pasted from the NOD32 log


    Code:
    12/29/2010 2:03:56 PM	Real-time file system protection	file	C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\2fe5twru.default\sessionstore-1.js	Win32/Exploit.CVE-2010-3962.A trojan	cleaned by deleting - quarantined	VOSTRO1400\user	Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
    
    What the heck is going on? I signed up on this forum just to post and get more info about this

    Thanks
     
  10. duckdown

    duckdown Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    5
    Just want to add that I am *not* using Yahoo e-mail. The only tabs I have open at the moment are GMAIL, Wilders Security, Chowhound (food forum) and google search

    MSN Messenger is running but NOD32 says the threat is from Firefox
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Issue is under investigation. Thank you for your reports.

    Regards,

    Aryeh Goretsky
     
  12. duckdown

    duckdown Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    5
    Just got another one, 2:46PM EST as soon as I went to maps.google.com and was inputting an address for directions


    Code:
    12/29/2010 2:45:24 PM	Real-time file system protection	file	C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\2fe5twru.default\sessionstore-1.js	Win32/Exploit.CVE-2010-3962.A trojan	cleaned by deleting - quarantined	VOSTRO1400\user	Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
    
    Will submit file for analysis
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I just tried and nothing happened. Weird.
     
  14. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    No alerts with either my yahoo or ymail accounts.
     
  15. Aiidoneus

    Aiidoneus Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    1
    I get this same message when visiting zehrs.ca

    This happens in both chrome and firefox.

    EDIT: I have also submitted this for analysis.
     
    Last edited by a moderator: Dec 29, 2010
  16. Kasanak

    Kasanak Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    2
    I just got this as well on The Telegraph website (well known published newspaper in UK). It got quarantined, and I deleted it from there after (that's ok, right?).
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
  18. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I've seen things get blocked from Hulu and Youtube today as well.
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Updates were stopped a while ago. A new update with the exploit detection removed is being prepared right now. The detection will be then examined further to confirm or deny being a false positive.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I don't think they are FPs. From what I see they are indeed real, but I could be wrong.
     
  21. duckdown

    duckdown Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    5
    Please keep me posted, I've subscribed to this thread, I just got another one while visiting eBay at 4:30PM EST

    Thanks guys
     
  22. PhazeonPhoenix

    PhazeonPhoenix Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    1
    To the mods: I received this virus alert on a CSS file I am currently developing that is not even hosted anywhere live. After poking around with the file, commenting various rules and refreshing, I discovered it was a specific IE6/IE7 CSS hack that seems to be doing it.

    Here was the CSS rule in question:

    .visuallyhidden {
        position: absolute !important;
        clip: rect(1px 1px 1px 1px); /* IE6, IE7 */
        clip: rect(1px, 1px, 1px, 1px);
    }
     
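An added triage helper, not from this thread or from ESET, that lists every clip: rect() declaration in a stylesheet and tells the legacy space-separated IE6/IE7 form apart from the standard comma-separated form, so a site owner whose CSS was quarantined can confirm that the file holds nothing more than the hack described in the post above. The sample stylesheet is constructed here and includes the rule quoted in the post; the function and pattern names are this example's own.

```python
import re

# Strip /* ... */ comments so a clip rule quoted inside a comment is not counted.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# A clip declaration using rect(); group 1 is the text between the parentheses.
CLIP_RE = re.compile(r"clip\s*:\s*rect\(\s*([^)]*?)\s*\)", re.IGNORECASE)
# One rect() offset: 'auto', a bare zero, or a number with a unit (px, em, %, ...).
OFFSET_RE = re.compile(r"^(auto|0|-?\d+(\.\d+)?[a-z%]+)$", re.IGNORECASE)


def classify_clip_rules(css: str) -> list:
    """Return (raw_arguments, variant) for every clip: rect() in a stylesheet.

    variant is 'ie6-7-hack' for the legacy space-separated form, 'standard'
    for the comma-separated CSS 2.1 form, and 'malformed' for anything else.
    """
    results = []
    for match in CLIP_RE.finditer(COMMENT_RE.sub("", css)):
        args = match.group(1)
        if "," in args:
            parts = [p.strip() for p in args.split(",")]
            variant = "standard"
        else:
            parts = args.split()
            variant = "ie6-7-hack"
        if len(parts) != 4 or not all(OFFSET_RE.match(p) for p in parts):
            variant = "malformed"
        results.append((args, variant))
    return results


def triage_stylesheet(css: str) -> dict:
    """Count the variants so a reviewer sees at a glance what a flagged file holds."""
    counts = {"ie6-7-hack": 0, "standard": 0, "malformed": 0}
    for _, variant in classify_clip_rules(css):
        counts[variant] += 1
    return counts


# Constructed sample: the rule quoted in the post above plus an ordinary selector.
SAMPLE_CSS = """
.visuallyhidden {
    position: absolute !important;
    clip: rect(1px 1px 1px 1px); /* IE6, IE7 */
    clip: rect(1px, 1px, 1px, 1px);
}
.banner { clip: rect(0, auto, auto, 0); }
"""

if __name__ == "__main__":
    for args, variant in classify_clip_rules(SAMPLE_CSS):
        print(f"{variant:12s} clip: rect({args})")
    print(triage_stylesheet(SAMPLE_CSS))
```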
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    that would explain why I am not getting it with IE9. Correct?
     
  24. cognizant

    cognizant Registered Member

    Joined:
    Dec 29, 2010
    Posts:
    2
    I just upgraded to IE9 beta; went to provigo.ca where I had the trojan appear on the latest upgrades of Opera, Firefox and Chrome.
    I had the NOD32 auto message on the trojan using IE9.
    Oh well.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Yep, I did too and got it. Sent it to VirusTotal and no one, including Eset, detected it.
     