Getting virus warning at a cooking website...

I receive a newsletter by email from Lidia Bastianich (Lidia’s Kitchen, on PBS) and in today’s edition there were numerous links to her website for further info, etc. No matter which link I tried, including the main homepage, I got a virus warning for this virus:

HTML:IFrame-DI [Trj]

Is this a false positive? Should I try to contact the webmaster for her site and let them know - assuming they are not aware?

I searched the archives here and also the virus info area and it seems like a hacker problem. Can anyone help me with this? Thanks in advance.

Very weird…

Michael

Hi MrMiker,

This is increasingly common nowadays with many legitimate sites becoming infected due to hackers etc.

Could you post the link(s) that avast alerted to?

Please modify the address to make it non-clickable to prevent others potentially becoming infected (i.e. change http to hXXp)

-Scott-

Thanks for responding Scott. I appreciate it.

Here’s one of the links:

hXXp://lidiasitaly.com

Michael

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Hi MrMiker,

One suspicious inline script found there, that goes like this (fragment)

  a=new Array('6e+1','1.15e+2','0.99e+2','0.114e+3','0.105e+3','0.112e+3','1.16e+2','6.2e+1','0.032e+...  

4 pages have been downloading and installing malicious software without user’s consent. The last time this was found was on 2009-07-09.

Malicious software includes 227 scripting exploit(s), 4 trojan(s), 4 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malcode is being hosted at 1 domain, e.g. 888admins.cn/.

ZeuS host 888admins.cn

ZeuS host: 888admins.cn
IP address: 59.125.229.68
Host status: online
SBL: Not listed
Level: 4 (Unknown / not categorized)
AS number: 3462
AS name: HINET Data Communication Business Group
Country: Taiwan, Province of China (TW)
Date added: 2009-06-16 14:23:16
Last checked: 2009-06-26 09:24:52
Last updated: 2009-06-20 08:21:41
BL status: This host is beeing published on the ZeuS Blocklist!
and here: http://www.mywot.com/en/forum/3822-over-300-new-malicious-domains-to-blacklist

This site was hosted on 2 network(s) including AS6245 (NETWORK), AS15169 (GOOGLE),

polonus

Hi MrMiker,

As Polonus has said there is that script in the page, which has been obfuscated to hide the intent (even though, more often than not, it makes it easier to find).

Here is an analysis of that site:
http://www.UnmaskParasites.com/security-report/?page=www.lidiasitaly.com

I would suggest that you avoid the site for a while, and if you want to (like you said in your first post) you could contact the webmaster and inform them of the attack (possibly with a link to this thread.)

As you said that this is alerted to on all of the pages that you visited, it is not just this page that has been hacked.

Also be careful of clicking links, especially within emails (I know you may have considered this a legitimate site) as this is a very common attack method.

-Scott-
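For anyone cleaning up a site hit like this, here is a small decoder for the obfuscation polonus quoted above (a JS array of number strings, each parsed as a float and turned into a character code; the fragment shown decodes to the opening of a script tag). This is an added example, not code from the thread, from avast or from the site's pages; SAMPLE_HTML is a constructed page modelled on the quoted fragment, and the function names are my own.

```python
import re

# Constructed sample page modelled on the fragment quoted in the thread.
# The array elements are JS floats whose values are character codes.
SAMPLE_HTML = """<html><body>
<p>Recipes</p>
<script>a=new Array('6e+1','1.15e+2','0.99e+2','0.114e+3','0.105e+3','0.112e+3','1.16e+2','6.2e+1');
b='';for(i=0;i<a.length;i++){b+=String.fromCharCode(parseFloat(a[i]));}document.write(b);</script>
</body></html>"""

# Matches "new Array('...','...')" and captures the comma-separated literal list.
ARRAY_RE = re.compile(r"new\s+Array\s*\(((?:\s*'[^']*'\s*,?)+)\)", re.S)
# Pulls each single-quoted element out of that list.
ELEM_RE = re.compile(r"'([^']*)'")


def decode_numeric_array(literal: str) -> str:
    """Decode a list of quoted JS number strings into text.

    Each element is parsed the way parseFloat() would parse it and mapped to
    the character with that code. Non-numeric elements are skipped, so a
    benign array of words decodes to an empty string.
    """
    chars = []
    for tok in ELEM_RE.findall(literal):
        try:
            code = int(round(float(tok)))
        except ValueError:
            continue  # not a number, so not this scheme
        chars.append(chr(code))
    return "".join(chars)


def find_encoded_scripts(html: str) -> list:
    """Return the decoded text of every 'new Array(...)' literal in the page."""
    return [decode_numeric_array(m.group(1)) for m in ARRAY_RE.finditer(html)]


def looks_injected(decoded: str) -> bool:
    """Heuristic: decoded text that opens a script or iframe tag is suspicious."""
    return re.search(r"<\s*(script|iframe)\b", decoded, re.I) is not None


if __name__ == "__main__":
    for text in find_encoded_scripts(SAMPLE_HTML):
        print(repr(text), "SUSPICIOUS" if looks_injected(text) else "ok")
```

Run it over a saved copy of each affected page (fetched with a non-browser tool) to see what the obfuscated block actually writes into the page before removing it.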
