HTML:Allaple-A [Wrm]...random alerts?

I keep getting 'A VIRUS WAS FOUND' alerts at random times when logged on.

HTML:Allaple-A [Wrm] from http://www.wadeauto.com/favicon.gif/

If I try just “http://www.wadeauto.com”…no alert.

Is this a false alarm?

Thanks


Welcome to the forums, Hosermike. :)

At the first link, I get “Page can not be found.”

Second link works perfectly.


At the first link, I get "Page can not be found."

At the first link, I get this… (image attached)

Kinda weird for a .gif file to be malicious like that. I didn’t think that they could be.


I guess that Opera would not load that page.


I guess not.

But seriously though, a “gif” file that’s a virus?

.scr’s, exe’s, bat’s, vbs’s, cmd’s, etc. can be viruses, but a gif?

Wouldn’t this be a FP?

Hosermike, have you possibly uploaded this file to http://virustotal.com yet?

The short answer is no: the site appears hacked, and the favicon.gif isn’t a gif but has been replaced with an html page (which has an OLE Object in it) called by that name.

So I have no idea what that OLE Object is doing, but the action of replacing the .gif file contents or page with an html page is highly suspicious.

This replacement of favicon.gif and/or favicon.ico is starting to become common, as browsers, when they visit a page, go looking for the favicon to load into the space to the left of the address bar.

Update:
I uploaded the file to VirusTotal, and 15 of 39 scanners find it infected in some form or other, most of them finding HTML/Allaple.A as avast did.

VT Results page http://www.virustotal.com/analisis/e451c7e0040eade7a6713b05fbd50197.

Thanks for all the responses.

FYI, this poster is experiencing the EXACT same symptoms I have as far as behavior (different malware item though):

http://forum.avast.com/index.php?topic=43970.0

Approximately the same time frame also. I have not attempted any of the remedies listed.

The thing that really baffles me is why the alert will come on randomly when I’m using IE7 and NOT accessing the domain in the alert?

???

You’re welcome.

It’s a similar trick, replacing the favicon.gif file but the payload is potentially more serious with the iframes actually pointing at malicious sites as well.

You might not actually be using the domain, but any domain you are on, if it had a link to the site, would/could be loading stuff in the background, depending on the browser or any accelerator/pre-loader.

But to confirm there is nothing on your system that is actually trying to connect (which I would be surprised if it did) you can try SAS and MBAM as suggested in the other topic.

Welcome to the forums.

Hi malware fighters,

I get an “Empty source - Could not connect to site?” trying to check it.

pol

I checked that link with “AVIRA”; here is the result:

The first link:
HTML/Infected.WebPage.Gen - Malware

Requested URL: http://www.wadeauto.com/favicon.gif/
Information Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus

But the second link loaded without any problem; just the icon (favicon) of the website did not load.

Test result by VirusTotal:

File http__www.wadeauto.com_favicon.gi received on 04.24.2009 22:00:42 (CET)

Attached…

aahhh!! man! that’s not just that gif file… take a look at that address again… there is a “/” after the .gif address, so it would redirect to a sub-folder that is not possible to find and give “error 404”, and I think they have infected that error page :)

Hi Omid Farhang,

Threat Analysis

* File is polymorphically encrypted.

* Copies itself to weakly protected network shared folders.

* Performs Denial of Service attacks on several websites.

Quarantine/delete files that are detected and replace infected files with clean backup copies.

Sophos has this malware info:

Troj/Allaple-A is a backdoor Trojan for the Windows platform.

The Trojan copies itself to numerous locations on the infected computer with randomly generated eight character filenames. These copies are all mutated to differ from the original Trojan.

Troj/Allaple-A drops numerous copies of a DLL component to the Windows system folder with randomly generated eight character filenames.

For each copy of the Trojan, registry entries such as the following are created:

HKCR\CLSID\<randomly generated CLSID>\LocalServer32

HKCR\CLSID\<randomly generated CLSID>\LocalServer32

The Trojan modifies existing registry entries to run the DLL components on startup. Entries are modified as follows:

HKCR\<existing CLSID>\InprocServer32

<DLL filename>

The Trojan also modifies HTML files, prepending a line such as the following to the script:

<OBJECT type="application/x-oleobject" CLASSID="CLSID:(randomly generated CLSID)">

polonus
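Added here as an example, not code from this thread or from Sophos: a small Python scanner that looks for the OLE <OBJECT> marker the Sophos write-up describes in HTML files and reports whether it was prepended ahead of the page's own markup. The sample documents and the all-zero CLSID are constructed placeholders.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Matches an <OBJECT> tag that declares an OLE object by CLASSID, in either
# attribute order and any letter case. The "favicon.gif" in this thread was
# really an HTML page carrying a tag of this shape.
OLE_OBJECT_RE = re.compile(
    r"<object\b(?=[^>]*\btype\s*=\s*[\"']?application/x-oleobject)"
    r"[^>]*\bclassid\s*=\s*[\"']?clsid:\s*\{?([0-9a-f-]{36})\}?",
    re.IGNORECASE,
)

class Finding(NamedTuple):
    path: str
    offset: int      # character offset of the tag inside the document
    clsid: str       # CLSID the tag would load
    prepended: bool  # True when the tag sits before all other markup

def scan_html(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per OLE <OBJECT> tag in an HTML document."""
    first_lt = text.find("<")  # where the document's own markup begins
    return [
        Finding(path, m.start(), m.group(1).upper(), m.start() == first_lt)
        for m in OLE_OBJECT_RE.finditer(text)
    ]

def scan_tree(root: str) -> list[Finding]:
    """Scan every .htm/.html file below root (read as text, bad bytes ignored)."""
    out: list[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".htm", ".html"):
            out.extend(scan_html(p.read_text(errors="ignore"), str(p)))
    return out

# Constructed samples (not real infected files); the CLSID is a placeholder.
INFECTED = ('<OBJECT type="application/x-oleobject" '
            'CLASSID="CLSID:00000000-0000-0000-0000-000000000000">\n'
            '<html><body>Hello</body></html>')
CLEAN = '<html><head><title>ok</title></head><body>Hello</body></html>'

if __name__ == "__main__":
    for f in scan_html(INFECTED, "sample.html") + scan_html(CLEAN, "clean.html"):
        print(f"{f.path}: OLE object {f.clsid} at {f.offset}, prepended={f.prepended}")
```

Run `scan_tree(r"C:\inetpub\wwwroot")` (or any web root) to list every HTML file carrying such a tag; a hit on a file that should never embed an ActiveX object is the cue to restore it from a clean backup, as the Sophos guidance above says.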