HTML:IFrame-EW [Trj] - Trojan Horse

Yesterday I was on this page wXw.staznosti.sme.sk and when I browsed on this page bounced alert from avast!. Virus found HTML:IFrame-EW [Trj]. And what next? This page has over than million users per day. The infiltration was found on this path

wXw.staznosti.sme.sk/favico.ico

This is false virus. Please make something with that.

Please change www to wXw and http to hXXP to prevent any accidental exposure. In case there are any threats.

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).

I changed this link and slovak or czech tech from avast! support can wirte some reactions on this problem. I wrote to sme.sk administrators and dont reply me.

:wink:

Well it looks like they have resolved the problem (likely to have been a hacked favico.ico file) even though they didn’t reply to you.

  • I don’t get an alert on the home page and the favicon appears in the address bar as normal.

I think it is still detected as of this moment (090826-0, 08/26 virus database)

Well I have the latest VPS and I don’t get an alert, that is with firefox 3.5.2.

As I said I went to the Home page and not as you have done directly to the favico.ico file.

If I do that the alert happens and the reason it happens is you get a 404 error page and at the bottom of the custom 404 page is the injected script tag containing the iframe tag, see images.

So more work to be done on the site, they may have removed the favico.ico file but a missing file has activated the 404 error page which has also been hacked.

Dear All,

I am just try this web page, and still got hacked by i-Frame

Regards,
Yanto Chiang