HTML:Iframe-inf exploit

Hi everyone, I’m new here. Just read Avast news on the above exploits on legit websites. Like to report the following website for Avast to look into. Cheers.

site: hxxp://www.learncpp.com

possible exploit detected:
file: hxxp://feeds.feedburner.com/LearnCpp{gzip}
Malware name: HTML:Iframe.inf
Malware type: Virus/Worm

Hello and welcome to forum.

please note that it’s better to write the link to infected sites in this format: hXXp://www.virus-site.com/

Well it shouldn’t be avast looking into it but the site owners, etc.

However, the learncpp.com loads OK for me and no alert, the detection is on the feedburner.com site. It is only when you click on the Entries RSS link that avast alerts having tried to load the hXXp://feeds.feedburner.com/LearnCpp page.

So it looks like the feedburner.com site has been hacked as there has been a script inserted into that page right in the middle of a sentence (see edited image to make it easier to see). This is a 1x1 sized iframe, suspicious.
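An added illustration, not part of the original thread or any poster's code: a small Python check for the pattern described above, an iframe sized 1x1 (or otherwise invisible) injected into a page. The sample markup, the `placeholder.invalid` URLs and the 2-pixel threshold are constructed assumptions.

```python
from html.parser import HTMLParser
import re

TINY_PX = 2  # assumed threshold: anything this small cannot show real content
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _px(value):
    """Parse '1' or '1px' into an int; percentages and junk give None."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "", re.I)
    return int(m.group(1)) if m else None

def _style_px(style, prop):
    """Pull a pixel width/height out of an inline style attribute."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)(?:px)?\s*(?:;|$)" % prop, style, re.I)
    return int(m.group(1)) if m else None

class IframeAudit(HTMLParser):
    """Collect (line, src, reason) for iframes a visitor could never see."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        dims = []
        for prop in ("width", "height"):
            v = _px(a.get(prop, ""))
            dims.append(v if v is not None else _style_px(style, prop))
        reasons = []
        if any(d is not None and d <= TINY_PX for d in dims):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden")
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), "+".join(reasons)))

def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: line 1 has a 1x1 iframe dropped into the middle of a word.
SAMPLE = (
    '<p>Welcome to the tuto<iframe src="hxxp://placeholder.invalid/x" width="1" height="1"></iframe>rial feed.</p>\n'
    '<iframe src="https://player.example/embed" width="560" height="315"></iframe>\n'
    '<iframe src="hxxp://placeholder.invalid/y" style="width:0px;height:0px"></iframe>\n'
    '<iframe src="hxxp://placeholder.invalid/z" width="300" height="200" style="visibility: hidden"></iframe>\n'
)
```

A hit is only a reason to look at the frame's `src`; some legitimate widgets also use tiny or hidden frames.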

Hi all

Posted on this forum as the ‘avast news’ April 29, 2009 mentions:

"If avast! displays this warning, you should discontinue your attempt to connect to that particular website and either report the infection to the relevant party so that it can be removed, or post a message on the avast! forum in the section Viruses and Worms so that it can be investigated to determine whether the website is really infected. "

True, avast detected the exploit as soon as the site learncpp was accessed. Not sure why others are not detecting it straight away.

Because avast basically is one of the few that even check and avast IMHO is the best, of all the ones reported in these forums that I have checked every one has proved to be a good detection.

avast is all over this latest fast growing exploit of injecting iframes or script (into legit sites) like a rash.

I'm not sure if this is an iframe exploit…

avast! found it… I moved it to the chest… if someone can help me get a little more info about this, thx…

hxxp://www.gamespy.com

file name: bg-tab-lft-0[1].gif

malware name: nutcracker family

malware type: virus/worm

There is a topic on this one, which I have reported as a false positive.

Try a forum search for bg-tab-lft-0, you should find it.

I am new to this site as well, and need to let someone know I got the warning about hacked websites when trying to access Southwest DING! Will someone be able to check hxxp://www.southwest.com?

Nothing (no avast alert) on the URL you gave; is that the full URL?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx or URL, see #### below) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

I want to report another website with the HTML:Iframe-inf virus, www.slingo.com… When attempting to download a number of different games I was told by Avast to disconnect…

Hi almac152,

Please, make the link non-clickable by putting wXw.slingo.com

Apparently not functioning, but this might be it:
Level: 2) Url checked: (script source)
hxtp://ad.yieldmanager.com/+rm_url+
Blank page / could not connect
No ad codes identified
Malicious software includes 178 trojan(s), 171 exploit(s), 49 scripting exploit(s).

This site was hosted on 6 network(s) including AS14778 (INKTOMI), AS36752 (YAHOO), AS14777 (INKTOMI).

It seems that ad.yieldmanager.com has, during the last 90 days, been redirecting to infect 362 sites, including e.g. thepiratebay.org/, servimg.com/, xinhxinh.com.vn/

polonus

Where you should really be reporting it is the webmaster as it looks like their site has been hacked, very common now. I have had a very quick rummage around but didn’t find anything - Can you give the full path that avast is alerting on so we don’t have to go looking, note the comments #### below.

Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

ad.yieldmanager.com is blocked by hpHosts and MVPS HOSTS file.

Hi readers of this thread,

Some general info on this parasite, you’ll find here:
http://www.wiki-security.com/wiki/Parasite/adyieldmanagercom
Not a link you like to have on any webpage, I guess,

pol