[Resolved] Trojan: HTML-Iframe

Good morning!

Well, I just made a very foolish mistake. :slight_smile: I had been searching links all night long via Google for about 4 hours and was only going to grab a couple more links. I was NOT watching my links very closely any longer, and all of a sudden, my Avast5 (Home Edition) ALERT sounded off after clicking a link on the search page, sending it to a new tab.

I had typed this phrase in the search box: map area of west kootenays in Canada and Idaho

The link in question was found on Google’s search page URL (page 20):

From the above search page, I clicked on the link below:
Canada Guide
In the west, it is bounded by the British Columbia province, in the east by … state of Alaska and in the south by U.S states of Idaho, Montana and Washington. … These are Glacier national Park, Kootenay National Park, Gulf Islands … in the first major change to Canada’s map since the incorporation of the …

canadaguide [DOT] biz/ - Cached - Similar :o

As you can see, my “foolish” mistake was NOT noticing it was NOT a COMPLETE URL, and THERE WASN’T ANY “http” or “www” listed! (I inserted the “DOT”)
Of course, had I actually taken a closer look at the link, I wouldn’t have clicked on it and simply would have bypassed it…BUT then I wouldn’t have been able to give my Avast a workout and return here to post my findings, right? ;D

Avast5 sounded off longer than usual for some reason. It said it had blocked a trojan in the HTML Iframe.
With that sort of a URL, I soon discovered that “UNMASK PARASITES” website couldn’t check/verify this link because it was not a real link.

Ok, I shall leave this in your hands, and I thank you for allowing me to post this!

P.S. I’m using Firefox:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Firefox/3.6.8

Yep, that is a bad one.

VirusTotal - canadaguide.biz.htm - 30/41

NovirusThanks - 14/16 - INFECTED

This page seems to be 1 suspicious inline script found.
WordPress 2.7.1 - Warning: Old version of WordPress. It may be vulnerable. Please upgrade.

Hi Shalimar,

The page you visited was infected with JS/Wonka according to M86Security URL scanner.
Several cases have been reported to AVERT as potential incorrect identifications of JS/Wonka, which turned out to be accurate hits. These observations were typically made upon visiting hacked web pages. These hacked pages have an IFRAME inserted that points to an external website containing malware such as Exploit-Codebase, Exploit-ANIFile, W32/Dumaru.gen, and Exploit-MhtRedir.gen.

This is a generic detection for highly obfuscated JavaScript. (see the image file I attached here)
The signature is based on specific characteristics of the encryption.
Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, these can include malicious activity such as downloading and executing files.
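
An added example, not part of the original thread and not any vendor's signature: a heuristic audit for the pattern described in the post above, a hidden IFRAME pointing at an external host plus heavily encoded inline JavaScript. The function names, the 0.3 threshold, the hosts and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic only (assumption): a decoder call plus a high share of encoded bytes.
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
ENCODED = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

def looks_obfuscated(code, min_ratio=0.3):
    encoded = sum(len(m.group()) for m in ENCODED.finditer(code))
    return bool(code) and bool(DECODERS.search(code)) and encoded / len(code) >= min_ratio

class PageAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._script = page_host, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = urlparse(a.get("src", "")).hostname  # None for relative URLs
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if host and host != self.page_host and hidden:
                self.findings.append(("hidden-external-iframe", host))
        elif tag == "script" and "src" not in a:
            self._script = []  # start collecting an inline script body

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code, self._script = "".join(self._script), None
            if looks_obfuscated(code):
                self.findings.append(("obfuscated-inline-script", code[:30]))

def audit(html, page_host):
    parser = PageAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the encoded string decodes to "<p>hi</p>".
SAMPLE = '''<html><body><iframe src="/map.html" width="600" height="400"></iframe>
<iframe src="http://third-party.example/in.php" width="1" height="1"></iframe>
<script>var year = 2010;</script>
<script>document.write(unescape("%3C%70%3E%68%69%3C%2F%70%3E"));</script></body></html>'''
```

Calling `audit(SAMPLE, "site.example")` reports the 1x1 external frame and the encoded inline script, and ignores the visible same-site frame and the plain script.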


Wow…thank you, Pondus & Polonus!

I don’t know if this particular JS/WONKA trojan had anything or not to do with Avast sounding its alarm for such a long time, but I sure am glad I wasn’t allowed to download it!

In addition to some of my other great security apps:
I love Firefox… :-*
I love Avast… :-*
and I love “NoScript”! :-*

Again, thank you for being here…for being part of this great Avast community service! 8)

Hi Shalimar,

You may not realize it, but now that you have over 20 posts, you no longer need to type in your Signature information in your posts since you can do this:

Go to PROFILE on the top of the forum page > Modify Profile > Forum Profile Information > Signature. Enter information about your system like the Operating System (OS, 32 or 64-bit), browser, security software, what version/product of Avast and firewall you use and other items you wish to mention. See my signature or others as an example. The purpose of this is so that we can offer pertinent advice.

Also, when you feel that your issue is resolved/fixed, please go back to the open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. Thank you.

Since we are here 24/7, feel free to come back and ask us a question any time instead of searching for hours for answers or just for a new experience. :slight_smile: