Sign of Nutcracker family in gif of gamespy.com

I went to gamespy.com, but when the main page was loading I got virus alert:

Sign of “Nutcracker family” has been found in “C:\Documents and Settings\(User Name)\Local Settings\Temporary Internet Files\Content.IE5\PDOH6H8P\bg-tab-lft-0[1].gif” file.

I chose the “delete it” option. I cannot find it anymore. Should I still be worried? Was it a false positive? What could be some future advice? Should I still do a boot scan?

Try sending it to the quarantine next time. Viruses can do no harm within the quarantine.

After that, you could have uploaded the file to http://www.virustotal.com to see if it was a false positive.

If it was, you could then send it to avast to help improve detection rates.

I wouldn’t be worried about being safe or not; the virus was deleted.

If you feel that you are not sure if it’s deleted, then you can do your boot scan when you go to sleep :slight_smile:

Thank you for the reassurance. I am curious about virus programming: if you delete the original infected file, can it still spread? Like, can it become pandemic, not just epidemic? The main point is, if a virus is found in Temporary, can you just delete it from there and you will be fine?

It was in the temporary folder. I use CCleaner almost every ten minutes. I checked it again, but it has been empty.

Ok so yeah, if you have cleared your temporary files I can say you don’t have to worry, and if Avast! detected it too :slight_smile: But remember to do some regular scans even if you think you didn’t get a virus, just to be sure :slight_smile:

This is a secondary question: I get conflicting answers, but can a .gif file ever be infected with a virus?

Yes, a .gif or anything can be infected by a virus; that’s why Avast! scans everything on the web when you surf.

Correct me if I’m wrong :slight_smile: but I heard this from a guy here :slight_smile:

Mr.Agent

Hi Mr.Agent and ahhnoo,

Yes, it is possible for malcreants to hide a PHP exploit or a malicious iframe attack inside a GIF; read here how that can be performed: http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2008-02/msg00093.html
This malicious GIF file is usually infected by other malware, appended with a hidden iframe. When a user visits a web page containing such a GIF file, those hidden iframes may perform malicious routines on the affected system.

H.D. Moore explains here on how this could be performed:

The usual trick is to upload an ASP, ASPX, PHP, JSP, or other dynamic web page to the server. If the application allows you to set the extension and the upload directory supports that scripting language, your job is done.

If the server changes the extension to .JPG/.GIF (or only allows those extensions), then you need to be more creative. On Apache, you can name a file something.php.jpg, and Apache will still treat it as PHP.

Another option you can try is by sending an upload request (with a tool or a HTTP request editor) that embeds a NULL byte before the .JPG extension. ASP scripts tend to be vulnerable to this – the script will see the entire file name, but the underlying file operation will truncate the name of the file after the NULL byte. So something.asp%00.jpg would become something.asp.

Finally, one trick that might help, is to upload an HTML document, with a JPG extension, and see whether the browser treats it as HTML or an image when you browse to it. Some browsers handle this differently, sometimes ignoring the mime type in favor of the file magic (not sure if this works with images in IE 7).

What this allows you to do is upload arbitrary HTML content to the server, which can contain javascript, which in turn can read the domain-specific credentials of users visiting that page. This still requires the ability to send users to your not-really-a-jpeg HTML page (for example, by emailing them a link).

So you see, for protection you are best served by a browser with an extension that can block scripts altogether, like Firefox with NoScript; for the server part we are dependent on the security measures taken by the site admins and webmasters to prevent this from happening.

polonus
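The server-side protection polonus refers to comes down to how the upload handler validates a file. The Python below is an added example written for this page, not code from the thread or from any project mentioned in it; the function names, the allowed-extension policy and the sample files are all constructed for illustration. It rejects each of the cases in the quoted description: a NUL byte in the file name, a double extension such as something.php.jpg, an HTML document uploaded under an image extension, and a real GIF with an iframe appended after the image data.

```python
import os
import re
import secrets
from typing import Tuple

# Hypothetical policy for this example: only these image extensions are accepted.
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}

# The file content must begin with the magic bytes of the type its extension claims.
MAGIC_BY_EXTENSION = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup that never belongs inside an image; a hit means active content was hidden in it.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|iframe|object|embed|\?php|%)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file name and its raw bytes."""
    # 1. A NUL byte makes the application and the filesystem see different names.
    if "\x00" in filename:
        return False, "NUL byte in filename"
    # 2. Ignore any directory component the client supplied.
    base = os.path.basename(filename.replace("\\", "/"))
    # 3. Exactly one extension: 'x.php.jpg' is rejected instead of being trusted as an image.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    if len(parts) > 2:
        return False, "multiple extensions"
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %s not allowed" % ext
    # 4. The bytes must really be the image type the extension claims (file magic, not name).
    if not data.startswith(MAGIC_BY_EXTENSION[ext]):
        return False, "content does not match extension"
    # 5. A genuine GIF header can still be followed by an appended iframe or script block.
    if ACTIVE_CONTENT.search(data):
        return False, "active content embedded in image"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name for an accepted file: random token plus the validated extension,
    so the client-controlled name never reaches the filesystem."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not real files from the thread).
GOOD_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10 + b";"
IFRAME_GIF = GOOD_GIF + b'<iframe src="http://example.invalid/"></iframe>'
HTML_AS_JPG = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    samples = [
        ("banner.gif", GOOD_GIF),
        ("banner.gif", IFRAME_GIF),
        ("something.php.jpg", GOOD_GIF),
        ("something.asp\x00.jpg", GOOD_GIF),
        ("page.jpg", HTML_AS_JPG),
        ("../../uploads/logo.gif", GOOD_GIF),
    ]
    for name, blob in samples:
        print(repr(name), "->", check_upload(name, blob))
```

Checking file magic (step 4) and scanning for markup (step 5) are what make the difference for the GIF case in this thread: a file name check alone passes an appended iframe, and a content-type header sent by the client is as untrustworthy as the name.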

Looks like a false positive by avast!, because it’s only the avast! engine that could detect it.

Attached file is the scan result.

Strangely enough, using Firefox I don’t get an alert on the gamespy.com home page ???

I see no reference to any bg-tab-lft-0 gif file or otherwise in the page source.

hxxp://media.gamespy.com/spy/imgs/bg-tab-lft-0.gif

Ah, so it isn’t on the home page, which I thought from just the gamespy.com detail in the OP.

I explored their server’s directories and found it at that address; I don’t know if it’s linked from the home page or not…

Strange: if I go to that link directly it just displays the small image and no alert, so I downloaded it using Orbit and got no detection; only when I scanned it with ashQuick.exe did I get an alert.

I have submitted it as a false positive, based on the VT results.

It’s still there … same file, same path.

Is it a false positive or real badware?

Well, I suspect a FP, as I mentioned in an earlier post, and I submitted it as a possible FP. So I would suggest you also submit it as a possible FP.