Miscellaneous

IFrame code injection by Virus/Trojan, Whats the solution?
By Richard Clark
05-Aug-09
Views: 21906

If you website is attacked and you see malicious code being injected into the script. This article will help you find and get rid of this trojan/spyware
 
IFrame code injection by Virus/Trojan, Whats the solution? (Page 1 of 1)

Whats the problem ?

Thousands of websites are being attacked on daily basis. Malicious code is being injected in PHP, Javascript and HTML scripts. Website users are downloading malicious code and infecting others.

Who is compromised?

Your computer is compromised, don't blame you hosting company for this.

How does it work ?

When you open a website (most probably in IE) which is infected with malicious code, your browser downloads malicious code (which is a trojan/spyware) from the URL specified in the iframe tag or in the source of a script tag ( some times your browser also opens Acrobat Reader). Most of the anti-viruses don't detect this trojan, some only give a warning but don't block it. So when your computer is infected, a trojan residing in your computer steals your ftp passwords when you type them in your ftp program. Using these ftp accounts, the trojan scans all the directories on your ftp server and find files having any of following words in their name
  • main
  • default
  • index
  • home
  • and all the files included at the top of index file
The trojan then injects malicious code into these files and also infects the users visiting your website.

Are you also infected?

To check to see if your computer is infected. You can download HijackThis the free utility from TrensSecure's website. http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

HijackThis is a utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

After you have downloaded and performed a scan, locate the highligted entry shown in the image below

Click Here for full preview image


There could be other suspecious entries indicated by HijackThis, but the above entry is sure shot trojan which is infecting you websites.

How to remove this trojan?

  • Update your adobe acrobat reader, never use a version of Acrobat Reader less than 9.3.1
  • Update your flash player, use the latest version 10 of flash browser plugin
  • Scan your computer with MalwareBytes (http://www.malwarebytes.org/). If you are unable to run a scan of MalwareBytes, this is beacuse of the malware, You should consider reinstalling your os
  • Fix all the suspecious entries indicated by HijackThis. If you find an entry ending with AcroIEHelper.dll then you computer is definitly infected with the trojan. Fix this with HijackThis and also remmove AcroIEHelper.dll from your computer. This file will be located in the Acrobat Reader directory. After deleting this file restart your computer and again scan with HijackThis, if you again find this entry and you are unable to remove it. Then you should install a fresh copy of Windows.

Comments
Dániel Dékány
[11-Aug-2009]
#1

Note that this malware can steal FTP passwords used on clean computers too (see: http://soyouwillfindit.blogspot.com/2009/08/virus-steals-ftp-passwords-and-insert.html). This can cause some surprises after cleaning the computer from which the FTP account was used and changing the password... another infected computer on the LAN can still steal the new password.
Kalyan
[13-Aug-2009]
#2

My site also infected with some iframe virus i followed all the above steps. I found the .dll file after scanning with hijackthis software which i removed and after restart of system there is no such file.Thx for this tutorial and let me check whether this solved my problem or not with finger's cross.
Webber
[13-Aug-2009]
#3

Thank you i will try this...
Kaushik
[18-Aug-2009]
#4

i tried this but there is still an 'application extension' by the same name. This does not get deleted. Is this ok..?
subi
[23-Aug-2009]
#5

the script is not working it says Fatal error: Call to a member function read() on a non-object in /home/****/public_html/virus-detect.php on line 5

brian
[26-Aug-2009]
#6

This script never fails.... what is it exactly looking for? I tried "testing" it with a made up iframe and it doesn't detect,...
jimmy
[13-Oct-2009]
#7

this is happening to me also in Leopard (Mac). Can this trojan work in a Mac or is the server (hosting company) the one who is infected? If this may happen in a mac, the trojan must have another extension instead of .dll, doesn't it? thanks
balu
[03-Nov-2009]
#8

hi this is very good article. i keep this article in my fourm also www.hackerswings.com thank you.
boballoo
[07-Nov-2009]
#9

I was also infected with this and had a very tough time getting rid of the AcroIEHelper.dll file and associated registry entries until I changed permissions on all of them. For registry entries right click and choose permissions>allow all For the dll files Right click and choose Properties>Security>allow all (sometimes you will have to click Advanced and then allow all)

Sasikiran
[19-Nov-2009]
#10

Hi, The code you provided is very good except a slight modification. The code is not working as it is. You forgot to read the file before you pass it to preg_match function. I added the missing parts. Add the following code after line 12 //------------------------------------ $contents = ''; $file = fopen($entry, "r"); while(!feof($file)) { $contents = $contents. fgets($file, 4096); } fclose ($file); //--------------------------------
S.Anbarasu
[26-Nov-2009]
#11

I also suffered with the script Injection and this article is very use full to me to protech myself
astpne9
[18-Jan-2010]
#12

Well i have also written an article on my blog. There is a script in PHP which automaticly scans and cleans you hosts and all index files infected with a iframe code. It is easy to use, if you would like you can inlcude it in you site. My post URL is
http://hotfixes.edibra.com/webmasters/clean-iframe-virus
Stephen
[06-Mar-2010]
#13

Yes always make sure that you have latest version of Adobe Acrobat Reader and Flash Player
LGP
[07-Mar-2010]
#14

And after all that don't forget to uncheck the system restore feature before restarting your windows.See this page for details:

http://support.microsoft.com/kb/310405/en-us

Cheers

LG (Brazil)
Peter
[07-Mar-2010]
#15

I was wondering are there any variations?  Because I have a file simliar but I also have Reader 9.  The file that showed in Hijackthis was AcroIEHelper.dll.  Also I was wondering, would the infected file show a creation/modify date of when it was created/infected?  Thanks for your help.
DonJuan
[07-Mar-2010]
#16

better be carefull when deleteing stuff.

"acroiehelper.dll" is an Internet Explorer helper application. It allows you to display Adobe Acrobat (PDF) files directly within your web browser, rather than having to launch Acrobat Reader

 
migliori Jackpot dei
[29-Mar-2010]
#17

There are hundreds of possible reasons for iframe injection, you do not have "the" solution, you have 1 possible solution for a small percentage of the users.Most of the times it's probably because of out of date scripts being used that are easily exploited via a web attack.

http://www.jackpot-dei-casino.com

 
http://www.jouons-au
[03-May-2010]
#18

i haven't any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.i found this informative and interesting blog so i think so its very useful and knowledge able

http://www.jouons-au-poker.fr/

<A href="

http://www.jouons-au-poker.fr">

mostafa
[06-May-2010]
#19

yes, that's realy useful post. thanks Rich.
IT Outsourcing
[19-May-2010]
#20

Thanks for providing such useful information. I really appreciate your professional approach.
Wicker Furniture Sof
[25-May-2010]
#21

Wonderful post! I like your blog, and am a regular follower. I will be back  monday!
http://www.gioca-int
[25-May-2010]
#22

I have a file simliar but I also have Reader 9.  The file that showed in Hijackthis was AcroIEHelper.dll.  Also I was wondering, would the infected file show a creation/modify date of when it was created/infected..

Thanks for your help.....
singapore seo
[15-Jul-2010]
#23

Hate this, recently my colleague affected by this virus. Luckily we are mac user so is not affected.
Leave a Comment
Age (Required, will not be shown)
Name
Email (Required, will not be shown)
Website (Optional, starting with http://)
 
Are you human ?

Enter the code shown above


 
Contact Us | Suggest an Article | Website Design and Development