Exploit iFrame?


Nurk

Various online scans (Bit Defender, Panda) tell me I am infected with an
"Exploit iFrame" vulnerability, which has coincided nicely with the ongoing glut
of Swen messages. Pardon my stupidity, but I can't find a removal tool and would
appreciate it if anyone could direct me to one.

I'm running XP, FWIW.
 
Nurk said:
Various online scans (Bit Defender, Panda) tell me I am infected with an
"Exploit iFrame" vulnerability, which has coincided nicely with the ongoing glut
of Swen messages. Pardon my stupidity, but I can't find a removal tool and would
appreciate it if anyone could direct me to one.

I'm running XP, FWIW.

Exploit iFrame vulnerability?

Infected with a vulnerability?

Infected with an exploit?

I thought viruses infected stuff, and exploits were trojans.

Confusing terminology they use huh?

I don't quite understand, but the "vulnerability" is something
that is patched (a patch from Microsoft ~ not an e-mail
worm pretending to be a patch from Microsoft ~ of course
you knew that already). The "exploit" is something the AVs
probably found in your temp files, but if you are patched
you don't have to worry about it anyway.

The swen worm uses the incorrect MIME type vulnerability
I think, and uses an iFrame to implement it in the "returned
mail" form of the sent e-mail. The AVs may be detecting
this and calling it the "iFrame vulnerability" because they
don't know any better.
 
FromTheRafters said:
Exploit iFrame vulnerability?

Infected with a vulnerability?

Infected with an exploit?

I thought viruses infected stuff, and exploits were trojans.

Confusing terminology they use huh?

I don't quite understand, but the "vulnerability" is something
that is patched (a patch from Microsoft ~ not an e-mail
worm pretending to be a patch from Microsoft ~ of course
you knew that already). The "exploit" is something the AVs
probably found in your temp files, but if you are patched
you don't have to worry about it anyway.

The swen worm uses the incorrect MIME type vulnerability
I think, and uses an iFrame to implement it in the "returned
mail" form of the sent e-mail. The AVs may be detecting
this and calling it the "iFrame vulnerability" because they
don't know any better.
Been getting the same message from Panda. The identification is either
Gibe C/SWen or an exploit/iFrame vulnerability. Panda's website links
the two labels basically as the same virus.

Since I use Mozilla set to no javascript/text only mail, I'm a bit
puzzled when the virus (disinfected) is reported to be in my Inbox
after I've deleted it. The spam filter is moving 90% of it to trash and
that's deleted as well. What's left of a deleted file to trigger the AV?

Down to 5-10 per hour. Not bad.
 
mhagen said:
Been getting the same message from Panda. The identification is either
Gibe C/SWen or an exploit/iFrame vulnerability. Panda's website links
the two labels basically as the same virus.

One is probably a detection of the exploit code in the returned
message form of the worm e-mail, and the other a detection of
the worm code in an attachment of the other e-mail form.

Same malware, but differing exploit methods.
Since I use Mozilla set to no javascript/text only mail, I'm a bit
puzzled when the virus (disinfected) is reported to be in my Inbox
after I've deleted it.

The exploit code (or at least the iFrame container tags) are in the
message body, and the worm code is in the MIME encoded "inline"
or "attachment" content. Maybe the exploit is still detected even
though the "attachment" has been neutered. The entire e-mail should
be deleted, but maybe the combination of AV and e-mail client makes
this a bit problematic.
The spam filter is moving 90% of it to trash and
that's deleted as well. What's left of a deleted file to trigger the AV?

That depends on what is and is not being deleted, and what
being deleted actually means with regard to the program
doing the deletion. If the entire e-mail is being "deleted" by
moving it to the trash folder, then it is still possible for a
scanner to see it in an indexed data file (which is what many
of the mailbox and trashcan e-mail client files are). Even when
emptying the "trash" indexed data file, the recognizable strings
could still be detected unless and until the data is overwritten
by new data.
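As an added example (not code from this thread or from any of the posters), a small Python check for exactly the structure described above: an HTML body whose `<iframe>` refers to a `cid:` part that is declared under a harmless content type but actually carries an executable. The message, its Content-ID and the content types are constructed for the example.

```python
"""Added example: flag an HTML body whose <iframe> points at a cid: MIME part
declared as a harmless type but actually carrying an MZ executable."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample (not a real worm message): only the structure the thread describes.
SAMPLE_MAIL = """\
From: MAILER-DAEMON@example.invalid
Subject: Returned mail: see transcript for details
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Your message could not be delivered.
<iframe src="cid:part001@example.invalid" width="0" height="0"></iframe>
</body></html>
--b1
Content-Type: audio/x-wav; name="report.wav"
Content-ID: <part001@example.invalid>
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

IFRAME_CID = re.compile(r'<iframe[^>]+src\s*=\s*["\']cid:([^"\']+)["\']', re.I)
PE_MAGIC = b"MZ"  # DOS/PE executable header

def find_iframe_targets(msg: Message) -> list[str]:
    """Content-IDs referenced by <iframe src="cid:..."> in any text/html part."""
    cids = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("ascii", "replace")
            cids.extend(c.strip() for c in IFRAME_CID.findall(html))
    return cids

def scan(raw: str) -> list[tuple[str, str]]:
    """Iframe-referenced parts that carry an MZ executable under a non-application/ type."""
    msg = message_from_string(raw)
    wanted = set(find_iframe_targets(msg))
    hits = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<> ")
        body = part.get_payload(decode=True) or b""  # None for multipart containers
        if cid in wanted and body.startswith(PE_MAGIC) and not part.get_content_type().startswith("application/"):
            hits.append((cid, part.get_content_type()))
    return hits
```

The check fires only when all three signs line up (iframe, cid: target, executable bytes under a non-application type), so a genuine inline sound file referenced the same way is not flagged.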
 
FromTheRafters said:
One is probably a detection of the exploit code in the returned
message form of the worm e-mail, and the other a detection of
the worm code in an attachment of the other e-mail form.

Same malware, but differing exploit methods.

The exploit code (or at least the iFrame container tags) are in the
message body, and the worm code is in the MIME encoded "inline"
or "attachment" content. Maybe the exploit is still detected even
though the "attachment" has been neutered. The entire e-mail should
be deleted, but maybe the combination of AV and e-mail client makes
this a bit problematic.

That depends on what is and is not being deleted, and what
being deleted actually means with regard to the program
doing the deletion. If the entire e-mail is being "deleted" by
moving it to the trash folder, then it is still possible for a
scanner to see it in an indexed data file (which is what many
of the mailbox and trashcan e-mail client files are). Even when
emptying the "trash" indexed data file, the recognizable strings
could still be detected unless and until the data is overwritten
by new data.
Very interesting! Thanks much. Must have received over a thousand and
none activated. The flood of these buggers seems just about over. That
is till all those returning to work tomorrow turn on their office
machines and start clicking away.
 
Hi,

iFrame exploit is HTML code whereby code can be downloaded within the
e-mail from a remote source ('href'); the iframe itself isn't malicious, but
the code which it intends to download can be. This is part of the Swen
epidemic. Patched versions of MS Outlook/Express are unaffected by this
exploit.

Regards,

Ian.

--

__________________________
Ian Kenefick
E-Geek-Ian[dot]com
Webmaster - Researcher
Mobile: +353879116187
E-Mail: (e-mail address removed)
 