Thread: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

  1. #1
    eliuri Guest

    Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Hello:

    On-access detection by ZAISS picked up: Trojan-Downloader.JS.Psyme.aim

    Attempt to repair failed, and the file is now in Quarantine. A full system scan by ZAISS Av and AS came out clean after this Quarantine. Event-Viewer log info is cut -n-pasted below.

    Questions:

    1) Are any further actions recommended? More Info gave no guidance on this.

    2) Can I simply delete this from the Quarantine? It seems to me to be a temporary IE file of sorts.

    3) How might I have gotten this virus?

    Thanks in advance:

    -Eliuri

    Windows XP Pro SP3
    IE 7.0
    ZAISS 7.0.470.000

    ****************************************************************

    Decription Anti-virus successfully quarantined a virus or viruses
    Date / Time 2008/06/01 17:56:50-4:00 GMT
    Type Treat
    Virus name Trojan-Downloader.JS.Psyme.aim
    Filename C:\Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Content.IE5\9UC2JQCA\1143155091@x40,x41,x42, x43,x44,x45,x46,x47,x49[1]
    Action Quarantined
    Mode Manual
    E-mail

    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

    Message Edited by eliuri on 06-01-2008 11:56 PM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Trojan-Downloader.JS.Psyme.aim roughly translates into a javascript (.js or .JS) file based trojan.
    It is located in the internet temp folder which means it is cached when probably browsing with the browser.
    Many sites use javascripts to enhance the site appearance and interaction.
    Only this file has been detected by the AV to be malicious.
    When you were browsing, this file, as with all files for the browser usage, got cached - this is how you got the file.

    Cleaning the browser cache in the IE and running the disk cleaning utility, both manually, should have also deleted the malicious file.
    Deleting the file in the quarantine will now remove the file (since it is now encased by the AV).

    Just blocking the javascripts in the Privacy of the ZA and only allowing the needed sites to accept javascripts will prevent any further or new possible malicious javascripts to enter your PC.

    The AV caught the malicious file in the temp folder and stopped it.
    If your later full scanning was clean and had no detections, then it is safe to assume your PC is clean and secure.

    Oldsod
    Best regards.
    oldsod
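The event record pasted in post #1 and the explanation in post #2 (the detection name means a JavaScript-based trojan, and the Content.IE5 path means the file was stored by the browser while a page was being viewed) can be turned into a small triage script. This is an added example, not code from the thread or from ZoneAlarm: the field layout follows the pasted record, the four-part reading of the detection name follows the Kaspersky naming convention that ZAISS uses, and the sample record below is constructed, with the user name and cache subfolder as placeholders.

```python
"""Parse a ZoneAlarm AV event record like the one pasted in post #1 and work
out where the detected file lived.  Added example, not part of the thread or
of ZoneAlarm; the field layout ("field name, value" on one line) is taken
from the pasted record, everything else is an assumption."""
import re

# Constructed sample, modelled on the record in post #1.  [User Name] and
# the cache subfolder are placeholders, not values from a real machine.
SAMPLE_RECORD = """\
Decription Anti-virus successfully quarantined a virus or viruses
Date / Time 2008/06/01 17:56:50-4:00 GMT
Type Treat
Virus name Trojan-Downloader.JS.Psyme.aim
Filename C:\\Documents and Settings\\[User Name]\\Local Settings\\Temporary Internet Files\\Content.IE5\\9UC2JQCA\\1143155091@x40,x41,x42[1]
Action Quarantined
Mode Manual
E-mail
"""

# Field names exactly as they appear in the record (including the product's
# own spelling of "Decription").  "Type" comes last so that "Date / Time"
# cannot be mistaken for it.
FIELDS = ("Decription", "Date / Time", "Virus name", "Filename",
          "Action", "Mode", "E-mail", "Type")

# IE's cache layout: ...\Temporary Internet Files\Content.IE5\<subfolder>\<name>
IE_CACHE_RE = re.compile(
    r"\\Temporary Internet Files\\Content\.IE5\\(?P<subfolder>[^\\]+)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)


def parse_record(text):
    """Return {field: value} for each 'Field value' line of the record."""
    record = {}
    for line in text.splitlines():
        for name in FIELDS:
            if line == name or line.startswith(name + " "):
                record[name] = line[len(name):].strip()
                break
    return record


def split_detection_name(name):
    """Split a Kaspersky-style name (ZAISS is Kaspersky-based, per post #5) into
    behaviour.platform.family.variant, e.g. Trojan-Downloader.JS.Psyme.aim.
    Returns None for names that do not have exactly four parts."""
    parts = name.split(".")
    if len(parts) != 4:
        return None
    behaviour, platform, family, variant = parts
    return {"behaviour": behaviour, "platform": platform,
            "family": family, "variant": variant}


def ie_cache_info(path):
    """If the path is inside IE's Temporary Internet Files cache, return the
    Content.IE5 subfolder and cached file name; otherwise None.  A hit means a
    web page fetched the file during browsing and the browser stored it, which
    is how the poster 'got' it (post #2)."""
    m = IE_CACHE_RE.search(path)
    if not m:
        return None
    return {"subfolder": m.group("subfolder"), "cached_name": m.group("name")}


def summarize(text):
    """Combine the helpers into one triage summary for the record."""
    record = parse_record(text)
    cache = ie_cache_info(record.get("Filename", ""))
    return {
        "action": record.get("Action"),
        "detection": split_detection_name(record.get("Virus name", "")),
        "location": "ie_cache" if cache else "other",
        "cache": cache,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The `location` field is the part that answers question 3 in post #1: a quarantined file under Content.IE5 was written by the browser's cache, not by something already installed, so the follow-up check is the full scan post #2 recommends rather than a hunt for a persistent infection.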

  3. #3
    eliuri Guest

    Re: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Thanks for your lucid explanation, Oldsod.

    <<<<Just blocking the javascripts in the Privacy of the ZA and only allowing the needed sites to accept javascripts will prevent any further or new possible malicious javascripts to enter your PC.>>>


    If I turn on the Mobile Script control in Privacy and/or block javascripts, will every site being blocked prompt me to accept JS, and will IE recall such acceptances once I choose to allow a site?
    Also, which of those options under Privacy-->Mobile Code Control---->Custom would you recommend so as to maximize protection w/o substantially impeding functionality?
    I use both IE 7 and Firefox 2.0.0.14
    Seems IE7 is less safe without that Mobile Code Control.....
    Thanks in advance:
    -Eliuri

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Yes I see the problem. While blocking the javascripts does greatly improve security, it does reduce site functionality. But at the same time, so do many other scripts of the web pages. But these others along with the javascripts are all active and executable scripts/files.
    You gave me a very big question and so you will get a good answer.

    Flash (or .swf), some banners and banner content, sounds, webbugs, site interactions, some of the ads, some of the site's presentations and so forth all use javascripts.
    Sometimes these can be malicious as you have already witnessed.

    On the other hand, javascripts is very much needed for logins, signins, password verifications, site interactions (banks, buy/sell sites, etc), web mail, and for the "good" and needed sites.
    In many ways the html code of the web sites is just the basis, the .css files are just the adjustments and generalizations but it is the javascripts that give many sites the "glamour" and the neat tricks.

    Other common types of scripts used by some sites to give it the "glamour" and some neat tricks are MIME, VBS and the IFRAMES.
    The MIME, VBScript and IFRAMES are, of course, all known to be also exploited by malware writers and as such these can be a risk/danger at unsafe/risky sites.
    The MIME and the VBScript can be also blocked in the Privacy.
    The IFRAMES cannot be blocked by/in the Privacy.
    However the NoScripts Addon of the Firefox can be used to block/allow IFRAMES & MIME and the Firefox by default does not use any VBScripts.
    I strongly suspect the about:config of the Firefox does have a feature to disable IFRAMES globally. The IFRAMES can be disabled globally in the IE's Internet Options, but I would advise against doing this and just leave this alone. ( scripts can be blocked off in the IE, but again leave this alone because it is easier to leave this task to the ZA Privacy).

    The ZA states:

    " In the Mobile Code Control area, specify the types of mobile code to block.
    Block JavaScript Blocks JavaScript content, including that required for common uses such as Back and History links, rollover images, and opening and closing browser windows.
    Block scripts (vbscript, etc.) Blocks scripts that execute automatically, including those required for displaying banners, pop-up ads, and dynamic menus.
    Block embedded objects (java, ActiveX) Blocks objects embedded in Web pages, including sound and image files.
    Block mime-type integrated objects Blocks objects whose MIME-type indicates that they are applications.
    Note: This option also blocks legitimate executable files sent through the browser, including downloads that you may want to allow. When this occurs, you'll see the error "This object has been blocked" in the browser. For downloads initiated by you, it is safe to disable the Block mime-type integrated objects feature."

    Please, note the MIME referred by the ZA and myself is not actual SMTP/MIME, but it is actually properly known as MIME HTML.

    http://en.wikipedia.org/wiki/MHTML

    http://en.wikipedia.org/wiki/JavaScript

    http://en.wikipedia.org/wiki/VBScript

    http://en.wikipedia.org/wiki/IFrame


    The web site should (if properly designed) show a prompt to enable javascripts, if the javascripts are disabled/blocked in the Privacy Advisor.
    The Privacy Advisor itself is a useful tool for determining what content has been blocked and possible content needed to be allowed for the proper site use.
    Or just to show you what has been blocked and any possible risks which have been avoided.
    I have stopped long ago using the Privacy of the ZA and use alternative methods. But when I used the Privacy, immediately after a "fresh" install or "clean" install, I went to all needed and usual sites with all allowed in the Privacy. Once the needed and usual sites were added to the Privacy listing, I then set the blocking to High for everything. This method let me enjoy my sites with the needed content and block content from any new or "foreign" or risky sites.

    Mistakenly blocked content can be determined by the Privacy Advisor, or by trial and error or even with an online service such as a "browser check", like this one:

    http://www.heise-online.co.uk/securi.../browsercheck/

    I specifically used the above site as a reference because it does have advice and securities for both the IE and the Firefox under the "Changing settings" and "Security Holes" links. Since these are the two specific browsers that you are using.

    Last but not least, activeX is the last "security" threat to be mentioned.
    While the Firefox does not allow for any activeX installations (it will access applications which themselves use activeX), the IE 7 in the default setting will prompt for the installation of any new activeX.

    http://en.wikipedia.org/wiki/ActiveX

    Java is another common threat, but the latest JAVA from SUN has improved, when considering security. What goes into the JAVA cache usually stays in the JAVA cache and does not spill over into the windows. Any trojans in the JAVA cache usually stay there and are deleted/removed by a file cleaner or manual clean of the JAVA cache. Most antiviruses now detect JAVA trojans and even the antiviruses that don't still are safe to use, since the JAVA is now relatively safe to use (as compared to a few years ago). Even something such as VUNDO (from emails or safe web browsing) will be removed from the JAVA cache by deletion or uninstall/reinstalling the JAVA. NOTE: there are other variants of VUNDO but these are not JAVA related and are only found from illegal media or "cracked" programs.


    Now comes a simple answer - the scripts are risks because they can be executed and run actively not just in the browser cache, but on the entire PC itself.
    If a malicious file was present, it could be dangerous and infect the PC.
    This does not really apply so much to the Firefox (or for Opera browser for that matter), but for the Internet Explorer. The IE is very much part of the windows kernel and tied directly into the windows, whereas the Firefox is not. Another reason for the Firefox and Opera being "safer" browsers than the IE.
    These scripts are in fact referring often to third party files or third party sites not associated with the main site.
    MIME and IFRAMES is used for introducing media content to the web page - but can be used maliciously to introduce malware files instead of the expected media.
    Both IFRAMES and JAVASCRIPTS are prone to cross-site scripting vulnerabilities.
    ActiveX can be a malicious CODEC or .DLL, in disguise of the expected media content or embedded in the media content.
    Banners, certain active ads and flash although using .swf (and variants), and some popups all need javascript to be allowed in order to work. Hacked sites and "unknowingly" innocent sites will have malicious scripts in the banners, ads and flash.

    Private Headers (or commonly known as "refer" or "referrer") in itself is not a security risk, but a privacy risk.

    http://en.wikipedia.org/wiki/Referer

    HTTP cookies are not a security risk, but considered to be a privacy issue.
    Tracking cookies or the third party cookies traditionally have been the privacy issue cookies (although it may well be the first and session cookies will soon be tracking - not just the site directly involved, but for other parties).

    http://en.wikipedia.org/wiki/HTTP_cookie

    Web trackers and site counters can be using cookies (just disable third party cookies) or webbugs (just disable the javascripts or webbugs in the Privacy). But not always. Some are using the server's logs or javascripts of that server (or third party server).

    http://en.wikipedia.org/wiki/Web_bug

    http://en.wikipedia.org/wiki/Web_counter

    However, even certain ads and banners and embedded scripts can also act as web counters and trackers (with javascripts and others).
    The web counters and trackers are not security risks, but are often considered to be an invasion of privacy when these collect certain data of the user.
    Also see:

    http://www.geocities.com/yosponge/datacoll.html


    Further readings:

    http://www.junkbusters.com/cookies.html

    http://www.unwantedlinks.com/

    http://www.cknow.com/vtutor/VirusProtection.html

    http://bcheck.scanit.be/bcheck/

    http://cexx.org/

    http://msmvps.com/blogs/spywaresucks/Default.aspx

    http://www.us-cert.gov/cas/tips/

    Best regards.
    Oldsod.
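The allow-list approach described in post #4 (visit the needed sites with everything allowed so they end up in the site list, then set blocking to High for every other site) and the four Mobile Code Control categories quoted from the ZA help text can be modelled in a few dozen lines. This is an added example, not ZoneAlarm's code or anything from the thread: the category names and the "This object has been blocked" message come from the quoted help text, while the subdomain matching, the list of "application" MIME types and the sample events are assumptions constructed for the example. The `privacy_advisor` function plays the role of the Privacy Advisor from the same post, listing what a policy blocked so that mistakenly blocked content can be found.

```python
"""Allow-list model for browser 'mobile code' as post #4 describes it: the
needed sites get a site-list entry, everything else is blocked by default.
Added example, not ZoneAlarm's own code; the four categories and the blocked-
object message come from the ZA help text quoted in the post, the host
matching and the MIME list are assumptions."""
from urllib.parse import urlsplit

# The four Mobile Code Control categories named in the quoted help text.
CATEGORIES = ("javascript", "scripts", "embedded_objects", "mime_objects")

# MIME types treated as "applications" for the mime_objects category.
# Illustrative list (assumption), not ZA's actual list.
APPLICATION_MIME_TYPES = (
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/java-archive",
)


class MobileCodePolicy:
    def __init__(self, default_block=CATEGORIES):
        # "High for everything": every listed category is blocked unless a
        # site-list entry allows it for that site.
        self.default_block = frozenset(default_block)
        self.site_list = {}  # host -> set of categories allowed on that site

    def allow_site(self, host, *categories):
        """Add a site-list entry; with no categories given, allow all four."""
        self.site_list[host.lower()] = set(categories or CATEGORIES)

    def _lookup(self, host):
        # Assumption: an entry for bank.example also covers online.bank.example.
        host = host.lower()
        while host:
            if host in self.site_list:
                return self.site_list[host]
            host = host.partition(".")[2]
        return None

    def decide(self, page_url, category, mime_type=None):
        """Return 'allow' or 'block' for one piece of content on a page."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        allowed = self._lookup(urlsplit(page_url).hostname or "")
        if allowed is not None and category in allowed:
            return "allow"
        if category == "mime_objects":
            # Only objects whose MIME type says "application" are blocked, which
            # is why a download you started yourself can hit the blocked-object
            # error while images on the same page load normally.
            is_app = bool(mime_type) and mime_type.lower() in APPLICATION_MIME_TYPES
            return "block" if is_app and category in self.default_block else "allow"
        return "block" if category in self.default_block else "allow"


def privacy_advisor(policy, events):
    """Mimic the Privacy Advisor: list what was blocked, with the message the
    user would see, so mistakenly blocked content can be found and allowed."""
    blocked = []
    for page_url, category, mime_type in events:
        if policy.decide(page_url, category, mime_type) == "block":
            message = ("This object has been blocked" if category == "mime_objects"
                       else f"{category} blocked")
            blocked.append((urlsplit(page_url).hostname, category, message))
    return blocked


if __name__ == "__main__":
    policy = MobileCodePolicy()
    policy.allow_site("bank.example")                 # needed site: everything allowed
    policy.allow_site("news.example", "javascript")  # only JavaScript allowed there
    # Constructed sample events: (page URL, content category, MIME type or None)
    events = [
        ("https://online.bank.example/login", "javascript", None),
        ("http://news.example/", "scripts", None),
        ("http://unknown.example/", "javascript", None),
        ("http://unknown.example/", "mime_objects", "image/gif"),
        ("http://unknown.example/setup", "mime_objects", "application/octet-stream"),
    ]
    for entry in privacy_advisor(policy, events):
        print(entry)
```

The number of entries `privacy_advisor` returns for an ordinary browsing session is the cost post #5 runs into: with the default block set to all four categories, every unlisted site produces at least one entry, which is why the post suggests building the site list first and only then raising the default.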

  5. #5
    eliuri Guest

    Re: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Thank you, Oldsod for your thorough answer. Useful information there....
    I'll save your response in case I have some follow up questions..

    When I did set the Privacy -->Mobile Code Control to block JS, I received so many prompts from ZA Privacy Advisor that it became too much work and annoyance.
    Alternatively, I guess I can merely turn off the Privacy Advisor and go into the Site List when I suspect something I need/want is being blocked. But I'll leave it on the default OFF setting meanwhile....

    I set the security in IE to Medium-High and for the TIF to empty each time I close IE.
    I guess I'll have to trust the ZAISS Kaspersky-based malware definitions to continue to detect such JS malware in the future in a timely way. As it did yesterday...
    If I continue to get such JS malware frequently in the future, I guess I'll just turn this Code Control setting back on and add sites to accept JS one site at a time.
    Thanks again:
    -Eliuri



    Message Edited by eliuri on 06-02-2008 08:18 PM

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Trojan-Downloader in IE Temp Internet Files Quarantined: Further actions?

    Yes indeed, the Privacy Advisor is either a pest to the desktop to some users or gets ignored or gets disabled (and re-enabled when needed).
    I suppose you will have a mini reference, well, at least a bit of reading anyways.

    IFRAMES along with other scripts, including the javascripts, can be easily adjusted in the IE's Internet Options.
    Medium High should be safe or adequate - I do have the needed sites in the Safe sites of the IE and use a customized settings and more secure for everything else.
    But I would still advise to instead use the ZA Privacy for blocking the IE web content (this will avoid some mistakes that will require the IE zones to be reset to default for a remedy).

    But I generally use Opera for almost all browsing and use the IE mainly for the needed microsoft sites.

    Take a look here and look at one of the toolbars for enabling/disabling web content in my own browser (it has been very customized):

    http://forum.zonelabs.org/zonelabs/b...ssage.id=18576

    Very easy to use as it is always inside the browser (plus right click of the web site/page in the Opera allows for custom adjust/allowing content). This is still easier than clicking the F12 in the Opera and doing the adjustments. (the Iframes can be adjusted in the customizations or globally disabled in the opera:config).

    Best regards.
    Oldsod.