Real or False Positive

Moments ago I received a virus alert for Downloader.SWF.Agent.bv on a user’s web request.
Referer: http://www.real.com/player/index.html
Destination: http://ke-el.com/download/checkout_confirmation.php?s=ZJxmRSLB&id=3
That either means the user clicked on a link on real.com that took them to a virus page, or the virus page is an element of the real.com page. Either way, not good. I went to the real.com page and didn't see any funny business. It would be a good story if Real.com was infected. I think it had to be for my user to get this result, but I couldn't spot the trouble myself.
Next I checked out the ke-el site. ScanSafe detected that page as Gumblar.x. I opened the page up using an online HTTP viewer and saw the following:
[Screenshot: ke-el.PNG]
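One way to make that "clicked a link" versus "element of the page" distinction concrete, as an added example rather than anything from the original post: take the HTML of the Referer page and the alert's destination URL, and report whether the destination is pulled in automatically by the markup (iframe, script, img, object), is only reachable by a click (an anchor or form), or does not appear in the markup at all, which is what you see when injected JavaScript assembles the URL at run time. The referer and destination URLs are the ones from the alert; the three HTML samples are constructed for the example and are not captures of real.com. Matching is by hostname rather than full URL because the query string may differ between requests. One caveat worth keeping in mind: the page you fetch during triage is not necessarily the page the user was served, so "unreferenced" means "not in this copy", not "clean".

```python
"""Triage a proxy alert of the form "Referer -> Destination".

Added example (not code from the post): given the referring page's HTML, decide
whether the destination is loaded automatically by the page (an embedded
element such as an iframe or script), reachable only by a click (a link), or
not referenced in the markup at all (typical of obfuscated injected script).
All HTML samples below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes the browser fetches without user interaction.
AUTO_LOAD = {
    "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "img": ("src",), "embed": ("src",), "object": ("data",),
    "link": ("href",),
}
# Attributes that only lead somewhere when the user clicks or submits.
CLICK = {"a": ("href",), "area": ("href",), "form": ("action",)}

# Crude markers of the obfuscation style used by injected scripts.
# This is a heuristic for the analyst, not a signature.
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode", "eval(", "document.write(")


class PageURLs(HTMLParser):
    """Collect outbound URLs (resolved against the page URL) and inline scripts."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.auto, self.click, self.inline_js = [], [], []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True
        for table, bucket in ((AUTO_LOAD, self.auto), (CLICK, self.click)):
            for attr in table.get(tag, ()):
                if attrs.get(attr):
                    bucket.append((tag, urljoin(self.base_url, attrs[attr])))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def hostname(url):
    return (urlsplit(url).hostname or "").lower()


def looks_obfuscated(js):
    """True if an inline script uses several decode/eval idioms or is mostly escapes."""
    markers = sum(m in js for m in OBFUSCATION_MARKERS)
    escapes = len(re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", js))
    return markers >= 2 or escapes >= 20


def classify(referer_url, referer_html, destination_url):
    """Return (verdict, evidence, obfuscated_inline_script_count)."""
    page = PageURLs(referer_url)
    page.feed(referer_html)
    page.close()
    target = hostname(destination_url)
    auto_hits = [(t, u) for t, u in page.auto if hostname(u) == target]
    click_hits = [(t, u) for t, u in page.click if hostname(u) == target]
    obfuscated = sum(looks_obfuscated(js) for js in page.inline_js)
    if auto_hits:
        return "embedded", auto_hits, obfuscated
    if click_hits:
        return "link", click_hits, obfuscated
    return "unreferenced", [], obfuscated


# URLs from the alert in the post.
REFERER = "http://www.real.com/player/index.html"
DESTINATION = "http://ke-el.com/download/checkout_confirmation.php?s=ZJxmRSLB&id=3"

# Constructed sample 1: destination sits in a hidden iframe; no click needed.
HTML_EMBEDDED = """<html><body>
<a href="/download/">Get RealPlayer</a>
<iframe src="http://ke-el.com/download/checkout_confirmation.php?s=ZJxmRSLB&amp;id=3"
 width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample 2: destination is an ordinary link; a click is required.
HTML_LINK = """<html><body>
<a href="http://ke-el.com/download/checkout_confirmation.php?s=ZJxmRSLB&amp;id=3">Checkout</a>
</body></html>"""

# Constructed sample 3: the URL never appears literally; an inline script
# decodes it at run time, so markup inspection alone cannot place it.
HTML_OBFUSCATED = """<html><body>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29'));</script>
</body></html>"""

if __name__ == "__main__":
    samples = (("embedded", HTML_EMBEDDED), ("link", HTML_LINK), ("obfuscated", HTML_OBFUSCATED))
    for name, html in samples:
        verdict, evidence, obf = classify(REFERER, html, DESTINATION)
        print(f"{name}: verdict={verdict} evidence={evidence} obfuscated_scripts={obf}")
```

Run it against the HTML you actually captured (the proxy cache copy is better than a fresh fetch) rather than the constructed samples; an "unreferenced" verdict together with a non-zero obfuscated-script count is the combination that deserves a closer look at the inline JavaScript.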

3 Comments

  1. Gumblar has been a massive thing this year, infecting more than a hundred thousand websites. If I remember right, it originally infected users' PCs on the fly by exploiting an Acrobat Reader bug; when the user read a malicious PDF document the PC was infected. It then took FTP passwords stored on the user's PC and sent these to the hackers. The hackers then infected the web sites by http://ftp... I might err in some detail; I guess you'll find enough info on the web. Make sure to clean your system!

Comments are closed.