Trojan:JS/Iframe.AP Severe Allowed

Horlock
Posts: 1,027 Forumite
in Techie Stuff
I'm a little confused.
Last night I ran microsoft security essentials on a full system scan.
Returned tonight to see the outcome, nothing on main screen, so I don't really know what convinced me to look further, but I did.
I clicked the History tab
There were two things detected.
Exploit:Java/CVE-2011-3544.A which is supposedly a severe alert level, discovered this morning at 05:05 and action taken is removed.
Trojan:JS/Iframe.AP which is supposedly a severe alert level, discovered last night at 22.02 and the action taken is allowed.
So the question is what is it, and why if MS security essentials view it as severe threat is it allowed.
Is there any way to get it removed? And should I?
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AJS%2FIframe.AP
Doesn't seem to give a lot of helpful info really.
I don't think I want to install more antivirus stuff at the moment - I tend to prefer to deal with viruses when they come than run a slow PC in the eventuality that they may come - by the time they come the computer generally is ready for a fresh install and I don't really keep a lot of sensitive info.
MS security essentials offers this info:
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.
Items:
file:C:\Users\Doc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1HOAUWL6\afr[1].htm
file:C:\Users\Doc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X6DTK14W\afr[2].htm
file:C:\Users\Doc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X6DTK14W\afr[4].htm
file:C:\Users\Doc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X6DTK14W\afr[5].htm
There is no intelligent life out there ... ask any goldfish!
0
Comments
Go into program settings > default actions.
What are all the settings for Severe, High, medium & low?
To start with it is in your Temporary Internet folder.
Assuming Internet Explorer; run Tools > Safety > Delete Browsing History.
Run your AV again.
C:\Users\Doc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\
You've visited a webpage that's been compromised & had malicious code injected that redirects you. Maybe as a result of that, code has been run that has attempted to exploit Java - so long as your version of Java is up to date, then the exploit would have failed. Had the exploit been successful, then it's possible that malware could have been downloaded & installed - but then MSE may well have detected the malware in that scenario and blocked it at that point.
Trojan:JS/Iframe.** is a malicious JavaScript file that is embedded into malicious or compromised webpages, usually via SQL injection or through Blackhat search engine optimization (SEO) poisoning.
If a user visits a website that contains this malicious JavaScript, it redirects them to another website that may download other malware into the computer.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier...
http://blogs.technet.com/b/security/archive/2011/11/28/millions-of-java-exploit-attempts-the-importance-of-keeping-all-software-up-to-date.aspx
http://www.microsoft.com/security/sir/keyfindings/default.aspx#!section_3_2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FCVE-2011-3544.A
http://secunia.com/vulnerability_scanning/online/
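The comment above describes Trojan:JS/Iframe as script in a compromised page that silently redirects the browser. As an added example (not from the thread or from Microsoft), this Python script audits cached .htm files such as the afr[N].htm items for invisible iframes; the heuristics, the function names `audit_html` and `scan_cache`, and the sample page are assumptions of the example.

```python
import re
from pathlib import Path
from html.parser import HTMLParser

# Heuristics and SAMPLE are constructed for this example; not Microsoft's signature logic.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}
SCRIPTED = re.compile(r"(?:document\.write|innerHTML)[^;]*<\s*iframe", re.I | re.S)
SAMPLE = '<p>news</p><iframe src="http://redirect.example.invalid/" width="1" height="1"></iframe>'

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None  # _script buffers text inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            dims = {a.get("width", "").lower(), a.get("height", "").lower()}
            if dims & TINY:                      # 0 or 1 pixel frame: invisible to the visitor
                self.findings.append(("tiny-iframe", a.get("src", "")))
            elif HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if SCRIPTED.search("".join(self._script)):  # script that builds an iframe
                self.findings.append(("script-writes-iframe", ""))
            self._script = None

def audit_html(text):
    parser = IframeAudit()
    parser.feed(text)
    return parser.findings

def scan_cache(root):
    """Return {path: findings} for flagged .htm/.html files under root."""
    flagged = {}
    for path in filter(Path.is_file, Path(root).rglob("*.htm*")):
        found = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            flagged[str(path)] = found
    return flagged
```

A finding is only a reason to look closer: legitimate ad and analytics frames are often tiny or hidden too, which is why cached ad pages are a common place for this kind of detection to show up.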
To start with it is in your Temporary Internet folder.
Assuming Internet Explorer; run Tools > Safety > Delete Browsing History.
Run your AV again.
Does this mean that your Internet Security is set to "Low"? Worth setting to at least "Medium".
I've tried the IE thing
Successfully I hope
I've run AV again - nothing new
Does this mean Internet security is set to "low"? No idea - where would it be set to low?
Incidentally why is MS so secretive about the temporary internet files. I.e. when I browse to a root directory it is empty, then when browse up another layer that is empty, then the next layer all empty - and the filenames are hardly obvious to guess?
Thanks everyone for the suggestions though.
There is no intelligent life out there ... ask any goldfish!
All settings are "recommended action"
Then someone has to have chosen "Allow" for the Recommended action. With severe threats set to Recommended action, there are 3 to choose from in the drop down box, Remove, Quarantine & Allow.
Click the thumbnails below.
http://windows.microsoft.com/en-GB/windows/understanding-alert-levels?mkt=en-us
0
This discussion has been closed.