

curem.net virus




Posted by uasuas, 02-05-2011, 01:00 PM
Anyone know about the curem.net virus? This adds the following frame in the index file of the website

Posted by iTom, 02-05-2011, 01:06 PM
Usually it's done via code injection through other un-secure pages, such as eMail submission forms. Seen it done quite a few times, normally on Windows servers.

Posted by uasuas, 02-05-2011, 01:15 PM
Yes, there are too many email submissions in the website. The online server is Linux, but these files are also run on a Windows server (internal). How to cure this?

Posted by enkapsulate, 02-05-2011, 01:26 PM
Remove the code and secure your contact form.

Posted by uasuas, 02-05-2011, 02:44 PM
The forms are for internal communication.

Posted by jjk2, 02-05-2011, 02:51 PM
This is a zero-day remote browser exploit. Basically, when the iframe loads, 30~40% of our visitors will be automatically and silently infected with a trojan. Doesn't matter if you scan your computer since they are already FUD, meaning fully undetectable by 95% of antivirus software. My suggestion is to always run browsers in a virtualized environment like VirtualBox. Sandboxie is bypassable and a joke.

Posted by zotium, 02-10-2011, 11:26 PM
Got hit too. Anybody find out how this code got injected?

Posted by Driver01, 02-11-2011, 11:53 AM
Which browser is vulnerable? Why is it that only 30~40% get infected? Sorry for all the questions, but I'm interested to know what the other 5% of AVs do that the 95% don't. Could you tell us what 5% will detect it? How long do zero-day exploits last until they are added to AV databases? I thought Sandboxie was quite a good and widely used software? How does VirtualBox differ? So viruses can bypass Sandboxie and load at kernel level whilst using Sandboxie? How do you know you're infected? Phew! Thanks for your answers in advance. I do like to keep ahead so as to avoid infections to my PC.

Posted by artemirk, 02-13-2011, 09:27 PM
You can check the file modification time for the index file with the injection. After that, check that modification time in access.log and find the insecure page. After that, fix your page with the form and check the other forms too.

Posted by jjk2, 02-15-2011, 08:02 PM
Almost all browsers. IE is almost always vulnerable. Firefox and Chrome as well. Although most exploits focus on IE & Firefox since they have the largest market shares. Most exploits are aimed at Windows. Infection rate ranges. Some browser versions are not affected. Sorry, it's actually 100%. Very good viruses and trojans have almost 100% stealth. Avira seems to be the fastest to catch new trojans. Depends. Less than a week to months. Usually very fast. Note that new exploits are always being released. A good trojan or virus can easily defeat Sandboxie. VirtualBox seems to be a safer choice but that doesn't mean it's perfect. Hard to know. If there are a lot of outgoing connections when idle and you have nothing else running, that is a sure sign. Np. Turn off JavaScript when accessing websites in Firefox. This is the safest way. Disable any media being opened in Firefox, like PDF. Avira seems to be the fastest in new malicious code discovery. If you run suspicious files, make sure to do it in VirtualBox. A safer method is running Windows in VirtualBox on your Linux distro.

Posted by kotram, 02-20-2011, 01:35 PM
Hi, I too have started seeing these lines on my WordPress blogs. The problem is that the index file is auto-generated at runtime in WordPress and hence there is no "physical" file from which I can remove these lines. What can I do to clean this up on WordPress? Thanks in advance.

Posted by tonoortiz, 03-01-2011, 09:28 PM
The infected file is the index.php that is in the root of your WordPress installation. At the end of that file you will see the iframe code. My web site was infected, I erased that code and problem solved... for a while, because I don't know how it got infected...
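
The checks described in the posts by artemirk and tonoortiz above (look for the iframe at the end of index.php, then match the file's modification time against access.log), as an added example that is not part of the original thread. It assumes Apache combined log format; the log lines, paths and addresses are constructed, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache "combined" format; not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Feb/2011:12:41:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Feb/2011:12:58:31 +0000] "POST /contact/send.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [05/Feb/2011:12:58:33 +0000] "GET /index.php HTTP/1.1" 200 5304 "-" "-"
198.51.100.7 - - [05/Feb/2011:16:02:00 +0000] "POST /contact/send.php HTTP/1.1" 200 298 "-" "Mozilla/5.0"
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=", re.IGNORECASE)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def trailing_iframe(content, tail_chars=2048):
    """True if an <iframe src=...> sits in the last tail_chars of the file text."""
    return bool(IFRAME_RE.search(content[-tail_chars:]))

def file_mtime(path):
    """Modification time as an aware UTC datetime. mtime can be reset by
    whoever wrote the file, so compare st_ctime as well on a real host."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def requests_near(log_text, mtime, window_minutes=5, methods=("POST", "PUT")):
    """Write-style requests logged within window_minutes of the file's mtime."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in methods and abs(rec["time"] - mtime) <= window:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # Constructed stand-in for file_mtime() on the modified index.php.
    mtime = datetime(2011, 2, 5, 12, 58, 32, tzinfo=timezone.utc)
    for rec in requests_near(SAMPLE_LOG, mtime):
        print(rec["time"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["status"])
```

An empty result means the change did not arrive as a logged POST or PUT in that window, so FTP and SSH logs are the next place to look.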


