Another Darn Virus


NOT AGAIN ~ Yes again!!!!
I'm looking into this now as it just appeared this morning.  It was picked up by CA Anti-Virus.  So far not much information coming from the net, except it seems to be invading our systems from embedded YouTube video.  The only YouTube I viewed was late yesterday from an A|R member's site.  I have 4 infected items all located in Temporary Internet Files\Content.IE5\08HP35PG\l[1].swf.  I'm performing the required scans, etc. but nothing is showing up!

Bottom line for now is don't embed from YouTube, please pass along any information you might have and I will do the same as I work to clean up this latest threat.

I'm following the chatter over at http://www.bleepingcomputer.com/forums/topic183428.html but so far no help is available.

See comments for UPDATES

Gail MacMillan Titusville Fl Real Estate


35 Comments on New Virus ~ Actns/Swif.T ~ YouTube Alert - Update #2

DEC
02
303,423 Points 11 Featured Posts Localism Sponsor Outside Blog Hit Router

Thanks for the heads up Gail!  There is always a new and more malicious virus right around the corner, isn't there?

8:54am • #1
183,343 Points 5 Featured Posts Outside Blog

Hi Leesa - yes and this one seems to be replicating as I now have 6 infections.  Last time I had a virus like this it took almost 2 days to purge it.  It's such a waste of precious time :-(

9:00am • #2
571,401 Points 59 Featured Posts Outside Blog

Gail, thanks for the alert. Hope this one gets fixed soon by the YouTube folks.

9:07am • #3
183,343 Points 5 Featured Posts Outside Blog

Hi Gary- Good grief - I'm now up to 8 infections.  It might be time to send my log over to HijackThis

9:31am • #4
208,338 Points 7 Featured Posts Outside Blog

Gail download Avira immediately and perform a full scan of your computer. http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=10901492

Also uninstall your current AV because it obviously has failed. Once you perform a few full scans and it shows up empty you should be ok. Those are just temp files.

Viruses cannot be embedded in video at this point so it's not from that. You most likely ran into an HTML script virus off a web page that was infected.

9:49am • #5
183,343 Points 5 Featured Posts Outside Blog

Hi Shane- I'm not so sure about YouTube not containing viruses.  Bugs in the FlashPlayer can, apparently, allow a virus to enter.  Also there are new reports of fake YouTube videos.  CA did pick up the infection but did not (could not) remove them.  I will try Avira, I've heard good things about it.  Thanks, I'll let you know how it goes!

10:19am • #6
208,338 Points 7 Featured Posts Outside Blog

A .mpg or .mov or .mp4 or any other known video file format at this time cannot run as one of those files if a virus is embedded. The same goes for music files such as .mp3. Currently most viruses take on the form .exe as an executable file. Once you insert a virus into most file formats the format changes. It just can't contain both files and still function. Viruses can be injected into your computer through the manipulation of Flash or Java as far as I know, and I don't honestly know exactly how it works. But YouTube is basically a link to a movie file located on a server. For someone to be able to manipulate that would be pretty tough. I have never heard of this being performed. A much easier approach would be to infect the HTML code of a webpage so that when you visit it your browser basically "clicks" on the file and infests your computer. I have seen this type of virus on many major sites including msnbc.com just last week.

11:10am • #7
165,353 Points 14 Featured Posts Localism Sponsor Outside Blog

Thanks for the warning, I have been perusing YouTube for some things to upload lately and will wait until this passes! Hope you're doing well!

11:48am • #8
183,343 Points 5 Featured Posts Outside Blog

Thank you Shane- I'm in the process of the second scan on Avira.  It did pick up a virus, but it's confusing.  It was a dropper called DR/FraudTool.RegistrySmartA, but when I clicked for more information, Avira could not find that virus.  Not much on Google either from a cursory look.  There was an executable called Setupxv.exe which I deleted, and I'm hoping that was the source.  I had several warnings which appear to be files Avira could not scan (I'll not worry about those at the moment).  From what I see, Avira performs much better than CA as an anti-virus program - YAY!!!

I appreciate your concern and help :-)  As I learn more (if I need to learn more) I'll post the comments here.  Meantime, fingers crossed that I'm cured!!!

12:07pm • #9
183,343 Points 5 Featured Posts Outside Blog

Hi Russell- if you read Shane's comments, he feels there is not much worry about embedding YouTube, but it's always wise to be prudent.  I'll keep you posted.  Congrats on being featured in the A|R newsletter :-)

12:08pm • #10

We embed YouTube video on our website. CA reports the actns/swift.T virus in a temp cache file and kills it. However, each time you visit the website with the embedded video, it downloads the l(1).swf file to the cache, then CA detects it and kills it again. We removed the embedded video and the problem went away. Put it back, it comes back. We also found a video on a Yahoo page that has the same virus. If you go directly to YouTube and play the video, there are no problems. It appears to be only in the embedded websites.

 

 

 

Infected in Indiana
12:35pm • #11
183,343 Points 5 Featured Posts Outside Blog

Hello Indiana- A second scan with Avira seems to be all clear.  I had the same file as you, but it seems to be gone.  CA did not report deleting it however, which is what I was looking to see happen.  Now I have a question, if you're still monitoring.  If you had the embedded video with the virus on your computer and I clicked to watch that video, could I then become infected?  I ask because I suspect this is how I got it, but would like to know for sure.  There seems to be uncertainty as to the ability to get a virus this way.  Thanks for your comment.

12:46pm • #12

Gail,

What site were you viewing when you got the virus warning?

Curiour
1:10pm • #13

It appears that it may be a false positive from the CA software and not a virus at all. GRRRrrr!!!

 

 

Infected in Indiana
1:43pm • #14
208,338 Points 7 Featured Posts Outside Blog

That's the problem and why I said to install a good antivirus problem. Avira has comparably a few more false positives but from my experience they are minor compared to the protection it gives. It's an entirely free program with full functionality, you can of course pay for it as well. What I am sure you are seeing is either a false positive or an infected HTML page. That's why it's showing up in your IE temp folder. You need to be 100% prevention rather than trying to fix what your AV program missed.

Check out this website for more information http://www.av-comparatives.org/ It is the only website of its kind.

2:07pm • #15
183,343 Points 5 Featured Posts Outside Blog

Curiour (Curious) - I was on another Active|Rain member site and clicked on the video to listen to a song.  That's my only YouTube adventure yesterday.  I have contacted the member to find out if they have experienced any problems.  I did notice that the video is gone.  If I hear more from our member I will let everyone know.

2:21pm • #16
183,343 Points 5 Featured Posts Outside Blog

Indiana and Shane- you seem to both be saying this could just be a false positive.  At this point I've run Avira (which I downloaded) twice.  The first time 1 infection was found and deleted.  The second time nothing was infected, but had 7 instances where Avira could not scan the file.  I'm in the process of running my original CA software, which is taking forever, and so far has found 10 more of the same virus, 8 files are infected, 2 are deleted.

The last virus I had was the Trojan.Renos which was wicked to remove.  Again CA picked it up but could not remove it.  Since I see similarities in its ability to replicate, I'm reluctant to just leave them there.

HAS ANYONE USED "HIJACKTHIS" TO REPORT THEIR LOG TO THEM TO WORK OUT THE PROBLEM

2:32pm • #17
208,338 Points 7 Featured Posts Outside Blog

Gail you can't leave them. It sounds like you have a very serious protection. I doubt even if you could entirely remove them that there wouldn't be serious damage. I could only recommend that you do a full format of your drive and reinstall Windows. I just wrote an article on AV protection to help Brad and you both with your problems. I don't think it could be salvaged. You can try saving your data quickly and hope it's not infected. Even if it is do this.

1. Back up what you can as fast as you can.

2. Format your drive and reinstall Windows.

3. Install a good AV program.

4. Update Windows until it is entirely up to date.

5. Update your AV as well.

6. Once your computer is fully secure try bringing the data on to it. Move the files from where it is (discs?) to the hard drive on your computer. An active scan which Avira will be automatically doing should reveal if anything is infected before it transfers the files. Just to be safe scan all the files once they are on your drive.

7. Once it's safe do a full scan of your entire system just to be sure.

8. Now install the rest of the software you normally use.

2:37pm • #18
183,343 Points 5 Featured Posts Outside Blog

Thanks Shane- I'm definitely not in a state of panic.  I've faced these before and always manage to get rid of them.  Formatting is not something I would do lightly.  I'm going to submit my log to HijackThis and have them look it over.  I'll report back here with the results.

3:12pm • #19

I have CA Security Center, and I had a warning come up that said that a virus had been detected in my temporary internet file folder, so I closed all of my web pages, and deleted ALL of the files. Then I went back on the internet to my homepage Google and logged on to my iGoogle account and the warning came back. I did this a couple times and then I deleted the iGoogle gadget "my favorite youtube videos". Since then I haven't had any problems with it but it has only been about half an hour.

bob
4:19pm • #20
183,343 Points 5 Featured Posts Outside Blog
UPDATE #1:  This thing is still replicating but also deleting the virus at a ratio of 1:3.  Now here's the biggie.  I called my A|R buddy where I thought a clue might lie and his video is still there and he's not having a problem with it.  NOW - on my computer his video is missing....what, why, where and how???...I know the when!  I've only embedded 1 YouTube on my A|R blog...guess what...it's gone as well...all YouTube videos posted to A|R are gone on my computer!!!! what's up with this???

I've just disabled System Restore with the hope of stopping the replication of this virus.  GOD ~ so much wasted time :(

I don't know how, but I do know something involving YouTube is the culprit....PLEASE USE CAUTION

4:56pm • #21

Try deleting everything in your temporary internet files folder, you don't need them unless you have passwords that are saved but you should know those anyway. Then when you go back on the internet start out on Google or something, where you know the virus isn't there. I agree YouTube is involved.

bob
5:09pm • #22
183,343 Points 5 Featured Posts Outside Blog

Hi Bob - Thanks for joining in:-)  I deleted the temp file first thing this morning when I saw it was involved....but did not opt for deleting history or passwords...do you think this is important?  I just ran ANOTHER scan with Avira and no viruses showed up.  That's the thing with these new fangled viruses!  Why don't these oh-so-clever geniuses do something productive and help this planet progress...OH what a dreamer am I!!!  Thank you very much for your feedback.

5:23pm • #23
208,338 Points 7 Featured Posts Outside Blog

Gail at this point it doesn't matter what caused it. You might never know. Just focus on trying to stop it. It might not be able to be stopped. One thing to do is unplug your network cable immediately to ensure that it can't access the internet. It might be replicating by downloading different versions trying to escape. At that point there's nothing more you can do than keep it scanning and scanning until either it overcomes the virus or you don't think it's possible.

5:25pm • #24

If you don't need the saved passwords and history then give it a try, the infected files could be anything. I just went to the folder and selected select all and hit delete.

bob
5:31pm • #25
183,343 Points 5 Featured Posts Outside Blog

Shane- You've been such a help with this situation today...and I thank you very much as I know you have much better things to do than worry about this stupid virus... I OWE YOU for your caring attention...thanks so much :-)  Believe it or not, at the moment things are actually quiet. I will leave System Restore off overnight and see what happens in the morning.  It's dinner time in Florida and I'm hoping food restores my will to fight this THING - LOL.  Next problem is, I entered Jason's worst song contest and my entry is gone (thanks to this stupid virus!)  Trust me it was THE WINNER!  Could you put in a good word for me - gee....thanks again for being such a nice guy and forward this post on to Jason Crouch.  Amen...

5:33pm • #26

Jeez, Gail. I wish I had some advice for you with this problem, but I don't. Sounds like you've got some pretty smart people here to help, and I hope you get rid of this thing soon. I'll stay away from YouTube until you all think it's safe to go back in the water. I'm using AVG, have been for years with (knock on wood) no problems.

I'll stay tuned....

Debi

5:36pm • #27
183,343 Points 5 Featured Posts Outside Blog

OK Debi- The Naughtiest of RingLeaders from Woodland Park, Colorado, did you think you would be unrecognizable without a signature ;-)... seriously I hope no-one else gets this bad baby!!!

6:30pm • #28
DEC
03
183,343 Points 5 Featured Posts Outside Blog

UPDATE #2: Disabling System Restore seems to have done the trick.  Everything is running normally this morning (except had to boot twice) and there is no evidence of the virus.  Even the missing YouTube video has been restored in its original location.  Big thanks to all of you who shared my misery and so graciously gave of your time and expertise.  Hopefully this chronology will help the next person overcome the virus quickly.  I will leave System Restore off for a few days but will reinstate to see what happens.  Thanks again :-)  Life is good!

9:39am • #29
DEC
06
669,250 Points 72 Featured Posts Localism Sponsor Outside Blog

Gail, reading stuff like this makes me so glad to have a Mac! 

8:59am • #30
183,343 Points 5 Featured Posts Outside Blog

Patricia- I could be wrong, but when A|R's servers became infected, I thought I read something about MAC...sorry don't have the details.  I have read that MACs are much less susceptible, let's hope it stays that way....it seems these hackers love a good challenge :(

9:36am • #31
197,943 Points Outside Blog

These viruses are getting smarter and smarter.  It pays to have a good backup program.

9:42am • #32
208,338 Points 7 Featured Posts Outside Blog

Gail I found this article today and immediately thought of you.

http://www.crunchgear.com/2008/12/02/actnsswift-virus-affecting-embedded-youtube-vids/

Apparently it's not really a virus? I'm confused!

11:47am • #33
183,343 Points 5 Featured Posts Outside Blog

Thanks Shane- pretty weird eh?  The article seemed to think it's a Trojan.  Anyway, I've not had any more issues (that I'm aware of) since turning off System Restore.  Avira is working great, thanks for the advice :-)

12:53pm • #34
OCT
12

Avira is ok but still won't catch everything; install Avast, it's free for home edition and will catch all

7:59am • #36
