BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Discussions relating to ClamXav

Moderator: Mark

BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby MLB » Wed 13 Feb 2013 3:43 pm

I've been running nightly scans without incident for the 6 weeks I've had my machine (OS X 10.8.2) but a few days ago a single error began showing up in my scan summary results and then, last night, 2 infected files were found:

Heuristics/Phishing/Email/SpoofedDomain:
/Users/ME/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/135K/x27_135127.olk14MsgSource

BC.Exploit.CVE_2013_0019
/Users/ME/Library/Caches/Firefox/Profiles/7fxtb7zm.default/Cache/3/9D/88B46d01

Anyone know what these are and have advice on what I should do? I should warn you that I'm not very technical, so please speak slowly for me :D.

Thanks for the help!!!
MLB
 
Posts: 12
Joined: Thu 03 Jan 2013 5:10 am

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby leamcd » Wed 13 Feb 2013 4:56 pm

Hi... I have found two files: f_003b5a and f_003c66 with the same Infection Name. Is this a false positive?
Thanks, Lea
Sorry for all the edits.

MacPro 17"
Last edited by leamcd on Wed 13 Feb 2013 5:20 pm, edited 1 time in total.
leamcd
 
Posts: 25
Joined: Sat 05 May 2012 5:44 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 5:16 pm

MLB wrote:last night, 2 infected files were found:

Heuristics/Phishing/Email/SpoofedDomain:
/Users/ME/Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/Message Sources/0T/0B/0M/135K/x27_135127.olk14MsgSource
The word Heuristics in the infection name means that something in the format of that e-mail message, supposedly from a financial institution, looks strange, so you are being warned to take a look at it. It could well be a legitimate message so you will need to look at it closely in case it's something you need.

When possibly infected e-mail files are found:
    - Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
    - Right-click/Control-click on the entry.
    - Select "Reveal In Finder" from the pop-up menu.
    - When the window opens, double-click on the file to open the message in your e-mail client application.
    - Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).
    - If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
    - If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
BC.Exploit.CVE_2013_0019
/Users/ME/Library/Caches/Firefox/Profiles/7fxtb7zm.default/Cache/3/9D/88B46d01
Since that's in your Firefox cache it just indicates that you visited a web page recently that contained that infection. It cannot hurt you in cache and you can either delete it or ignore it. It seems to be a new signature and I don't know much about it, but I'll see what I can find when I have time later today.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5 & 10.10.1 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 5:52 pm

leamcd wrote:Hi....I have found two files: f_003b5a and f_003c66 with the same Infection Name.
Which infection name? The OP lists two.
Is this a false positive?
If you are talking about BC.Exploit.CVE_2013_0019, then it might be as it appears to be something new. I don't see any other reports yet. Are those files in a browser cache?

According to the technical listing http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0019 it looks to be a problem with Microsoft's Internet Explorer browser and MS patched it yesterday, so I would not be too concerned about it.
-Al-
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby leamcd » Wed 13 Feb 2013 6:12 pm

Yes, it is the BC.Exploit.CVE_2013_0019 in my Google Chrome cache. Should I delete them from ClamXav, and then clear my Google cache?
Thanks,
Lea
leamcd
 
Posts: 25
Joined: Sat 05 May 2012 5:44 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 6:15 pm

leamcd wrote:Yes, It is the BC.Exploit.CVE_2013_0019 in my google chrome cache. Should I delete them from ClamXav, and then clear my Google cache?
Either way will work, you don't really need to do both.
-Al-
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby leamcd » Wed 13 Feb 2013 6:18 pm

Thank you for your prompt reply. I appreciate your help
Lea
leamcd
 
Posts: 25
Joined: Sat 05 May 2012 5:44 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby dansalmon » Wed 13 Feb 2013 7:22 pm

Hi,

I've been having the same problem. Whenever I log in to Gmail via either Firefox or Chrome, ClamXav quarantines an infected file:
* Chrome: ~/Library/Caches/Google/Chrome/Default/Cache/[filename varies]:BC.Exploit.CVE_2013_0019 FOUND
* Firefox: ~/Library/Caches/Firefox/Profiles/.../[file name varies]:BC.Exploit.CVE_2013_0019 FOUND

I have now tested on multiple Google Apps accounts on different domains and standard Gmail. All with the same result in the latest Firefox and Chrome. No problem with Safari. OS X 10.8.2 and ClamXav 2.3.4 (271).

I'm going to raise it with Google but thought I'd check here first for any advice, as it seems either there's a false positive with the virus definitions or Google is distributing a virus today.

Any help/advice greatly appreciated.

Cheers, Dan
dansalmon
 
Posts: 2
Joined: Wed 13 Feb 2013 7:09 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby MacTime » Wed 13 Feb 2013 7:35 pm

I also have had no problems, using Firefox recently downloaded, until suddenly last evening I had 35 hits of the above BC.Exploit.CVE_2013_0019 infection, but all but one of these were in files saved to my Documents folder from government job search sites weeks or months ago.

There was only one file which was a numbered file, and I could not find its location. I just deleted them all, but it is confusing.

Thanks for any information.
MacTime
 
Posts: 3
Joined: Wed 13 Feb 2013 6:53 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 7:45 pm

MacTime wrote:suddenly last evening I had 35 hits of the above BC.Exploit.CVE_2013_0019 infection, but these were all but one in files saved to my Documents folder from government job search sites weeks or months ago.
Documents are a different story than cache since they can be easily re-opened, but mostly because they can be submitted to ClamAV as examples of a False Positive so that others won't be similarly alerted. If you should run across one of these again, please upload up to two of them to http://www.clamav.net/lang/en/sendvirus/ using the "Submit a false positive report" form.
-Al-
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby dansalmon » Wed 13 Feb 2013 7:54 pm

alvarnell wrote:
MacTime wrote:suddenly last evening I had 35 hits of the above BC.Exploit.CVE_2013_0019 infection, but these were all but one in files saved to my Documents folder from government job search sites weeks or months ago.
Documents are a different story than cache since they can be easily re-opened, but mostly because they can be submitted to ClamAV as examples of a False Positive so that others won't be similarly alerted. If you should run across one of these again, please upload up to two of them to http://www.clamav.net/lang/en/sendvirus/ using the "Submit a false positive report" form.

Hi alvarnell, are you sure this is a false positive? Happy to submit the file if it is but just want to be sure it's false first. Cheers
dansalmon
 
Posts: 2
Joined: Wed 13 Feb 2013 7:09 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 8:02 pm

dansalmon wrote:are you sure this is a false positive? Happy to submit the file if it is but just want to be sure it's false first.
Not at all. I was just informing MacTime as to what to do if they thought it was a False Positive.
-Al-
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby MLB » Wed 13 Feb 2013 8:05 pm

alvarnell wrote:The word Heuristics in the infection name means that something in the format of that e-mail message, supposedly from a financial institution, looks strange, so you are being warned to take a look at it. It could well be a legitimate message so you will need to look at it closely in case it's something you need.

When possibly infected e-mail files are found:
    - Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
    - Right-click/Control-click on the entry.
    - Select "Reveal In Finder" from the pop-up menu.
    - When the window opens, double-click on the file to open the message in your e-mail client application.
    - Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).
    - If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
    - If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
Thanks, Al. I followed these instructions but, when I double-click the file within Finder, it does not open in my EM client (Outlook) but I'm asked to choose an application instead. When I choose Outlook, the file shows up as an attachment in a draft email. I can just "Exclude from Future Scans" but thought I should let you know what I found before doing so, in case this might change your assessment of what it is and how to deal with it. I appreciate the help!
MLB
 
Posts: 12
Joined: Thu 03 Jan 2013 5:10 am

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby MacTime » Wed 13 Feb 2013 8:08 pm

Thank you. To avoid misunderstanding, these were saved web pages designated as "web archive" in Get Info, and they had been scanned a number of times before this. Thanks again.
MacTime
 
Posts: 3
Joined: Wed 13 Feb 2013 6:53 pm

Re: BC.Exploit.CVE_2013_0019 in Firefox & SpoofedDomain

Postby alvarnell » Wed 13 Feb 2013 8:28 pm

MLB wrote:the file shows up as an attachment in a draft email. I can just "Exclude from Future Scans" but thought I should let you know what I found before doing so, in case this might change your assessment of what it is and how to deal with it.
Only slightly. I'm still learning about Office 2011. If it had been a previous version of Office, it would have been impossible to track down since those use a massive database which can't really be searched without having an exact signature. 2011 seems to use a combination of individual files and a database.

As you probably know, spoofed domain phishing is an attempt to get you to go to a fake site and enter privacy information, so as long as you don't do either of those things, you are perfectly safe. If you are able to identify the draft e-mail and then the attachment, you should be able to visually examine it to see what's going on. It would almost certainly contain a web link, and when you hover your cursor over the link it should reveal the actual URL that will open in your browser. If the link differs from the URL, that's when you get an alert.

As an example, users have recently run into American Express statements that have images for the Apple AppStore and Google Play. The images come from American Express but clicking on them takes you to the Apple iTunes or Google Play stores, so that triggers the Heuristics warning.
-Al-
alvarnell
Site Admin
 
Posts: 4477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA
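As an added illustration of the mismatch Al describes (this is not ClamAV's or ClamXav's code, only a small Python check written in the same spirit): it compares the domain a link's visible text shows, or the domain that serves a linked image, with the domain its href actually opens, and reports the pairs that differ. The sample message and every .test domain in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a link whose text names the bank but whose href
# goes elsewhere, an honest link, a bank-hosted image linking to an app store, plain text.
SAMPLE_EMAIL = """<html><body>
<p>Verify your account: <a href="http://login.example-verify.test/a">www.examplebank.test</a></p>
<p>Your statement: <a href="https://www.examplebank.test/stmt">examplebank.test</a></p>
<p><a href="https://itunes.apple.test/app"><img src="https://img.examplebank.test/a.png"></a></p>
<p><a href="https://examplebank.test/help">Click here</a> for help.</p>
</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text, image src) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None  # [href, text parts, img src] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", [], ""]
        elif tag == "img" and self._cur is not None:
            self._cur[2] = dict(attrs).get("src") or ""

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            href, parts, img = self._cur
            self.links.append((href, "".join(parts).strip(), img))
            self._cur = None

def _domain(value):
    """Last two host labels (simplification: ignores suffixes such as co.uk)."""
    if value and "://" not in value:
        value = "http://" + value  # bare 'www.examplebank.test' in link text
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""

def find_spoofed_links(html):
    """Return (displayed_domain, real_domain) for each link whose visible text or
    image names one domain while the href leads elsewhere; 'Click here' is skipped."""
    collector = _LinkCollector()
    collector.feed(html)
    pairs = ((_domain(text) if "." in text and " " not in text else _domain(img),
              _domain(href)) for href, text, img in collector.links)
    return [(shown, real) for shown, real in pairs if shown and real and shown != real]
```

Run against SAMPLE_EMAIL it flags the bank-text link that opens example-verify.test and the bank-hosted image that opens apple.test (the American Express pattern from the post), while the honest link and the "Click here" link pass.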
