Tuesday, December 02, 2008

Putting the "US" Back in "Virus"

Sigh...

So this morning, I navigated to this page to see what lovely comments had been left by my threes of readers, and I got a popup warning from my virus scanner that two instances of the actns/swif.t virus had been detected and deleted.

Naturally, I crapped my pants. After that was cleaned up, I poked around looking for information on this virus. Unfortunately, it's a relatively new thing and there's not much out there. I suspect it was just added to the virus definition files on the last update.

The problem was a couple of videos that I had embedded from Youtube. The videos themselves weren't infected. It was just the HTML code that was being flagged and deleted every time the page was loaded.

I finally found this info on the actns/swif.t virus on AntivirusConnection.com:

The Actns/Swif.T has been a tricky one. It seems this virus has just recently spawned, causing computers to show a embedded shockwave/flashplayer file within IE/Firefox browser. Inside the embedded swf, it features a redirect to a phishing website that I advise everyone NOT to click on! So if you see this embedded vicious file pop up, Do Not Click It! It will install another virus called Antivirus 2009, which those of you who know this virus already, it’s a pest to get rid of.

Now, based on this, I'm suspecting my detections were false positives. Since the virus definitions were just added, I think my virus scanner saw the embedded videos in my browswer and just assumed they were placed there maliciously. The videos themselves don't appear to be infected, and I've never been redirected to the phishing site.

But I'm hardly an expert, and I don't want to take any chances until I know for certain. So I've deleted the embedded videos until I can get a little more information. If any of you out there are smarter about this kind of thing than me, I'd love to hear from you.

Thanks!

--------------------------------

Update: After all the ballyhoo, it turns out it was just a false positive from CA Antivirus. Apparently they've fixed the problem and I'm off to download the updated files. I feel pretty goddamn smart for having figured it out myself FOURTEEN HOURS AGO!

Also, I had a LOT of hits on the blog today. I was apparently one of the first people to post anything about the virus online, so for a few hours my blog was showing up on Google near the top of the list for searches on "actns swif.t" or variations thereof. Ordinarily, I get 20 to 30 hits a day. Today, I got 600+.

Of course, Google's brilliant algorithm eventually kicked in and decided that link farms and sites devoted to 80s heavy metal were FAR more relevant than my blog, so now I've dropped down several pages. But that's okay. Fame would have only changed me.

12 comments:

Anonymous said...

This just happened to me also. I'm curious, what AntiVirus product are you using? CA for me.
It pops up when I hit a certain site that has been fine in the past.

Anonymous said...

Problem appears to be limited to embedding YouTube videos in Internet Explorer. No issues with FireFox. I'm running CA eTrust and having the issue. Not sure if it is just them or all of the AV companies.

Anonymous said...

Likewise I had the same issue with CA and followed the same process you did, which lead me to your site. If these are indeed false positives then at least we know who is watching videos on the network...

Irb said...

So many Anonymouses!

Yes, I'm using CA as well, so I think we've found the culprit.

I'm pretty sure it's a false positive, but until I hear definitively one way or the other, I think I'll stick to linking to videos instead of embedding them.

Thanks for the info, guys!

Steph said...

You all are not alone!

CA user, IE user, but Wordpress.

Irritating little "bug" isn't it?

Anonymous said...

One more anonymous here, one more CA user, but not embedding any videos. Just going on a blog I read almost every day, and getting the virus alert for the first time. It only pops up on a few pages, and no videos there. So if it's a false positive, why are we all getting this for the first time on familiar sites. Hope CA responds to this soon.

Anonymous said...

I'm also a CA and an IE user. I just started getting these pop-ups from my CA Anti-Virus today. It will tell me that 3 viruses (Actns/Swif.T) have been detected, but 2 have been infected while one has been deleted.

I was on YouTube yesterday. I watched a "Jeremiah Was a Bullfrog" and Sesame Street's "Wubba Wubba song" videos. I've never linked to or embedded these videos, and I (so far) am on being redirected to any phishing site.

If these are false positives, are they only being picked up by CA software? What does the "infected" mean, as opposed to the "deleted"? What's up? Is there somebody watching my computer's move now, or are these pop-ups from CA just CA's way of saying it seems malware while the malware has not infected one's computer yet? Thanks for any help!

Anonymous said...

Can someone post the urls where they're getting the warnings?

The Coroner said...

One url with the warning is http://www.talkingpointsmemo.com

Farrago said...

Get a Mac.

(You know I just had to do it...)

scarletvirago said...

Aw, man. You lost me at "navigate".

Professor said...

You're famous! Now it doesn't make any difference if you give people a virus.. :)