What is HTML/Framer?

Posted in HTML/Framer by Editor – 1 Comment

Welcome. If you are visiting this website it is probably because your antivirus software detected HTML/Framer on your computer with a message similar to “Virus found HTML/Framer”, or because you have found that your website content files have been infected by this malware.

Virus found HTML/Framer

HTML/Framer is the name your antivirus vendor gives to any HTML or JavaScript code that looks suspicious enough to have been produced and injected by malware, a virus or a trojan horse. There are several reasons why this may be detected on your computer, and different solutions exist to get rid of the problem.

On this site you will find all the information and tools necessary to combat HTML/Framer both on your computer and on your website server, as well as a discussion forum where you can share your experiences and get help and advice from experts.

Description of the HTML/Framer attack

Posted in HTML/Framer by Editor – Be the first to comment

Files detected by your antivirus as HTML/Framer can be classified as part of a hidden iframe injection attack and are a clear symptom of activity by viruses such as Gumblar.

Gumblar is a two-phase attack that combines different techniques to achieve its mission. The last known Gumblar attack consisted of exploiting a PDF or Flash vulnerability on the client side in order to attack Windows-based machines and gain access to the system.

Client side attack

First, the attack is initiated on client machines following a classic drive-by-download pattern, exploiting vulnerabilities in Adobe Acrobat Reader and Adobe Flash Player. Once the machine is infected, Gumblar has access to the user's system and carries on with the next steps of the attack by collecting any FTP credentials (login and password) stored in applications such as FileZilla or Dreamweaver. Gumblar also installs a network sniffer that captures data traffic in search of FTP credentials being sent to FTP servers.

Besides stealing FTP credentials, Gumblar carries out other activities on the client machine, such as sending spam, hijacking Google search queries and installing other software such as a fake antivirus, while disabling legitimate security software such as your antivirus protection.

Server side attack

The second part of the attack consists of using all the stolen FTP credentials to access the servers and infect any website content found, by locating files containing HTML, JavaScript or PHP code.

The downloaded files are then processed and injected with additional HTML, JavaScript or PHP code, usually consisting of hidden iframe HTML pointing to malicious sites that host the exploits and mechanisms necessary to infect new clients. Once the code is injected, the files are uploaded back to the FTP server where they were found, turning the affected web server into a new infection point in a worldwide-scale attack.

This type of attack is ever changing: the exploitation mechanisms, payloads and injected code are constantly modified in order to avoid detection by the different antivirus products.

HTML/Framer infection and attack lifecycle


Detecting if you are infected by HTML/Framer

Posted in Uncategorized by Editor – Be the first to comment

Distinguishing which part of the attack has affected you can be a bit tricky: you could have been infected while browsing the internet; your website content could have been infected not through your own computer but through another user of the website system; or perhaps you aren't infected at all but have browsed an affected site, and your antivirus is detecting the injected code on those pages.

To make things easier we have divided this section into two parts: how to detect this infection from a client standpoint, and how to detect whether your website content has been infected by the HTML/Framer attack.

Client Symptoms

1) Your antivirus is probably alerting you to HTML/Framer detections in your computer files. If you don't have an antivirus program, please get one immediately; we recommend downloading AVG Free.

2) New programs have been installed on your computer. These programs offer to fix things for you, usually security-related.

3) Erratic internet behaviour such as a slow connection, search results different from what you expected, or new default search providers.

Server Symptoms

1) Your antivirus is probably alerting you to HTML/Framer detections in your computer or web server files. If you don't have an antivirus program, please get one immediately; we recommend downloading AVG Free.

2) Your website content behaves differently than expected, or file sizes have increased, i.e. bugs have been introduced. Compare your website content against a previous backup you may have, and explore the code for unusual or new code. You can automate this with a comparison tool, which looks for code differences automatically; we recommend trying the free tool WinMerge.

3) Google Safe Browsing is detecting and reporting your site as serving malicious content. Example report
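The server symptoms above and the attack description (hidden iframes pointing to malicious hosts, sometimes wrapped in percent-encoded JavaScript) can be turned into a first-pass scanner. The script below is an added example written for this page, not a tool from the site or from any antivirus vendor: it scans HTML/JS/PHP content for iframes that are made invisible (zero size, display:none, visibility:hidden, pushed off-screen), decodes percent-encoded and entity-encoded text first so that document.write(unescape(...)) wrappers are seen too, and reports the file and the iframe's src. The sample files and hostnames are constructed for the example.

```python
import html
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample content standing in for a site's files (not real infections).
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1>\n<p>Normal content.</p>\n</body></html>\n",
    "contact.html": (
        "<html><body><p>Contact us</p>\n"
        '<iframe src="http://malicious.example/loader" width="0" height="0" '
        'style="visibility:hidden"></iframe>\n'
        "</body></html>\n"
    ),
    "footer.php": (
        "<?php echo 'footer'; ?>\n"
        "<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"
        "http://bad.example/x%22%20style%3D%22display%3Anone%22%3E%3C%2F%69%66%72%61%6D%65%3E'));"
        "</script>\n"
    ),
    "about.html": (
        "<html><body>\n"
        '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>\n'
        "</body></html>\n"
    ),
}

# Any <iframe ...> opening tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Attribute/style fragments that make an iframe invisible to the visitor.
HIDDEN_ATTR_RE = re.compile(
    r'\b(?:width|height)\s*=\s*["\']?\s*0+\s*(?:px)?["\']?'
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_obfuscation(text):
    """Undo the cheap layers used to hide injected markup: percent-encoding
    (unescape / decodeURIComponent payloads) and HTML entities. The decoded
    form is appended so both raw and decoded content get scanned."""
    decoded = html.unescape(unquote(text))
    return text if decoded == text else text + "\n" + decoded


def find_hidden_iframes(content):
    """Return a list of (src, tag) for every iframe that is deliberately invisible."""
    findings = []
    for match in IFRAME_RE.finditer(decode_obfuscation(content)):
        tag = match.group(0)
        if HIDDEN_ATTR_RE.search(tag):
            src_match = SRC_RE.search(tag)
            findings.append((src_match.group(1) if src_match else "(no src)", tag))
    return findings


def scan_files(files):
    """files: mapping path -> content. Returns {path: [(src, tag), ...]} for flagged files only."""
    return {path: hits for path, content in files.items() if (hits := find_hidden_iframes(content))}


def scan_directory(root, extensions=(".html", ".htm", ".js", ".php")):
    """Walk a site directory and scan every file with a web-content extension."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            files[str(path)] = path.read_text(errors="replace")
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for src, tag in hits:
            print(f"{path}: hidden iframe -> {src}")
```

A visible iframe with normal dimensions (the about.html embed) is not reported, so this is a triage aid rather than a verdict: any flagged file still needs to be compared with a known-clean copy before it is changed.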


If none of the above helps you detect the infection and you are still unsure, we recommend visiting our forum for expert advice.


HTML/Framer Removal Guide

Posted in HTML/Framer by Editor – 3 Comments

Removing HTML/Framer from your computer or web server can be achieved by following the steps below. We recommend ignoring the server part if you aren't the owner of a website.


Removing HTML/Framer from a computer

1) First and mandatory: you must have your computer protected. If you don't have any protection program installed, or you are unsure about the effectiveness of yours, download AVG Free.

2) If your antivirus is reporting HTML/Framer detections on your computer, first you need to find out whether you are truly affected or your antivirus is simply detecting your browser's temporary files. Download CCleaner and make sure you empty all your temporary files.

3) Once CCleaner has done its job, reboot and rescan your system with your protection software. If no more problems are found by your antivirus or by our recommended software, you are probably not infected and your antivirus was just detecting temporary content from an affected website you recently visited. Be cautious and also read our previous article on how to detect an infection, looking for any symptoms you may recognise.

4) If you are the owner of a website or you manage any kind of FTP accounts, it is extremely important that you change your FTP account passwords immediately, since Gumblar / HTML/Framer steals this kind of credential from any infected computer. Also try to switch to SFTP rather than standard FTP to avoid network sniffing.

5) If none of the above has worked, or you have any doubts or questions, please visit our forum.


Removing HTML/Framer from a website server

1) First and mandatory: you must have your computer protected. If you don't have any protection program installed, or you are unsure about the effectiveness of yours, download AVG Free.

2) Your website server content got infected because the malware behind HTML/Framer gained access to it. Usually this is done via FTP, so chances are that your work/home computer, or another person's computer with access to your server, is infected and the credentials have been stolen.

3) Change your FTP login password immediately and, if you can, switch to SFTP (secure FTP) rather than plain FTP. Do not store account passwords inside any program or text file. For added protection it is also recommended that you restrict content uploading and administration of your server to the known IP addresses that require access.

4) Clean all the affected website content by locating the code that has been injected into it. One simple way, as recommended earlier, is to use a comparison tool to check for file differences against a previous backup. Once you have located what is affecting your website content, upload a backup copy that is not affected. If you don't have a clean copy, you will have to remove the malicious content manually; for this we recommend a tool such as Notepad++, which accelerates the process by allowing global search and replace across all your files.

5) Check your work/home computer and any other suspected computers and make sure that your protection program, or the one recommended by us, reports no further problems. Repeat this process as many times as necessary until you are convinced that no infection is present; reinstall the computer(s) from a clean disk if necessary.

6) Lastly, make sure your site is clean by scanning its content with your protection program, or better yet by checking what Google says about your content. You can do this from the Google Webmaster Central admin panel.

7) If none of the above has worked, or you have doubts or questions, please visit our forum.
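Step 4 of the server clean-up (and server symptom 2 in the detection article) comes down to two operations: compare the live site against a known-clean backup to find new and modified files, then remove the confirmed injected snippet from every file it appears in. The script below is an added example for this page, not a tool from the site; it does in code what WinMerge and Notepad++ do interactively. The backup and live trees are constructed in memory so it runs offline; load_tree() shows how to read real directories instead. Paths and hostnames are invented for the example.

```python
import difflib
import hashlib
from pathlib import Path

# Constructed sample trees: the last clean backup and the live site after an injection.
BACKUP = {
    "index.html": "<html><body><h1>Welcome</h1>\n</body></html>\n",
    "js/app.js": "function init() { console.log('ready'); }\n",
}
LIVE = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<iframe src="http://malicious.example/loader" width="0" height="0"></iframe>\n'
        "</body></html>\n"
    ),
    "js/app.js": "function init() { console.log('ready'); }\n",
    "images/x.js": "// constructed: a file that has no counterpart in the clean backup\n",
}


def digest(content):
    """SHA-256 of a file's text, used to spot modified files quickly."""
    return hashlib.sha256(content.encode("utf-8", "replace")).hexdigest()


def compare_trees(backup, live):
    """Classify every path as added, modified, missing or unchanged relative to the backup.
    Added files matter as much as modified ones: an attacker can drop new files too."""
    result = {"added": [], "modified": [], "missing": [], "unchanged": []}
    for path in sorted(set(backup) | set(live)):
        if path not in backup:
            result["added"].append(path)
        elif path not in live:
            result["missing"].append(path)
        elif digest(backup[path]) != digest(live[path]):
            result["modified"].append(path)
        else:
            result["unchanged"].append(path)
    return result


def injected_lines(backup_content, live_content):
    """Lines present in the live file but absent from the backup: the candidate injection."""
    diff = difflib.unified_diff(
        backup_content.splitlines(), live_content.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def remove_snippet(files, snippet):
    """Global search-and-replace of one confirmed injected snippet across all files.
    Returns (cleaned_files, paths_changed); only call this with a snippet you have
    verified via injected_lines(), and restore from backup whenever you can instead."""
    cleaned, changed = {}, []
    for path, content in files.items():
        new = content.replace(snippet, "")
        cleaned[path] = new
        if new != content:
            changed.append(path)
    return cleaned, changed


def load_tree(root):
    """Read a real directory into the same path -> content mapping used above."""
    root = Path(root)
    return {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*") if p.is_file()
    }


if __name__ == "__main__":
    report = compare_trees(BACKUP, LIVE)
    print("added:", report["added"])
    for path in report["modified"]:
        for line in injected_lines(BACKUP[path], LIVE[path]):
            print(f"{path}: + {line}")
```

For a real site, call compare_trees(load_tree("backup/"), load_tree("site/")), review the added files and the injected lines by hand, and only then run remove_snippet with the exact text you confirmed; files in the "added" list have no clean version to diff against and should be removed or inspected in full.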