Issue
Sophos Anti-Virus detects Troj/Iframe-AG and/or Mal/Badsrc-C when you attempt to access a local database or visit a website.
Technical information
This infection is most likely caused by SQL injection, a security vulnerability which allows a malicious source to perform operations on a database. This can occur either locally or remotely.
Attackers scan for web pages that may be susceptible to SQL injection, then send an HTTP request to the page that inserts malicious script into the related database.
Mal/Badsrc-C is detected when you access a page that references a database field into which malicious code has been inserted, most likely to redirect the user to a hijacked website.
Sophos Anti-Virus detects this malware but Sophos does not provide a database cleanup utility.
The data cannot be cleaned up because the data within the database has been compromised. The pages will often contain many malicious script tags, so attempting to clean a page is risky and can be misleading, because it is possible that some malicious code has not been, or cannot be, removed.
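To gauge how far the inserted script tags have spread, the database can be audited read-only before deciding how to recover it. The following is an added example, not a Sophos tool: it uses SQLite so it runs offline, the function names, the match pattern and the sample rows are assumptions constructed for illustration, and it assumes ordinary rowid tables. It reports affected fields and does not modify any data.

```python
import re
import sqlite3

# Markup that should not normally appear in stored data fields (assumed pattern;
# tune it for applications that legitimately store HTML).
SUSPICIOUS = re.compile(r"<\s*(script|iframe)\b[^>]*\bsrc\s*=", re.IGNORECASE)


def quote_ident(name):
    """Quote an SQLite identifier so unusual table/column names are handled."""
    return '"' + name.replace('"', '""') + '"'


def audit_database(conn):
    """Return {(table, column): [rowid, ...]} for text values that contain
    script/iframe tags with a src attribute. Read-only: nothing is changed."""
    findings = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(
            f"PRAGMA table_info({quote_ident(table)})")]
        for col in cols:
            query = (f"SELECT rowid, {quote_ident(col)} FROM {quote_ident(table)} "
                     f"WHERE typeof({quote_ident(col)}) = 'text'")
            for rowid, value in conn.execute(query):
                if SUSPICIOUS.search(value):
                    findings.setdefault((table, col), []).append(rowid)
    return findings


def build_sample_db():
    """Constructed sample data: one clean row and two rows with appended tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany("INSERT INTO products (name, descr) VALUES (?, ?)", [
        ("Widget", "A plain description"),
        ("Gadget", 'Nice gadget<script src="http://injected.example/x.js"></script>'),
        ("Gizmo<IFRAME SRC=http://injected.example/f.html></IFRAME>", "ok"),
    ])
    return conn


if __name__ == "__main__":
    for (table, col), rowids in sorted(audit_database(build_sample_db()).items()):
        print(f"{table}.{col}: {len(rowids)} affected row(s), rowids {rowids}")
```

A clean result from a pattern scan like this does not prove the database is clean, for the same reason given above for page cleanup.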
Further information on SQL injection vulnerabilities
Microsoft has released an article on this vulnerability which links to methods to test for susceptibility to SQL attacks:
Additional information can be found on the Sophos blogs: