Another blocked site, possible FP?

I’m using Avast Free 5.0.594, definitions 100710-1. When I try to access this site http://aumha.net/viewtopic.php?f=27&t=44253 I get a MALWARE BLOCKED warning BV:AutoRun-AG (Wrm) and access to the site is blocked. That was also the case yesterday, with yesterday’s definitions. AumHa staff have scanned the site and can’t find anything dangerous. What to do?

The site is a page on the AumHa forum dealing with virus and antivirus. The name of the thread is “bumpy tasty trojan”. I can access the second page of the thread, but not the first.

If this is not the right forum for this question, please tell me where to post it.

Thanks,

John

Report 2010-07-10 22:25:57 (GMT 1)
Website aumha.net
Domain Hash e95f70b1b91d5344668cc1878f6a5b92
IP Address 64.130.45.31 [SCAN]
IP Hostname aumha.net
IP Country US (United States)
AS Number 7859
AS Name PAIR-NETWORKS - pair Networks
Detections 0 / 17 (0 %)
Status CLEAN

Hi saluqi,

Finjan also finds it clean. Here it is also found benign: http://jsunpack.jeek.org/dec/go?report=2943fbc6076b7204f053f9b6c2345327f5dc69b2
Make the address non-click-through by putting hxtp or wXw, because avast still flags it.
DrWeb URL checker:
Checking: htxp://aumha.net/viewtopic.php?f=27&t=44253
Engine version: 5.0.2.3300
Total virus-finding records: 1553539
File size: 69.76 KB
File MD5: 8fb8dcc4e332f466c6e1dec666844d96

htxp://aumha.net/viewtopic.php?f=27&t=44253 - archive HTML

hxtp://aumha.net/viewtopic.php?f=27&t=44253/Script.0 - Ok
htxp://aumha.net/viewtopic.php?f=27&t=44253 - Ok

polonus

I get no warning from avast

NoVirusThanks - INFECTED - 1/16
http://scanner.novirusthanks.org/analysis/5e5ec21edde647d38e64f2e396533612/dmlld3RvcGljLnBocA==/

Probably an FP that GData have not updated for yet?

Hi Pondus,
I do get the warning…
asyn

Do you have update 100710-2???

This is a good test…
Generally avast picks up the infection before Dr. Web (which misses a lot), and the same goes for NoVirusThanks.
Please inform us of the final position. Should we believe avast or the others?

Yes…!!
Don’t know why it’s blocked here and not blocked on your machine…!??
asyn

Well, even avast seems to be not sure… ;D
asyn

I get a warning here. Wonder if it’s something on that forum rather than the link itself???

I have the update (100710-2) and it’s still blocked.

Getting to that site is not a life or death matter, it’s just curiosity - but of course I don’t like to be blocked when I can’t understand why.

I can get to other pages on that forum, and even the second page on that same thread, without difficulty. It’s only that one page that is being blocked.

John

We all wonder what’s going on… :wink:
As Pondus is on the same VPS and also has a similar system but no alert…!??
asyn

For whatever reason there would appear to be a packed file run when you click on that link (see image 1), and that is what I think avast is alerting on (that is what the gzip bit in the location indicates, image 2).

There is also another javascript file that is loaded that has some obfuscated script in it, but I don’t think that is the problem.

What I do believe the true problem is, is that someone has posted an autorun script in the first post (image 3). That should have been posted as an image, as the text of the contents of an autorun.inf file wouldn’t be differentiated from actual code, hence the malware name BV:AutoRun-AG [Wrm]: to all intents and purposes avast believes that is what it is, an autorun script.

This happens with monotonous regularity when someone posts the actual code on a page.
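The mechanism described in the post above (scanner sees the plain text of an autorun.inf file inside the forum page and flags it) can be illustrated with a small moderator-side check. The script below is an added example, not code from the poster or from avast: it strips the HTML of a constructed forum page, looks for an `[autorun]` section whose `open=` or `shellexecute=` keys would make it launch something, and reports which post contains it. The page markup, post ids and the autorun.inf contents are all constructed for the example; a real board would use its own post template.

```python
import html
import re

# Constructed sample: a forum page where a poster pasted the raw text of an
# autorun.inf file into the post body (hypothetical content, not the real page).
SAMPLE_PAGE_WITH_TEXT = """
<html><body>
<div class="post" id="p1">
<p>Found this on a USB stick, what does it do?</p>
<pre>[autorun]
open=setup.exe
shellexecute=setup.exe
icon=setup.exe,0
label=Removable Disk</pre>
</div>
<div class="post" id="p2"><p>Looks like a worm dropper.</p></div>
</body></html>
"""

# Constructed sample: same thread, but the poster attached a screenshot instead,
# which is what the post above recommends. There is no autorun text to match.
SAMPLE_PAGE_WITH_IMAGE = """
<html><body>
<div class="post" id="p1">
<p>Found this on a USB stick, what does it do?</p>
<img src="autorun_screenshot.png" alt="autorun.inf contents">
</div>
</body></html>
"""

# autorun.inf keys that actually launch a program; icon= and label= alone are harmless.
EXEC_KEYS = ("open", "shellexecute")

# Hypothetical post template: <div class="post" id="..."> ... </div>
POST_RE = re.compile(r'<div class="post" id="([^"]+)">(.*?)</div>', re.S)
TAG_RE = re.compile(r"<[^>]+>")
AUTORUN_SECTION_RE = re.compile(
    r"^\s*\[autorun\]\s*$(.*?)(?=^\s*\[|\Z)", re.S | re.M | re.I
)


def _visible_text(fragment):
    """Strip tags and decode entities, so we see the text a scanner would see."""
    return html.unescape(TAG_RE.sub("", fragment))


def find_autorun_posts(page_html):
    """Return {post_id: [launch keys found]} for posts containing a launchable [autorun] section."""
    hits = {}
    for post_id, body in POST_RE.findall(page_html):
        match = AUTORUN_SECTION_RE.search(_visible_text(body))
        if not match:
            continue
        # Collect key names from key=value lines under the [autorun] header.
        keys = [
            line.split("=", 1)[0].strip().lower()
            for line in match.group(1).splitlines()
            if "=" in line
        ]
        launch_keys = [k for k in keys if k in EXEC_KEYS]
        if launch_keys:
            hits[post_id] = launch_keys
    return hits


if __name__ == "__main__":
    print(find_autorun_posts(SAMPLE_PAGE_WITH_TEXT))   # {'p1': ['open', 'shellexecute']}
    print(find_autorun_posts(SAMPLE_PAGE_WITH_IMAGE))  # {}
```

Because the check decodes HTML entities before matching, it still finds the section when the brackets were written as `&#91;`/`&#93;`, which is also roughly how a content scanner sees the page; a moderator can run it over new posts and ask the author to replace the text with a screenshot, as the post above suggests.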

Thanks, David…!
Still I don’t get why Pondus didn’t get the alert…!??
Meanwhile I’m more interested in that, than what’s going on on that site… :wink:
asyn

You’re welcome.

I have no idea why Pondus didn’t get an alert, based on the fact he didn’t give any information: browser, any security add-ons, etc.

Hopefully he will enlighten us, if he can.
It seemed he was also surprised about the fact…!?
Have a nice Sunday,
asyn

I also get the alert.
Bo


Opera warning of illegal characters in image 1

Online Linkscan says it is infected in image 2

Click images to enlarge.


Yes, the illegal characters will no doubt be those in the autorun script shown in my image 3 (http://forum.avast.com/index.php?topic=61666.msg521282#msg521282). When will people realise that script examples of malware shouldn’t be posted as text but as images, to avoid such detections?

Hi forum friends,

There is not much progression here as we have treated this online danger here:
http://forum.avast.com/index.php?topic=40014.0
How long before this becomes properly addressed by MS, and not only for their latest OS W7?
But probably they are more concerned about validating pirated versions than making their OS more secure?

polonus