I’m using Avast Free 5.0.594, definitions 100710-1. When I try to access this site http://aumha.net/viewtopic.php?f=27&t=44253 I get a MALWARE BLOCKED warning BV:AutoRun-AG (Wrm) and access to the site is blocked. That was also the case yesterday, with yesterday’s definitions. AumHa staff have scanned the site and can’t find anything dangerous. What to do?
The site is a page on the AumHa forum dealing with virus and antivirus. The name of the thread is “bumpy tasty trojan”. I can access the second page of the thread, but not the first.
If this is not the right forum for this question, please tell me where to post it.
Report 2010-07-10 22:25:57 (GMT 1)
Website aumha.net
Domain Hash e95f70b1b91d5344668cc1878f6a5b92
IP Address 64.130.45.31 [SCAN]
IP Hostname aumha.net
IP Country US (United States)
AS Number 7859
AS Name PAIR-NETWORKS - pair Networks
Detections 0 / 17 (0 %)
Status CLEAN
Finjan also finds it clean. Here it is also found benign: http://jsunpack.jeek.org/dec/go?report=2943fbc6076b7204f053f9b6c2345327f5dc69b2
Make the address non-click-through by putting hxtp or wXw, because avast still flags it.
DrWeb URL checker:
Checking: htxp://aumha.net/viewtopic.php?f=27&t=44253
Engine version: 5.0.2.3300
Total virus-finding records: 1553539
File size: 69.76 KB
File MD5: 8fb8dcc4e332f466c6e1dec666844d96
htxp://aumha.net/viewtopic.php?f=27&t=44253 - archive HTML
hxtp://aumha.net/viewtopic.php?f=27&t=44253/Script.0 - Ok
htxp://aumha.net/viewtopic.php?f=27&t=44253 - Ok
This is a good test…
Generally avast picks the infection before Dr. Web (that misses a lot) and NoVirusThanks the same.
Please, inform the last position. Should we believe avast or the others?
I have the update (100710-2) and it’s still blocked.
Getting to that site is not a life or death matter, it’s just curiosity - but of course I don’t like to be blocked when I can’t understand why.
I can get to other pages on that forum, and even the second page on that same thread, without difficulty. It’s only that one page that is being blocked.
For whatever reason there would appear to be a packed file run when you click on that link (see image 1), and that is what I think avast is alerting on (that is what the gzip bit in the location indicates, image 2).
There is also another javascript file that is loaded that has some obfuscated script in it, but I don’t think that that is the problem.
What I do believe the true problem is, is that someone has posted an autorun script in the first post (image 3) that should have been posted as an image, as the text of the contents of an autorun.inf file wouldn’t be differentiated from actual code; hence the malware name BV:AutoRun-AG [Wrm], as to all intents and purposes avast believes that is what it is: an autorun script.
This happens with monotonous regularity when someone posts the actual code on a page.
Yes, the illegal characters will no doubt be those in the autorun script shown in my image 3 (http://forum.avast.com/index.php?topic=61666.msg521282#msg521282). When will people realise that script examples of malware shouldn’t be posted as text but as images to avoid such detections?
There is not much progression here as we have treated this online danger here: http://forum.avast.com/index.php?topic=40014.0
How long before this becomes properly addressed by MS, and not only for their latest OS W7?
But probably they are more concerned about validating pirated versions than making their OS more secure?