Avast detects Wikipedia as virus

I was on Wikipedia, then an Avast warning popped up telling me about HTML:iframe-gen virus/worm.

I also made a video about it: http://www.youtube.com/watch?v=cMqEy3ZHRxg&fmt=18

Here is the link to the Wikipedia page that I was on: http://en.wikipedia.org/wiki/Hunan_Satellite_Television

So is that a false positive or is that really a worm? If it's a FP, can you fix it in the next update?

False Positive. Dr. Web’s Online Check says it’s clean. I hope Alwil fixes it.

Hi mathboyx215 and welcome to the forum.

Does Avast still detect this page on your system? I followed the procedure you used in your video, and Avast doesn’t detect anything. Try updating Avast and retesting. I see it was VPS version: 081224-0 which detected it. The current version is 081226-0.

Avast is still detecting it.

The detected JPEG image has an iframe appended to the file, pointing to some Chinese site.
I don’t think it’s really a false positive.

But I have one person who commented on my video saying that he has Avast Pro and went to that link but nothing happened. So maybe it's only happening to me?

No, it’s not happening only to you - I get the same detection when I visit the corresponding page.

Maybe the page is hacked?
Avast is very sensitive - generally correct detections - on encrypted frames on webpages :)

Most certainly this is no FP; the image has been hacked to include an iframe tag at the bottom of the file.

Remember Wiki is user modified so there is a possibility of user images too I guess.

@ Igor
So would this also be considered a type of jpg exploit?

Tech, it isn’t in the page content but is embedded in the actual .jpg image. See the image I posted that is at the bottom of the .jpg viewed in a text editor (editpad lite).
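A defender-side check for the tampering described in this thread, as an added example that is not part of the original posts: it walks the JPEG marker structure to the real end-of-image marker and reports any HTML tags in the bytes that follow. The tag list, the function names and the sample bytes (including the example.invalid URL) are constructed for illustration.

```python
import re

# Tags that should never appear after the end of image data (heuristic list, assumed here).
MARKUP = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)

def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments from SOI and return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: image data ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length                   # skip the whole segment, EXIF thumbnails included
            if marker == 0xDA:                  # SOS: skip scan data, FF00 stuffing and RSTn
                while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] == 0x00
                                               or 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    raise ValueError("truncated JPEG (no EOI)")

def trailing_markup(data: bytes) -> dict:
    """Report how many bytes follow EOI and which HTML tags appear in them."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    tags = sorted({m.group(1).lower().decode() for m in MARKUP.finditer(trailer)})
    return {"image_bytes": end, "trailer_bytes": len(trailer), "tags": tags}

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a structurally valid marker sequence, not a decodable picture.
CLEAN = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
         + _segment(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9")   # thumbnail-like bytes with their own EOI
         + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
         + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9")
TAMPERED = CLEAN + b'\n<iframe src="http://example.invalid/" width="0" height="0"></iframe>'

if __name__ == "__main__":
    print(trailing_markup(CLEAN), trailing_markup(TAMPERED))
```

Trailing bytes alone are not proof of tampering, since some cameras and tools append their own data after the image, which is why the check keys on markup in the trailer rather than on its mere presence.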

But why, when some people go on the page, doesn’t Avast detect it?

Maybe Avast is not updated? Or well configured…
For me, the page is set as infected as the picture showed.

I don’t know and as we only have one person saying they don’t have an alert we would need to know what browser, OS and set-up they have as any of those things could lead to it not being detected.

I didn’t watch the video (dial-up) so I have no idea what Jahn meant when he said "I followed the procedure you used in your video, and Avast doesn’t detect anything."

Now why this didn’t alert on one or more is a different issue, but this detection is IMHO correct; why would a .jpg file be hacked in this way? It is still detected in the latest VPS 081227-0.

I think the Wikipedia administrator needs to delete the image or edit the description.

I don’t know what there is to edit in the description, that isn’t what launches the iframe, but the manipulated .jpg with the embedded iframe tag.

I’m still not getting any detection on this page after a repair of Avast/reboot. I do believe Avast is working properly, though. Avast recently detected JS:XMLParse-A [Expl] during Scanit tests HERE, and later detected the leftover TIF’s and SysVolume entries during a Standard demand scan.

My Avast providers are at default values, except I’ve added a redirected HTTP port (for proxy server) to Web Shield.

I can only guess that another security program is blocking the exploited jpg iframe before Avast sees it. XP SP2, Firefox 3.0.5 with ABP, Dr.Web link checker, Finjan, SiteAdvisor, NoScript, Perspectives and WOT. No detection either in IE7 with flash disabled by Toggle Flash, Finjan, WOT and Dr. Web link checker. I also use SAS Pro (my forever gratitude to CastleCops [R.I.P.] and Nick for my free lifetime licenses), Comodo Internet Security in ProActive Safe Modes (AV module not installed) and a custom Hosts file. I’m betting on CIS, though nothing shows in the firewall or Defense+ logs.

According to the video, mathboyx215 accessed the Wikipedia page via a link in a Google search for hunantv. I was attempting to duplicate the occurrence, so that is what I meant when I said I went there in the same manner. Hope this clears some mud out, and sorry I couldn’t get back here sooner. :)

I don’t know why you needed to add to the redirect port (what application?), but I believe that you would also need to uncheck the Ignore Local Communication, or whatever is coming through the other redirect port might not be being scanned.

You could check the avast web shield detailed view and see if your web traffic is actually being scanned. Or if none or only partially scanned as I haven’t a clue what your other proxy is doing.

You could also uncheck the option ignore local communication (see image) and try the above link again and see what happens.

Hi David, I have to add the port to Web Shield to enable Avast to scan Proxyconn traffic on port 6198. I have just verified that Avast is indeed scanning both ports 80 and 6198. I bumped Web Shield sensitivity up to High and went to the Wikipedia page - nothing. But if I run all browser tests at Scanit, or try to open a zipped file with eicar in it Avast will alert. Avast seems to be working. Checking or unchecking Ignore local communication doesn’t seem to make any difference.

All I think that is happening is the traffic is passing through the web shield and because it is effectively local traffic, it isn’t being scanned. So why it isn’t being detected when you uncheck the Ignore local communication is beyond me, but using additional port redirects you should uncheck that option.

Well I haven’t got a clue what Proxyconn does or how it goes about its task, so I don’t know what might go through its proxy port.

After a little googling, I now know a little more about Proxyconn than I did earlier and now possibly a little more than you in one regard :P

The probable reason nothing is found: Proxyconn is supposed to detect and block viruses, see image.