Avast WMF Exploit false positive on a tif image?

Avast false positive on a tif image?
File name: http:// gromozon.com/10f88583/50301/2/img.tif :o :o :o
Malware name: MS06-001 WMF Exploit ???

Are you sure it’s a false positive? :o

I highly doubt it’s a false positive. KAV6 also warned on this file as Exploit.Win32.IMG-WMF. So 3 AVs are detecting the same file. It’s safe to believe that the file is indeed malicious.

What makes you think it is a false positive?
Basing this decision on the file type, which can be changed and is often used to make people think something is benign?

So currently we’re on 3 for 3 on detection: avast, DrWeb and KAV. Although they have different names, they relate to graphics vulnerabilities.
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
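A defender-side check for the point made above (the extension tells you nothing about the real format), as an added example that is not from this thread: it reads the leading bytes of a downloaded file and reports whether something served as .tif is actually a TIFF or a Windows Metafile. The header values are the published TIFF and WMF layouts; the sample byte strings are constructed.

```python
# Added example: identify the real container of a downloaded "image" from its
# leading bytes, independent of the extension in the URL.
import struct

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian / big-endian TIFF
PLACEABLE_WMF_KEY = 0x9AC6CDD7           # Aldus placeable metafile key (LE DWORD)


def sniff_image(data: bytes) -> str:
    """Return 'tiff', 'wmf-placeable', 'wmf' or 'unknown' from header bytes."""
    if data[:4] in TIFF_MAGICS:
        return "tiff"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf-placeable"
    # Plain METAHEADER: Type (1=memory, 2=disk), HeaderSize (9 WORDs),
    # Version (0x0100 or 0x0300); all little-endian WORDs.
    if len(data) >= 6:
        ftype, hsize, version = struct.unpack("<HHH", data[:6])
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def extension_mismatch(url_or_name: str, data: bytes):
    """Compare what the name claims (.tif/.tiff/.wmf) with what the bytes say.

    Returns (claimed, actual, mismatch). A claimed 'tiff' that sniffs as any
    WMF variant is the case this thread is about.
    """
    ext = url_or_name.rsplit("?", 1)[0].rsplit(".", 1)[-1].lower()
    claimed = {"tif": "tiff", "tiff": "tiff", "wmf": "wmf"}.get(ext, "unknown")
    actual = sniff_image(data)
    mismatch = claimed != "unknown" and not actual.startswith(claimed)
    return claimed, actual, mismatch


# Constructed samples: a minimal TIFF header and a placeable-WMF header.
SAMPLE_TIFF = b"II*\x00" + struct.pack("<I", 8)
SAMPLE_WMF = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18

if __name__ == "__main__":
    for name, blob in (("img.tif", SAMPLE_TIFF), ("img.tif", SAMPLE_WMF)):
        print(name, extension_mismatch(name, blob))
```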

No, I’m not sure. I received this warning after visiting this site: http://www.thevista.ru/

The url is changed to:
http:// gromozon.com/9a9483ec/50301/2/img.tif

OK, it looks like someone has removed the offending files.
For the future, if reporting a suspect URL please ensure it isn’t active, to avoid accidental exposure to the inexperienced or terminally curious. You can either use the Code tag (the hash # icon) or break the URL path up so it isn’t active; we can still see the location but it isn’t active.

http://gromozon.com/9a9483ec/50301/2/img.tif

http :// gromozon.com/9a9483ec/50301/2/img.tif

Oh my god, the URL is changed again:
http:// gromozon.com/8bb03c9d/50301/2/img.tif
Try to visit http:// www .thevista.ru/ and, randomly, if you’re “lucky” you’ll get a tif.

I won’t …

Me, I would stop visiting a compromised website having proven that there are infected images being imported from another location. It could be as simple as a rotating image location like banner ads, etc. But life is too short to keep going back to a site that is compromised or trying to infect you.

gromozon.com Web site

User Reviews (3)


Rating: Adware, spyware, or viruses

http:// gromozon.com/page.php?50300 This webpage contains exploit and trojan downloaders

Posted at 07/27/2006-02:34:41 PM by Marco_Era, Reviewer , View profile [ Reputation score: 1 / 9 ]

Rating: Adware, spyware, or viruses

Attempts to install application automatically. Caution recommended.

Posted at 07/19/2006-06:04:31 AM by gmtbrs, Reviewer , View profile [ Reputation score: 1 / 9 ]

Rating: Adware, spyware, or viruses

Spyware!!!

Posted at 07/05/2006-03:51:48 PM by ottomano, Reviewer , View profile [ Reputation score: 1 / 9 ]

Aaaaah, the www.google.com file. Though it makes me wonder why KAV doesn’t detect it, as it’s old stuff…

Again thevista.ru loaded the infected image:

When this happens the source of the middle column of thevista.ru is this:
http:// 81.222.128.9/pelmen468.html?bid=238962?html_params=rhost%3Dad.adriver.ru%26sid%3D39649%26bid%3D238962%26ar_ntype%3D0%26bn%3D0%26width%3D468%26height%3D60%26rn

http://imageshack.ath.cx/images/thevista.ru.PNG

And again you went to visit a malicious website.
And you are wondering why alarm bells start ringing?
Get a clue.
Stay away from those sites.

If there is no free (or cheap) trustworthy alternative, buy the things you want/need.
E.g.: get OpenOffice instead of MS-Office.

Also despite being asked not to post live links to potential malware locations you continue to do it (in the iFrame code you pasted).

There are plenty of tools out there to determine if a site is suspect without continually having to visit it, i.e. we know it is suspect and importing infected files (way back by reply #3); how it does it isn’t really relevant.

http://www.siteadvisor.com/sites/gromozon.com