Cruzer-C false positive on a GIF

Hi

i have a problem with AVAST giving false positive on THIS: hxxp://itmedia.sk/images/itmediask.gif
you can see a picture from one of my customers who told me about this: http://members.chello.hu/jermij/vir.JPG
There’s no way this GIF could be infected, as it’s the original one which we’re using for years now, and displays correctly.

Please check what gives the false positive, and let me know / fix the search pattern on your database.

Thank you.

No alerts here when browsing to that file.
The information you provided (via one of your customers) is 6 days old; perhaps a database update has remedied the situation.

Same here no detection^^

Maybe its fixed already^^ ;D

Hello,

Many ppl thinks about false positive if some AV blocks their website, but be sure JS:Cruzer (all variants) are very good detections with zero known false positives. Probably your server generated messages were infected - 404?

Regards

We own the server, i maintain it, I have checked every webpage containing “script”, nothing were modified.
Hopefully the database were updated to avoid such mistakes.
Basically, the avast told that the GIF is infected. Which is not, as you have confirmed later. (and which is unmodified for 5 years now, and displays correctly …)

Anyhow, thank you guys for checking, now i can simply release a news post on our webpage to update the virus database, as our webpage did not contains the virus …

Please believe me, no change with this detection has been made. Please read this thread (infected gif images too → resolved as infected server generated messages) http://forum.avast.com/index.php?topic=45658.0

If avast is showing this infection on your server, it is good for you to know that there is some security problem. The bad thing is that other AV dont know this infection and users that are protected with their products are getting infected.

http://www.mywot.com/en/scorecard/members.chello.hu

Didn’t get a alert ether…

Similar issue with a site I am helping with. The site is already getting lots of malware warnings. One of the files Avast was claiming was infected with the JS:Cruzer-C [Trj] trojan was an image on the home page. So I redid the image, taking a screenshot and putting it together in Photoshop. Now Avast is saying the new image is infected too. I haven’t been able to locate where the trojan really is yet, so I’ve been cleaning up code to reduce the amount of Javascript. At this point, on the front page, the image is the only thing being flagged by Avast. I haven’t delved into the rest of the site yet.

The site in question is hxxp://www.ronaldreagan.com
The previously flagged image is hxxp://www.ronaldreagan.com/index_images/build_1.jpg
And the currently flagged image is hxxp://www.ronaldreagan.com/images/homepage-header.jpg

Any thoughts?
Thanks - Jim

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.ronaldreagan.com/

Outdated Scanners Show:
http://www.mywot.com/en/scorecard/www.ronaldreagan.com
http://www.siteadvisor.com/sites/ronaldreagan.com

=I suggest you wait for another user to help=

Reading http://forum.avast.com/index.php?topic=45819.0 , I wonder if it’s possible that the server is infected and randomly serves up the malicious Javascript in place of different files. They don’t quite arrive at that conclusion, but almost. Thoughts?

Jim

-= I can’t access the website…? ???

Any thoughts? Thanks - Jim

Hi Jim. Welcome to the forum.

I think you will find that there is a lot of uncertainty on the web right now. There have been reports coming in lately - over the last 24 hours even - about widespread infection, much of it involving servers. On top of that May has just come through as the 10th worse month ever for malware proliferation. I’ve noticed tonight that reports are coming into forums of lots of different kinds of variants. Some of these are going to be false positives. But there are not a lot of people going to call one way or the other unless they have clear evidence. And even that may be misleading. My avast log is full of warnings. Iwould not be surprised to see someone from avast team coming on to the forum sometime tonight (1.50 am where I am). But they are only going to do when they can make the best calls for each query that is coming in. Half the battle is putting in the query and you have already done that. Your problem is definitely being attended to. So probably best to sit tight, secure your site as best you can, do whatever clean up you think necessary, and hope your case is a false positive, otherwise be ready to act on whatever info you recieve. Someone will able to help soon. I’m afraid I am not expert enough, but others are. They will be about the forum soon. And avast will be monitoring the situation. I wish I could say more, but thats about it. I’ve already had a couple of alerts tonight that I couldn’t do anything about but send the details into the labs.

Sorry, buddy, but wont be long and you’ll get something you can work with.

I just downloaded both those images and scanned them with avast and no detections on the files.

I have also visited the home page an no alerts either.

Fenrir, Google has already flagged the site, which causes that warning to show up for any file on the site. Using IE, though, you won’t get the message (unless you’re running Google Desktop). You can also disable the “suspecte attack site” warning in Firefox under Tools->Options.

DavidR, there seems to be some randomness to when the Avast alerts will pop up. Sometimes the alert doesn’t pop up and sometimes it does for the same file. Based on that and that thread I noted above, I am speculating that the infection is on the server: sometimes the server will serve up a file as the trojan, so goes my theory.

Thanks, mris. Sit tight is about all I can do right now… and offer wacky theories. I think there’s no question that something is infected because Google is finding malware and so is Avast. The curious thing is that Avast has flagged what I know is a clean file. Hence my above theory and I hope the Avast folks consider it, and not just say “what warning?”

That is where the code injection comes from, (server side) content management software, if that is vulnerable and being exploited then the randomness you mention is entirely possible.

The host ran their antivirus check on the server and didn’t find anything, so back to the drawing board on that theory. How do you think the randomness would relate to the code injection? The problems occur throughout the site when someone accesses a page with the injected code?

The problem is if they just run an AV that isn’t capable of detecting this type of exploit then they won’t find anything. So it is a little more complex than that and they may have to run some more checks.

Hi DavidR,

Yes, I have seen that, they will wrap it so the first line of the malcode becomes invisible, in an attempt to make it more difficult for the analysts to spot it right out,

polonus

I was taking the leap that if the trojan is detectable then the theoretical virus that is serving it up would be too. In any case, I will need something more concrete before I tell them that they missed the virus… which is why I am taking it up here, with the AV brain trust. :slight_smile:

We’re encountering the same problem.

People with avast reporting JS:Cruzer-C [Tri] on multiple websites, also .gif files.

I’ve tried to analyze the files my self, checked the server configurations if there was anything funky there, virus scanned the server, downloaded the content myself and virus checked it… nothing, nada.

Can someone from avast please enlighten us about these sudden infections?
I have no clue where to look for this, I see no obfuscated or any signs of infections.

Regards,

Wesley