Hi
How are you?
Is this a false alarm? hXtp://www.monitor.si/clanek/nasveti-januar-2007/ Virus:(VBS:SelfMailer-gen2 [Wrm])
Have a nice day.
PS: How can I help Avast with this? THX
Hi JuninhoSlo,
First could you modify your post to change the URL and make it non-clickable (e.g. change the http to hXtp) to prevent others potentially becoming infected.
I have looked at the source code and could not find anything obvious, however my skills in this area are limited so I’d wait for someone more experienced to confirm your question.
By reporting this, you are helping avast.
For the more experienced:
Is the ‘bad request’ section right at the bottom questionable? I have not seen this in pages before.
OT: Are there any sites that can help me to learn about this kind of thing? (interpreting source code etc.)
-Scott-
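The change Scott asks for above (http to hXtp/hxxp), as an added example that is not part of any post in this thread: a Python helper that defangs every http(s) URL in a draft post and lists any that a forum would still turn into a link. The function names and the example.test hosts are made up for the illustration.

```python
import re

# A URL the forum software will auto-link: http:// or https://, in any case.
# The \b keeps already-defanged spellings (hxxp, hXtp, hxtp) from matching.
LIVE_URL = re.compile(r"\b(http)(s?)(://[^\s<>]+)", re.IGNORECASE)


def defang(text: str) -> str:
    """Rewrite each clickable http(s):// URL to the hxxp(s):// spelling.

    Only the scheme changes; host, path and any trailing punctuation are
    kept exactly, so a reader can still reconstruct the address by hand.
    """
    def swap(match: re.Match) -> str:
        return "hxxp" + match.group(2).lower() + match.group(3)

    return LIVE_URL.sub(swap, text)


def live_urls(text: str) -> list:
    """Return the URLs in text that are still clickable.

    Sentence punctuation glued to the end of a URL is stripped so the
    result is the address itself. An empty list means the post is safe
    to submit as far as http(s) links are concerned.
    """
    return [m.group(0).rstrip(".,;:!?") for m in LIVE_URL.finditer(text)]


# Constructed sample post: two live links (one upper-case, one https with a
# trailing comma) and one link that is already defanged.
SAMPLE_POST = (
    "Is this a false alarm? HTTP://www.example.test/page/ and "
    "https://cdn.example.test/a.js, already safe: hXtp://www.example.test/x."
)

if __name__ == "__main__":
    print("still clickable:", live_urls(SAMPLE_POST))
    cleaned = defang(SAMPLE_POST)
    print(cleaned)
    print("after defang:", live_urls(cleaned))
```

Running `live_urls` on the text just before posting would catch the kind of slip mentioned later in the thread, where pasted tool output still carried active URLs.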
Hi JuninhoSlo,
Could you please modify your post as Scott has proposed so that the http in your url reads hxxp.
For the reasons made clear by Scott.
I also was alerted by avast to your site. Perhaps a false alarm. However, the script does appear a little outside the norm. There is further script appended to the end of the page. Somebody should be along shortly, who can fully analyse the page.
There is script in the body of the page that also appears outside the norm but this does not necessarily mean an infection.
Here is the log entry that was generated by the alert –
Sign of “VBS:SelfMailer-gen2 [Wrm]” has been found in “hxxp://jutaky.no-ip.org/detektor304_frame.php{gzip}” file.
Here is the Jutaky analysis –
No zeroiframes detected!
Check took 3.34 seconds
(Level: 0) Url checked:
hxtp://www.monitor.si/clanek/nasveti-januar-2007/
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://www.monitor.si/clanek/nasveti-januar-2007//ihtml/md5.js
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
ty0pe=text/javascript hxtp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
type=text/javascript hxtp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://media.iprom.net/adserver/event/impression?z=33&t=js&sid=monitor
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified
Edit - bloody hell, nearly got caught out myself with those active urls. I’m a bit tired so I’d better turn in for the night.
I can’t see anything obvious on the actual page, unless it is in one of the other site .js files called in the page, e.g. /ihtml/md5.js.
I captured the temp page avast scans and alerted on and uploaded it to virustotal and only two consider it infected, GData (which uses avast as one of its two scanners) and avast, http://www.virustotal.com/analisis/786519ef564187dd0beb01253b43f15accda985ecea42d888ba58b23a534babc-1244989705.
So it is possibly an FP which should be submitted to avast (done).
How do you send a file to Avast?
Thx and have a nice day.
If it is your site and you have a copy of the file, you can send it for analysis (see below), without it you have an option to report it as a possible false positive in the actual alert window. You have to have analysed the page source first and have a reasonable idea on what is or isn’t right on the page source which is detected, then you can submit it.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
The image I posted is the file being uploaded after I did a manual iAVS update.
No, the site is not mine. I saw a picture, so I asked.
PS: This is difficult for me. Would you make a video for this? THX
Have a nice day
Sorry, no video, I don’t have the software and on dial-up video uploads are out of the question.
It really isn’t that complex.
Hi mkis,
More info on the malware in question here:
http://virscan.org/report/83cd9493009c56b979d61b460ae09fb3.html
polonus
Hi Polonus
I came home late last night and shouldn’t have bothered with internet. I came very close to clicking through on this by my carelessness. After which, I decided to log off. I was hoping someone would follow up on the alert.
Regards