False positive? http://www.minifycss.com/data.js HTML:IFrame-KT [Trj]

VPS: 091214-0, 14/12/2009

Is this a false positive?

Thanks.

Generally avast is very accurate on these detections.

The data.js file is full of obfuscated code, functions and document commands. Because of the obfuscation I can’t say what it is trying to do. But since JavaScript is a plain-language scripting tool, I don’t see why there is a need for this level of obfuscation. What have they got to hide? For me that is suspicious.

However, a recent scan at VirusTotal gives 9 detections out of 41, so that is further suspicion it isn’t an FP, as many AVs aren’t even looking for this sort of thing.

http://www.virustotal.com/analisis/1ba72a2f3b579ef1bb0e2ef0404b3428b87c93cda53cd977306c7672b69b66aa-1260474782

My upload has just finished being scanned and the result is 10/41 so 1 more than the last scan.

http://www.virustotal.com/analisis/1ba72a2f3b579ef1bb0e2ef0404b3428b87c93cda53cd977306c7672b69b66aa-1260817093

Hi hm2k,

Consider this here: http://forum.avast.com/index.php?topic=51941.msg439644#msg439644

polonus

> My upload has just finished being scanned and the result is 10/41 so 1 more than the last scan.

It is actually 8, David, since F-Secure and GData are using the Bitdefender engine.

Hi hm2k, DavidR and Pondus,

We should be glad for these Webshield findings. But I can understand that users are reluctant to believe these are genuine and that there is really a major threat lurking when visiting the site. I will demonstrate it with an example where McAfee’s SiteAdvisor gives a site as all green, while Unmask Parasites gives it as ridden with malware. The example site I mention also has (had) HTML:IFrame-KT [Trj].

Site nandableeker dot nl

Part of this site during the previous 90 days was noted thrice for suspicious activities.

What happened when Google visited this site?
Of the 40 pages that we tested on the site, 7 pages have been downloading and installing malcode without the user’s consent. The last time suspicious content was found on the site was on 2009-12-07.
Malicious software includes 40 scripting exploits, 3 Trojans, 2 exploits. Successful infection resulted in an average of 3 new process(es) on the target machine.

Malicious software is being hosted on 10 domains, e.g. gabtibbgtwe.com/, toshiba4u.ca/, cardemil.dk/.

4 domains seem to function as redirectors to spread malicious software to visitors, i.e. frostep.com/, tradeservise.com/, dominchikis.com/.

This site was hosted on 1 network(s) including AS21155 (PROSERVE).

polonus

Well, that depends on whether you also want to consider that GData also uses avast, though in this case it is using the Bitdefender signature, so theoretically it could be two ;D

However, that doesn’t matter too much, as it basically confirms the suspicion about that file and the probably good detection by avast.