False Positive on Neowin.net article page

Viruses and worms
1

There is a false positive on this page:

http://www.neowin.net/news/a-history-of-viruses-on-linux

It appears that a line referencing a particular ELF infection is causing this issue. It is in the 2001 part of the history segment and it was flagged as ELF.Satyr. Please rectify this false positive and any others that may of occured on it. I assure you this page does not house any infections at all.

11/27/2010 1:16:59 PM http://www.neowin.net/news/a-history-of-viruses-on-linux|>{gzip} [L] ELF:Satyr (0)
11/27/2010 1:17:09 PM http://www.neowin.net/news/a-history-of-viruses-on-linux|>{gzip} [L] ELF:Satyr (0)

2

Report 2010-11-27 19:42:23 (GMT 1)
Website neowin.net
Domain Hash 77d0107dfcc8033d6e2e7fb5e7db3a21
IP Address 209.124.63.219 [SCAN]
IP Hostname 219.63.124.209.sfldmi01.utropicmedia.net
IP Country US (United States)
AS Number 53292
AS Name MANAGEDWAY - ManagedWay
Detections 0 / 17 (0 %)
Status CLEAN

3

This page seems to be 6 suspicious inline scripts found. (scroll down to the bottom where the Obfuscated script is listed )
http://www.UnmaskParasites.com/security-report/?page=www.neowin.net/news/a-history-of-viruses-on-linux

VirusTotal - a-history-of-viruses-on-linux - 3/43
http://www.virustotal.com/file-scan/report.html?id=46ebdd6568de47d076d848395775e3ca9583adbb91fdcb01553c65de35522aa8-1290883973

NoVirusThanks - 1/16 - INFECTED
http://vscan.novirusthanks.org/analysis/beb9c964da18668b6f10ba2d44f48153/YS1oaXN0b3J5LW9mLXZpcnVzZXMtb24tbGludXg=/

4

You need to report this URL to avast as a false alert:

http://www.avast.com/contact-form.php?loadStyles

5

Is this new? I haven’t noticed this before.

6

It certainly looks new as it is for multiple contact option and includes, Report false virus alert in file and Report false virus alert on website, which I’m sure the only option prior to this was email and chest submission.

7

I did not know of that page previously. Thanks for the heads up. I’ll report it there and see what kind of response I get.

The scripts are Neowin.net’s ad code that only appears to non-subscribing members. That’s normal. It’s flagging based on some text in the body of the article.

8

Well it does depend on where the Ads are actually from as there is now an issue with some ads being poisoned, see this avast blog article.

http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/

9

The form isn’t new, but the report FP options are rather new.
asyn

10

Hello,
it should be fixed in current VPS 101128-1 which was just released.

Milos