False Positive?

Detection: JS:Autolike-DT [Trj]
I get 100% detection (web shield: site blocked) for this on one specific news site. Has been detected for at least 2 maybe 3 weeks now. I have trouble believing the site would not have been contacted, warned, etc. by someone if the infection is valid… FYI, I get the detection only in Avast for windows (7) and not on my Nexus Tablet (Android…)

Additional info: Full Avast scans as well as full Malwarebytes scans show no issues on my PC. In any case, as I mentioned, Avast blocks the site, presumably successfully.

Hope this is not a Musta.A infection.
This application spreads from one system to another and interacts with computer operations.

polonus

It would help if you told us what site :wink:

http://shrewsbury.net/

I was more interested in how to detect a potential false positive, if others have seen this one, etc. Before I call them, I want more expertise.

Sucuri http://sitecheck.sucuri.net/results/shrewsbury.net

Urlquery http://urlquery.net/report.php?id=8958265

Zulu analyzer http://zulu.zscaler.com/submission/show/607ac8a27cf5949e3b9fd84d6cdcbebc-1390589842

Well, if their result is valid, it is a false positive…

Attach a screenshot of the avast warning pop-up.

Sorry, no… too much private info on my screen. The complete text of the pop-up is:

avast! Web Shield has blocked a harmful webpage or file.
Object: http://…/autolike.js?ver=1.0
Infection: JS:Autolike-C [Trj]
Process: C:\Program Files (x86).…\chrome.exe

and yes, this time it’s showing Autolike-C instead of D

Here is one I made earlier :slight_smile:

Scanning the HTML:

http://virusscan.jotti.org/en/scanresult/52d5b3a81aa3b9d66087b5415480858abe70eb9d
https://www.metascan-online.com/en/scanresult/file/a72d92cf97724d51b35d59cb1e77769d
https://www.virustotal.com/en/file/3c1597abd6625341113459078b96e0fd6f6121a0cc6cb28700bfbe947f34b0b3/analysis/1390656020/

Interesting… I found this relatively recent Avast thread on a variant of this trojan…
http://forum.avast.com/index.php?topic=142323.0

"Sorry, no... too much private info on my screen."
You can crop pictures... like essexboy did ;)

Have uploaded to Norman lab… will post the result tomorrow.

Yes… copying the text was easier/faster.

Hi NSILMike,

If the site was detected and blocked by avast! Webshield, it is most likely that your computer never came into contact with that site and the malware delivery.
In that scenario you had a lucky escape. Just scan your complete Google browser file by opening the file location, clicking the complete browser file and scanning it.

There is/was suspicious iFrame code there. Suspicious:

hxtp://www.homeinsight.com/widget/defaultcommunity.asp?iahh3yruvp3i’ → We’re sorry

We are experiencing technical difficulties. Please try again later.

Thank you for your patience.

On the main site I also got a connection time-out!

Site likely compromised because of outdated CMS:
Web application details:
Application: WordPress 3.5 - http://www.wordpress.org

Web application version:
WordPress version: WordPress 3.5
Wordpress version from source: 3.5
Wordpress Version 3.5 based on: htxp://shrewsbury.net/wp-admin/js/common.js
WordPress directory: htxp://shrewsbury.net/wp-content
WordPress theme: htXp://shrewsbury.net/wp-content/themes/WpAdvNewspaper/ (probably this at the root of this site being compromised)
WordPress version outdated: Upgrade required.

pol

Yes, I wasn't worried for my PC. My interest was: is it a false positive that Avast needs to fix, or a real infection that I need to contact the website about? It has lasted so long that my presumption was/is that it was a false detection. It's a popular enough site (locally) that they would have heard about it from someone after enough time had passed. FYI, the detection is still occurring.

Well, you have to take that up with avast team members via a report here: http://www.avast.com/contact-form.php
I am not aware why they still block it. If not a FP, it is a notorious Facebook hijacking virus for fraudulent commercial benefit.
It is detected in here: htxp://shrewsbury.net/wp-content/plugins/codecanyon-1970565-facebook-auto-like-for-wordpress/inc/autolike.js?ver=1.0
http://wepawet.iseclab.org/view.php?hash=bfd5fb0eb5972eafba5c79ae070b90bd&t=1390766714&type=js

polonus

Reply from Norman lab: detection is correct… detection added.

shrewsbury.net.htm: Fbjack.N

From the name given by avast and Norman, it seems to be a clickjacker for Facebook likes.

See Likejacking: http://en.wikipedia.org/wiki/Clickjacking

Hi Pondus,

Thanks for checking. Good we are being protected against this blackhat malcode.

polonus

I’ve alerted them to it.