HTML:Allaple-A [Wrm] - True or false

Hello guys.

I got a virus/worm alert while visiting the following website:

hxxp://www.balipost.co.id/international/info/INDEX.HTML

But I’m not quite sure whether this is a wrong alert. I checked the page also with the Norton Online Tool, which doesn’t find anything. See:

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.balipost.co.id%2Finternational%2Finfo%2FINDEX.HTML&x=0&y=0

The Virustotal Online Check is able to find something. (37%)

http://www.virustotal.com/de/analisis/07e802fc2bb288bfff5a368e49d587d2466a2f1af5dd08309eccfb7d97f811d9-1247602994

see also attachment

So actually I don’t know if that is dangerous or not. It would be great if somebody could clarify that.

Best regards

Roman

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit your link to hxxt instead of http and make it not live.

I even don’t know what exactly an obfuscated script or iframe means. Therefore I have no idea how to check out whether one of those things is implemented in the website’s code ???

I could try to contact the admin from the Indonesian site, because this site doesn’t give a virus alert when it is opened.

??? How to find out if a gif-image or anything else that is linked contains a virus? I don’t even want to load the html page.

Link has been edited, sorry for that!

Thanks for the fast reply.

Well, I’ve tried to find anything weird in the html code, but found nothing.
Maybe a more experienced user could help.

btw I tried to find out an email address of the admin. Using the Indonesian whois database didn’t solve the problem. No admin email address deposited. ;D Awesome…

Funny country — https://register.pandi.or.id/whois

Thanks so far Tech!!!

As far as I can see from the page source it is likely to be the Object tag that is the cause of the alert, image1.

I’m not entirely sure why the object tag would be there as it isn’t very common and I have seen this used before for malicious purposes. So the site may have been hacked and this tag inserted.

OK I did a test and cut out that object code and created a test html file with only that and the basic html structure (see image2) and uploaded to VT and it has pretty much the same results, http://www.virustotal.com/analisis/53e8179cd71dbf2cb0c139f696d70a1dbb9e2d1130a069fd9bac50cfaecbe887-1247608736.

So it looks like that is the problem and I would imagine that there may be a corresponding file that the object tag uses in the call.
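
An added example, not part of the thread or any poster's code: a static check for the question raised above about inspecting a page without opening it in a browser. It lists the embedding tags (object, iframe, script and similar) in saved HTML text and builds a minimal test file around one tag, as the last post did by hand; the sample HTML, the function names and the "tiny"/"hidden" heuristics are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags that embed external or active content; the thread's suspect was <object>.
EMBED_TAGS = {"object", "iframe", "script", "embed", "applet"}
REF_ATTRS = ("data", "src", "codebase", "classid")

class EmbedFinder(HTMLParser):
    """Collects embedding tags from HTML text without rendering or fetching anything."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        notes = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            notes.append("tiny")  # element a visitor would never see
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            notes.append("hidden")
        self.findings.append({
            "tag": tag, "line": self.getpos()[0], "notes": notes,
            "refs": {k: a[k] for k in REF_ATTRS if k in a},
            "raw": self.get_starttag_text(),
        })

def find_embeds(html_text):
    parser = EmbedFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings

def isolate(finding):
    """Minimal test page holding only the suspect opening tag (child tags are not copied)."""
    return "<html><body>\n%s</%s>\n</body></html>\n" % (finding["raw"], finding["tag"])

# Constructed sample page, not the source of the site discussed in the thread.
SAMPLE = """<html><body>
<h1>Info</h1>
<img src="logo.gif" width="120" height="40">
<object data="hxxp://example.invalid/x" width="0" height="0"></object>
<script src="/js/menu.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in find_embeds(SAMPLE):
        print(f["line"], f["tag"], f["refs"], f["notes"])
```

The output of `isolate()` can be written to a file and submitted to a multi-engine scanner to see whether the detection follows that one tag.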