http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

e.g. visiting (remove the braces)

(http)://www.wix.com/support/forum/flash/other/other/spurious-code

The page injects some javascript (using document.write) to load the script http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

I can access (https)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js (the very same code) and not get a virus alert. I can download (http)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js using wget and scan it and not get an alert. The alert it's giving is a URL:Mal

I can upload the downloaded code to jotti.org and it passes as clean.

http://virusscan.jotti.org/en/scanresult/9cd19dba5af53585bfcc4a5244c21382e539fc60

False positive?

Have had this happen on several sites today, and upon a cursory search there seems to be a lot of references to this same code.

Yep, same thing just happened to me visiting a jewellery website that I have used before (all the w’s acotisjewellery.co.uk), exactly the same pop up, avast blocked a malicious URL ://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js as other people are getting. :-\

I am getting this alert when I view my blog/website. I also get it when I try to expand the HTML template of my blog in the admin area. I use blogger, and have not recently made any changes to my site, nor do I allow spam comments on my blog. Pretty sure this is a false pos, but how do I report it?

I’m getting it when visiting the national newspaper Daily Mail. It was ok until this afternoon. Then this warning.

@ mehuge

Please ‘modify’ your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

It’s not a site, it’s part of a JavaScript on pages.

Since it only seems to be getting caught by Avast, it would be great if someone from Avast could chime in and say if it’s a false positive, or something we actually need to worry about.

I have the same problem and agree it would be nice to have some info from Avast!!!

Could you attach a screenshot of the avast warning popup…

Pondus

Somehow, I do not seem able to reproduce it. Maybe it has gone with a new definition update…
RUM means real user monitoring by automatically injected JavaScript. Info on what RUM does is in this article by Dan Wright: http://blog.newrelic.com/2011/05/17/how-rum-works/

polonus

Hello, I’ve registered just to say I’m getting this problem too and it started today. It’s popping up at many safe websites I visit daily, including filehippo and ausgamers just to name a couple.

It would be great if someone at avast! could confirm if this is a false positive, before I decide to disintegrate my harddisk.

My warning

With so many of us getting the same pop up it must be a false positive surely?

Wish someone from Avast would let us know. :frowning:

Just wondering what it is, and where it comes from. From the header request I get:


HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:01:18 GMT
Expires: Thu, 03 Jan 2013 22:01:18 GMT
X-Amz-Cf-Id: XwrpY8dIAJVQveFH1V5Sym206IB0K8Vw7BQo_q1YB4gJ2VV87JmyXw==
X-Cache: Error from cloudfront 

From the GET


HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:03:04 GMT
Expires: Thu, 03 Jan 2013 22:03:04 GMT
X-Amz-Cf-Id: UwQcftUvjCf9p_iJDZYCAUEnIwku1Cj3z96FN6k3L-Zgf2cRB7l8Cw==
X-Cache: Error from cloudfront

<html><body>Sorry, invalid request</body></html>

polonus

My screenshot and the one from Borgis refer to the same exact file.

EDIT: Forgot to mention that prior to Firefox, I had Waterfox installed (64-bit Firefox variant) and that’s where I got the message first. My screenshot shows Firefox portable because I uninstalled Waterfox thinking the exe got infected, and so I switched to the portable Firefox I use for work.

I see both screenshots show Firefox as the process… does it only happen with Firefox?

Ya exact same warning as everyone else, getting really worried about what is going on :frowning: , was fine browsing until today with these pop ups…

PS: No, not only Firefox, I am using Opera myself, still getting the same warning.

Just updated avast and still getting the pop ups. What on earth is going on and why are only some people affected and not others?

Come on Avast, we need to know.

AVG flags it now on urlvoid: http://www.avgthreatlabs.com/sitereports/domain/d1ros97qkrwjf5.cloudfront.net/
Also blocked according to adblock lists: http://forums.fanboy.co.nz/forums/viewtopic.php?f=6&t=6857 (Fanboy’s Adblock Forum)

polonus