When I was about to install the following file for my MicLink wireless mouse, Avast warned that “IDP.Generic” was detected. Is it a false alarm?
http://www.miclink.net/MicLink.exe
→ https://sitecheck.sucuri.net/results/www.miclink.net/MicLink.exe
→ https://www.virustotal.com/gui/url/ec8c224385228d71d9441d8b4808c4aef9deef102955eb923c5690b1e584bd8b/detection
Connections to this http site are insecure, to Nginx 1.4.4 with vulnerable headers.
Retirable jQuery library:
jquery 1.6.2 found in https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js
Vulnerability info:
Medium CVE-2011-4969 XSS with location.hash
Medium CVE-2012-6708 11290 Selector interpreted as HTML
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Medium CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
JavaScript errors
SyntaxError: Unexpected token '&'
eval ()()
:3:100()
Object.N [as F_c] (:2:148)()
Object.E_u (:3:274)()
Ka (eval at exec_fn (:1:157), :61:375)()
Object.create (eval at exec_fn (:1:157), :73:235)()
L (eval at exec_fn (:1:157), :12:208)()
SyntaxError: Invalid or unexpected token
eval ()()
:3:100()
Object.N [as F_c] (:2:148)()
Object.E_u (:3:274)()
Ka (eval at exec_fn (:1:157), :61:375)()
Object.create (eval at exec_fn (:1:157), :73:235)()
L (eval at exec_fn (:1:157), :12:208)()
SyntaxError: Unexpected identifier
eval ()()
:3:100()
Object.N [as F_c] (:2:148)()
Object.E_u (:3:274)()
Ka (eval at exec_fn (:1:157), :61:375)()
Object.create (eval at exec_fn (:1:157), :73:235)()
L (eval at exec_fn (:1:157), :12:208)()
SyntaxError: Unexpected token '<'
eval ()()
:3:100()
Object.N [as F_c] (:2:148)()
Object.E_u (:3:274)()
Ka (eval at exec_fn (:1:157), :61:375)()
Object.create (eval at exec_fn (:1:157), :73:235)()
L (eval at exec_fn (:1:157), :12:208)()
SyntaxError: Unexpected strict mode reserved word
eval ()()
:3:100()
Object.N [as F_c] (:2:148)()
Object.E_u (:3:274)()
Ka (eval at exec_fn (:1:157), :61:375)()
Object.create (eval at exec_fn (:1:157), :73:235)()
L (eval at exec_fn (:1:157), :12:208)()
Source view
HTML
www.miclink.net/
7,122 bytes, 60 nodes
Javascript 6 (external 0, inline 6)
INLINE: self['tp_iagrqORgyeH_func'] = function(frame){ if (frame === null) { co
3,872 bytes
INLINE: self['tp_MTpqOLZCiQD_func'] = function(frame){ if (frame === null) { co
2,186 bytes
INLINE: self['tp_LwOzUmFnVTu_func'] = function(frame){ if (frame === null) { co
2,614 bytes
INLINE: self['tp_rRilLMJIsQY_func'] = function(frame){ if (frame === null) { co
2,424 bytes
INLINE: self['tp_ECvfeETtTFx_func'] = function(frame){ if (frame === null) { co
5,409 bytes
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
38,144 bytes
CSS 4 (external 0, inline 4)
INLINE: body { background: url("img/background.png"); }
286 bytes INJECTED
INLINE: a.gootranslink:link {color: #0000FF !important; text-decoration: underline !impo
2,944 bytes INJECTED
INLINE: .BDTLL_icon_ok { background-image: url(data:image/png;base64,iVBORw0KGgoAAAA
26,787 bytes INJECTED
INLINE: .BDTLL_status { cursor: pointer; display: inline; margin-right: 3px;
117 bytes INJECTED
If this is Alibaba Cloud abuse, wait for a final verdict from the Avast team, as it may not be an FP.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Names
MicLink.exe
Signature Info
Signature Verification
Signed file, valid signature
File Version Information
Copyright
Product MicLink
Description MicLink Setup
Original Name
File Version
Comments 此安装程序由 Inno Setup 构建。
Date signed 08:45 AM 11/19/2020
In addition to what Pondus (with supporting VT scan results) reports above:
IDP.Generic means that the file was detected by the Identity Protection detection component of your Avast AV solution, and that it is a generalized (generic) detection. This can also be a false positive, which happens due to outdated definitions and gets fixed after updating Avast. One should certainly try the latter.
So very often such detections may be FPs, but they can also be genuine detections, when malcreants knowingly use the names of innocent files to infect you with malware.
When an IDP.Generic infection is detected, the particular downloaded game or programme will often cease to function upon detection.
Then it is important to establish whether this is a genuine detection or a false positive.
So always download from official and trusted sources.
In case of a genuine, persistent IDP.Generic detection, MBAM (Malwarebytes) can also erase it (second-opinion scan).
polonus