Is HTML.Downloader_Geno_iframe A False Positive? [SOLVED]

I went to a link on a webpage and was directed somehow to a page at Frigidaire's website (the appliance company). Suspicious, I immediately ran a scan with Avast and Malwarebytes, which came up clean, and after that rebooted with no problems or evidence of infection. A scan with VirusTotal of the site in question shows 1 detection, from an anti-virus company I have never heard of: ViRobot?

See Report here:

http://www.virustotal.com/file-scan/report.html?id=2ef919f45473eb97d07703277cf4244d0deac2c3bb0b026d13ea8c38c7e5d999-1303237368

Computer seems clean and fine; is this a false positive? Researching this malware shows that it first appeared around 2007. In fact, the URL for the site in question no longer exists.

Jack

Given there is only one detection and that the avast web shield is usually red hot in iframe and script exploits, I would lean towards an FP.

However, since you don't give any details on the URL you were at when redirected, there really is no way to investigate further.

Hi Jack 1000,

If you give us the link like hxtp or wXw we could investigate. As we have no source URL we cannot see anything about the validity of this VT result; if Avast detects this trojan it is as HTML:Iframe-inf or PHP:C99Shell-B.

polonus

Here is the host link. hxxp://www.gla55pak.com

And the full URL:

hxxp://www.gla55pak.com/lameduckie/02november/serial

Jack

I find nothing and I mean nothing actually displayed on either of those links.

The page source is the same for both pages, see image extract; the iframe at the bottom is the thing that is probably being detected, but nothing on the web shield.

So what made you click on that link to take you to that site?
Me, I would have been suspicious of the use of 55 in the domain to look like SS.

Hi Jack 1000,

Most likely it was reported earlier, as:
Malware details
MD5: ac03c8df87c4fae4ae852eed4a5b4757
SHA1: 7b9c35b76c3f5ccd1db2f9bffa4a7abb64089dcb
SHA256: 3bd502462d9f8ddee1edc2dd98ec462fdab83056c08ea4d2c0f11237ea383b13
Received: 2011-02-24 16:32:02
Last scanned: 2011-02-24 19:32:43
AV Detection: 2/51

TrID results
80.6% (.HTM/HTML) HyperText Markup Language with DOCTYPE (12501/2/4)
19.3% (.HTML) HyperText Markup Language (3000/1/1)

Flagged by SUPERAntiSpyware Rogue.Agent/Gen–o[BIN]
and Robot HTML.Downloader_Geno_iframe
source of above report: RabidMonkey.org

Your link gave these Wepawet scan results: http://wepawet.iseclab.org/view.php?hash=2b1a29cfb45b2ef9e9dbdbb1d0fe38fb&t=1303245460&type=js

Nothing found: http://vscan.urlvoid.com/analysis/0a822950d566ac916e28909e60b7f74c/c2VyaWFs/

Upload the file to virus AT avast dot com for analysis; it could be fairly new and the above flags because of a test-run,
or, as you say, a false positive (but two flags, SAS and Robot, and the RabidMonkey report).

Again thanks for reporting the issue,

polonus

My story is that from time to time I have always been interested in supernatural activity, haunted houses, and unexplained phenomena. I found this site of Haunted Places in the United States. Very safe (well, except for that link). It's a database of haunted places.

Anyway, I was looking at a place in Wisconsin, where a friend of mine lives, and there is or was this haunting in the city of Eau Claire. Do a search with the Find command and enter the text "Rope Swing" on the page below:

hxxp://www.theshadowlands.net/places/wisconsin.htm (This is the safe URL, but I will use the xx protocol as good Internet etiquette.)

The word "Missing" is highlighted and takes users to the URL mentioned above in my OP. I have contacted the site's webmaster to please remove the link.

Note that I cannot submit a file, because there is no file to submit. Nor do I want to go back to a web page to submit the file.

David, yes you are correct, I should have been more cautious about that “55” as a part of the link.

Jack

PS. Still strange that I was directed to Frigidaire that first time! (When I clicked on the "Missing" URL at the Haunted Places site.) One of the reports said that the strange URL links directly or indirectly to some stuff at Google. I mean, whatever it was wanted me to look at refrigerators! And I actually went to Frigidaire's home page and could click on the exact page to which I had been directed.

That had to be a banner cookie of some kind. I will probably run full scans with Avast/Malwarebytes tonight just to make sure that there is nothing found. But it sounds like this is OK. I'll post back if it's not.

Jack

Hi Jack 1000,

WOT does not like that gla55pak dot com, see: http://www.mywot.com/en/scorecard/gla55pak.com
Source of the "unknown_html_google_malware" browser exploit according to one malware resource site...

polonus

That’s actually my WOT Rating! I rated it I think Yellow this morning.

Jack

Yes, it is certainly weird behaviour, but currently not malicious as far as I can tell. That rather depends on what the pop_int.js does, but Avast doesn't alert on it and there are zero hits at VirusTotal either.

So it rather depends on what might be at the other end of the iframe, which appears to be some sort of sponsoring, given the check_bot='domainsponsor' bit at the end, see image.

Now I use Firefox and the NoScript (NS) and RequestPolicy (RP) add-ons. NS would primarily stop scripts being run on the gla55pak.com site and RP would stop cross-site requests (to searchportal.information.com); it is this bit which would block the redirect to whatever the sponsor domain might be (check_bot='domainsponsor').
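The triage above comes down to one question: which script and iframe targets in the page source leave the page's own host, since those are the requests RequestPolicy would block and where a hidden bottom-of-page iframe would point. The following added example (not from the thread or any of the tools named in it) lists exactly those cross-site references from a saved page source and flags iframes sized to be invisible; the sample HTML, the ads.example.invalid host and the a.js filename are constructed for illustration, while pop_int.js, the page host and the check_bot=domainsponsor parameter are taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect every iframe/frame/script start tag that carries a src."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "script"):
            a = {k: (v or "") for k, v in attrs}
            if a.get("src"):
                self.refs.append((tag, a))


def _looks_hidden(a):
    """True for the 0/1-pixel or display:none sizing a drive-by iframe uses."""
    style = a.get("style", "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return ("display:none" in style
            or a.get("width", "").strip().lower() in tiny
            or a.get("height", "").strip().lower() in tiny)


def cross_site_refs(html, page_url):
    """Return [(tag, absolute_src, hidden)] for refs that leave the page host."""
    parser = _RefCollector()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    found = []
    for tag, a in parser.refs:
        absolute = urljoin(page_url, a["src"])
        host = (urlsplit(absolute).hostname or "").lower()
        if host == page_host:
            continue  # same-origin: NoScript's business, not RequestPolicy's
        found.append((tag, absolute, tag != "script" and _looks_hidden(a)))
    return found


# Constructed sample mimicking the page source described in the thread: a
# local pop_int.js, a cross-site sponsor script and a hidden iframe at the end.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="/pop_int.js"></script>
</head><body><p>parked</p>
<script src="http://searchportal.information.com/a.js?check_bot=domainsponsor"></script>
<iframe src="http://ads.example.invalid/frame.html" width="0" height="0"
 style="display: none"></iframe>
</body></html>"""
```

Run `cross_site_refs(SAMPLE_HTML, "http://www.gla55pak.com/")` to get the sponsor script and the hidden iframe, with the same-host pop_int.js dropped.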

Update: an Avast boot-time scan and a full Malwarebytes scan show a clean system. Considered SOLVED. Thanks everyone!

Jack

You’re welcome.