js:Downloader-gen@bhv [Expl] false positive?

js:Downloader-gen@bhv [Expl] is being blocked at www.HuffingtonPostdotcom. Did not get this yesterday. False positive as this is a credible, highly trafficked site? I’m updated to definitions 111109-1.

Thanks.

I can’t check it out as it redirects me to the .co.uk version of huffingtonpost.

  • There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.

This page seems to be - 19 hidden external links found.
http://www.UnmaskParasites.com/security-report/?page=www.huffingtonpost.com

Wepawet: The last time we found it to be suspicious was at 2010-08-21 13:16:30.
http://wepawet.iseclab.org/view.php?hash=e7810694e4ca3c03162e7d82eaebd27c&t=1282421790&type=js

Wepawet: New scan
http://wepawet.iseclab.org/view.php?hash=e7810694e4ca3c03162e7d82eaebd27c&t=1320868907&type=js

potential malware links listed at the bottom of Wepawet report

Hi VFN,

Gave no problem going to the UK version of that site. No alert. Sucuri scan: -http://www.huffingtonpost.com/
Given clean: http://www.urlvoid.com/scan/huffingtonpost.com
status: Verified Clean web trust: Not Blacklisted
Safe: http://urlquery.net/report.php?id=7896

But they did a sort of scripted DNS trick there which was reported here:
http://www.google.com/support/forum/p/Webmasters/thread?tid=593d3767d56e8015&hl=en
and maybe that was flagged at the time…
Pondus, this was reported as clean: http://www.google.com/safebrowsing/diagnostic?site=huffingtonpost.com
Hidden external links, OK, but did you scan them all for being malicious?

This certainly is suspicious there: -s.huffpost.com/assets/js.php?f=sub.js,jquery.js&v62011 suspicious
[suspicious:2] (ipaddr:-64.215.158.197) (script) -s.huffpost.com/assets/js.php?f=sub.js,jquery.js&v62011
status: (referer=-www.huffingtonpost.com/)saved 95253 bytes 47539740bc7d96e51aa1fe2af418265861eb5677 according to jsunpack… for that issue check: -http://jsunpack.jeek.org/?report=c56656dc545b58e3447f68cdd5fccc8e99bd5bfd
(jsunpack is only to be visited by the security aware with ample script and VM protection enabled)
For the potential malware links I get a 404
and WOT does not like it: http://www.mywot.com/en/scorecard/cdn.uc.atwola.com
also see: http://www.urlvoid.com/scan/flv.stream.atwola.com
3 times given in the realtime evidence virus table list: -k.net ar.atwola.com atdmt.com
-om cdn.atwola.com download935 & -avast.com atwola.com download9 (this flag stems from last
incident) - but probably it is no longer up and running, which is why I get the 404 webpage not found error with malzilla.

polonus