Probable false positive malware warning. Why?

There is a site I use which is trustworthy. This site uses a style sheet script to place a shadow border around a picture. This script is rejected by Avast 5 for some reason.

Does anyone know why the following should be rejected as malware?

hxxp://www.coco3.com/gallery2/main.php?g2_view=imageframe.CSS&g2_frames=shadow%7CNone [L]
HTML:Script-inf (0)

Hi Robert Gault, welcome to the forum :)

Please can you modify your post to deactivate the link to prevent others from potentially becoming infected. (change http to hXXp)

The problem with that script is that at the end is another script that points to a malicious site…

http://www.mywot.com/en/scorecard/zettapetta.com

This inline script is what avast! is correctly alerting on.

-Scott-
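
The check described in the reply above, as an added example that is not part of the original thread: a response served as a stylesheet is scanned for HTML script tags, and any off-site host they load from is reported. The function name, the sample CSS and the `example.invalid` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# A stylesheet has no legitimate reason to contain an HTML <script> tag.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""(?<![\w-])src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_script_tags(css_body, site_host):
    """Return one finding per <script> tag found in a stylesheet response."""
    findings = []
    for tag in SCRIPT_TAG.finditer(css_body):
        src = SRC_ATTR.search(tag.group(1))
        url = src.group(1) if src else None
        # hostname is None for relative URLs and for inline scripts
        host = urlparse(url).hostname if url else None
        findings.append({
            "line": css_body.count("\n", 0, tag.start()) + 1,
            "src": url,  # None for an inline script
            # Off-site host the browser would be sent to, if any.
            "external_host": host if host and host != site_host.lower() else None,
        })
    return findings


# Constructed sample: two CSS rules followed by an appended script tag.
SAMPLE_CSS = (
    ".shadow { border: 1px solid #999; }\n"
    ".shadow img { margin: 0; }\n"
    '<script src="http://injected.example.invalid/js.php"></script>\n'
)

if __name__ == "__main__":
    for finding in find_script_tags(SAMPLE_CSS, "gallery.example.invalid"):
        print(finding)
```

A site operator can run the same check over every response the server labels as CSS; any finding means the file or the code that generates it has been modified.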

Hi Robert Gault, spg SCOTT & others,

See that only GData detects it heuristically and avast does not (well actually does now):
flagged as: HTML:Script-inf B
http://scanner.novirusthanks.org/analysis/7b9ca1492a36f2d553bb306de6ebd843/bWFpbi5waHA=/
zettapettacom: the last time suspicious content was found on this site was on 2010-05-14.
Malicious software includes 2 scripting exploits. Wepawet gives them as benign…
htxp://zettapetta.com/js2.php 200 text/javascript
htxp://www3.ruboidmon-64td.com/?p=p52dcWpkbmmHnc3KbmNToKV1iqHWnG3LXpSYx2ibZmqemA== Timeout application/x-empty
link to: www4
miymiy3net benign
link to: htXp://zettapetta.com/js.php blocked by the avast network shield
source: www4
miymiy3*net/07a9037379f74c5178575d905661ee1086d3010611.js
This site was hosted on 2 network(s) including AS39150 (VLTELECOM), AS50108 (KALUGANET),
dangerous site:
http://www.siteadvisor.com/sites/zettapetta.com
http://www.mywot.com/en/scorecard/zettapetta.com
http://www.surbl.org/lookup/
TrendMicro: This URL is currently listed as malicious,

polonus

novirusthanks.org seems to use… erm… a bit obsolete virus database?
I mean, avast! having a virus database from March? No wonder it doesn’t detect it…

Hi igor,

Anyway anyone in our user base knows about this now, and “bariéra je dolů”…

polonus

hxxp://www.coco3.com/gallery2/main.php?g2_view=imageframe.CSS&g2_frames=shadow%7CNone
VirusTotal - main.css - 4/41 http://www.virustotal.com/analisis/48f8897b49526afaca1d7a7fb0bdab0d6b3926b88125177181ab9bfd4627a7c1-1276006810
link to: htXp://zettapetta.com/js.php blocked by the avast network shield
VirusTotal - js.php - 3/40 http://www.virustotal.com/analisis/034803c0ace893aeb20596e62ab683d9380d02bc2d101d10af8d3a9cbd0f8bfb-1276007126

Guys,

Thanks very much for the information. I’ll forward it to the site operator.