VBS: Malware-gen at my site

Hello.

Some users notified me about a virus/worm that avast reports when they visit any content from http://hip-hop.sk

I have no idea what should be wrong.

From one user I got this detail about it:
Internet Explorer 7
Avast! version 4.7 professional , virus database 21.3.,
Virus name: VBS: Malware-gen
Malware type: virus/worm
VPS Version: 080321-0, 21.03.2008

I have a thick knowledge about viruses, therefore I installed into VirtualBox some Windows XP with the latest free Avast Home, but I got no warning.

I think that this is false positive. What should I do?

If it is a false positive, you can temporarily add the URL to WebShield exceptions.
Hope they correct it soon.
Dr. Web and LinkScanner come back clean when scanning that page.

I didn’t get any alert from avast! when surfing http://hip-hop.sk , but I use Opera browser. Many times when I click on sites that members report fp’s from, I often don’t get alerts. Opera seems to be immune to some fp’s, really it’s just that the fp’s affect Firefox & IE in those cases.

I too didn’t get any alert using firefox (noscript allowed for the site) perhaps you can try with the latest virus signatures, 080322-0, right click the avast ‘a’ icon, select Updating, iAVS Update and see if you are still getting the alerts.

DrWeb link scanner doesn’t find anything on the url you gave above either.

I’m not receiving any alert from WebShield now…

Some fp’s only affect certain browsers…
http://forum.avast.com/index.php?topic=33947.msg283760#msg283760

Tested IE and Opera and both return clean…

This morning my wife started losing all of her browsers as she was logged on, when she went to network places to look for a problem with our home network it was gone on her computer. After running through all the tests everything checks out fine. However when she reboots her computer avast alerts her to the VBS:Malware-gen at my site. No matter how she tries to remove it, even running a sweep in safe mode she can’t get rid of it. Don’t know if her losing her network and the VBS are a coincidence or not. Our provider told her it’s a hardware problem even though everything tests OK. Any thoughts or comments would be greatly appreciated. Also don’t know if it’s a coincidence or not but it all started right after avast automatically updated on her computer. Thank you.

What is the site URL that the alert is on so that it can be checked ?

When posting the URL, please break it so that it isn’t active (avoiding accidental exposure) or instead of the http use hxxp, e.g. hxxp //: www .example-url.com/index.html, etc.

The infection isn’t on her system as the alert is on your site and was intercepted by the Web Shield provider. The only option given on the alert would be abort connection (see image example), this stops the infected file/page from being downloaded, so she won’t find it.

Was not on a site. The alert pops up on computer start up.

I’m confused now, as this was in your first post ?

However when she reboots her computer avast alerts her to the VBS:Malware-gen at my site.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx, may also be a URL, if so break it up as previously suggested) ?

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Hi, I am new to this forum but I have started to get this “VBS:Malware-gen” warning against one of my sites also!
The site is http://www.karenwilson.net and if you select the Gallery link. From within that page, if you select any of the gallery items (basically load the list.php page) then I am getting the Virus warning. This happens on the live site and also my local hosted test site? I cannot see any “extra” dangerous code.

I only updated to v4.8 of avast yesterday and since then this has started. Please can you help.

Probably it is false positive (e.g. for the page http://www.karenwilson.net/gallery/list.php?cID=2 ). It is curious to obtain VBS:Malware… message for a page without any VB script, JS only.
More specifically the false positive is in the following code; if you comment this out the alert will be gone:

function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
  var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
  if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}
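The post above localised the alert by commenting out one function at a time until the warning disappeared. The following Python script, added here as an example and not code from the thread or from avast, automates that triage for a site owner: it splits a page's JavaScript into its top-level function declarations, removes each one in turn, and reports which removals clear the detection. The `scan` callback is pluggable; the `toy_scan` stand-in and its pattern are constructed for the demonstration only and are not the real VBS:Malware-gen signature, whose contents are not public. The sample JavaScript is the Dreamweaver rollover code quoted in the thread.

```python
import re
from typing import Callable, Dict, List

# Constructed sample: the Dreamweaver rollover helpers as quoted in the thread.
SAMPLE_JS = """
function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
"""

# Matches the start of a top-level "function name(args) {" declaration.
FUNC_RE = re.compile(r'function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{')


def split_functions(js: str) -> Dict[str, str]:
    """Return {name: source_text} for each function declaration in js.

    Brace counting is deliberately naive: it ignores braces inside string
    and regex literals, which is fine for the Dreamweaver helpers but would
    need a real tokenizer for arbitrary scripts.
    """
    funcs: Dict[str, str] = {}
    for m in FUNC_RE.finditer(js):
        depth, i = 1, m.end()
        while i < len(js) and depth:
            if js[i] == "{":
                depth += 1
            elif js[i] == "}":
                depth -= 1
            i += 1
        funcs[m.group(1)] = js[m.start():i]
    return funcs


def remove_function(js: str, name: str, body: str) -> str:
    """Replace one function with a marker comment so the scanner never sees it."""
    return js.replace(body, f"/* removed for triage: {name} */", 1)


def bisect_detection(js: str, scan: Callable[[str], bool]) -> List[str]:
    """Names of functions whose removal makes scan() stop flagging the script.

    scan(text) must return True when the scanner raises an alert on text.
    An empty list means either the script is clean or no single function is
    responsible (e.g. the signature spans several of them).
    """
    if not scan(js):
        return []
    culprits = []
    for name, body in split_functions(js).items():
        if not scan(remove_function(js, name, body)):
            culprits.append(name)
    return culprits


def toy_scan(js: str) -> bool:
    """Constructed stand-in for an AV engine: flags one preload idiom.

    This is NOT the real VBS:Malware-gen signature; it only mimics a generic
    pattern match so the bisection can be demonstrated offline.
    """
    return "MM_p[j++].src" in js


if __name__ == "__main__":
    # Expected: ['MM_preloadImages'], matching the thread's manual finding.
    print(bisect_detection(SAMPLE_JS, toy_scan))
```

In practice `scan` would wrap whatever the site owner can actually run, for instance writing the candidate to a file and invoking a command-line scanner, and the functions it names are what to attach to the false-positive report.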

Hi psw, thanks for that. I agree, as I have a similar site that has no issue with that code!! I did comment it out and sure enough no virus warning?? Any ideas?
It’s strange that it’s started after I have installed v4.8 also?

Just to post my details also …

  • Vista Ultimate (with SP1 and patched todate)
  • IE7 (Patched todate!)
  • Avast 4.8 Home Edition (build Apr2008 (4.8.1169))
  • VPS Compilation date: 01/04/2008 version 080401-0

Just to confuse further … i must be missing something but on this site the JS is as follows:

function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
  var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
  if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_findObj(n, d) { //v4.01
  var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
  if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}

BUT on the site that doesn’t seem to get picked up as a virus it is the same code but the functions are in a slightly different order (and another tested also; as long as function MM_swapImgRestore() isn’t first!!) … as follows:

function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
  var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
  if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_findObj(n, d) { //v4.01
  var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
  if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}

It is not a specific 4.8 problem but the simultaneous VBS update. I got a similar alert from the Standard Shield during simple copying of this page :)
Probably you need to write an email to virus at avast point com with the Subject "False Positive". In this email you can provide the link to your page with the FP and can give a ref to this topic.

As an urgent workaround for your site you can modify the problem function. Or you can wait for avast! to solve this FP problem.

It isn’t to do with the new 4.8 but VPS signatures, which are constantly updated and on occasions will trigger on something that matches the signature, which isn’t correct.

I would say it is probably more to do with the actual malware name, VBS:Malware-gen as it is my belief that these -gen signatures are a more generic signature that is trying to catch many fish with one hook so to speak. They will be trying to look for a type of malware rather than a specific one.

DrWeb link checker doesn’t find anything at the URL psw posted and ‘now’ neither does avast as you have commented it out.

You could submit a false positive report to avast.com (see below) and attach the original list.php file without the script being commented out and see if they can tweak the signature so it doesn’t get hit.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you could remove the comment on the site and submit the false positive report with the URL that is causing the grief.

Yup, this exact false was removed from the internal build and will be released later this evening.

Regarding the name, I admit it’s a bit stupid, I’ve got it in my todo list, so it will be changed to better reflect the real threat name. (Historically, this piece of code was getting just the VBS viruses)