Hi. I have a warning that site have VBS:Malware-gen.
But i think the site is normal, can you help me?
link: hxxp://www.yatop.com.ua/
Thanks, Aleksej
Be aware, it is not a false alarm. This exploit brings you several malware, like a zbot (ntos.exe) variant and several other malware!
hello,
not a false positive, contains an encoded iframe pointing to a malicious web. You can find it by searching for the string “eval(function(p,a,c”.
Hi Reinger
That site contains malware, positive about that; avast never gives false/fake alarms about viruses/trojans. If you ignore this alarm and allow it, your computer might be severely damaged. If possible, try choosing another site. The worst of all, your privacy might be violated, giving away your email/credit card and other important stuff.
you might benefit from one of the “site adviser” programs
what are you running for protection besides Avast
Firewall?
Script Blocker like “no script”
real time anti malware?
If you are going to try and download from bad places or have unprotected p2p, you are going to need all the protection you can get.
Thanks jsejtko. Guys from this site resolved the problem when they found the eval function in their JavaScript.
great result
Hmmm… maybe something is wrong in their scripts and code…
avast is very sensible to encrypted and not legit malware present in homepages.
Maybe you can wait for the programmers to post what’s wrong (if any).
This looks suspect (for javascript) and may be why avast has alerted. I have broken the string from a single line of code so it isn’t so long.
<SCRIPT LANGUAGE="JavaScript">
<!--
// Builds a string from '!'-separated character codes, then writes it into the page.
function Decode(){
  var temp="",c=0,out="";
  var str="60!108!105!110!107!115!62!60!105!32!115!116!121!108!101!61!34!100!105!115!112!"
         +"108!97!121!58!110!111!110!101!34!62!60!102!111!110!116!32!115!105!122!101!61!34!"
         +"50!34!62!";
  while(c<=str.length-1){
    // collect digits up to the next '!', then convert that code to a character
    while(str.charAt(c)!='!') temp=temp+str.charAt(c++);
    c++;
    out=out+String.fromCharCode(temp);
    temp="";
  }
  document.write(out);
}
//-->
</SCRIPT>
However, it will need someone with a better grasp of javascript than I to find out what it is trying to obfuscate.
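A way to answer that question without letting the snippet run, as an added example that is not code from the forum thread or from the site in question: the decoder below reproduces what the posted Decode() function builds, but returns the string instead of calling document.write, and a small scanner greps page source for the markers mentioned in the thread (the “eval(function(p,a,c” packer header, String.fromCharCode feeding document.write, hidden elements, iframes) and re-scans any decoded payload. The two page sources are constructed for this example; the function and marker names are this example's own.

```javascript
// Added example, not code from the forum thread. Static decoder/scanner for the
// kind of snippet posted above: it rebuilds what Decode() would write WITHOUT
// running document.write or eval, and flags markers the thread mentions.
// Both page sources below are constructed for this example.

// The '!'-separated character codes from the posted snippet, as one string.
const SAMPLE_ENCODED =
  "60!108!105!110!107!115!62!60!105!32!115!116!121!108!101!61!34!100!105!115!112!" +
  "108!97!121!58!110!111!110!101!34!62!60!102!111!110!116!32!115!105!122!101!61!34!" +
  "50!34!62!";

// Constructed page source that embeds the snippet on a single line.
const SAMPLE_PAGE =
  '<html><body><script language="JavaScript">\n' +
  'function Decode(){var temp="",c=0,out="";var str="' + SAMPLE_ENCODED + '";\n' +
  "while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);" +
  'c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}\n' +
  "</script></body></html>";

// Second constructed page carrying the "eval(function(p,a,c" packer header
// that jsejtko suggested searching for (body shortened; it is never executed).
const SAMPLE_PACKED_PAGE =
  "<script>eval(function(p,a,c,k,e,d){return p}('packed body',0,0,[],0,{}))</script>";

// Turn "60!108!..." back into text. Same arithmetic as the posted Decode()
// loop, but returns the string instead of writing it into the document.
function decodeBangString(str) {
  return str
    .split("!")
    .filter((s) => s.length > 0)
    .map((s) => String.fromCharCode(parseInt(s, 10)))
    .join("");
}

// Markers a reviewer of page source would grep for (names are this example's own).
const MARKERS = [
  { name: "packed-eval", re: /eval\(function\(p,a,c/ },
  { name: "fromCharCode-write", re: /String\.fromCharCode[\s\S]{0,300}?document\.write/ },
  { name: "hidden-element", re: /style\s*=\s*["']?[^"'>]*display\s*:\s*none/i },
  { name: "iframe", re: /<iframe/i },
];

// Scan raw source, then decode any '!'-separated numeric payloads and scan the
// decoded text too: in the posted snippet the hidden element only exists after
// decoding, so a grep over the raw page alone would miss it.
function scanPageSource(html) {
  const findings = new Set();
  for (const m of MARKERS) if (m.re.test(html)) findings.add(m.name);
  const payloadRe = /"((?:\d{1,3}!){4,})"/g;
  const decoded = [];
  let match;
  while ((match = payloadRe.exec(html)) !== null) {
    const text = decodeBangString(match[1]);
    decoded.push(text);
    for (const m of MARKERS) if (m.re.test(text)) findings.add("decoded:" + m.name);
  }
  return { findings: [...findings].sort(), decoded };
}

// Stand-alone run: shows what the obfuscated snippet would have written.
console.log(decodeBangString(SAMPLE_ENCODED));
console.log(scanPageSource(SAMPLE_PAGE));
console.log(scanPageSource(SAMPLE_PACKED_PAGE));
```

Decoding the posted payload yields `<links><i style="display:none"><font size="2">`, which is markup for a hidden element rather than an iframe or a second script, so the finding for this snippet is "hidden element written at runtime", not "malicious loader"; the packer header from the other reply is a separate marker and is only reported when it is actually present.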
David, how do you get this ‘code’? I mean, I want to learn how to do it so I can help better.
Hi Tech,
I do not know why DavidR tries to scare with this code obfuscation, all it does is just print. Some heuristic may cry about it because it is (very slightly) obfuscated, but all it does is printing really. Real malware can have a similar look, but this code is not. DavidR should not present printing code as suspect code, this could put the user on the wrong footing. Here you have the two-sided sword of heuristics immediately demonstrated,
polonus
@ Tech
First you have to be reasonably confident that if there is something malicious on that page you are able to deal with it or limit the potential for damage. Plus avast standard shield and SAS as resident AS and as a last resort you need a system recovery plan, back-up disk images. Better still would be a virtual environment that can be killed if needs be.
I had to pause the web shield to be able to display the page. In firefox (with noscript, plus running under DMR) there is a simple right-click option to view page source; this is also in IE, but there is no way I would use IE for this sort of thing. Then check the page source for tags and or
Hi DavidR,
If you had not started this, we would not have this discussion here, and we will all learn from it and better understand the underlying problematics. We tried to arouse avast attention to these problems in various ways, and we will see what good will come of this?
In the example you give, they are trying to hide nothing malicious there; I have this from the best of sources (NoScript developer Giorgio Maone - he knows his javascript code better than anyone else does, and especially the obfuscated variants of it; he is the best in the field, he has to be).
Probably they wanted to hide the printing code for whatever reason, that is the normal non-malicious use of obfuscation.
What this demonstrates in a grand way is what a two-sided sword heuristics can really be for av engines, and so what is flagged could easily lead to another False Positive. That’s why this should be rule based.
If firekeeper in Fx will be further developed we will have a good tool there, and of course coders that code with security at heart,
polonus
There is nothing to stop anyone raising a possible false positive detection report on it; you don’t have to have a file to attach to it, just email the url to virus (at) avast dot com and a link to this topic.
Update, I have captured the page and uploaded it to virustotal and avast isn’t alone but only 6/36 (5/35 if you discount GData) and these aren’t conclusive either.
See http://www.virustotal.com/analisis/8351bd13eebb0eb327eaa53598a83c7c.
I have sent the sample html page to avast.
The how comes from a little knowledge (as I said enough to get in trouble ;D) of html and javascript, when you view the page source it is just a text file view (firefox lays it out neatly) of the source code of the web page.
So knowing how you code an html page (it isn’t that complicated), you know generally how it would be laid out according to the html W3C standards and what the tags represent and can do.
See the image example of an extract of the source code of this page, so you can see the tags, script, that I mentioned.
How did you get that window in Firefox? Did you save the page and then open in Firefox… but how do you get the code?
No, as I said before, just right-click on the page and select view source.
I had to pause the web shield to be able to display the page, in firefox (with noscript, plus running under DMR) there is a simple right click option in firefox to view page source this is also in IE but there is no way I would use IE for this sort of thing.