VBS:Malware-gen

system · 2009-01-07T09:43:50.000Z

Same here hxxp://www.live-magazine.eu/
Can you check it, please. Thanks

system · 2009-01-07T09:51:22.000Z

Mega-obfuscated script at the end of the page. Not a fp.

system · 2009-01-07T20:23:50.000Z

Hello,

I was looking at my “warning” log, and found the following from 6/23/2008:

"VBS Malware-gen has been found in “http://www.yahoo.com/\unp 113810025 file”

I never received any other notification of this problem, other than just noticing it in the log. I have had no problems, whatsoever, so I am proceeding under the assumption there is nothing to be concerned about. Am I correct? Thank you for any replies and corrections.

polonus · 2009-01-07T21:20:26.000Z

Hi foto,

The live-magazine dot eu link is also flagged by finjan as having malicious code,

polonus

system · 2009-01-10T14:00:46.000Z

I am also getting a VBS:malaware-gen message when visiting what I believe to be a safe company website.

hXXp://www.thelawrencegroup.com/

Filename hXXp://www.thelawrencegroup.com/AC_RunActiveContent.js
VBS:Malware-gen
Virus/Worm
090109-0, 01/09/2009

Please let me know if this is a false positive.

DavidR · 2009-01-10T14:29:39.000Z

There is a big chunk of obfuscated document write (javascript) at the bottom of the script.

I have no idea what that is intended to do or why it would be obfuscated in that way or even if it is meant to be there. Since javascript is meant to be a plain language scripting language when obfuscated in this way I get suspicious at what they have to hide.

So it may well be a legit detection but you could submit it (as a possible false positive) for further analysis.

system · 2009-02-21T20:29:13.000Z

I’m getting this same warning for hXXp://ssbresins.com/. It has the same line of compressed/weird JS as some of these other pages. Just thought I’d chime in.

DavidR · 2009-02-21T20:43:26.000Z

Well if it is your site or one you regularly visit it has probably been hacked.

Considering its location just before the closing Body and HTML taks it certainly looks like code injection into the page.

Please modify your post, changing the http tp hXXP so the link isn’t active, avoiding accidental exposure, e.g. hXXp://ssbresins.com/.

system · 2009-03-02T19:21:07.000Z

Getting Malware-gen for hXXp://icamaxi.se, any idea if it’s a FP?

Thanks

system · 2009-03-02T19:25:58.000Z

Not a false.

DavidR · 2009-03-02T20:05:37.000Z

Nicl@s post:206:

Getting Malware-gen for hXXp://icamaxi.se, any idea if it’s a FP?

As kubecj said not a false positive, a big chunk of javascript (which I have edited to make it easier to see in the image) trying to look like an advert script, but it has an obfuscated link at the end of it. There should be no legitimate reason to do that, e.g. what are they trying to hide.

So it looks like the site has been hacked.

Please modify your post change the http to hXXp to break the link to avoid accidental exposure (as in the quoted text above).

system · 2009-07-14T12:42:22.000Z

I plugged in my digital camera and the virus notification came up and said I had VBS:Malware-gen, so I put it in the virus chest and scanned it and it said it was in this file AutoRun.inf. I just had to completely wipe, format and reinstall vista the other day due to not having an antivirus and the first thing I did when I got it running was download avast. I know for sure theres nothing up with my laptop…

If anyone could help me please do!

DavidR · 2009-07-14T13:12:42.000Z

This is somewhat different to what is covered here, hacked web sites and is for a different malware name.

Please start a New Topic of your own as this seems unrelated to the original subject and will just confuse the topic and we will try to help.
Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

system · 2009-08-07T16:29:38.000Z

barmon post:194:

It says Malware name: VBS:Obfuscated-gen [trj]

Malware type: Trojan Horse

I clicked on www.thtndc.org
avast 4.8 database 090806-1 08/06 also popped up and warned me of VBS:Obfuscated-gen [trj]
This site was a good one and meant no harm.
Can someone check it please to see if there is any more trojan or malware?

Please also check www.phiatruoc.net as it is a site administered by the same team of the above.

DavidR · 2009-08-07T16:44:44.000Z

Well it tries to install a chat-room-client without asking the user and at best is down right rude and at worst possibly malicious.

It is also creating an applet and an object where it appears to be hiding (obfuscating) what the purpose is and I don’t like what it tries to do directly in the C:\ drive.

avast isn’t alone in thinking there is something wrong with this, http://www.virustotal.com/analisis/d430171aface541b88b199daef5962168ec1686e0ab2d8cb95ea9f85dfecea59-1249663618

system · 2009-08-12T17:10:03.000Z

–post removed-- wrong section

system · 2009-08-12T17:17:19.000Z

Hello

Please can you start a new topic as your problem is unrelated to the original poster’s and will cause some confusion.

Also, please can you modify your post (and change your next one) to break the link (i.e.change http to hXXp)

Thanks,

-Scott-

http://sites.google.com/site/spg20scottsweb/_/rsrc/1249295824755/home/images/starting-a-new-topic/New%20Topic.gif

system · 2009-08-12T17:18:37.000Z

Sorry bout that. Will do.

DavidR · 2009-08-12T17:33:35.000Z

When you do, I didn’t find anything, so some more info is required.

I have just visited the home page hXXp://www.greenbeanery.ca/bean/home.php with firefox 3.5.2 and I had no alert, so if you can be more specific on the URL where the alert lies - Please ‘modify’ your post change the URL from http to hXXp or www to wXw (as in my example), to break the link and avoid accidental exposure to suspect sites, thanks.

Since I’m on dial-up and the site is media rich, it takes forever to load, so I can’t go browsing in the hope of finding it.

system · 2010-01-29T13:22:40.000Z

Hello,

yesterday, juste when closing the computer (Windows XP SP2), the Avast (visrus base updated) showed the alert VBS-malware-gen in logonui.exe and blocked the computer. Today, after the restart I checked logonui.exe with the Avast - same problem. Avast proposes me to cure it, I accept, then it proposes to change the file with a sane copy, I accept it, and the alert re-appears again and again.

I have no idea of where from the virus came. To check with an alternative mean, I launched CureIt! which ran also in Win32, and it didn’t find anything suspicious. Could it be an Avast error or shoul I really worry?

Thank you for help!

Announcements