VBS:Malware-gen

hi

I’ve been getting a message from Avast (I run the free home edition) every time I try to access http://www.undergroundelectrics.com saying the page contains a virus: VBS:Malware-gen

The thing is, it’s my own web page, and there’s nothing on it except a handful of my own MP3s and a couple of HTML pages… and I can access it fine from my other PC, which is also running the same version of Avast.

I’ve scanned my PC with Ad-Aware and Trend Micro and it’s coming up clean.

Is this an Avast issue?

Page seems clean.
But do not leave a live link to malware or false-positive ones. Can you edit it?
Thanks for posting and sorry for the inconvenience.

LinkScanner page reported it clean too.
However, when I loaded that page in my IE (fully patched) and saw the below URLs loading, I made a fast exit.

Yeah, best to edit that link you posted so no one else can click it and get infected.

Off to the test box (a virtual machine set up specifically for malware study).

Indeed, on an unpatched, and possibly even a properly patched, system one can get infected off that page.

Looking at the page source code, there is an obfuscated JavaScript at the very bottom which I believe translates to this URL:

top100-counter.com/tds/in.cgi?default ← ewww

http://whois.domaintools.com/top100-counter.com ← info

Those ESTDomains and IMHoster guys are some of the biggest malware distributors on the net.

Then it tries to load these later on (redirected from top100-counter):

hxxp://digitsdndletters.com/check/n14041.htm ← malware

http://www.virustotal.com/analisis/f6e13fbea538c15b070dca37f28e248d ← virus detections

hxxp://digitsdndletters.com/check/n14043.htm ← malware

http://www.virustotal.com/analisis/efb926bfdd3766df9f7d4f17ebbb5bcb ← virus detections

More obfuscated scripts…

As we speak my VM is infected to the nines with all kinds of junk,
including but not limited to FakeAlert trojans, several installers for rogue antimalware apps, trojan.Sribzi, Peed, and I’m r00ted to my eyeballs.
Had to kill the internet on the test box because it is trying to hammer out spam like crazy.
Nasty infection should one run across it.

psthmn:

You should get in touch with your hosting provider to let them know.
At least change your login passwords/FTP passwords. Make sure they are good, secure passwords and not easily hackable ones.

Change passwords from a secure machine if unsure whether or not yours is OK.

Do you have backups of your page to replace the one you have there now?
Either replace the HTML page with your backup or …
edit out the part at the bottom beginning with this (I put it in a code box so hopefully it won’t set off anyone’s alarms):

<script type="text/javascript">document.write('\u0 and a whole pile more junky numbers and stuff here and ending in 3e')</script>

You will want to go through your other folders on the site to make sure nothing else has been put there that you didn’t put there.
I think, though, it is just the script at the bottom of the page that sets off the entire storm.

HTH

Blender
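Editor’s added example, not code from the thread or from any of its posters: a small checker for the kind of injection Blender describes, a `<script>` block at the end of a page whose `document.write()` argument is a string built from `\uXXXX` escapes. It decodes the escapes with a regex instead of running the JavaScript, lists any URLs the decoded payload points at, strips the block, and can walk a local copy of the web root to cover the “other folders” check. The sample page and the `tds.example.invalid` host in it are constructed stand-ins, not the real payload or the real redirect target.

```python
"""
Added example (not from the thread): find, decode and strip an injected
document.write('\\uXXXX...') script block from HTML pages, without ever
executing the JavaScript. Run it against a local copy of the site, not
the live host.
"""
import re
import sys
from pathlib import Path

# A <script> whose body is document.write() of one JS string literal made
# of \uXXXX / \xXX escapes (the shape quoted in the thread). The inner
# group allows escapes or plain characters, but never a bare backslash.
INJECT_RE = re.compile(
    r"""<script[^>]*>\s*document\.write\(\s*(['"])"""
    r"""((?:\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}|[^'"\\])*)\1\s*\)\s*;?\s*</script>""",
    re.IGNORECASE | re.DOTALL,
)
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Absolute or protocol-relative URL inside the decoded payload.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.\-]+[^\s'"<>]*""")


def decode_js_escapes(s: str) -> str:
    """Turn \\u003c / \\x3c sequences back into the characters they hide."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def encode_js_escapes(s: str) -> str:
    """Inverse of decode_js_escapes; used only to build the constructed sample."""
    return "".join(f"\\u{ord(c):04x}" for c in s)


def find_injections(html: str) -> list:
    """Return one dict per injected block: raw match, decoded payload, URLs in it."""
    out = []
    for m in INJECT_RE.finditer(html):
        decoded = decode_js_escapes(m.group(2))
        out.append({"raw": m.group(0), "decoded": decoded, "urls": URL_RE.findall(decoded)})
    return out


def strip_injections(html: str):
    """Remove every matched block; return (cleaned_html, number_removed)."""
    return INJECT_RE.subn("", html)


def scan_site(root) -> dict:
    """Walk a local copy of the web root; map each HTML/PHP file to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".htm", ".html", ".php"}:
            findings = find_injections(path.read_text(errors="replace"))
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample page (hypothetical): a hidden iframe pointing at a
# stand-in TDS host. example.invalid is a reserved name and never resolves.
INJECTED_IFRAME = ('<iframe src="http://tds.example.invalid/in.cgi?default" '
                   'width="0" height="0"></iframe>')
SAMPLE_HTML = (
    "<html><body><h1>My MP3s</h1>\n"
    '<a href="track01.mp3">track01.mp3</a>\n'
    "<script type=\"text/javascript\">document.write('"
    + encode_js_escapes(INJECTED_IFRAME) + "')</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_inject.py /path/to/local/copy/of/site
        for path, findings in scan_site(sys.argv[1]).items():
            for f in findings:
                print(f"{path}: {f['decoded']!r} -> {f['urls']}")
    else:
        for f in find_injections(SAMPLE_HTML):
            print("decoded:", f["decoded"])
            print("urls:   ", f["urls"])
        cleaned, n = strip_injections(SAMPLE_HTML)
        print(f"removed {n} block(s); cleaned page:\n{cleaned}")
```

The decoder deliberately handles only `\u` and `\x` escapes; a payload that uses `eval`, `unescape` or `String.fromCharCode` chains will not match the pattern and should be looked at by hand (or in a throwaway VM, as Blender did). Stripping the block only cleans the page; it does nothing about the FTP or hosting credentials that let it get there, so the password advice above still applies.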

Hi blender,

This is a malware removal routine for VBS:Malware-gen:
http://forums.techguy.org/malware-removal-hijackthis-logs/624922-infected-vbs-malware-gen-win32.html

pol

Hey Polonus,

Thanks for the link :slight_smile:

Not too worried about removal here though;
this test run was done on a virtual machine, meaning no harm done to the host machine.
All I do is hit the “revert” button: clean in ~10 seconds flat. :slight_smile:

My main reason for posting was to inform the victim his site is compromised so he can get it fixed. :slight_smile:

Great cooperation ;)… thx