website: False positive?

Hi,

Can you check if this is a false positive?

hXXp://www.celeirodoalgarvio.com

avast! said:
File name: hXXp://www.celeirodoalgarvio.com/{gzip}
Malware name: VBS:Malware-gen
Malware type: Virus/Worm
VPS version: 090227-0, 27-02-2009

Thanks

how do you know it is a false positive?

it does warn you about the malware but it might be as well a real threat. it stopped me too

There is a big block of a script at the end of the page source code, which is indicated as an ad, but it uses a strange form of obfuscation to supposedly hide what it is doing and this may be what avast is alerting on.

There is certainly an obscured url in the very last bit by the look of it and when people go to these lengths to hide what should be a benign ad I get suspicious, but I can’t say with certainty it is infected.

avast detection on websites is quite accurate.
Can you edit the post to hxxp:// to avoid accidental clicks on it?

Infected.

Thanks :wink:

hxxp://www.mytvshows.org/

And this is also infected?

I’m using this site for more than 2 months, and now avast! detect it as:

File name: hxxp://www.mytvshows.org/{gzip}
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 090403-0, 03-04-2009

Thanks

This one is an interesting one, this site has been completely hacked, the only thing on that page is a hidden iframe tag to a suspect/malicious site.

Where are you coming up with these sites ?

Both sites are made in Portugal…

I already reported this to MyTVShows author, and will wait for a reply…

Looks like you are getting hit heavily in Portugal then.

The problem with the last site was resolved by the author…

I have a similar warning message displaying on one of the sites I manage:

hXXp://www.refresh-detroit.org/ (replace the hXXp with http)

File name:hXXp://www.refresh-detroit.org/{gzip}
Malware name: HTML:lframe-inf
Malware type: Virus/Worm
VPS version: 090409-0,04/09/2009

I get the warning messages on two different machines running Windows XP and Vista

Can another person confirm that they receive a similar warning message?

Wasn’t the site hacked?
Is there any encrypted/obfuscated info in that site, like scripts?

There are several scripts that run on the site, JavaScript and an iFrame is used to insert a video on the home page. The site runs on WordPress.

By your comment “Wasn’t the site hacked?”, I’m assuming your computer displayed the Avast warning message. Is that correct?

Yes, it’s there the Webshield alert.

The site has been hacked, on that link you gave there is a hidden iframe pointing at a malicious site trying to look like google ad site, it is also after the closing html tag, a standards no-no.

There is also another alert based on the favicon.ico, so it looks like that icon file has been replaced with a malicious file.

DavidR, Tech,

Thanks for the confirmation.

Questions for both of you:

  1. How were you able to view the source? Since I aborted the viewing of the page, I couldn’t view the source. Forgive me for my ignorance, I figured if I viewed the source, my computers would get infected.

  2. Just confirming, the hidden iframe is after the closing html tag, is that correct?

You’re welcome.

I don’t abort the connection until I have captured the temp file avast is scanning. This isn’t something I would advise unless you are set-up to deal with the potential consequences.

Yes on your link (home page) the image is manipulated as I broke the single line down to make it easier to see. It is actually on the same line as the closing html tag (after the tag). I wasn’t able to capture the favicon.ico page I tried other things but it looks like that favicon.ico file is no longer there as I get a 404 error.
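An added example, not from any poster in this thread, of inspecting a captured copy of the page source as plain text rather than rendering it: it parses the HTML and flags iframes that are hidden (zero size or invisible style) or that sit after the closing html tag, the two tells discussed above. The sample page, its domains and the function names are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the site from the thread): a legitimate video
# embed in the body, plus an injected zero-size iframe placed on the same
# line as, and after, the closing html tag. Domains are .invalid placeholders.
SAMPLE_HTML = (
    "<html><head><title>Site</title></head>\n"
    "<body><p>Welcome</p>\n"
    "<iframe src='https://video.example.invalid/embed' width='640' height='360'></iframe>\n"
    "</body></html><iframe src='http://ads-lookalike.example.invalid/x.php' "
    "width='0' height='0' style='visibility:hidden'></iframe>\n"
)

class IframeCollector(HTMLParser):
    """Record every iframe start tag with its attributes and (line, column)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((self.getpos(), dict(attrs)))

def is_hidden(attrs):
    """Zero width/height or an invisible style are the usual tells."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = any(attrs.get(k, "").strip().rstrip("px") == "0" for k in ("width", "height"))
    return zero or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for iframes that are hidden or sit after </html>."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    # Absolute offset of each line start, so parser positions can be compared
    # with the position of the closing html tag (parser lines are 1-based).
    line_starts = [0] + [m.end() for m in re.finditer(r"\n", html)]
    closing = re.search(r"</html\s*>", html, re.IGNORECASE)
    closing_end = closing.end() if closing else len(html)
    findings = []
    for (line, col), attrs in parser.iframes:
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if line_starts[line - 1] + col >= closing_end:
            reasons.append("after closing html tag")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(why))
```

The visible video embed is not reported; only the injected frame is, with both reasons attached.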

DavidR,

Thank you for the quick response. I haven’t done anything on the site yet, so I’m not sure how the favicon.ico file is missing. Most interesting.

This site was set up by a former member of the group, and I’m one of the leaders of the group trying to find out how to fix the issue. I’ve notified other people in the group, with the hopes they would have some time to help troubleshoot.

Is there any step(s) I can take to view the contents of the files, without risking a virus?