Author Topic: Probable false positive malware warning. Why? (Read 5489 times)

Robert Gault · « **on:** June 08, 2010, 01:36:03 PM »

There is a site I use which is trustworthy. This site uses a style sheet script to place a shadow border around a picture. This script is rejected by Avast 5 for some reason.

Does anyone know why the following should be rejected as malware?

hxxp://www.coco3.com/gallery2/main.php?g2_view=imageframe.CSS&g2_frames=shadow%7CNone [L]
HTML:Script-inf (0)

spg SCOTT · « **Reply #1 on:** June 08, 2010, 01:49:12 PM »

Hi Robert Gault, welcome to the forum

Please can you modify your post to deactivate the link to prevent others from potentially becoming infected. (change http to hXXp)

The problem with that script is that at the end is another script that points to a malicious site...

http://www.mywot.com/en/scorecard/zettapetta.com

This inline script is what avast! is correctly alerting on.

-Scott-

polonus · « **Reply #2 on:** June 08, 2010, 03:01:41 PM »

Hi Robert Gault, spg SCOTT & others,

See that only GData detects it heuristically and avast does not (well actually does now):
flagged as: HTML:Script-inf B
http://scanner.novirusthanks.org/analysis/7b9ca1492a36f2d553bb306de6ebd843/bWFpbi5waHA=/
zettapetta*com: the last time suspicious content was found on this site was on 2010-05-14.
Malicious software includes 2 scripting exploits. Wepawet gives them as benign...
htxp://zettapetta.com/js2.php 200 text/javascript
htxp://www3.ruboidmon-64td.com/?p=p52dcWpkbmmHnc3KbmNToKV1iqHWnG3LXpSYx2ibZmqemA== Timeout application/x-empty
link to: www4*miymiy3*net benign
link to: htXp://zettapetta.com/js.php blocked by the avast network shield
source: www4*miymiy3*net/07a9037379f74c5178575d905661ee1086d3010611.js
This site was hosted on 2 network(s) including AS39150 (VLTELECOM), AS50108 (KALUGANET),
dangerous site:
http://www.siteadvisor.com/sites/zettapetta.com
http://www.mywot.com/en/scorecard/zettapetta.com
http://www.surbl.org/lookup/
TrendMicro: This URL is currently listed as malicious,

polonus

igor · « **Reply #3 on:** June 08, 2010, 03:16:16 PM »

novirusthanks.org seems to use... erm... a bit obsolete virus database?
I mean, avast! having a virus database from March? No wonder it doesn't detect it...

polonus · « **Reply #4 on:** June 08, 2010, 03:23:45 PM »

Hi igor,

Anyway anyone in our user base knows about this now, and "bariéra je dolů"...

polonus

Pondus · « **Reply #5 on:** June 08, 2010, 04:23:26 PM »

Quote

hxxp://www.coco3.com/gallery2/main.php?g2_view=imageframe.CSS&g2_frames=shadow%7CNone

VirusTotal - main.css - 4/41
http://www.virustotal.com/analisis/48f8897b49526afaca1d7a7fb0bdab0d6b3926b88125177181ab9bfd4627a7c1-1276006810

Quote

link to: htXp://zettapetta.com/js.php blocked by the avast network shield

VirusTotal - js.php - 3/40
http://www.virustotal.com/analisis/034803c0ace893aeb20596e62ab683d9380d02bc2d101d10af8d3a9cbd0f8bfb-1276007126

Robert Gault · « **Reply #6 on:** June 08, 2010, 06:13:12 PM »

Guys,

Thanks very much for the information. I'll forward it to the site operator.

Author Topic: Probable false positive malware warning. Why? (Read 5489 times)

Robert Gault

Probable false positive malware warning. Why?

spg SCOTT

Re: Probable false positive malware warning. Why?

polonus

Re: Probable false positive malware warning. Why?

igor

Re: Probable false positive malware warning. Why?

polonus

Re: Probable false positive malware warning. Why?

Pondus

Re: Probable false positive malware warning. Why?

Robert Gault

Re: Probable false positive malware warning. Why?