Author Topic: Malware JS:Pdfka-DH [Expl]  (Read 16826 times)


Oxydose

  • Guest
Malware JS:Pdfka-DH [Expl]
« on: March 25, 2009, 03:15:41 AM »
Hello, I visited a wikianswer page and I got a warning that the page contained malware.  I aborted the connection, but went back to the page to check if it was just a goof.  So, my question is, if I aborted the connection, I'm safe?  I was still able to visit the page.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Malware JS:Pdfka-DH [Expl]
« Reply #1 on: March 25, 2009, 04:46:00 AM »
Yes, you are safe. The webshield would have prevented the transfer of any detected malware on that page.
What was the page concerned? Please don't post the link as-is; sanitize it first by replacing the "TT"s in http with "X"s.
Windows 10,Windows Firewall,Firefox w/Adblock.

Oxydose

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #2 on: March 25, 2009, 05:02:51 AM »
Alright, thanks.

Here's the link:  hxxp://wiki.answers.com/Q/Is_warhammer_fun
Do you want the link given in the on-access scanner as well?



Offline Tarq57

Re: Malware JS:Pdfka-DH [Expl]
« Reply #3 on: March 25, 2009, 05:11:16 AM »
Yes please.
Also, what version of Java do you use? http://java.com/en/download/dt_verify.jsp?plugin=true&latest=false&users_jre=1.6.0_11
I visited the site and got no warning.

Oxydose

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #4 on: March 25, 2009, 05:15:47 AM »
Hm, I haven't updated java in a while, maybe that's the issue?  Version 6 update 11.

last infected: hxxp://site1.wikianswers.com/templates/scripts/~abcdekjfghilsMrNO.js?v=42356\{gzip}

tenspound

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #5 on: March 25, 2009, 05:23:04 AM »
I clicked on wiki answers also and this biohazard symbol with a siren noise popped up and it said it was from avast.  I did the whole abort thing but I thought about it after and was wondering if that is what shows up when malware is trying to get in.  So if anyone knows for sure, please let me know. Thanks, Josh.

Offline Tarq57

Re: Malware JS:Pdfka-DH [Expl]
« Reply #6 on: March 25, 2009, 05:36:21 AM »
Josh, if you aborted the connection, you are safe. Yes, malware would have downloaded without the shield. (Whether it would have done any damage on an up to date system is another matter, and beyond my knowledge.)

Oxydose, I have the latest Java version also. Yours is a version prior to mine, but has no known vulnerabilities. (Update if you wish, but no urgency, I think.)

The reason I got no warning initially is that I use the Noscript addon. Suspending it produces the Avast alert.
I have contacted the site with the information about the exploit.

Just goes to show you (assuming this is not a false alarm, generally a safe assumption with webshield warnings): sites can be hacked. The web can be a hazardous place.
(And Avast rocks!)

Oxydose

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #7 on: March 25, 2009, 05:52:13 AM »
Indeed.  Thank you for the help!

Offline Tarq57

Re: Malware JS:Pdfka-DH [Expl]
« Reply #8 on: March 25, 2009, 05:54:18 AM »
Welcome.  :D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89165
  • No support PMs thanks
Re: Malware JS:Pdfka-DH [Expl]
« Reply #9 on: March 25, 2009, 04:15:16 PM »
JAVA Version 6 update 13 is now the latest version.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

WikiAnswers

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #10 on: March 25, 2009, 04:44:10 PM »
Which definition file do you guys have? We have tried to reproduce this warning on wiki.answers.com, but all is well. (Yes, we turned off No Script.) We even turned on "show detailed scanning" and watched Web Shield scan that script, but it didn't complain. We're using VPS 090324-0.

Could it be that this was a problem in 090323-0, which was already corrected? There's another discussion (topic 43627) that reported the same exact warning on a completely different script. That discussion did cite 090323-0. Could you guys please update your definitions and see if the problem persists?


Offline DavidR

Re: Malware JS:Pdfka-DH [Expl]
« Reply #11 on: March 25, 2009, 05:48:50 PM »
Well I'm using 090324-0 and using the url in reply #4 above I get an alert.

I have reported it as a possible false positive, so hopefully it should be quickly analysed and corrected as required.

Offline DavidR

Re: Malware JS:Pdfka-DH [Expl]
« Reply #12 on: March 25, 2009, 05:59:41 PM »
Update:

I captured the file when avast detected it and I uploaded it to virustotal, http://www.virustotal.com/analisis/a9c5a877257dc841530bf79a30a76137 for scanning and the results would suggest it is a false positive detection with only 2 of 40 scanners finding anything.

GData is the other scanner and since that also uses avast as one of its two scanners it is effectively only one detection.

WikiAnswers

  • Guest
Re: Malware JS:Pdfka-DH [Expl]
« Reply #13 on: March 26, 2009, 10:11:45 AM »
Thanks a lot for the update, DavidR, as well as the validation. Indeed, a couple of our users have reported that the problem resolved itself, presumably via a definition file update.

Unfortunately, Avast's own customer support has yet to even acknowledge the urgent ticket I opened yesterday. Is that par? Any idea how long it usually takes them to follow up? Obviously, I'm pleased they seem to have fixed it. But I'd still like to know what happened, and how it can be prevented in the future.

Thanx again.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11855
    • AVAST Software
Re: Malware JS:Pdfka-DH [Expl]
« Reply #14 on: March 26, 2009, 10:31:15 AM »
I kind of doubt you'll get any reasonable response - as there is none.
False positives happen, that's an unfortunate fact... and we try to fix them as soon as possible. There's nothing more to say, I'm afraid.