Topic: False positive maybe?

dixy

  • Guest
False positive maybe?
« on: June 13, 2009, 01:57:55 PM »
On a website that I visit on a daily basis avast detects images as worms. This is what the report says:

Name of file: "hXXp://pixhost.ws/media/images/\{gzip}"
Name of malware: HTML:Iframe-inf

Name of file: "hXXp://pixhost.ws/avaxhome/2006-11-08/toic1.jpg\{gzip}"
Name of malware: HTML:Iframe-inf
And so on and on... On every page.

Are there really any viruses there or is this a false positive?
Just to mention: not downloading anything, just loading pages, on literally every page warning window pops up, offers to terminate connection and that's really annoying. Avast reacts when resident shield is set both to normal and high..

Many regards!
« Last Edit: June 13, 2009, 02:21:13 PM by dixy »

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: False positive maybe?
« Reply #1 on: June 13, 2009, 02:11:15 PM »
-= From what I know, avast's web defense module is accurate.. iFrame threats are commonly caused by hacked sites [which is very widespread as of now]..

-= Note: Please change http:// to hXXp:// to prevent any accidental clicks on the link..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

dixy

  • Guest
Re: False positive maybe?
« Reply #2 on: June 13, 2009, 02:23:28 PM »
Thanks...
Changed to hXXp...
That site was one of my favorites...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive maybe?
« Reply #3 on: June 13, 2009, 02:26:44 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0
The best things in life are free.
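Lisandro's question above, whether the flagged "image" is really a server-generated HTML page carrying an iframe, can be checked offline from a captured response. The following is an added example, not code from this thread or from avast: it undoes the gzip encoding the alert names as "{gzip}", checks the magic bytes against the image type the URL claims, and, when the body is HTML, lists its iframes and flags zero-size or CSS-hidden ones. The sample body and the ads.example.invalid domain are constructed.

```python
import gzip
import re

# Magic bytes of the image types the thread mentions (JPEG, GIF) plus PNG.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif",
               b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png"}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_body(body: bytes, content_encoding: str = "") -> bytes:
    """Undo the gzip encoding avast shows as "{gzip}" so the real bytes are visible."""
    if content_encoding.lower() == "gzip" or body[:2] == b"\x1f\x8b":
        return gzip.decompress(body)
    return body


def sniff_image(payload: bytes):
    """Return the image type the magic bytes prove, or None if it is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None


def find_iframes(payload: bytes):
    """List (src, hidden) for every <iframe>; hidden = 0/1 px or CSS-hidden."""
    found = []
    for m in IFRAME_RE.finditer(payload.decode("latin-1")):
        attrs = {k.lower(): (dq or sq or uq)
                 for k, dq, sq, uq in ATTR_RE.findall(m.group(1))}
        tiny = any(attrs.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        found.append((attrs.get("src", ""), hidden))
    return found


def triage(url: str, body: bytes, content_encoding: str = "") -> dict:
    """Classify a response fetched from an image URL: real image, HTML with iframes, or other."""
    payload = decode_body(body, content_encoding)
    kind = sniff_image(payload)
    iframes = find_iframes(payload) if kind is None else []
    verdict = "image" if kind else ("html-with-iframe" if iframes else "not-an-image")
    return {"url": url, "sniffed": kind, "iframes": iframes, "verdict": verdict}


# Constructed sample (placeholder domain): gzip-compressed HTML returned for a
# .jpg URL, carrying a 1x1 iframe, the kind of server-generated page meant above.
SAMPLE_HTML = (b"<html><body>Image not found"
               b"<iframe src='http://ads.example.invalid/st' width=1 height=1></iframe>"
               b"</body></html>")
SAMPLE_BODY = gzip.compress(SAMPLE_HTML)
```

Running `triage("http://example.invalid/x.jpg", SAMPLE_BODY, "gzip")` on the constructed sample reports no image magic and one hidden iframe, which is the case to hand to the site's webmaster; a verdict of "image" on the real response would instead point to a false positive.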

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive maybe?
« Reply #4 on: June 13, 2009, 02:33:49 PM »
I'm no expert here, but Jutaky reading on this url (both instances) --

No zeroiframes detected!
Check took 0.28 seconds

(Level: 0) Url checked:
http://pixhost.ws/media/images/
Blank page / could not connect
No ad codes identified


Best have expert opinion. Should be forthcoming.

Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: False positive maybe?
« Reply #5 on: June 13, 2009, 02:44:54 PM »
Quote
I'm no expert here, but Jutaky reading on this url (both instances) --

No zeroiframes detected!
Check took 0.28 seconds

(Level: 0) Url checked:
http://pixhost.ws/media/images/
Blank page / could not connect
No ad codes identified

Best have expert opinion. Should be forthcoming.

-= A little same here.. LinkScanner cant scan it..

-= Status was 403. Forbidden...?

-= By the way, I found 2 iFrames:

(1) hXXp://yx0banners.com/ts/in.cgi?unforgivenn
(2) hXXp://ad.103092804.com/st?ad_type=iframe&ad_size=728x90&section=586830

-= Could one of those be the infected iFrame..?
« Last Edit: June 13, 2009, 02:47:59 PM by -= Fenrir =- »

dixy

  • Guest
Re: False positive maybe?
« Reply #6 on: June 13, 2009, 02:53:49 PM »
This is the actual page:
hXXp://avaxhome.ws/search?commit=Go&page=64&q=biochemistry
somebody who knows better should check.
Warning always appears there and it's clear that an image is in question. Which one, I don't know.
I'm not sure that I understood previous posts.
Many regards and thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False positive maybe?
« Reply #7 on: June 13, 2009, 03:24:14 PM »
Checking the code with http://www.selfseo.com/html_source_view.php reveals almost nothing to me.
Maybe a .jpg exploit, maybe an infected .js (script) file.
Sorry for not helping that much  :-[

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: False positive maybe?
« Reply #8 on: June 13, 2009, 03:37:52 PM »
-= It seems odd.. There seems to be nothing.. The JPEG images seem to be the cause..? plus a GZIP compressed file..

-= Sorry, I'll pass, I can't help anymore..

-= *yawn* I guess it's time to sleep.. Good night everyone..

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive maybe?
« Reply #9 on: June 13, 2009, 04:10:15 PM »
Quote
I'm not sure that I understood previous posts.

Just opening up the proof a bit, dixy - to put it in academic speak. We've been approaching site pages (urls) from relatively safe vantage points to see if anything interesting is revealed. Pin-pointing something substantive, looking for robust indicators, and basically saving the next person the trouble of having to check all the avenues themselves. Or passing the issue(s) amongst ourselves on the basis that something will stand out (a proof) that can be tested. Often something obvious turns up straight away.

In this case, not so as yet. Blank page / could not connect doesn't help, and doesn't say anything one way or the other. But information will be coming in through the channels, including external to avast, as a result of your query. And there are some very experienced people on board, so just a matter of waiting.

But nothing substantive yet. If there was, you would be informed by now.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive maybe?
« Reply #10 on: June 13, 2009, 04:48:52 PM »
Hi there dixy, nothing blatant stands out on page hXXp://avaxhome.ws/search?commit=Go&page=64&q=biochemistry.

There seem to be a couple of adverts, but they look like visible iframes - perhaps with out-of-the-normal code that triggered the alert.

Also some analytics stuff on the page, and there has been some trouble from that quarter lately - but not here.
And some pageTracker stuff at the very bottom of the page but still inside the main code, so no, not really.

First glance, a false positive. But that is not at all a confirmation until lab has analysed.
You probably get some okay from your end.

Also possible link to infected images off-page. But that's about it for now, dixy.
« Last Edit: June 13, 2009, 04:52:28 PM by mkis »

dixy

  • Guest
Re: False positive maybe?
« Reply #11 on: June 13, 2009, 06:07:20 PM »
Sure thing...
Thanks and many regards!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: False positive maybe?
« Reply #12 on: June 13, 2009, 06:27:10 PM »
Hello dixy,

The site may have had some malcode attention, you'd better fill in the site admins or the webmaster there on details considering the following results from unmasked parasites web security report:
What happened since Google has visited this site last?
From 4877 pages that have been tested during the last 90 days on mentioned sites, 7 pages have been downloading and installing malware without user's consent, the last visit there being 2009-06-13. Suspicious content there was malicious software including 4 trojan(s), 2 scripting exploit(s), 1 virus. Successful infection resulted in an average of 9 new process(es) on the target machine.

Malcode is being hosted on 17 domain(s) e.g.: trafficstatic.com/, aaqkweoslz.com/, catjepzcft.com/.

11 domains seemingly are functioning as stations for the spreading of malware to visitors of the site, e.g.: yieldmanager.com/, zedo.com/, 103092804.com/.

This site was hosted on 1 network(s) including AS31103 (Keyweb AG).

The check with the bad stuff detector gave:
No zeroiframes detected!
Check took 33.77 seconds

(Level: 0) Url checked:
htxp://avaxhome.ws/search?commit=Go&page=64&q=biochemistry
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
htxp://avaxhome.ws//banners/search_top1
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxtp://ad.yieldmanager.com/st?ad_type=iframe&ad_size=728x90&section=587412
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (script source)
hxtp://ad.yieldmanager.com/+rm_url+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://avaxhome.ws//banners/float_left
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxtp://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=587412
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (script source)
hxtp://ad.yieldmanager.com/+rm_url+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://avaxhome.ws//banners/float_right
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
htxp://avaxhome.ws//banners/search_bottom1
Zeroiframes detected on this site: 0
No ad codes identified    should definitely be checked

(Level: 1) Url checked: (iframe source)
htxp://avaxhome.ws//banners/left1
Zeroiframes detected on this site: 0
No ad codes identified should definitely be checked, as mentioned above

(Level: 2) Url checked: (iframe source)
htxp://ad.yieldmanager.com/st?ad_type=iframe&ad_size=160x600&section=587412
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (script source)
hxtp://ad.yieldmanager.com/+rm_url+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://avaxhome.ws//banners/left2
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/prototype.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
hxtp://avaxhome.ws//javascripts///:
Blank page / could not connect
No ad codes identified Could have been source of exploit

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/effects.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/application.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/jquery-1.2.6.pack.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/date.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://avaxhome.ws//javascripts/jquery.datepicker.js?1244026110
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://avaxhome.ws//javascripts/japplication.js?1244026110
Zeroiframes detected on this site: 0
No ad codes identified

Let us hope you can soon return to a secured website, and we wish you lots of success with your online activities during which we hope you stay safe and secure,

polonus



« Last Edit: June 13, 2009, 06:29:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: False positive maybe?
« Reply #13 on: June 13, 2009, 07:27:35 PM »
Thanks Polonus. Just checked back in to see if the query was being serviced.   :)

dixy

  • Guest
Re: False positive maybe?
« Reply #14 on: June 13, 2009, 10:43:53 PM »
Thanks Polonus  :)
Many regards!!