Author Topic: False Positive on Jemsite? (Read 3085 times)

gideond · « **on:** September 05, 2011, 06:17:26 PM »

wxw.jemsite.com]www.jemsite.com

A lot of people are getting a blocked js file on every page but it only occurs with Avast. No other AV software seems to be picking it up. Possible false positive.

The exact file my logs are showing is:
wxw.jemsite.com/components/com_jreviews/jreviews/views/js/jquery/jquery-1.2.6.pack.js

Pondus · « **Reply #1 on:** September 05, 2011, 06:21:56 PM »

Edit the links you posted so that they are not clickable, like this wxw.jemsite.com

Sorry - INFECTED - see screenshot (click to enlarge)

Malware entry: MW:ANOMALY:SP7
http://sucuri.net/malware/malware-entry-mwanomalysp7

polonus · « **Reply #2 on:** September 05, 2011, 07:05:33 PM »

Hi gideond,

Make that url non-click-through like wXw etc. or -www etc.
Here is what is being scanned: http://www.virustotal.com/file-scan/report.html?id=8eb5b7e43c307e37d86dbb02f691ff16d08147a6fbe59686f99dcb0268429c97-1315241118
It is a heuristical find and the packer is being flagged...
Here found benign: http://siteinspector.comodo.com/public/reports/303481
The binairy analysis for the logfile you give is:
http://anubis.iseclab.org/?action=result&task_id=10051d85769240dd48d43255923e092c1
code also found for Fake AV/KatushaC.gen malware...keyboard key monitoring mutex
like CritOpMutex,

polonus

gideond · « **Reply #3 on:** September 05, 2011, 07:47:14 PM »

Sorry about that. I didn't realize the forums auto linkified the address without the URL tags.

Thanks for the input. I'll refer the site owner to this thread.

Author Topic: False Positive on Jemsite? (Read 3085 times)

gideond

False Positive on Jemsite?

Pondus

Re: False Positive on Jemsite?

polonus

Re: False Positive on Jemsite?

gideond

Re: False Positive on Jemsite?