Author Topic: Avast reports HTML:script-inf  (Read 13397 times)


bestmen

  • Guest
Avast reports HTML:script-inf
« on: May 18, 2012, 08:52:02 PM »
Hello there,

as of right now I get a warning by Avast that malware has been blocked on a site that I visit regularly (it is a German site on mobile/portable OS) and is on the whole trustworthy. Is this a False Positive?

The site is: nexave.de/forum/palm-webos/board34-software/

The warning reads:

"Malware blocked
Avast webshield has blocked an infected website or file:

object: h**p://www.nexave.de/favicon.ico{gzip}
infection: HTML:script-inf
process: c:\program files\mozilla firefox\firefox.exe"

Any comment on this report is greatly appreciated.

Thank you!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Avast reports HTML:script-inf
« Reply #1 on: May 18, 2012, 09:13:54 PM »
With an alert on the favicon.ico file, it looks like the site has been hacked as this file is loaded for every page (the little icon on the left of the address bar) and is a common target for hacking.

This one is even stranger as it is trying to load a compressed script file (the {gzip} bit at the end of the path).

I have been trying to capture this file but I'm getting a 404 error, so the site may have taken it down.

I can currently open the site without alert (using firefox 12.0), but there is no favicon.ico being loaded, just the default firefox icon when there isn't one on the site. So as I said, it looks like they are working on it and have taken down the favicon.ico file.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bestmen

Re: Avast reports HTML:script-inf
« Reply #2 on: May 18, 2012, 10:29:12 PM »
Hi,

thank you so much for the prompt reply.

This is not so good news.

What can I do or rather what do I have to do now? Is my computer in danger of having been infected? Is it infected already?
I wonder because usually picture files like jpeg etc. are considered to be not infectable and I figured that a favicon is sth. of a picture.

I visited the site with FF 12, NoScript, AdblockPlus and Avast.

Thanks again!

Offline DavidR

Re: Avast reports HTML:script-inf
« Reply #3 on: May 18, 2012, 11:37:56 PM »
Your computer isn't in danger, that is the point of the web shield, it blocks any infected content from being downloaded and run/viewed in your browser. It aborts the connection for the infected element.

The favicon.ico isn't an image as such but a file with a reference on where to find the image to display in the address bar. Image files like .jpg can be infected and we regularly see that in the forums, where a script is placed at the end of the image file to try and execute malicious content.

Obviously the site are aware of it as A) they appear to have taken it down and B) I no longer get an alert by avast.

Are you still getting an alert ?
« Last Edit: May 18, 2012, 11:39:45 PM by DavidR »

bestmen

Re: Avast reports HTML:script-inf
« Reply #4 on: May 19, 2012, 10:27:51 AM »
Hi,

I posted in a German security forum and people with Avast or GData IS still get an alert with the same report that I posted when visiting the site. Some only with IE, not with Opera, some as myself only with Firefox.

I also sent a message to the site owner.

Offline DavidR

Re: Avast reports HTML:script-inf
« Reply #5 on: May 19, 2012, 02:42:25 PM »
I can't vouch for anyone else, certainly not knowing their browser, detection information or virus database version, etc. I can and have shown my result in visiting the site.

Even if I go to the nexave.de/forum/palm-webos/board34-software/ location, it isn't loading a favicon.ico file, so also no subsequent loading of a {gzip} file.

bestmen

Re: Avast reports HTML:script-inf
« Reply #6 on: May 20, 2012, 12:01:54 PM »
Hi,

first and foremost: thanks for your help!

I got news from the site owner and maybe you can help me out with trying to understand. The reply reads as follows:

Quote
our site has not been using a favicon.ico in years. There is the possibility of a False Positive on the side of Avast because we have used a 404-redirect. This 404-site of his CRM uses JS.

Does that bring any light into the question whether there is really sth. malicious going on or whether it is a FP?

Thanks again!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

Re: Avast reports HTML:script-inf
« Reply #8 on: May 20, 2012, 12:50:29 PM »
Hi,

first and foremost: thanks for your help!

I got news from the site owner and maybe you can help me out with trying to understand. The reply reads as follows:

Quote
our site has not been using a favicon.ico in years. There is the possibility of a False Positive on the side of Avast because we have used a 404-redirect. This 404-site of his CRM uses JS.

Does that bring any light into the question whether there is really sth. malicious going on or whether it is a FP?

Thanks again!

There is no issue with the 404 page, or if there was a missing file and a hacked 404 page was present, avast would have alerted on that page and not on that relating to the favicon.ico and that it appeared to load a compressed file.

I have given as much information as I have been able to ascertain as an avast user like yourself.

As I said I have been unable to replicate the alert using firefox 12.0.
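
Added example, not part of any post in this thread: a Python check a site owner could run on the bytes served for /favicon.ico. It separates a real ICO file from an HTML/JS page returned in its place (the 404-redirect case the site owner describes) and from an icon with markup appended after the image data (the appended-script case mentioned in Reply #3). The function names, verdict strings and sample byte strings are constructed for illustration.

```python
import gzip
import struct
import zlib

ICO_MAGIC = b"\x00\x00\x01\x00"  # ICONDIR: reserved=0, type=1 (icon)
MARKERS = (b"<script", b"<html", b"<!doctype", b"<iframe")

def classify_favicon(body: bytes, content_encoding: str = "") -> str:
    """Return a verdict for the bytes a server sent for /favicon.ico."""
    # Undo gzip first, whether declared in Content-Encoding or only sniffed.
    if content_encoding.lower() == "gzip" or body[:2] == b"\x1f\x8b":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return "bad-gzip"
    if body[:4] != ICO_MAGIC:
        # No icon header: is it a web page (e.g. a 404 template) instead?
        if any(m in body[:4096].lower() for m in MARKERS):
            return "markup-instead-of-icon"
        return "not-an-icon"
    if len(body) < 6:
        return "truncated-icon"
    (count,) = struct.unpack_from("<H", body, 4)
    if count == 0 or len(body) < 6 + 16 * count:
        return "truncated-icon"
    # Each 16-byte ICONDIRENTRY ends with image size and offset (u32 each).
    end = 6 + 16 * count
    for i in range(count):
        size, offset = struct.unpack_from("<II", body, 6 + 16 * i + 8)
        end = max(end, offset + size)
    if end > len(body):
        return "truncated-icon"
    trailer = body[end:]  # anything after the last image the directory lists
    if any(m in trailer.lower() for m in MARKERS):
        return "icon-with-appended-markup"
    return "icon-with-trailing-data" if trailer else "icon"

def make_ico(payload: bytes) -> bytes:
    """Constructed sample: an ICO with one directory entry for `payload`."""
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(payload), 22)
    return ICO_MAGIC + struct.pack("<H", 1) + entry + payload

# Constructed inputs (not captured from the site discussed in the thread).
CLEAN = make_ico(b"\x00" * 40)
NOT_FOUND_PAGE = gzip.compress(
    b"<!DOCTYPE html><html><body>404<script>/* constructed */</script></body></html>")
APPENDED = CLEAN + b"<script>/* constructed */</script>"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("404", NOT_FOUND_PAGE), ("appended", APPENDED)):
        print(name, classify_favicon(data))
```
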