Avast WEBforum

Other => Viruses and worms => Topic started by: farelo on August 28, 2012, 02:57:17 PM

Title: Trojan Problem with blogger
Post by: farelo on August 28, 2012, 02:57:17 PM
Hi, I have a blog, and when I enter the options menu of Blogger a warning pops up. The aforementioned is:
How can I fix it?
(http://subir-imagenes.org/?di=JI5J)
Thanks in advance, and sorry for my English.
Title: Re: Trojan Problem with blogger
Post by: true indian on August 28, 2012, 03:03:01 PM
Detection was added in the latest update: http://www.avast.com/virus-update-history

Can you test your site at urlquery.net?
Title: Re: Trojan Problem with blogger
Post by: farelo on August 28, 2012, 03:11:38 PM
Detection was added in the latest update: http://www.avast.com/virus-update-history

Can you test your site at urlquery.net?

urlquery.net does not detect any alerts (benign), and zulu.zscaler.com gives me 40/100.

urlquery:
         http://urlquery.net/report.php?id=148940
zulu.zscaler:
         http://zulu.zscaler.com/submission/show/5e94889f13bbdf98acc670db915542d2-1346157096

How can I stop the notice from popping up if it is a false positive? Or, if it's a real positive, how do I solve it?
Thanks again.
Title: Re: Trojan Problem with blogger
Post by: CharlesZdh on August 28, 2012, 03:39:15 PM
This is most likely a false positive, I am a web developer and have been using Telerik products for years, there is no way that they contain trojans. Telerik provide professional class developer tools for web (and other) applications.

Also, it seems like Avast only has this false positive in Firefox. I have been checking my production websites in Chrome and IE8+, no trojans detected.

PLEASE AVAST PROVIDE QUICK UPDATE  before our customers start complaining. Telerik products are WIDELY used in web development and having a false positive in such a context is not a good thing AT ALL.
Title: Re: Trojan Problem with blogger
Post by: true indian on August 28, 2012, 03:45:25 PM
It may be a correct detection.. this may be malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes
Title: Re: Trojan Problem with blogger
Post by: CharlesZdh on August 28, 2012, 03:49:51 PM
It's a correct detection.. this is a malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes <<----Malicious!!!
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes

I beg to differ; how is this malware? It is an advanced and fully featured HTML editor used by A LOT of websites/companies.
Detecting a Trojan on this IS a false positive.

http://demos.telerik.com/aspnet-ajax/editor/examples/default/defaultcs.aspx
Title: Re: Trojan Problem with blogger
Post by: true indian on August 28, 2012, 03:52:46 PM
According to me it's malicious.. Anyway, the virus analyst is informed.. he will give feedback on this.
Title: Re: Trojan Problem with blogger
Post by: CharlesZdh on August 28, 2012, 04:06:25 PM
"saved blogger.com/static/v1/layouts/3994510508-layouts.js" might be malicious, don't know, don't care, but Telerik's JS files used for the HTML editor are definitely not malicious and Avast is having a false positive on this.

This editor is widely used, on many blog providers, CMS, etc...
True indian, can you provide any information about the file being detected as malicious on the link I provided you? Being in contact with Telerik support, this might help get things fixed.
Title: Re: Trojan Problem with blogger
Post by: farelo on August 28, 2012, 04:07:52 PM
It's a correct detection.. this is a malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes <<----Malicious!!!
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes

Should I delete it as malicious? Because I'm a little lost.
Title: Re: Trojan Problem with blogger
Post by: david_biggins on August 28, 2012, 04:33:11 PM
Just to confirm, I've seen "new" blacole (av and c) reports now on two separate websites, including the McAfee user forum at

https://community.mcafee.com/thread/47670

Detection of this only started with today's signatures.

I have visited both sites on machines running the Microsoft AV, and it's not giving either as having this infection, despite the fact that it is not new malware.

And on one, where I have access to the site content, I've done full scans with two more AVs without getting a report.

So unless McAfee can have malware on their own forum for at least six hours without noticing, I have to say that I rather suspect it's a false positive.

If it is, you need to get an update out fast, because the Telerik component is indeed used on a LOT of websites.

Mind, if Telerik have let out an infected release, they are the ones going to need a very rapid update, and a number of other AV companies need to get their acts together on detection.

Best regards

D.
Title: Re: Trojan Problem with blogger
Post by: CharlesZdh on August 28, 2012, 04:38:42 PM
Just to confirm, I've seen "new" blacole (av and c) reports now on two separate websites, including the McAfee user forum at

https://community.mcafee.com/thread/47670

Detection of this only started with today's signatures.

I have visited both sites on machines running the Microsoft AV, and it's not giving either as having this infection, despite the fact that it is not new malware.

And on one, where I have access to the site content, I've done full scans with two more AVs without getting a report.

So unless McAfee can have malware on their own forum for at least six hours without noticing, I have to say that I rather suspect it's a false positive.

If it is, you need to get an update out fast, because the Telerik component is indeed used on a LOT of websites.

Mind, if Telerik have let out an infected release, they are the ones going to need a very rapid update, and a number of other AV companies need to get their acts together on detection.

Best regards

D.

I had Telerik support on the phone; they hope they can send us a fix within 24h, whether or not this is a false positive. However, I maintain this is a false positive and expect at least a response from AV companies to confirm / decline it.
Title: Re: Trojan Problem with blogger
Post by: farelo on August 28, 2012, 04:53:30 PM
Thank you all; we will continue waiting for a solution. The Avast telephone line leaves me on hold and I never get through to an operator.
Title: Re: Trojan Problem with blogger
Post by: david_biggins on August 28, 2012, 04:55:42 PM
I had Telerik support on the phone; they hope they can send us a fix within 24h, whether or not this is a false positive. However, I maintain this is a false positive and expect at least a response from AV companies to confirm / decline it.

Useful, thanks Charles.

D.
Title: Re: Trojan Problem with blogger
Post by: Milos on August 28, 2012, 05:03:27 PM
Hello,
it's an FP, the fix is just being released.

Milos
Title: Re: Trojan Problem with blogger
Post by: polonus on August 28, 2012, 05:09:53 PM
Thanks Milos, no actual malware then, but the issue has not completely subsided.
jsunpack flags the code for CVE-2010-0806, for what that is worth, but I felt I had to report this.
See how it is being flagged when analyzing the website code for layouts.js:

blogger dot com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.130.191) blogger dot com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter dot com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
The vulnerability (see http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806)
is under review and now has the status of "candidate".
So there is still an issue there for exploitability with CSRF.

polonus
Title: Re: Trojan Problem with blogger
Post by: polonus on August 28, 2012, 06:03:58 PM
Update manually now; the issue has been fixed.

polonus
Title: Re: Trojan Problem with blogger
Post by: farelo on August 28, 2012, 08:53:44 PM
Update manually now; the issue has been fixed.

polonus

Thanks, already solved.