Avast WEBforum

Other => Viruses and worms => Topic started by: mathboyx215 on December 27, 2008, 01:01:47 AM

Title: avast detects wikipedia as virus
Post by: mathboyx215 on December 27, 2008, 01:01:47 AM
I was on Wikipedia, then an avast warning popped up telling me about HTML:iframe-gen virus/worm.

I also made a video about it: http://www.youtube.com/watch?v=cMqEy3ZHRxg&fmt=18

Here is the link to the Wikipedia page that I was on: http://en.wikipedia.org/wiki/Hunan_Satellite_Television

So is that a false positive or is that really a worm? If it's an FP, can you fix it in the next update?
Title: Re: avast detects wikipedia as virus
Post by: Jtaylor83 on December 27, 2008, 03:15:37 AM
False Positive. Dr. Web's Online Check says it's clean. I hope Alwil fixes it.
Title: Re: avast detects wikipedia as virus
Post by: Jahn on December 27, 2008, 04:19:45 AM
> I was on Wikipedia, then an avast warning popped up telling me about HTML:iframe-gen virus/worm.
>
> I also made a video about it: http://www.youtube.com/watch?v=cMqEy3ZHRxg&fmt=18
>
> Here is the link to the Wikipedia page that I was on: http://en.wikipedia.org/wiki/Hunan_Satellite_Television
>
> So is that a false positive or is that really a worm? If it's an FP, can you fix it in the next update?
Hi mathboyx215 and welcome to the forum.

Does Avast still detect this page on your system? I followed the procedure you used in your video, and Avast doesn't detect anything. Try updating Avast and retesting. I see it was VPS version: 081224-0 which detected it. The current version is 081226-0.
Title: Re: avast detects wikipedia as virus
Post by: mathboyx215 on December 27, 2008, 05:54:38 AM
Avast is still detecting it.
Title: Re: avast detects wikipedia as virus
Post by: igor on December 27, 2008, 11:58:09 AM
The detected JPEG image has an iframe appended to the file, pointing to some Chinese site.
I don't think it's really a false positive.
Title: Re: avast detects wikipedia as virus
Post by: mathboyx215 on December 27, 2008, 03:48:27 PM
But I have one person who commented on my video saying that he has avast pro and went to that link but nothing happened. So maybe it's only happening to me?
Title: Re: avast detects wikipedia as virus
Post by: igor on December 27, 2008, 08:02:42 PM
No, it's not happening only to you - I get the same detection when I visit the corresponding page.
Title: Re: avast detects wikipedia as virus
Post by: Lisandro on December 27, 2008, 09:26:50 PM
Maybe the page is hacked?  ???
avast is very sensible - generally correct detections - on encrypted frames on webpages  ::)
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 27, 2008, 09:31:25 PM
Most certainly this is no FP; the image has been hacked to include an iframe tag at the bottom of the file.

Remember Wiki is user modified so there is a possibility of user images too I guess.

@ Igor
So would this also be considered a type of jpg exploit?
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 27, 2008, 09:33:34 PM
> avast is very sensible - generally correct detections - on encrypted frames on webpages  ::)

Tech, it isn't in the page content but is embedded in the actual .jpg image. See the image I posted, which shows the bottom of the .jpg viewed in a text editor (EditPad Lite).
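The check igor and DavidR describe above (data appended after the end of a JPEG), as an added example that is not part of the original thread and is not Avast's detection logic. The sample bytes are constructed, and the function names and the markup list are assumptions.

```python
import re
import struct

# Markup that does not belong after image data (illustrative list, an assumption).
MARKUP = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)

def jpeg_end(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, real marker follows
            pos += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone marker, no length field
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4].ljust(2, b"\0"))
            pos += 2 + length                   # skip payload, EXIF thumbnails included
            if marker == 0xDA:                  # SOS: entropy-coded scan data follows
                while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] != 0x00   # FF00 = stuffed byte
                    and not 0xD0 <= data[pos + 1] <= 0xD7):       # RSTn stays in the scan
                    pos += 1
    raise ValueError("no EOI marker found")

def inspect_jpeg(data: bytes) -> dict:
    """Report how many bytes follow the image and whether they contain markup."""
    end = jpeg_end(data)
    hit = MARKUP.search(data[end:])
    return {"image_bytes": end, "trailing_bytes": len(data) - end,
            "markup": hit.group(1).decode().lower() if hit else None}

def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid JPEG framing, not a decodable picture.
CLEAN = (b"\xff\xd8" + segment(0xE1, b"thumb\xff\xd9pad")   # FFD9 inside APP1 payload
         + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")        # SOS header
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")    # scan data, then EOI
TAMPERED = CLEAN + b'\n<iframe src="http://example.invalid/" width=0></iframe>'

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, inspect_jpeg(blob))
```

Walking the segments matters because a plain search for the first FF D9 pair would stop inside the APP1 payload of the sample, the way it would inside an embedded EXIF thumbnail.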
Title: Re: avast detects wikipedia as virus
Post by: mathboyx215 on December 27, 2008, 09:36:23 PM
But why, when some people go on the page, avast doesn't detect it?
Title: Re: avast detects wikipedia as virus
Post by: Lisandro on December 27, 2008, 09:43:11 PM
> But why, when some people go on the page, avast doesn't detect it?

Maybe the avast is not updated? Or well configured...
For me, the page is set as infected as the picture showed.
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 27, 2008, 09:52:53 PM
> But why, when some people go on the page, avast doesn't detect it?

I don't know, and as we only have one person saying they don't have an alert, we would need to know what browser, OS and set-up they have, as any of those things could lead to it not being detected.

I didn't watch the video (dial-up) so I have no idea what Jahn meant when he said "I followed the procedure you used in your video, and Avast doesn't detect anything."

Now why this didn't alert on one or more is a different issue, but this detection is IMHO correct; why would a .jpg file be hacked in this way? It is still detected in the latest VPS 081227-0.
Title: Re: avast detects wikipedia as virus
Post by: Jtaylor83 on December 27, 2008, 10:27:50 PM
I think the Wikipedia administrator needs to delete the image or edit the description.

Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 28, 2008, 12:00:09 AM
I don't know what there is to edit in the description, that isn't what launches the iframe, but the manipulated .jpg with the embedded iframe tag.
Title: Re: avast detects wikipedia as virus
Post by: Jahn on December 28, 2008, 11:26:11 AM
> > But why, when some people go on the page, avast doesn't detect it?
>
> I don't know, and as we only have one person saying they don't have an alert, we would need to know what browser, OS and set-up they have, as any of those things could lead to it not being detected.
>
> I didn't watch the video (dial-up) so I have no idea what Jahn meant when he said "I followed the procedure you used in your video, and Avast doesn't detect anything."
>
> Now why this didn't alert on one or more is a different issue, but this detection is IMHO correct; why would a .jpg file be hacked in this way? It is still detected in the latest VPS 081227-0.

I'm still not getting any detection on this page after a repair of Avast/reboot. I do believe Avast is working properly, though. Avast recently detected JS:XMLParse-A [Expl] during Scanit tests HERE (http://forum.avast.com/index.php?PHPSESSID=da74cf4048c354186c3524c37040c56b&topic=41268.0), and later detected the leftover TIF's and SysVolume entries during a Standard demand scan.

My Avast providers are at default values, except I've added a redirected HTTP port (for proxy server) to Web Shield.

I can only guess that another security program is blocking the exploited jpg iframe before Avast sees it. XP SP2, Firefox 3.0.5 with ABP, Dr.Web link checker, Finjan, SiteAdvisor, NoScript, Perspectives and WOT. No detection either in IE7 with flash disabled by Toggle Flash, Finjan, WOT and Dr. Web link checker. I also use SAS Pro (my forever gratitude to CastleCops [R.I.P.] and Nick for my free lifetime licenses), Comodo Internet Security in ProActive Safe Modes (AV module not installed) and a custom Hosts file. I'm betting on CIS, though nothing shows in the firewall or Defense+ logs.

According to the video, mathboyx215 accessed the Wikipedia page via a link in a Google search for hunantv. I was attempting to duplicate the occurrence, so that is what I meant when I said I went there in the same manner. Hope this clears some mud out, and sorry I couldn't get back here sooner. :)
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 28, 2008, 03:57:43 PM
I don't know why you needed to add to the redirect port (what application?), but I believe that you would also need to uncheck the Ignore Local Communication, or whatever is coming through the other redirect port might not be being scanned.

You could check the avast web shield detailed view and see if your web traffic is actually being scanned. Or if none or only partially scanned as I haven't a clue what your other proxy is doing.

You could also uncheck the option ignore local communication (see image) and try the above link again and see what happens.
Title: Re: avast detects wikipedia as virus
Post by: Jahn on December 29, 2008, 03:41:44 AM
> I don't know why you needed to add to the redirect port (what application?), but I believe that you would also need to uncheck the Ignore Local Communication, or whatever is coming through the other redirect port might not be being scanned.
>
> You could check the avast web shield detailed view and see if your web traffic is actually being scanned. Or if none or only partially scanned as I haven't a clue what your other proxy is doing.
>
> You could also uncheck the option ignore local communication (see image) and try the above link again and see what happens.

Hi David, I have to add the port to Web Shield to enable Avast to scan Proxyconn traffic on port 6198. I have just verified that Avast is indeed scanning both ports 80 and 6198. I bumped Web Shield sensitivity up to High and went to the Wikipedia page - nothing. But if I run all browser tests at Scanit, or try to open a zipped file with eicar in it Avast will alert. Avast seems to be working. Checking or unchecking Ignore local communication doesn't seem to make any difference.
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 29, 2008, 03:51:51 PM
All I think that is happening is the traffic is passing through the web shield and because it is effectively local traffic, it isn't being scanned. So why it isn't being detected when you uncheck the Ignore local communication is beyond me, but using additional port redirects you should uncheck that option.

Well I haven't got a clue what Proxyconn does or how it goes about its task, so I don't know what might go through its proxy port.
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 29, 2008, 04:13:55 PM
After a little googling, I now know a little more about proxyconn than I did earlier and now possibly a little more than you in one regard :P

The probable reason nothing is found: proxyconn is supposed to detect and block viruses, see image.

Title: Re: avast detects wikipedia as virus
Post by: Jahn on December 30, 2008, 03:50:34 AM
> After a little googling, I now know a little more about proxyconn than I did earlier and now possibly a little more than you in one regard :P
>
> The probable reason nothing is found: proxyconn is supposed to detect and block viruses, see image.

Thanks David, what you found through Google is Proxyconn's hard-sell product. I only use the accelerator, not their security suite. But it got me thinking about what security software they may have on their servers. I disabled Proxyconn and removed port 6198 from Web Shield. I went back to the Wikipedia page which did show as being scanned now on port 80, still no detection. I will leave Ignore local communication unchecked.

I don't know. I have turned off/disabled every security software I can think of; ran Firefox and IE in safe modes. Avast just isn't seeing it, yet does see other malware. Since a repair of Avast didn't help I will try a fresh download/install later tonight.
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 30, 2008, 02:48:03 PM
Well I still get the alert, so I don't know what is going on in your system.

If you aren't going to use proxyconn (It didn't come out as making a significant difference in browsing according to comparative reviews, can't recall which) and you remove the proxy port redirect, then you should leave the ignore local communication enabled.

Only when additional ports are added to the web shield redirect should the ignore local communication be disabled.
Title: Re: avast detects wikipedia as virus
Post by: Jahn on December 31, 2008, 03:37:19 AM
Success! Well, eventually... After a complete Avast uninstall including aswclear, a fresh install and VPS updates, Avast still didn't detect anything on the Wiki page and showed no last scanned activity in Web Shield. But after I added port 6198 to Web Shield and returned to the Wiki page, Avast alerted me to the jpg issue and I selected Abort the connection. I then deselected Ignore local communication since you say I should.

At this point my best guess is Avast became corrupted maybe through a VPS update. It's been more than a year since I installed the whole program.

I couldn't survive the net without Proxyconn which boosts my surfing speed from 40KB/s to 100KB/s according to CNET's bandwidth meter. It does nothing for download speeds, however. When I tried the local DSL it kept disconnecting me every few hours. The techs were out here weekly swapping modems and filters. Nothing helped so I finally told them to take it out.

I think I'm in good shape now, a thorough and boot scan with archives revealed no problems. Thanks again for your help, David. And thanks to mathboyx215 for starting this thread or I wouldn't have known there was a problem.
Title: Re: avast detects wikipedia as virus
Post by: mathboyx215 on December 31, 2008, 07:16:49 AM
I'm glad that I helped you through my thread ;D
Title: Re: avast detects wikipedia as virus
Post by: DavidR on December 31, 2008, 03:10:08 PM
You're welcome.

Getting other proxies to work in co-operation with the web shield proxy can take a little tweaking, though what you did previously should have resolved it as it was after all picking up the eicar test file. If the VPS was actually corrupt the avast integrity checking should have (I believe) picked up on that.

The main thing is that everything is now working as it should.
Title: Re: avast detects wikipedia as virus
Post by: zone12 on January 02, 2009, 11:29:18 PM
It isn't a virus. If you still get this, come back and post what the thing says about the page.
Title: Re: avast detects wikipedia as virus
Post by: DavidR on January 03, 2009, 12:40:45 AM
I think you should read this topic again; this is most certainly not an FP. See the code in the .jpg that is causing the alert in my post, http://forum.avast.com/index.php?topic=41300.msg346726#msg346726.

Now that, no matter how you try to paint it, shouldn't be in a .jpg file, so it has been modified.