Avast WEBforum

Other => Viruses and worms => Topic started by: oldman on January 31, 2009, 08:56:52 PM

Title: FP in CF
Post by: oldman on January 31, 2009, 08:56:52 PM
Hi guys,

Quote
Sign of "Win32:Oliga [trj]" has been found in "hxxp://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com" file.

That's webshield detection on downloading combofix. Same detection on all CF download links.

Thanks
Title: Re: FP in CF
Post by: CharleyO on January 31, 2009, 09:00:45 PM
***

Hopefully, the avast team can fix that real soon.


***
Title: Re: FP in CF
Post by: oldman on January 31, 2009, 09:05:54 PM
Hi CharleyO,
Quote
Hopefully, the avast team can fix that real soon.

Yes. Pausing the webshield is a work around, but sometimes convincing people that it is ok is tougher than the bugs.
Title: Re: FP in CF
Post by: polonus on January 31, 2009, 09:51:59 PM
Hi oldman,


Some av's give it as riskware, but riskware can also be very helpful as a tool in the hands of malware fighters, so that should be going into another category altogether, and should not be put "in limbo" as some av scanners do, but must be excluded real easily or only flagged with an alert and not blocked, because one can ruin things with a hammer and one can also use it to repair!!!

It is because they consider the link to be an attack on the server that Exploit Prevention Lab's LinkScanner won't eat it, in spite of as many captchas as I return,
and Norton Safe Web Scanner comes up with the following:
Quote from: Norton Safe Web
forospyware.com
Summary
•Computer Threats: 5
•Identity Threats: 0
•Annoyance factors: 0
Total threats on this site: 5
•Community Reviews: 2

The Norton rating is a result of Symantec's automated analysis system. The opinions of our users are reflected separately in the community rating.
General Info
Web Site Location: United States of America

Norton Safe Web has analyzed forospyware.com for safety and security problems. Below is a sample of the threats that were found.

forospyware.com
Threat Report
Total threats found: 5

Drive-By Downloads
Threats found: 4
Here is a complete list:
Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\t-57166[1].htm
Signature (MD5): 161ed2c2b35bfbf505aab39faa303e5d
Location: http://www.forospyware.com/archive/t-57166.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\t-6381[1].htm
Signature (MD5): 1609cc41e4795244ed665bdbf587432a
Location: http://www.forospyware.com/archive/t-6381.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\242496-post1[1].htm
Signature (MD5): a5c756d36502096d8f65e7a58862c4db
Location: http://www.forospyware.com/242496-post1.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GZKDIZWD\242842-post2[1].htm
Signature (MD5): 83ab222f3c363c1bed492eeeaaeebba6
Location: http://www.forospyware.com/242842-post2.html

Viruses
Threats found: 1
Here is a complete list:
Threat Name: Bloodhound.Exploit.6
Location: http://www.forospyware.com/archive/t-48517.html

Community rating: 5.0, rated by 2 users, "secure and trusted"

User reviews (2)

Anonymous, added about one day ago, Rating Level 5 out of 5
Forospyware contains no exploits

It is a completely clean website; on the contrary, it helps remove threats on a non-profit basis.

I think Norton is mistaken.

Anonymous, added 2 days ago, Rating Level 5 out of 5
forospyware is secure

WEB INFOSPYWARE.COM & FOROSPYWARE.COM ARE GOOD PAGES, VERY SECURE
WOT accepts it, as do Finjan and McAfee SiteAdvisor.

The BadStuff checker hiccup is totally green:
Quote from: IframeChecker
No zeroiframes detected!
Check took 10.93 seconds

(Level: 0) Url checked:
http://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=374
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/yui/connection/connection-min.js?v=374
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_global.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_menu.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/glossary_crosslinking.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_md5.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=es
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://pagead2.googlesyndication.com/pagead/show_ads.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
http://pagead2.googlesyndication.com/pagead/+b+
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
http://pagead2.googlesyndication.com/pagead/+nc(fd(c))+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_read_marker.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=es
Zeroiframes detected on this site: 0
No ad codes identified

Hope this helps you, us...

polonus
Title: Re: FP in CF
Post by: oldman on January 31, 2009, 10:15:05 PM
Hi Polonus,

I'm pretty sure it's within the program, not the site.

Try these.

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Title: Re: FP in CF
Post by: Maxx_original on January 31, 2009, 10:30:12 PM
What does the prep.com file actually do?
Title: Re: FP in CF
Post by: polonus on January 31, 2009, 10:38:18 PM
Hi oldman,

That was pretty convincing, helped more than half an hour of discussion.

polonus
Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 12:20:11 AM
Quote
Sign of "Win32:Oliga [trj]" has been found in "hxxp://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com" file.

That's webshield detection on downloading combofix. Same detection on all CF download links.

I take it that you have sent the file to avast ;D
Title: Re: FP in CF
Post by: polonus on February 01, 2009, 12:36:15 AM
Hi DavidR,

The list of other antivirus apps provided shows that roughly half do not flag combofix.
The ones that do flag it all seem to have a different name for it;
2 or 3 label it as a Visual Basic (VB) virus,
and all the others call it something totally different.
So I'd say that they are false positives.
Due to the nature of combofix, and the task it performs,
it may appear to be a virus just because of what it's designed to do.
Here's more detailed info about combofix direct from the folks that created it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
And here's more info about false positives, combofix, and components of combofix:
http://www.bleepingcomputer.com/forums/topic98878.html
That should clear it up for you,

polonus

Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 12:43:27 AM
I just downloaded it and it also pings another file within the combofix.exe file, tail.com

Downloaded to my downloads folder - E:\Downloads\ComboFix.exe\32788R22FWJFW\Tail.com

@ polonus, it isn't uncommon for tools to get pinged.
Title: Re: FP in CF
Post by: oldman on February 01, 2009, 02:33:09 AM
Quote
I take it that you have sent the file to avast
No, I gave them enough links, they can get the entire kit and caboodle.  ;)

Maxx

I don't know what that portion of CF does. Might be a bit simplistic, but the name suggests preparation. CF does kill a few things before it runs.
Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 03:54:50 AM
I have submitted both prep.com and tail.com as false positives (using the new submission method) when I scanned combofix.exe after I downloaded it.
Title: Re: FP in CF
Post by: Maxx_original on February 01, 2009, 02:15:47 PM
OK, we'll fix the detection.. anyway, it is not good to use a PE image with a .com extension and obfuscate it when you are a legit tool :-\
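The point Maxx raises above is that a file's extension says nothing about its format: a `.com` name suggests a flat DOS binary, but the bytes can be a Windows PE image, which is exactly the kind of mismatch a heuristic scanner weighs. The following triage helper, added here as an example and not code from the thread or from ComboFix, checks the MZ header and the `e_lfanew` pointer to the `PE\0\0` signature, flags `.com` names whose content is PE, and computes the hashes you would quote when submitting a sample as a false positive. The `Prep.com` sample blob is constructed in the script; it is not the real ComboFix component.

```python
"""Triage helper: does a file that claims to be a DOS .com program actually carry a
Windows PE image? Constructed example; not part of the forum thread or ComboFix."""
import hashlib
import struct
from pathlib import Path

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def classify_image(data: bytes) -> str:
    """Return 'pe', 'mz' (plain DOS MZ executable) or 'raw' (flat .com style / other).

    A PE file starts with 'MZ' and stores the offset of its 'PE\\0\\0' signature as a
    32-bit little-endian value at offset 0x3C (e_lfanew in the DOS header)."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return "raw"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Bounds check first: a corrupt or hostile e_lfanew may point past the file.
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "pe"
    return "mz"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name says .com (flat DOS binary) but the bytes are a PE image."""
    return name.lower().endswith(".com") and classify_image(data) == "pe"


def triage_file(path: Path) -> dict:
    """Summarise one on-disk file for an FP submission: format, mismatch flag, hashes."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "format": classify_image(data),
        "mismatch": extension_mismatch(path.name, data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


if __name__ == "__main__":
    # Constructed samples: a PE renamed to .com versus a one-byte flat DOS program (x86 'ret').
    for name, blob in (("Prep.com", build_fake_pe()), ("tiny.com", b"\xc3")):
        verdict = "mismatch" if extension_mismatch(name, blob) else "ok"
        print(name, classify_image(blob), verdict)
```

Run `triage_file(Path("some.com"))` on a file extracted from the archive (DavidR used 7zip) to get the hashes and the mismatch flag in one dictionary.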
Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 04:40:24 PM
Perhaps to combat the malware it seeks to kill ;D
Title: Re: FP in CF
Post by: oldman on February 01, 2009, 05:07:36 PM
I believe you are right DavidR. Right now .com is commonly used to get a tool to run. The malware authors are really going after the tools.
Title: Re: FP in CF
Post by: polonus on February 01, 2009, 06:11:11 PM
Hi "oldman",

The malcreants have many more devious things up their sleeves. Did anyone see the number of daily vundo detection updates when checking their SAS update oversight? - mind dazzling, really. I do not know how detection can keep up with this rate of metamorphosis, and this just for one type of nasty, so....

polonus
Title: Re: FP in CF
Post by: YoKenny on February 01, 2009, 08:55:48 PM
Quote from: polonus
Hi "oldman",

The malcreants have many more devious things up their sleeves. Did anyone see the number of daily vundo detection updates when checking their SAS update oversight? - mind dazzling, really. I do not know how detection can keep up with this rate of metamorphosis, and this just for one type of nasty, so....

polonus

Look at this from Malwarebytes MBAM:
Newest Rogue Threats
http://www.malwarebytes.org/forums/index.php?showforum=30
Title: Re: FP in CF
Post by: oldman on February 01, 2009, 11:10:39 PM
I just tried it again. No detection for prep.com on download. tail.com is still being detected.

@DavidR
Did you happen to test prep.com at VirusTotal? If you did, do you have a link? Interested if AVG is also detecting it.
Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 11:49:32 PM
No I didn't because I would have had to extract it from the combofix.exe file.

I have an extractor somewhere, if I can find it.
Title: Re: FP in CF
Post by: DavidR on February 01, 2009, 11:57:59 PM
OK, I found I can extract the file using 7zip.

Prep.com (no alert when I extracted it): http://www.virustotal.com/analisis/054c873a118934903a83e4980547a1c8 - 12/39 detections.

Tail.com (avast alerted when I extracted it, so that hasn't been resolved yet): http://www.virustotal.com/analisis/4962d871439748ff7417cdd0f677fb7a - 13/39 detections.

No detection by AVG on either.
Title: Re: FP in CF
Post by: oldman on February 02, 2009, 12:25:06 AM
Thanks David. I tested tail.com earlier. Same results as you. Webshield didn't detect prep.com on the d/l. So half way there.
Title: Re: FP in CF
Post by: DavidR on February 02, 2009, 01:29:51 AM
No problem, didn't take long for prep.com, hopefully it won't be long for tail.com.
Title: Re: FP in CF
Post by: Maxx_original on February 02, 2009, 11:32:56 AM
i've made some small changes to the detection, which should prevent future false positives on these files..
Title: Re: FP in CF
Post by: DavidR on February 02, 2009, 03:40:06 PM
Thanks Maxx.
Title: Re: FP in CF
Post by: oldman on February 03, 2009, 04:03:01 AM
Thanks guys. I just scanned my sample of tail.com. No detection.  :D
Title: Re: FP in CF
Post by: DavidR on February 03, 2009, 03:13:50 PM
Snap, nice when a plan comes together ;D
Title: Re: FP in CF
Post by: polonus on February 03, 2009, 03:18:49 PM
Hi folks,

Fully agree, DavidR, this forum in optima forma,

polonus
Title: Re: FP in CF
Post by: CharleyO on February 03, 2009, 07:53:11 PM
***

Nice job getting this fixed, avast team!   :)


***