Avast WEBforum

Other => Viruses and worms => Topic started by: 12-es_csaj on February 09, 2011, 08:01:28 PM

Title: FP or real malware? [Now solved]
Post by: 12-es_csaj on February 09, 2011, 08:01:28 PM
INF:AutoRun-BJ [Wrm] on hxxp://prohardver.hu/tema/avg_antivirus_2/friss.html
Title: Re: FP or real malware?
Post by: REDACTED on February 09, 2011, 08:12:10 PM
INF:AutoRun-BJ [Wrm] on hxxp://prohardver.hu/tema/avg_antivirus_2/friss.html




http://www.unmaskparasites.com/security-report/?page=http%3A//prohardver.hu/tema/avg_antivirus_2/friss.html
http://www.virustotal.com/url-scan/report.html?id=80a26c0b415c0698a1b328df3adb29e9-1297275292

FP :(
Title: Re: FP or real malware?
Post by: DavidR on February 09, 2011, 08:32:16 PM
INF:AutoRun-BJ [Wrm] on hxxp://prohardver.hu/tema/avg_antivirus_2/friss.html

What are you trying to do in visiting this URL?

Whilst it is only avast and gdata alerting on this page it might well be an FP.
But it is a strange malware name to be detected on a web page, it is this bit that makes me ask the first question (/avg_antivirus_2/). If you happened to be trying to run an on-line virus scan it may be detecting something to autorun that scan.

Title: Re: FP or real malware?
Post by: 12-es_csaj on February 09, 2011, 08:36:47 PM
What are you trying to do in visiting this URL?
Whilst it is only avast and gdata alerting on this page it might well be an FP.
But it is a strange malware name to be detected on a web page, it is this bit that makes me ask the first question (/avg_antivirus_2/). If you happened to be trying to run an on-line virus scan it may be detecting something to autorun that scan.

No, it's a Hungarian PC forum, and I tried to visit the AVG topic, but I failed.
I already saw the VPS history, and this worm has been in the database for several days.

Since then, a member answered in that forum's antivirus topic. There is autorun.inf malware code "printed" in one of the posts, and avast! alerts because of this.


Sorry for my bad English.
Title: Re: FP or real malware?
Post by: spg SCOTT on February 09, 2011, 08:40:49 PM
Actually, not quite an FP...

The page has a script posted in plaintext, which will exist in the source code, hence avast detects it.

This is why I, and others, post scripts in image form, as this will happen. First image is the actual page, second is the source code, where it exists. avast! alerts on that code when isolated.

EDIT: http://www.virustotal.com/file-scan/report.html?id=95fffb050f4eb6695fc419c3a85910e48f59528fb92822fa70b4c96b75373a15-1297280530

The isolated script, sent to VT
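
What spg SCOTT describes above, as an added example that is not part of the thread: a content scanner sees the page's bytes, so autorun.inf text quoted in a post matches the same pattern as the isolated file, while a screenshot of it does not. The regex is a hypothetical heuristic, not avast's INF:AutoRun-BJ signature, and the sample pages and `placeholder.exe` are constructed.

```python
import html
import re

# Hypothetical heuristic (assumption, not a vendor signature): an [autorun]
# section header followed closely by a key that launches a program.
AUTORUN_RE = re.compile(
    r"\[autorun\][^\[]{0,400}?\b(open|shellexecute|shell\\\w+\\command)\s*=",
    re.IGNORECASE,
)

def scan(data: bytes) -> list[str]:
    """Return the launch keys found after an [autorun] header in data."""
    text = data.decode("latin-1")  # byte-preserving decode, never raises
    hits = []
    # Check the raw source first, then the same source with HTML entities
    # decoded, so &#91;autorun&#93; in a post is seen as [autorun].
    for view in (text, html.unescape(text)):
        for match in AUTORUN_RE.finditer(view):
            key = match.group(1).lower()
            if key not in hits:
                hits.append(key)
    return hits

# Constructed samples: the file on its own, the file pasted into a forum
# post, the same paste with entity-encoded brackets, and a screenshot.
ISOLATED = b"[autorun]\r\nopen=placeholder.exe\r\n"
FORUM_PAGE = b"""<html><body><div class="post">
What is this file on my USB stick?<br />
[autorun]<br />
open=placeholder.exe<br />
</div></body></html>"""
ENTITY_PAGE = FORUM_PAGE.replace(b"[autorun]", b"&#91;autorun&#93;")
IMAGE_PAGE = b"""<html><body><div class="post">
What is this file on my USB stick?<br />
<img src="autorun-screenshot.png" alt="screenshot of the file" />
</div></body></html>"""

if __name__ == "__main__":
    for name, sample in [("isolated file", ISOLATED),
                         ("plaintext post", FORUM_PAGE),
                         ("entity-encoded post", ENTITY_PAGE),
                         ("screenshot post", IMAGE_PAGE)]:
        keys = scan(sample)
        print(f"{name:20} -> {'ALERT ' + ','.join(keys) if keys else 'clean'}")
```
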
Title: Re: FP or real malware?
Post by: 12-es_csaj on February 09, 2011, 09:00:00 PM
Moderators deleted the problematic post.
So, this wasn't an FP.
And now, it is solved.