Avast WEBforum

Other => Viruses and worms => Topic started by: Klauwkikker on July 27, 2011, 07:15:20 PM

Title: False positive?
Post by: Klauwkikker on July 27, 2011, 07:15:20 PM
Is this a false positive?
It is a well-known Dutch opinion site.

Infection Details
URL:   http://xxx.joop.nl/fileadmin/template/inc/js/redirMobile-min.js|%3E{gzip}
Process:   file://C:\Program Files\Mozilla Firefox\firefox.exe
Infection:   html:Iframe-inf

xxx stands for www
Title: Re: False positive?
Post by: Pondus on July 27, 2011, 07:18:12 PM
Sucuri says infected....

see attached screenshot


malware type
http://sucuri.net/malware/malware-entry-mwiframehd421
Title: Re: False positive?
Post by: Pondus on July 27, 2011, 07:27:40 PM
Filename: redirMobile-min.js
Status: Scan finished. 2 out of 20 scanners reported malware.
http://virusscan.jotti.org/en/scanresult/c9e8b1cc2b524e7f963dfac40bdc6321b57ba3ec

VirusTotal - redirMobile-min.js - 4/43
http://www.virustotal.com/file-scan/report.html?id=bac3240d18bfa6194aa65701e799946bdad1a975fa069013652f584eb5d44965-1311787300
Title: Re: False positive?
Post by: polonus on July 27, 2011, 09:12:40 PM
Hi Klauwkikker & Pondus,

Scanned the IPframe redirect here: http://wepawet.iseclab.org/view.php?hash=52ee1c0c20d38b7edb071123b878a5aa&t=1311793379&type=js (malicious)
Exploit being abused is HPC URL Help Center URL Validation Vulnerability - CVE-2010-1885;
see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
Also see attached source code for the URL you provided,

polonus


Title: Re: False positive?
Post by: Pondus on July 28, 2011, 07:47:24 AM
Quote
Is this a false positive?
It is a well-known Dutch opinion site.

Norman analysis confirms the detection is correct
Quote
redirMobile-min.js : Processed - HTML/Iframe.KY