Author Topic: False Positive on AFF chat page? Or why Avast Forum is better than personals!!  (Read 19827 times)


Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Re: False Positive on AFF chat page?
« Reply #15 on: November 05, 2005, 09:38:22 PM »
You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted.
Quote
Wait, if the new VPS file corrects the false positive... are you sure it is not infected?

Or is Avast enforcing political correctness and puritan sexual behaviour in its real-time defence?
Quote
I won't think this... maybe something in the HTML code is being flagged as a false positive, not only the scripts...

I just wanted to comment on your last point... You are totally right, but I analysed that in my very first mail - the combination of the script, and the head with the favicon.ico - there are many factors together that generate this false positive, of course. If it only took window.open for avast to make this false positive, I'd say this AV is crap and I wouldn't waste any time. This case is a bit more complex. It is this exact combination of the call for the .ico file, the jscript with window.open and the html comments.... but why is this not corrected yet, since there have been many updates to the signature since my initial post?? And why won't support comment on that once and for all? Well, I guess this is no better than Symantec support... for me to make it better I would need to send my CV ;D
<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>function vp( viewurl )
{
    window.open( );
}
</script>
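The claim in the post above is that the detection fires only on a particular combination of the favicon link, the HTML comments and the window.open script. The usual way to settle a claim like that is false-positive minimisation: write out every subset of the suspected parts as its own file, scan the files one by one with the on-demand scanner, and keep the smallest subsets that are still flagged. The script below is an added example, not code from the thread or from Avast; the split into three components follows the poster's own description and is my assumption, and the scanner verdicts are typed in by hand after scanning (the script does not talk to any scanner itself).

```python
"""Generate ablation variants of a suspected false-positive HTML snippet.

Constructed example for false-positive triage. Each component that the poster
suspects of contributing to the detection is toggled on and off, so the resulting
files can be scanned with an on-demand scanner and the minimal triggering
combination identified from the verdicts.
"""
from itertools import product
from pathlib import Path

# The fragment as posted in the thread, split into the three suspected parts.
FAVICON_LINK = (
    "<link rel='shortcut icon' type='image/x-icon' "
    "href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>"
)
HTML_COMMENTS = "<!-- X.X.15.134 -->\n<!-- v.20051012 -->"
SCRIPT = (
    "<script language=javascript>function vp( viewurl )\n"
    "{\n"
    "    window.open( );\n"
    "}\n"
    "</script>"
)

COMPONENTS = {
    "favicon": FAVICON_LINK,
    "comments": HTML_COMMENTS,
    "script": SCRIPT,
}


def build(enabled):
    """Assemble the fragment with the named components present, keeping the
    page's own (double <html><head>) layout constant across all variants."""
    parts = ["<html><head>"]
    if "favicon" in enabled:
        parts.append(COMPONENTS["favicon"])
    parts.append("</head>")
    if "comments" in enabled:
        parts.append(COMPONENTS["comments"])
    parts.extend(["<html>", "<head>"])
    if "script" in enabled:
        parts.append(COMPONENTS["script"])
    return "\n".join(parts) + "\n"


def variants():
    """Return {label: html} for every subset of the components (2**n variants).
    The label lists the enabled components in sorted order, or 'none'."""
    names = list(COMPONENTS)
    out = {}
    for mask in product([False, True], repeat=len(names)):
        enabled = frozenset(n for n, on in zip(names, mask) if on)
        label = "+".join(sorted(enabled)) or "none"
        out[label] = build(enabled)
    return out


def write_variants(directory):
    """Write each variant to <directory>/<label>.htm and return the paths.
    Scan the directory with the on-demand scanner and note which labels are flagged."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    paths = []
    for label, html in variants().items():
        p = d / f"{label}.htm"
        p.write_text(html, encoding="ascii")
        paths.append(p)
    return paths


def minimal_triggers(flagged_labels):
    """Given the labels the scanner flagged, return the ones with no flagged proper
    subset: the minimal combinations that are sufficient to trigger the detection."""
    flagged = [frozenset(l.split("+")) if l != "none" else frozenset()
               for l in flagged_labels]
    return sorted(
        "+".join(sorted(s)) or "none"
        for s in flagged
        if not any(o < s for o in flagged)
    )


if __name__ == "__main__":
    for p in write_variants("fp_variants"):
        print(p)
```

After scanning, pass the flagged labels to minimal_triggers; if the poster's account is right, the only minimal combination returned will be the one with all three parts, and a result such as "script" alone would mean the signature keys on window.open by itself.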

Offline brijones

  • Newbie
  • *
  • Posts: 9
Re: False Positive on AFF chat page?
« Reply #16 on: November 06, 2005, 02:19:20 AM »
Have you tried lowering your security settings in avast? It would be great if you could have a play around with the sliders and see whether it's still detected.

Also, I am no newbie, I program in VB and VC++. I didn't get any messages from Avast on my computer when I ran the code. As for the .ico, is it possible this isn't a hidden script server side? There is an exploit of hiding code behind the premise of a gif, jpeg file. Could this be a similar thing?

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Re: False Positive on AFF chat page?
« Reply #17 on: November 06, 2005, 04:40:44 AM »
Quote
Have you tried lowering your security settings in avast? It would be great if you could have a play around with the sliders and see whether it's still detected.

I've put the code I pasted in a txt or htm file and scanned it with the shell extension... not the resident shield... so there is no way to change the settings, unless I am mistaken, but when the problem first happened, it was live on the web page chat, so it was the resident web shield, and it is set as it was installed, to normal setting that is. But I've checked the settings in the "custom" option for the different scanner shields, but there's not much to play with that would allow me to differentiate the problem. If only I could disable "heuristics" for instance... that would help. I can't.

Quote
Also, I am no newbie, I program in VB and VC++. I didn't get any messages from Avast on my computer when I ran the code. As for the .ico, is it possible this isn't a hidden script server side? There is an exploit of hiding code behind the premise of a gif, jpeg file. Could this be a similar thing?
I'm extremely surprised you didn't get any pop-up from Avast by scanning this code. Can you confirm that you pasted the whole code I put here in a .txt file, and scanned it with the shell extension and it didn't pop up as vbs/script worm? I have a hard time believing that... or are you saying that the resident shield didn't do anything after you ran the file? I should make this clear: If I paste this in a file, rename to html then DOUBLE-CLICK it, I get a script prevention warning from XP but nothing from Avast... but if I SCAN the file with the shell extension, it's detected as a virus, which makes no sense....

Your idea of a script hidden in an ico file is not bad, and I've alluded to that in my first mail, saying that they seemed to have hardcoded some symptoms of Code Red server side to trap my code, and it's a very liberal (and flaky) interpretation... and I doubt you can script much in 2k. But I downloaded the ico file from the server and I paste here what notepad shows; you can put that into a txt file, and rename to ico and you'll see this is an icon file.... (well not really since I can't really preserve the formatting but hey, this is what's inside the .ico file) I see a BM8 in the header.... that may be either a batch tool for autocad or a compressor for images... which seems fair in this case...


BM8      6   (                               ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿZ9{Þÿÿÿÿÿÿÿÿÿÿ{Œy¥h„`Æl)yÖ~ÿÿÿÿÿÿÿÿ”zc`!T„d¥lc`!XÆlœÿÿÿÿÿœs~)yÆly)}ï}ï}çt¥lÎ}ÿÿÿÿ1~Œ}R~ï}­}­}k})})}ï})}ÿÿÿœ)}Œu÷vÿÿÿÿ9~)})}­}ÿÿÿÿ~Æl!X)i9÷~÷~½ÿ÷~)})}µ~ÿÿÿœk}uB\c\B\„dÆl”zÖ~R~)})}œÿÿÿ9)})}çtçp¥l„dB\„d)}Œ}Zÿÿÿÿÿ÷~)})}J}Î})}çpçtÎ}½ÿÿÿÿÿÿÿZÖ~ÞÞ­}Î}µ~ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 


Thanks for your help! ;)
« Last Edit: November 06, 2005, 04:50:50 AM by Trial_user »

Offline brijones

  • Newbie
  • *
  • Posts: 9
Re: False Positive on AFF chat page?
« Reply #18 on: November 06, 2005, 07:57:34 AM »
Quote
Your idea of a script hidden in an ico file is not bad, and I've alluded to that in my first mail, saying that they seemed to have hardcoded some symptoms of Code Red server side to trap my code, and it's a very liberal (and flaky) interpretation... and I doubt you can script much in 2k. But I downloaded the ico file from the server and I paste here what notepad shows; you can put that into a txt file, and rename to ico and you'll see this is an icon file.... (well not really since I can't really preserve the formatting but hey, this is what's inside the .ico file) I see a BM8 in the header.... that may be either a batch tool for autocad or a compressor for images... which seems fair in this case...

[icon file dump as pasted in Reply #17]

Thanks for your help! ;)

What I did mean by the icon file is not that it's sending you just a plain icon, or that there is anything in the icon file that in itself has any impact. It is possible to set up the server to send something else next to the icon file, which you won't pick up plainly by downloading the file.

I suggest going to a DOS prompt and loading up Telnet against the server and port number, and I think typing GET (...file name with directory structure). I think that is the one; I have an ebook which lists in great detail HTTP connections and using other methods than a browser to obtain the header information that goes back and forth which isn't visible in the HTML. There is even a proxy style program you can place in between to grab the header before it's sent and alter it. There are many types of vulnerabilities that reside in the HTTP headers.
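The suggestion in the post above is to look at what the server actually sends with the icon rather than at the saved file. The check a defender runs on the raw response is simple: does the Content-Type header agree with the body's magic bytes, and does the body end where Content-Length says it does? The script below is an added example, not from the thread or from any tool it mentions. The two HTTP responses in it are constructed for illustration (the body starting with "BM" mirrors the "BM8" the poster saw in Notepad, which is the BMP file signature, whereas an ICO file begins with the bytes 00 00 01 00), and fetch_raw is a hypothetical helper that issues the plain GET the post describes so the same audit can be run against a live response.

```python
"""Audit a raw HTTP response for disagreement between headers and body.

Constructed example. Reports (1) a Content-Type that does not match the body's
magic bytes, (2) bytes beyond the declared Content-Length, i.e. "something else
sent next to the file", and (3) encodings that must be undone before sniffing.
"""
import socket

# (magic bytes, MIME type) for the formats an icon URL might plausibly return.
MAGIC = [
    (b"\x00\x00\x01\x00", "image/x-icon"),  # ICO: reserved=0, type=1
    (b"BM", "image/bmp"),                    # BMP bitmap
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Declared types treated as equivalent to image/x-icon.
ALIASES = {"image/vnd.microsoft.icon": "image/x-icon", "image/ico": "image/x-icon"}


def sniff(body):
    """Return the MIME type implied by the body's leading bytes, or 'unknown'."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "unknown"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def audit(raw):
    """Return a list of findings; an empty list means headers and body agree."""
    status, headers, body = parse_response(raw)
    findings = []
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    declared = ALIASES.get(declared, declared)
    actual = sniff(body)
    if declared and actual != "unknown" and declared != actual:
        findings.append(f"content-type says {declared} but body magic is {actual}")
    if declared.startswith("image/") and actual == "unknown":
        findings.append("declared image has no recognised image signature")
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) > length:
            findings.append(f"{len(body) - length} extra bytes after declared Content-Length")
        elif len(body) < length:
            findings.append("body shorter than declared Content-Length")
    for h in ("content-encoding", "transfer-encoding"):
        if h in headers:
            findings.append(f"{h}: {headers[h]} (body is encoded; decode before sniffing)")
    return findings


def fetch_raw(host, path, port=80, timeout=10):
    """Hypothetical helper: issue a plain HTTP/1.0 GET over a socket and return the
    raw response bytes, headers included, for audit()."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample: body declared as an icon but carrying the BMP signature,
# with 13 bytes beyond the 8 declared by Content-Length.
SAMPLE_MISMATCH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/x-icon\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"BM8\x00\x00\x00\x00\x00" b"trailing-data"
)

# Constructed sample: a consistent ICO header with a matching Content-Length.
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/x-icon\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"\x00\x00\x01\x00\x01\x00"
)

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_MISMATCH):
        print(audit(raw) or ["consistent"])
```

Run against a live response with audit(fetch_raw(host, path)); an empty result means the response is exactly the file the headers describe, which is the situation the thread's local-scan test already points to.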

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Re: False Positive on AFF chat page?
« Reply #19 on: November 12, 2005, 09:51:37 AM »
Pls delete
« Last Edit: November 12, 2005, 10:54:36 AM by Trial_user »

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Re: False Positive on AFF chat page?
« Reply #20 on: November 12, 2005, 10:50:12 AM »

Quote
What I did mean by the icon file is not that it's sending you just a plain icon, or that there is anything in the icon file that in itself has any impact. It is possible to set up the server to send something else next to the icon file, which you won't pick up plainly by downloading the file.

I suggest going to a DOS prompt and loading up Telnet against the server and port number, and I think typing GET (...file name with directory structure). I think that is the one; I have an ebook which lists in great detail HTTP connections and using other methods than a browser to obtain the header information that goes back and forth which isn't visible in the HTML. There is even a proxy style program you can place in between to grab the header before it's sent and alter it. There are many types of vulnerabilities that reside in the HTTP headers.

This is no voodoo magic my friend. "send something else next to the icon file"...."the header information that goes back and forth which isn't visible in the HTML". I mean, obviously you are referring to 2 things which must be named. 1- Content of headers 2- Packet headers. These are 2 different things.

You are implying specially crafted packets and headers, with buffer overflows and privilege elevation, etc, but this has nothing to do with VBS.Jscript.worm - AVAST will not react to only the header of my code and will react to my code LOCALLY - it also needs the window.open part, which proves we are not talking only about stuff parsed in the html head - , nor does it actually react right away to the chat room code, it'll take a minute or so. In any case your point is moot since AVAST traps my code LOCALLY as containing a virus....I paste the code I put in my first post in notepad and scan the file with the shell extension... so there's no header stuff or anything. It is important to read the facts before speculating - were this a test you would have failed miserably. This is a lesson - read the facts. You can cut your network cable, paste my code to notepad then scan the file, it'll be trapped by big-mouthed AVAST... and he will bark VBS.Jscript.worm...!!!! Must be some hidden matrix signal in the tcp/ip ... in between 2 layers!!! Go Neo!

"loading up Telnet against the server " Man, this is right out of a comic book... :o you're an extra for the Hackers movie or what? ;D do you think I can "telnet" that commercial server? This is not Mission Impossible. GET a brain. lollllll This is so good! Yes I can read the packet content and headers using tools like etherpeek etc. so what? You want me to parse that garbage and look for what... your naked picture? I don't have to prove that there is no virus here; rather, once I think I have a well documented false positive, a support staff minimally concerned about their product and willing to respond to good questions instead of hiding behind newbies' questions should confirm if this is a virus or not. Here, no one has confirmed anything nor dares anything, as if I were talking about area 51. Lame this is. We must always remember there is always an explanation in IT, and I don't like that concept of technological speculation babble rambling... with half-baked junk. It is obvious ppl here behave like they know but they're just clueless, most of the time well intentioned though... In my firm you could work xeroxing documents and things like that, bringing me nice coffees, and that would help ;) ;D Using you guys in my IT department, I would be bankrupt by now!

 I can only stress again that it is not by forwarding this idea that it is "cool" because your AV traps more false-positives than others that we help users. Are you wearing AVAST pins or caps, or bling? You guys think you're part of this cool bunch of virus super-heroes with their smart AV that "sees more things" than other AV... like daredevil....or is it the Million dollar Man Steve Austin??  nah, you're just suffering from a case of bad coding and ignorant fellow users and silent support staff who tell me: "Wait for a new def update", and it's been like 10 wtf.... wake up ppl. Your AV traps my harmless garbage script. I'm trying your software and helping along the way, and I deserve a nice little post.. don't you think?

Avast should correct this false positive or demonstrate that my code is harmful. Attempts at techno-babble will fail with me, as I am not easily impressed, and I am a professional, for one. It is doubtful any of you would pass an entry CCNA exam or C++ or even MS TCP/IP... or a college SAT for that matter! There are many nice books readily available. College education is possible. It is possible to not say dumb things even without a degree. If you collect MS's little hologram cards, at some point you can call yourself an "engineer" lolllllll With reserved speech, limiting oneself to his own limited knowledge and not trying to impress ppl with techno-babble, we can discuss and come up with some answers. Weak reasoning, panic, secret agent cult AV club mentality is for dummies.

It is amazing that in a week or so no one in the support team can write anything interesting... I mean, if I worked there I'd find that fun, investigating a well documented issue. But no, I get the general verbiage and speculation from "power" users. When will someone with minimal knowledge of html/javascript take a look at this and stop speculating? Ppl are ready to tell me that the matrix is for real instead of just agreeing with me that there is no virus in my code, simply because they like Avast - I mean, come on - avast is not perfect and I get the "you should parse the packets during html communication to capture the bit that triggered avast" and jokes like that. Children, leave the matter to grown-ups. When will I get someone's attention?

But thanks anyway for the half-baked effort :D Better than support staff! I found it pretty imaginative.... I'd try maybe Newline or Paramount... good luck!
Trial_User until more and more soon uninstallation
« Last Edit: November 12, 2005, 11:01:00 AM by Trial_user »

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Well, it's been some time... it's clear I will get no intelligent replies whatsoever. It stinks. I have uninstalled Avast from my computer... Avast may look pretty good, and it "may" be, but it doesn't have such a small footprint, and I find it slows down my pc quite a lot, on top of the false positive and the lame support - but make no mistake, my forum experience is very good though, elevating ppl's thinking, crushing lame solutions provided by incompetent or ignorant ppl :P :o 8) :-X Some ppl are really  :-X :o ;D ??? f.. ::) :-X :-* ??? clueless about it... for them, Avast is great because it takes care of their need for false positives since they are really dying for something to shake their day, like an unknown virus in a simple script of a commercial website used by millions of people.... and avast provides. They'll find tons of viruses to brag about, like that tag team trio that brought this "virus" to my attention and which I have documented for you here to steer you maybe towards college education or prepare you for some SAT or sth like that. Yep, they have the privilege of having discovered a virus that does nothing at all.... I mean, I say it's a virus because Avast trapped it... hell, it even traps it when I remove all potency from the code...  so yeah, saying window.open at the same time as requesting favicon.ico will kill you!!!

I have uninstalled big-mouthed Avast nonetheless. I'll admit Avast looks cool... I have set the resident scanner to verbose mode and I saw it scanning all those files... and it looked almost like this tool from Sysinternals to see OS file and process activity in real time! COOL! :P :-* :D Jaja

What else should I say? That this new virus we should call VBS.Jscript.window.open.favicon.AFF is really a great discovery by Avast... I mean, AVG doesn't see it, NAV neither, Kaspersky no, Panda no, McAfee no, TrendMicro no.... Avast YES! So I guess I'll have to side with all of you and say that yeah, this is really a virus, it's spreading all over the place.... hidden between tcp and ip, in that layer you know, in the headers of this all. You guys should sniff all those packets that go through your pc for all malformed and irregular packets, and if you see sth wrong, open your mouth and swallow. Then you will be very cool and you can come here and post your theories :o :o ;D :o :-\

You better believe in college education!
Thanks for your "support"
Trial_user uninstalling as he is writing this.... support staff, you may reply within 2 mins and I may press the cancel button!

Offline Cloussau

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 897
  • AVAST! antivirus with balls
how did you go finding that friend?
sys- p4  3.0D ,  1024mb ddram ;arsenal :Avast IS 5.0 pro / Firefox / adblock /noscript : win xp/pro/sp3 32 bit

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Well, Inspector.... I have to admit I'm still waiting... since Avast almost convinced me there was a virus in that chat room there, I couldn't go anymore... so I couldn't find a friend you know.. :'( :( :-X So I had to resort to the only place where I can meet cool people with neat ideas on the world of viruses!!!! Avast "support" forum and its knowledgeable users!!! ???

And so far so good, I'm getting tons of IMs thanks to ppl here who find my comments refreshing and my brilliant mind quite a turn on. I clearly see you're part of the crowd!!! :-* :-*

Thanks to Avast, I let go of my search for a date and became an undercover weird virus hunter and avast support post specialist and I can now do the rest solo...!!! Thank you avast!!! This is better than personals! Guess that's why your engine trapped the code, to convert me to the Avast support forum!

Thank you, friend!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Boy! Somebody really needs to get out more!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Quote
Boy! Somebody really needs to get out more!
Thanks for your enthusiasm! I wonder if you were always as spiritual in those 725 posts you wrote... or is your pointlessness only limited to this single post? I am flattered by your flatness.

Clearly if you cannot see beyond what I wrote and elevate your thinking and want to remain a first degree avast false positive evangelist, you should go out more:) I note you have like 725 posts! I have some 15. Have a nice day! :-X

p.s. Why not comment on the issue? What do you think of window.open... should it be trapped by Avast? Erectile diff?
« Last Edit: November 19, 2005, 12:04:28 PM by Trial_user_Uninstalling_Avast »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
I'm serious. Turn off the computer and get some fresh air, you'll feel better.

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Quote
I'm serious. Turn off the computer and get some fresh air, you'll feel better.
I'm serious too:) I don't take orders like that. Who are you to say... mind your own air fellow evangelist... :)

If you had taken even a second to read my analysis you would see I can challenge anyone technically but you hide behind vile words and sloppy rhetoric. Can you at least understand what I wrote initially or are you just pointlessly replying to my more humorous comments? Please don't be a sissy... I am no threat... I will never miss going out or taking some air for 726 posts like you ;-) Thank you for your concern... it is very much appreciated. A medal could be appropriate...

Thank you for behaving,
I advise college education for manners,
you may also elect training from home, and ask people about "behaving" and things like that!
Enjoy!
« Last Edit: November 19, 2005, 12:13:17 PM by Trial_user_Uninstalling_Avast »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
You have made your point with your posting and throwing insults around achieves nothing.


Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
I just want to clarify here that no insult was intended. But I will not take orders.

The fact is, I just want a satisfactory answer and nothing would please me more than avast or anyone serious addressing the problem forthwith and with a minimum of knowledge.... have you read some of the replies I had? It's been like 15 updates + and still no one has even really acknowledged the issue! What the ??? is that?

Quote
We should not multiply the beings pointlessly
It is important to stick to the point at hand. As for me, I have detailed and documented amply my experience with avast and it may be a real good piece of soft but I can't chat on my site with it....I must be really infected by now!!! Virus!!! Virus!!!

People talk about their revised hallucination of tcp\ip and magic in html headers... I say:
Quote
It's like in a cv, you stick to what you know or you know someone will stick it up your  :o

But it's nothing personal, it's an acquired taste!
Take care!
Almost done uninstalling.... a few mins left...!
« Last Edit: November 19, 2005, 12:30:54 PM by Trial_user_Uninstalling_Avast »