Hi!
Background: I get a pop up warning me of a VBS.Jscript type virus when after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of it's argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.
Well, I decided to analyze your engine's behavior in the code I sent to your support team, by removing/adding tidbits of code and rescanning to see what triggers the positive.... as funny as it may sound, there seems to exist many conditions to create a trap for your engine in the context of the code I hereby supply and I get the funny feeling this has been hardcoded in your engine. I'm using the latest free home edition, with the latest definitions db on WinXP SP2, latest patches. The conditions I note are as follows:
1- Request of favicon.ico in the head section of the html page - really, the name of the file itself.
2- Standard html comments <---! with string numbers date/version of their page I guess
3- <script> declaration with function declaration + window.open (even with partial code and no argument passed to window.open)!!!
Have you hardcoded these conditions in your engine? That would be some strange and funnily liberal interpretation of some of the Code Red symptoms, server side.... For what purpose? I noticed if I put another name than favicon.ico, then your engine no longer sees a virus. The favicon.ico in question is 2kb and does not contain viral code as your engine doesn't flag it. Note that I can omit language=javascript and arguments passed altogether but window.open seems another condition as your engine no longer traps if I remove that code. I mean, I'm not asking if this is a virus. I know it's not, I'm just wondering, as a trial user, why should I continue using your product if hardcode in your engine creates such flaky false positives?
I mean, if I were not a power user, extremely familiar and proficient field, I would go around tell all my friends I found a virus when in fact this is the consequence of a poorly coded routine in a heuristic scanner, I guess... unless this is really a virus?
I mean, we all know favicon.ico is used to add a website to the favorites list in IE and we also know that html comments are just comments and that declaring window.open is not enough in itself to warrant an alarm, or is it? I wonder if an engine that considers this code viral is of any service to low-level users, who will waste lots of time dealing with false positives and warning others, and ppl like me wil waste time explaining and debugging, which is why I come to you now.
Please reply promptly, as I need confirmation on your part that my analysis is correct. No engine is perfect I know. Don't get me wrong, I'm trying the product, free, and I like many things I see in it. Please be technical if you answer this mail as I have no use for general support jargon.
Thanks in advance,
A trial user wondering,
Code (if I put that in notepad and save and scan, this is detected as VBS.Jscript/virus/worm):
<html><head>
<link rel='shortcut icon' type='image/x-icon' href='
http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'><meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
window.open( );
}
</script>
