Author Topic: VBS:Malware-gen  (Read 198245 times)


reodis

  • Guest
Re: VBS:Malware-gen
« Reply #105 on: June 23, 2008, 03:06:03 AM »
Seems no one has had this problem for a while. I installed Avast! on a friend's system a while ago and she called me up today to say that she got this message when she went to the Yahoo main page. I assured her it was a mistake but to make sure, I told her to scan her whole computer. She did and came up with no viri or malware. I advised her to try to go to other websites. She successfully went to 5 or 6. She even went to other Yahoo! websites. It was just when she typed in "http://www.yahoo.com/" that she got the warning and the option to "Abort Connection". Just because I was curious, I did it myself. I too got the message that a "virus" was found when I went to the site. It's funny that the URL showing is "http://www.yahoo.com/" but the Avast Warning indicates "http://www.yahoo.com/\unp34785754". Fooling around, I find the numbers at the end change every time I connect to this page. I believe I have the latest VPS version (080622-0, 06/22/2008) even though previous posts on this thread indicate it was a False-Positive and would be fixed in the next VPS version - and that was months ago.

The reason this is important is because this friend knows just about enough about computers to ask the most stupid questions (a la, "What kind of bait do I use to get rid of that mouse pointer?") You know, you've met computer users like that. It took 20 minutes to get her off the phone after I showed her how to do a scan. She has a 250GB drive and wanted to stay on the phone until it was done. This is even though I told her what to expect if she FOUND a virus/malware and told her to call me back if that happened. Anyway, I'm stuck with her for another 11 months (contractual phone/home technical AND hardware support), but she's driving me nuts. ???

Casper34

  • Guest
Re: VBS:Malware-gen
« Reply #106 on: June 23, 2008, 03:23:55 AM »
I got the same msg too. First it was on my dad's comp. I looked to see what VPS he was running, it is 080622-0. I was running the next older one, I went to www.yahoo.com with no problems. Then I did a manual update, went to Yahoo and got the msg. File name: http://www.yahoo.com/\unp150501928 This only happens when you type the URL in or click on a link. I can access my mail through YahooIM with no problems. BTW we are both running Avast 4.8 Pro.

:EDIT: As soon as I posted this, there was an update. 080623-0 seems to have fixed Yahoo. :EDIT:
« Last Edit: June 23, 2008, 03:29:08 AM by Casper34 »

arecus

  • Guest
Re: VBS:Malware-gen
« Reply #107 on: July 13, 2008, 10:24:40 AM »
I run two websites, www.labki.pl and www.laboteka.pl, and receive many messages from Avast users about bugs found. Other users have no problems; could you please check the sites?

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #108 on: July 13, 2008, 10:52:16 AM »
Do you know what the purpose is of the huge encrypted javascript stuff at the end of the frontpage?

arecus

  • Guest
Re: VBS:Malware-gen
« Reply #109 on: July 13, 2008, 11:15:16 AM »
As I'm not very experienced, I'm not sure what you are asking about. There should be typical elements for Joomla only and additionally Google Analytics, nothing more.

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #110 on: July 13, 2008, 11:22:58 AM »
After the analytics, there is one line with obfuscated and encoded javascript, about 6KBs long. Highly suspicious and since you don't know what it is about?

arecus

  • Guest
Re: VBS:Malware-gen
« Reply #111 on: July 13, 2008, 11:34:45 AM »
There is nothing I know about. Analytics is added to the HTML of the template and there, it looks, is nothing more than required, no unexpected scripts after it.

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #112 on: July 13, 2008, 11:41:01 AM »
Load the homepage and then inspect the source code...

<script language="javascript">$="%64b%3d%22%3c7`7%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%

zoomphoto

  • Guest
Re: VBS:Malware-gen
« Reply #113 on: July 13, 2008, 11:31:08 PM »
Any idea what could be causing this warning on my site: www . zoomphoto . ca

it was reported by a user today.

The site is custom coded... not an off the shelf software package.

Thanks,
« Last Edit: July 22, 2008, 12:42:11 PM by Maxx_original »

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #114 on: July 13, 2008, 11:34:18 PM »
The very same thing as for the user before you. There is something huge and encrypted at the end of the homepage, after the Google Analytics. Do you have an idea what it may be?

zoomphoto

  • Guest
Re: VBS:Malware-gen
« Reply #115 on: July 14, 2008, 12:11:04 AM »
No clue!  I just removed it... time to change the root pw on the box!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: VBS:Malware-gen
« Reply #116 on: July 14, 2008, 12:59:36 AM »
You might want to report this to your host, as I doubt that your site was alone; if they can do it to you, they in theory could and would do it to other hosted sites.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

zoomphoto

  • Guest
Re: VBS:Malware-gen
« Reply #117 on: July 14, 2008, 01:02:09 AM »
I am my own host, and own my own servers... I've already changed root... now it's just searching through logs... yay!

It was phpfake that I was hit with... or so the function was named.
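
The check kubecj walks both site owners through above (view the page source and look for one very long, encoded inline script after the Google Analytics snippet) can be run over saved copies of a page. This is an added example, not part of the original thread and not Avast's detection logic; the function names, thresholds and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

PCT = re.compile(r"%[0-9A-Fa-f]{2}")
SINKS = re.compile(r"\b(unescape|eval|document\.write|fromCharCode)\b")

class InlineScripts(HTMLParser):
    """Collect (start_line, body) for every <script> without a src attribute."""
    def __init__(self):
        super().__init__()
        self.found, self._line, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._line, self._buf = self.getpos()[0], []
    def handle_data(self, data):
        if self._line is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._line is not None:
            self.found.append((self._line, "".join(self._buf)))
            self._line = None

def suspicious_scripts(html, min_line=1024, min_density=0.3):
    """Flag inline scripts with a long line that is mostly %XX escapes."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    hits = []
    for line_no, body in parser.found:
        longest = max(body.splitlines() or [""], key=len)
        density = 3 * len(PCT.findall(longest)) / max(len(longest), 1)
        if len(longest) >= min_line and density >= min_density:
            hits.append({"line": line_no, "length": len(longest),
                         "density": round(density, 2),
                         "sinks": sorted(set(SINKS.findall(body)))})
    return hits

# Constructed sample: analytics snippet, then a ~6 KB encoded one-liner (harmless filler).
BLOB = "".join("%%%02x" % ord(c) for c in "benign filler " * 150)
SAMPLE = (
    "<html><body>\n<p>Welcome</p>\n"
    '<script src="http://www.google-analytics.com/ga.js"></script>\n'
    '<script>var pageTracker = _gat._getTracker("UA-0000000-0");</script>\n'
    '<script language="javascript">$="' + BLOB + '";</script>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    print(suspicious_scripts(SAMPLE))
```

A hit only says the markup deserves a manual look; comparing the flagged file against a known-good copy of the template shows whether the line was added after deployment.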

visionex

  • Guest
Re: VBS:Malware-gen
« Reply #118 on: July 22, 2008, 12:09:23 PM »
Hi,

I have some members on my website who have the same problem on this site: hxxp://www.internetdvd.org
"Nom du fichier : hxxp://internetdvd.org/
Nom du logiciel malveillant : VBS:Malware-gen
Type de logiciel malveillant : Virus/Ver"

I have Kaspersky and I have no problem.

Thanks for looking at and correcting the problem.

PS: Sorry for my English, I'm French ^^'
« Last Edit: July 22, 2008, 12:41:39 PM by Maxx_original »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: VBS:Malware-gen
« Reply #119 on: July 22, 2008, 02:38:49 PM »
Your English is fine.

I wasn't able to get a look at the page source (using FF 3.0.1) as it didn't display, just displays a blank page, so if this is a measure to protect against stealing content, it also stops checking.

There is an auto redirect to display hxxp://internetdvd.org/catalog.php, so I couldn't see if the problem is at hxxp://internetdvd.org/ or the catalog.php page. PHP is vulnerable to hacking, so I don't know if you have checked your pages for unknown code.

I have reported it as a possible false positive, but I don't know if they won't hit the same problem I did.