VBS:Malware-gen

[kubecj]

visionex, check your security, you've been hacked. Check your index, there is some huge dirty encrypted thing after the Analytics code.You may also want to search for 'phpfake' in your sourcecode.

[krubach]

Hello guys,

I have several members of my website that use Avast! reporting me that Avast warns about VBS:Malware-gen trojan on my frontpage.
The url is http://f1portugal.com .
AFAIK there is no suspicious code in the frontpage, but maybe Avast is suspecting the DHTML code i put there.

Please let me know if it is clean, so i can assure people it's safe.

TIA

[kubecj]

Sorry, it's not. We're getting a script, most probably in the redirection?

Code: [Select]

<script language=JavaScript>var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abR

[krubach]

Ok. Thank you very much for helping me. I'll check that out.

[jimjams88]

I am getting an Avast VBS:malware warning for our site http://www.tangira.com.

My VPS is 080723-0 (programme build 4.8.1227).

Can you please advise?

Thanks!

[kubecj]

Do you know what is the encrypted stuff at the end of your webpage, after the analytics code?

[krubach]

Sorry, it's not. We're getting a script, most probably in the redirection?

Code: [Select]

<script language=JavaScript>var kco=" shapgvba hmdvx(oz){ine fz,we=\"{v^abR

Thank you very much for pointing me in the right direction kubecj.
Problem solved now.

[jimjams88]

Kubecj - I don't as I didn't design the site. There has never been a problem before in accessing before though? I can check with the designers if you think it's suspicious. Is there any way to tell (given it's encrypted).

[kubecj]

Basically it's encrypted iframe pointing to 202.164.52.199. That's a site somewhere in India.

[Vlk]

Basically it's encrypted iframe pointing to 202.164.52.199. That's a site somewhere in India.

In other words, _most_likely_ a code injection that you were unaware of...

[jimjams88]

OK - thanks a lot for the advice. I have deleted the offending code and the site loads fine now. (also changed the CMS panel passwords!)

[visionex]

visionex, check your security, you've been hacked. Check your index, there is some huge dirty encrypted thing after the Analytics code.You may also want to search for 'phpfake' in your sourcecode.

http://www.internetdvd.org isn't my site ^^
I just don't understand why BitDefender, Kaspersky and others antivirus detect none virus except Avast

[kubecj]

Right now it's clean, that's why they don't detect anything now. OTOH, our script malware detection is quite good, I'd say.

[Lisandro]

OTOH, our script malware detection is quite good, I'd say.

Congratulations. Keep your good work.

[decadechild]

I have a forum showing up the same Virus/Worm.
hxxp://www.syaoregon.us/forum

The url that Avast! shows is:

Code: [Select]

http://www.syaoregon.us/forum/\unp263177177VPS version: 080725-1, 07/25/2008

It's an outdated SMF forum. All links to it show up infected. This is just too weird.
All other sites & SMF forums work fine for me.