Author Topic: VBS:Malware-gen  (Read 198418 times)


Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: VBS:Malware-gen
« Reply #60 on: February 15, 2008, 09:23:02 AM »
False positive detection on http://www.ziza.ru/ will be corrected in next vps update. Thanks for attention.

lazor

  • Guest
Re: VBS:Malware-gen
« Reply #61 on: February 16, 2008, 06:48:58 PM »
No matter what I do this will not go away. Can anyone help?
Thanks
Bob
C:\Documents and Settings\ROBERT LAZOR\Local Settings\Temporary Internet Files\Content.IE5\SPOH6J05\check[1].js
C:\Documents and Settings\ROBERT LAZOR\Local Settings\Temporary Internet Files\Content.IE5\SPOH6J05\check[2].js
Malware name VBS:Malware-gen
Malware type Virus/Worm
VPS version 080215-0, 02/15/2008

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #62 on: February 16, 2008, 06:57:27 PM »
They're in your cache, so delete the cache (Temporary Internet Files) and this should go away. If they reappear, that means that you don't have Webshield turned on and they're getting downloaded and most probably executed.

If you want them checked, please send them to virus@avast.com and tell us we're catching them as a virus. But you may also want to check them using Virustotal for the detection of the other antiviruses.

hawick

  • Guest
Re: VBS:Malware-gen
« Reply #63 on: February 18, 2008, 07:47:52 PM »
My webshield is on but I am getting several of these BV:Malware-gen thingies too.

Apologies for the dumb questions; what sort of dangers do they pose? Also, what do you mean by 'delete the cache' and how do you do this?

EDIT: When the scan finished the items were successfully moved to chest; is it safe to just leave them there?
« Last Edit: February 18, 2008, 09:02:26 PM by hawick »

tVadio

  • Guest
Re: VBS:Malware-gen
« Reply #64 on: February 20, 2008, 04:19:12 PM »
I run the website http://www.tVadio.com
 
Avast has been reported by a number of users to be providing a false positive virus announcement stating tVadio has the VBS:Malware-gen virus.
 
Could you please fix this or let me know if there is anything I need to do.

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #65 on: February 20, 2008, 04:29:23 PM »
After the end of </html> of site tvadio.com, there is added JavaScript, with an encrypted string which contains a hidden iframe pointing to salevisitor.net. This is highly suspicious. Do you know about the code?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: VBS:Malware-gen
« Reply #66 on: February 20, 2008, 05:02:58 PM »
avast! is not the only AV to detect malware on the page:

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.2.20.0   2008.02.20   -
AntiVir   7.6.0.67   2008.02.20   -
Authentium   4.93.8   2008.02.20   -
Avast   4.7.1098.0   2008.02.20   -
AVG   7.5.0.516   2008.02.20   -
BitDefender   7.2   2008.02.20   -
CAT-QuickHeal   9.50   2008.02.18   -
ClamAV   0.92.1   2008.02.20   -
DrWeb   4.44.0.09170   2008.02.20   Trojan.Click.4756
eSafe   7.0.15.0   2008.02.17   -
eTrust-Vet   31.3.5550   2008.02.20   -
Ewido   4.0   2008.02.19   -
FileAdvisor   1   2008.02.20   -
Fortinet   3.14.0.0   2008.02.19   -
F-Prot   4.4.2.54   2008.02.19   -
F-Secure   6.70.13260.0   2008.02.20   -
Ikarus   T3.1.1.20   2008.02.20   -
Kaspersky   7.0.0.125   2008.02.20   -
McAfee   5233   2008.02.20   -
Microsoft   1.3204   2008.02.20   -
NOD32v2   2889   2008.02.20   -
Norman   5.80.02   2008.02.19   -
Panda   9.0.0.4   2008.02.20   -
Prevx1   V2   2008.02.20   -
Rising   20.32.22.00   2008.02.20   -
Sophos   4.26.0   2008.02.20   Mal/Iframe-F
Sunbelt   3.0.884.0   2008.02.19   -
Symantec   10   2008.02.20   Downloader
TheHacker   6.2.9.224   2008.02.19   -
VBA32   3.12.6.1   2008.02.17   -
VirusBuster   4.3.26:9   2008.02.19   -
Webwasher-Gateway   6.6.2   2008.02.20   -

(I guess Webshield must decode unescape where the scanner at VirusTotal doesn't.)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: VBS:Malware-gen
« Reply #67 on: February 20, 2008, 05:08:33 PM »
The encrypted link is infected too:

tVadio

  • Guest
Re: VBS:Malware-gen
« Reply #68 on: February 20, 2008, 08:08:15 PM »
Quote
After the end of </html> of site tvadio.com, there is added JavaScript, with an encrypted string which contains a hidden iframe pointing to salevisitor.net. This is highly suspicious. Do you know about the code?

No, I do not.

I downloaded a local copy of the homepage code and found this:

Code: [Select]
<script type="text/javascript">
<!-- -->
<!--
document.write(unescape('%3C%69%66 ...snip... %6D%65%3E'));
//-->
</script>

I got rid of that code and it is now fine.

Any explanation - I certainly did not put that code there.

How did you figure out it was from salesvisitor.net?
« Last Edit: February 20, 2008, 08:19:36 PM by kubecj »

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #69 on: February 20, 2008, 08:18:49 PM »
Quote
I got rid of that code and it is now fine.

Any explanation - I certainly did not put that code there.

You've been hacked. There is a non-zero probability that such code or similar will be there again sooner or later. You should check all of the software you're using for potential security issues. There is also a probability that there is some other kind of malware somewhere.

Quote
How did you figure out it was from salesvisitor.net?

We've got tools for 'decrypting' such stuff.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: VBS:Malware-gen
« Reply #70 on: February 20, 2008, 08:58:38 PM »
Quote
We've got tools for 'decrypting' such stuff.

Very James Bond, but your tools are also available online:

http://www.linkedresources.com/tools/unescaper_v0.2b1.html

 ;D

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #71 on: February 20, 2008, 09:02:11 PM »
Quite possible. I put it in quotes, because it's a really simple script (except that it does automatically extract all unescape sequences and print them without any manual work). No rocket science employed here  ;)
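
A sketch of the kind of script described in the post above, as an added example that is not from the thread and is not Avast's tool: it extracts every `unescape('...')` literal from a page, percent-decodes it, and lists any iframes in the result, noting whether the call sits after `</html>`. The sample page and the host `example.invalid` are constructed placeholders, and `scan_page` and `IframeCollector` are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Captures the string literal passed to unescape('...') or unescape("...").
# Limitation: unquote() handles %XX only, not JavaScript's %uXXXX form.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S | re.I)

class IframeCollector(HTMLParser):
    """Collects src, host and a 'hidden' flag for each <iframe> in the markup."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        src = a.get("src", "")
        self.frames.append({"src": src, "host": urlparse(src).hostname,
                            "hidden": hidden})

def scan_page(html):
    """Decode each unescape() literal and report the iframes hidden inside it."""
    end = html.lower().rfind("</html>")
    findings = []
    for m in UNESCAPE_CALL.finditer(html):
        decoded = unquote(m.group(2))
        collector = IframeCollector()
        collector.feed(decoded)
        findings.append({"after_html_close": end != -1 and m.start() > end,
                         "decoded": decoded,
                         "iframes": collector.frames})
    return findings

# Constructed sample: a percent-encoded iframe appended after </html>.
_PAYLOAD = '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
SAMPLE = ("<html><body>ok</body></html>\n<script>document.write(unescape('"
          + "".join("%%%02X" % b for b in _PAYLOAD.encode()) + "'));</script>")

if __name__ == "__main__":
    for f in scan_page(SAMPLE):
        print(f["after_html_close"], [(i["host"], i["hidden"]) for i in f["iframes"]])
```
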

simple-it-solutions

  • Guest
Re: VBS:Malware-gen
« Reply #72 on: February 21, 2008, 11:16:20 AM »
We are getting a false positive on http://www.littlemonkey.co.nz , VPS version 080220-0, 20/02/2008. Could you look into this?

Regards

Graham.

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: VBS:Malware-gen
« Reply #73 on: February 21, 2008, 03:08:42 PM »
Alert on http://www.littlemonkey.co.nz is not a false positive. Probably when your server redirects to another location, it sends suspicious code with an encrypted iframe with the following address:
http://tipocnt.com/....

Do you know this server?


simple-it-solutions

  • Guest
Re: VBS:Malware-gen
« Reply #74 on: February 21, 2008, 06:13:57 PM »
Whereabouts in the code have you found a reference to http://tipocnt.com/?

I have downloaded all the scripts for the home page and cannot find a reference to this server in the code. Are you sure you are correct?

If so do you know which script may be infected?

Regards

Graham.