VBS: Malware-gen at my site

[adrive]

Hello.

Some users noticed me about Virus/worm that reports avast when they will visit any content from http://hip-hop.sk

I have no idea what should be wrong.

From one user I got this detail about it:
Internet Explorer 7
Avast! version 4.7 professional , virus database 21.3.,
Virus name: VBS: Malware-gen
Malware type: virus/worm
VPS Version:        080321-0, 21.03.2008

I have a thick knowledges about viruses, therefor I installed into VirtualBox some Windows XP with latest free Avast Home, but I got no warning.

I think that this is false positive. What should I do?

[Lisandro]

If it is a false positive, you can temporarily add the URL to WebShield exceptions.
Hope they correct it soon.
Dr. Web and LinkScanner come back clean when scanning that page.

[rdmaloyjr]

I didn't get any alert from avast! when surfing http://hip-hop.sk , but I use Opera browser.  Many times when I click on sites that members report fp's from, I often don't get alerts.  Opera seems to be immune to some fp's, really it's just that the fp's affect Firefox & IE in those cases.

[DavidR]

I too didn't get any alert using firefox (noscript allowed for the site) perhaps you can try with the latest virus signatures, 080322-0, right click the avast 'a' icon, select Updating, iAVS Update and see if you are still getting the alerts.

DrWeb link scanner doesn't find anything on the url you gave above either.

[Lisandro]

I'm not receiving any alert from WebShield now...

[rdmaloyjr]

Some fp's only affect certain browsers...
http://forum.avast.com/index.php?topic=33947.msg283760#msg283760

[Lisandro]

Some fp's only affect certain browsers...
http://forum.avast.com/index.php?topic=33947.msg283760#msg283760

Tested IE and Opera and both return clean...

[heathdew2006]

This morning my wife started losing all of her browsers as she was logged on, when she went to network places to look for a problem with our home network it was gone on her computer. After running thru all the tests everything checks out fine. However when she reboots her computer avast alerts her to the VBS:Malware-gen at my site. No matter how she tries to remove it, even running a sweep in safe mode she can't get rid of it. Don't know if her losing her network and the VBS are a coincedence or not. Our provider told her it's a hardware problem even though everything test ok. Any thoughts or comments would be greatly appreciated. Also don't know if it's a coincidence or not but it all started right after avast automatically updated on her computer. Thank you.

[DavidR]

What is the site URL that the alert is on so that it can be checked ?

When posting the URL, please break it so that it isn't active (avoiding accidental exposure) or instead of the http use hxxp, e.g. hxxp //: www .example-url.com/index.html, etc.

The infection isn't on her system as the alert is on your site and was intercepted by the Web Shield provider. The only option given on the alert would be abort connection (see image example), this stops the infected file/page from being downloaded, so she won't find it.

[heathdew2006]

Was not on a site. The alert pops up on computer start up.

[DavidR]

Was not on a site. The alert pops up on computer start up.

I'm confused now, as this was in your first post ?

However when she reboots her computer avast alerts her to the VBS:Malware-gen at my site.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx, may also be a URL, if so break it up as previously suggested) ? 

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

[paddybudg]

Hi, I am new to this forum but I have started to get this "VBS:Malware-gen" warning against one of my sites also!
The site is http://www.karenwilson.net and if you select the Gallery link.  From within that page, if you select any of the gallery items (basically load the list.php page) then I am getting the Virus warning.  This happens on the live site and also my local hosted test site?  I cannot see any "extra" dangerous code.

I only updated to v4.8 of avast yesterday and since then this has started.  Please can you help.

[psw]

Probably it is false positive (e.g. for the page http://www.karenwilson.net/gallery/list.php?cID=2 ). It is curious to obtain VBS:Malware... message for a page without any VB script, JS only.
More specifically false positive in the following code, if you comment this alert wll gone

Code: [Select]

function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}


[paddybudg]

hi psw, thanks for that.  i agree as i have a similer site that has no issue with that code !!  I did comment it out and sure enough no virus warning ??  any ideas?
Its strange that its started after I have installed v4.8 also ?

[paddybudg]

Just to post my details also  ...
- Vista Ultimate (with SP1 and patched todate)
- IE7 (Patched todate!)
- Avast 4.8 Home Edition (build Apr2008 (4.8.1169))
- VPS Compilation date: 01/04/2008 version 080401-0