Author Topic: VBS:Malware-gen warning when visit a site  (Read 11013 times)

Reinger

  • Guest
VBS:Malware-gen warning when visit a site
« on: August 29, 2008, 01:45:33 PM »
Hi. I have a warning that the site has VBS:Malware-gen.
But I think the site is normal, can you help me?
link: hxxp://www.yatop.com.ua/

Thanks, Aleksej
« Last Edit: August 29, 2008, 03:05:52 PM by Maxx_original »

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: VBS:Malware-gen warning when visit a site
« Reply #1 on: August 29, 2008, 03:38:08 PM »
Be aware, it is not a false alarm. This exploit brings you several pieces of malware, like a zbot (ntos.exe) variant and several other malware!
MfG Ralf

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: VBS:Malware-gen warning when visit a site
« Reply #2 on: August 29, 2008, 03:57:00 PM »
hello,

Not a false positive; it contains an encoded iframe pointing to a malicious website. You can find it by searching for the string "eval(function(p,a,c".

lind

  • Guest
Re: VBS:Malware-gen warning when visit a site
« Reply #3 on: August 29, 2008, 04:14:26 PM »
Hi Reinger

That site contains malware, positive about that. avast never gives a false/fake alarm about a virus/trojan. If you ignore this alarm and allow it, your computer might be severely damaged; if possible, try choosing another site. Worst of all, your privacy might be violated, giving away your email/credit card and other important stuff.




wyrmrider

  • Guest
Re: VBS:Malware-gen warning when visit a site
« Reply #4 on: August 30, 2008, 12:53:33 AM »
you might benefit from one of the "site adviser" programs
what are you running for protection besides Avast
Firewall?
Script Blocker like "no script"
real time anti malware?
If you are going to try and download from bad places or have unprotected p2p, you are going to need all the protection you can get

Reinger

  • Guest
Re: VBS:Malware-gen warning when visit a site
« Reply #5 on: August 31, 2008, 11:24:54 PM »
Thanks, jsejtko. The guys from this site resolved the problem when they found the eval function in their JavaScript.

wyrmrider

  • Guest
Re: VBS:Malware-gen warning when visit a site
« Reply #6 on: August 31, 2008, 11:55:37 PM »
great result

alevin2352

  • Guest
Re: VBS:Malware-gen warning when visit a site
« Reply #7 on: September 07, 2008, 02:45:59 AM »
I am getting this warning when visiting www.yogavidatucson.com

is this a false positive?

thanks


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: VBS:Malware-gen warning when visit a site
« Reply #8 on: September 07, 2008, 04:04:53 AM »
Hmmm... maybe something is wrong in their scripts and code...
avast is very sensitive to encrypted and not legit malware present in homepages.
Maybe you can wait for the programmers to post what's wrong (if any).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89214
  • No support PMs thanks
Re: VBS:Malware-gen warning when visit a site
« Reply #9 on: September 07, 2008, 03:34:31 PM »
This looks suspect (for javascript) and may be why avast has alerted. I have broken the string from a single line of code so it isn't so long.

Code:
<SCRIPT LANGUAGE="JavaScript">
<!--
function Decode(){var temp="",i,c=0,out="";var str
="60!108!105!110!107!115!62!60!105!32!115!116!121!108!101!61!34!100!105!115!112!
108!97!121!58!110!111!110!101!34!62!60!102!111!110!116!32!115!105!122!101!61!34!
50!34!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')
temp=temp+str.charAt
(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
//-->

However, it will need someone with a better grasp of javascript than I to find out what it is trying to obfuscate.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
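
What the obfuscated string in Reply #9 decodes to can be checked without letting the page's script run. The following is an added example, not part of DavidR's post or the site's code; the function names `decodeCharCodeStrings` and `summarize` are illustrative, and the sample is the posted script with its line breaks rejoined.

```javascript
// Added example: decode "!"-delimited decimal character codes statically.
// The page's own Decode() is never executed (no eval, no document.write).

// The script body from the post, with the forum's line breaks joined back up.
const SAMPLE = 'function Decode(){var temp="",i,c=0,out="";var str=' +
  '"60!108!105!110!107!115!62!60!105!32!115!116!121!108!101!61!34!100!105!115!112!' +
  '108!97!121!58!110!111!110!101!34!62!60!102!111!110!116!32!115!105!122!101!61!34!' +
  '50!34!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!=\'!\')' +
  'temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}' +
  'document.write(out);}';

// Return the decoded text of every quoted run shaped like 60!108!105!...
function decodeCharCodeStrings(source) {
  const results = [];
  const re = /["']((?:\d{1,5}!){4,})["']/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1].split('!').filter(Boolean).map(Number);
    results.push(String.fromCharCode(...codes));
  }
  return results;
}

// Summarise what the hidden markup would add to the page.
function summarize(decoded) {
  const tags = (decoded.match(/<\s*[a-z]+/gi) || [])
    .map(t => t.replace(/[<\s]/g, '').toLowerCase());
  return {
    tags,
    hidesContent: /display\s*:\s*none/i.test(decoded),
    hasUrl: /https?:\/\//i.test(decoded),
    hasFrameOrScript: tags.some(t => t === 'iframe' || t === 'script'),
  };
}

for (const text of decodeCharCodeStrings(SAMPLE)) {
  console.log(JSON.stringify(text), summarize(text));
}
```

For the portion of the string quoted in the post, the decoded text is `<links><i style="display:none"><font size="2">`: hidden markup, with no URL, iframe or script in it.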

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: VBS:Malware-gen warning when visit a site
« Reply #10 on: September 07, 2008, 10:01:32 PM »
David, how do you get this 'code'? I mean, I want to learn how to do it so I can help better.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: VBS:Malware-gen warning when visit a site
« Reply #11 on: September 07, 2008, 11:23:46 PM »
Hi Tech,

I do not know why DavidR tries to scare with this code obfuscation, all it does is just print. Some heuristic may cry about it because it is (very slightly) obfuscated, but all it does is printing really. Real malware can have a similar look, but this code is not. DavidR should not present printing code as suspect code, this could put the user on the wrong footing. Here you have the two-sided sword of heuristics immediately demonstrated,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89214
  • No support PMs thanks
Re: VBS:Malware-gen warning when visit a site
« Reply #12 on: September 07, 2008, 11:31:23 PM »
@ Tech
First you have to be reasonably confident that if there is something malicious on that page you are able to deal with it or limit the potential for damage. Plus avast standard shield and SAS as resident AS and as a last resort you need a system recovery plan, back-up disk images. Better still would be a virtual environment that can be killed if needs be.

I had to pause the web shield to be able to display the page in firefox (with noscript, plus running under DMR). There is a simple right-click option in firefox to view page source; this is also in IE, but there is no way I would use IE for this sort of thing. Then check the page source for <script> tags and/or <iframe> tags. Now you are looking for them to be in strange locations: before the start of the page code <html> tag or after the end </html> tag, e.g. not following html standards, etc.

You are also looking for suspect code, such as that I posted before. It isn't difficult, you have to be very careful and need a little experience of html. Or as I say a little knowledge is dangerous ;D you could get in trouble trying to find any suspect code so the precautions should take priority.

@ polonus
I'm not trying to frighten anyone (bit strange coming from polonus ;D), merely trying to point out what avast may be alerting on, nothing more, nothing less.
Yes it is doing a document write but that could well be a url to be used, but why obfuscate the code, you have to ask why and what they are trying to hide ???
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
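
The source-review steps in Reply #12 and the search string from Reply #2, as an added example that is not part of either post: a check run over saved page source text. The sample page, its placeholder URL and the names `triagePageSource` and `lineOf` are constructed for illustration.

```javascript
// Added example: triage saved page source without rendering or running it.
// Flags <script>/<iframe> tags outside <html>...</html> and the packed-script
// marker quoted in Reply #2. Tags inside HTML comments are counted too.

const PACKER_MARKER = 'eval(function(p,a,c';

// Constructed sample page; the URL and script bodies are placeholders.
const SAMPLE_PAGE = [
  '<!DOCTYPE html>',
  '<html><head><title>constructed sample</title>',
  '<script src="/site.js"></script></head>',
  '<body><p>hello</p>',
  '<script>eval(function(p,a,c,k,e,d){/* placeholder */})</script>',
  '</body></html>',
  '<iframe src="hxxp://example.invalid/" width="0" height="0"></iframe>',
].join('\n');

// 1-based line number of a character offset, for reporting.
function lineOf(source, offset) {
  return source.slice(0, offset).split('\n').length;
}

function triagePageSource(source) {
  const lower = source.toLowerCase();
  const htmlOpen = lower.search(/<html[\s>]/);
  const htmlClose = lower.lastIndexOf('</html>');
  const findings = [];

  const tagRe = /<(script|iframe)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    let where = null;
    if (htmlOpen !== -1 && m.index < htmlOpen) where = 'before <html>';
    else if (htmlClose !== -1 && m.index > htmlClose) where = 'after </html>';
    if (where) {
      findings.push({ kind: m[1].toLowerCase(), where, line: lineOf(source, m.index) });
    }
  }

  for (let at = source.indexOf(PACKER_MARKER); at !== -1;
       at = source.indexOf(PACKER_MARKER, at + 1)) {
    findings.push({ kind: 'packed-script', where: 'anywhere', line: lineOf(source, at) });
  }
  return findings;
}

console.log(triagePageSource(SAMPLE_PAGE));
```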

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: VBS:Malware-gen warning when visit a site
« Reply #13 on: September 07, 2008, 11:56:34 PM »
Hi DavidR,

If you had not started this, we would not have this discussion here, and we will all learn from it and better understand the underlying problematics. We tried to arouse avast attention to these problems in various ways, and we will see what good will come of this?
In the example you give, they are trying to hide nothing malicious there; I have this from the best of sources (NoScript developer Giorgio Maone - he knows his javascript code better than anyone else does, and especially the obfuscated variants of it, he is the best in the field, he has to be).
Probably they wanted to hide the printing code for whatever reason, that is the normal non-malicious use of obfuscation.
What this demonstrates in a grand way is what a two-sided sword heuristics can really be for av engines, and so what is flagged could easily lead to another False Positive. That's why this should be rule based.
If firekeeper in Fx will be further developed we will have a good tool there, and of course coders that code with security at heart,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89214
  • No support PMs thanks
Re: VBS:Malware-gen warning when visit a site
« Reply #14 on: September 08, 2008, 12:32:50 AM »
There is nothing to stop anyone raising a possible false positive detection report on it; you don't have to have a file to attach to it, just email the url to virus (at) avast dot com and a link to this topic.