Author Topic: FP in CF  (Read 11560 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
FP in CF
« on: January 31, 2009, 08:56:52 PM »
Hi guys,

Quote
Sign of "Win32:Oliga [trj]" has been found in "hxxp://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com" file.

That's webshield detection on downloading ComboFix. Same detection on all CF download links.

Thanks

CharleyO

  • Guest
Re: FP in CF
« Reply #1 on: January 31, 2009, 09:00:45 PM »
***

Hopefully, the avast team can fix that real soon.


***

Offline oldman
Re: FP in CF
« Reply #2 on: January 31, 2009, 09:05:54 PM »
Hi CharleyO,
Quote
Hopefully, the avast team can fix that real soon.

Yes. Pausing the webshield is a work around, but sometimes convincing people that it is ok is tougher than the bugs.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: FP in CF
« Reply #3 on: January 31, 2009, 09:51:59 PM »
Hi oldman,


Some av's give it as riskware, but riskware can also be very helpful as a tool in the hands of malware fighters, so that should be going into another category altogether, and should not be put "in limbo" as some av scanners do, but must be excluded real easily or only flagged with an alert and not blocked, because one can ruin things with a hammer and one can also use it to repair!!!

It is because they consider the link to be an attack on the server that Exploit Prevention Lab's LinkScanner won't eat it, in spite of as many captchas as I return, and Norton Safe Web Scanner comes up with the following:
forospyware.com
Summary
• Computer Threats: 5
• Identity Threats: 0
• Annoyance factors: 0
Total threats on this site: 5
• Community Reviews: 2

The Norton rating is a result of Symantec's automated analysis system.
General Info
Web Site Location: United States of America

Norton Safe Web has analyzed forospyware.com for safety and security problems. Below is a sample of the threats that were found.
   
forospyware.com
Threat Report

Total threats found: 5

Drive-By Downloads
Threats found: 4
Here is a complete list:

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\t-57166[1].htm
Signature (MD5): 161ed2c2b35bfbf505aab39faa303e5d
Location: http://www.forospyware.com/archive/t-57166.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\t-6381[1].htm
Signature (MD5): 1609cc41e4795244ed665bdbf587432a
Location: http://www.forospyware.com/archive/t-6381.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W96RIBA9\242496-post1[1].htm
Signature (MD5): a5c756d36502096d8f65e7a58862c4db
Location: http://www.forospyware.com/242496-post1.html

Threat Name: Bloodhound.Exploit.6
File name: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GZKDIZWD\242842-post2[1].htm
Signature (MD5): 83ab222f3c363c1bed492eeeaaeebba6
Location: http://www.forospyware.com/242842-post2.html

Viruses
Threats found: 1
Here is a complete list:
Threat Name: Bloodhound.Exploit.6
Location: http://www.forospyware.com/archive/t-48517.html

Community rating: 5.0, rated by 2 users ("secure and trusted").

User reviews (2):

Anonymous, added about one day ago, rating 5 out of 5:
Forospyware does not contain exploits

It is a completely clean site; on the contrary, it helps remove threats on a non-profit basis.

I think Norton is mistaken.
Anonymous, added 2 days ago, rating 5 out of 5:
forospyware is secure

WEB INFOSPYWARE.COM & FOROSPYWARE.COM ARE GOOD PAGES, VERY SECURE
WOT accepts it, as do Finjan and McAfee SiteAdvisor.

The BadStuff checker hiccup is totally green:
Quote from: IframeChecker
No zeroiframes detected!
Check took 10.93 seconds

(Level: 0) Url checked:
http://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=374
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/yui/connection/connection-min.js?v=374
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_global.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_menu.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/glossary_crosslinking.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_md5.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=es
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://pagead2.googlesyndication.com/pagead/show_ads.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
http://pagead2.googlesyndication.com/pagead/+b+
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
http://pagead2.googlesyndication.com/pagead/+nc(fd(c))+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.forospyware.com/sUBs/clientscript/vbulletin_read_marker.js?v=374
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=es
Zeroiframes detected on this site: 0
No ad codes identified

Hope this helps you, us...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman
Re: FP in CF
« Reply #4 on: January 31, 2009, 10:15:05 PM »
Hi Polonus,

I'm pretty sure it's within the program, not the site.

Try these.

Link 1
Link 2


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: FP in CF
« Reply #5 on: January 31, 2009, 10:30:12 PM »
what does the prep.com file actually?

Offline polonus
Re: FP in CF
« Reply #6 on: January 31, 2009, 10:38:18 PM »
Hi oldman,

That was pretty convincing, helped more than half an hour of discussion.

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: FP in CF
« Reply #7 on: February 01, 2009, 12:20:11 AM »
Quote
Sign of "Win32:Oliga [trj]" has been found in "hxxp://www.forospyware.com/sUBs/ComboFix.exe\32788R22FWJFW\Prep.com" file.

That's webshield detection on downloading ComboFix. Same detection on all CF download links.

I take it that you have sent the file to avast ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus
Re: FP in CF
« Reply #8 on: February 01, 2009, 12:36:15 AM »
Hi DavidR,

The list of other antivirus apps provided shows that roughly half do not flag combofix.
The ones that do flag it all seem to have a different name for it;
2 or 3 label it as a Visual Basic (VB) virus,
and all the others call it something totally different.
So I'd say that they are false positives.
Due to the nature of combofix, and the task it performs,
it may appear to be a virus just because of what it's designed to do.
Here's more detailed info about combofix direct from the folks that created it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
And here's more info about false positives, combofix, and components of combofix:
http://www.bleepingcomputer.com/forums/topic98878.html
That should clear it up for you,

polonus


Offline DavidR
Re: FP in CF
« Reply #9 on: February 01, 2009, 12:43:27 AM »
I just downloaded it and it also pings another file within the combofix.exe file, tail.com

Downloaded to my downloads folder - E:\Downloads\ComboFix.exe\32788R22FWJFW\Tail.com

@ polonus, it isn't uncommon for tools to get pinged.

Offline oldman
Re: FP in CF
« Reply #10 on: February 01, 2009, 02:33:09 AM »
Quote
I take it that you have sent the file to avast
No, I gave them enough links, they can get the entire kit and caboodle.  ;)

Maxx

I don't know what that portion of CF does. Might be a bit simplistic, but the name suggests preparation. CF does kill a few things before it runs.

Offline DavidR
Re: FP in CF
« Reply #11 on: February 01, 2009, 03:54:50 AM »
I have submitted both prep.com and tail.com as false positives (using the new submission method) when I scanned combofix.exe after I downloaded it.

Offline Maxx_original
Re: FP in CF
« Reply #12 on: February 01, 2009, 02:15:47 PM »
OK, we'll fix the detection. Anyway, it is not good to use a PE image with a .com extension and obfuscate it when you are a legit tool :-\
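An added illustration of the heuristic Maxx describes (a PE image hiding behind a .com extension), written for this thread and not code from avast, ComboFix or the forum: a small triage check that walks the members of an archive and flags any ".com" member that actually carries an MZ/PE header. The member names follow the files discussed above, but their contents are constructed byte strings, not the real ComboFix components.

```python
import struct

# Constructed sample inputs (not the real ComboFix files): a minimal
# MZ/PE header, and a genuine DOS .com stub that simply exits.
def build_fake_pe() -> bytes:
    dos = bytearray(0x40)                     # IMAGE_DOS_HEADER is 64 bytes
    dos[0:2] = b"MZ"                          # e_magic
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    # "PE\0\0" followed by a COFF file header: Machine=i386, no sections
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

FAKE_PE_COM = build_fake_pe()
REAL_DOS_COM = b"\xb8\x00\x4c\xcd\x21"        # mov ax,4C00h ; int 21h

def is_pe_image(data: bytes) -> bool:
    """True when data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):              # truncated or bogus pointer
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def extension_mismatch(name: str, data: bytes) -> bool:
    """Flag a '.com' member that is really a PE image (a real DOS .com has no MZ header)."""
    return name.lower().endswith(".com") and is_pe_image(data)

def triage(members: dict) -> list:
    """Return the names of archive members that trip the extension/format mismatch."""
    return sorted(name for name, data in members.items() if extension_mismatch(name, data))

if __name__ == "__main__":
    sample = {"Prep.com": FAKE_PE_COM, "Tail.com": REAL_DOS_COM, "ComboFix.exe": FAKE_PE_COM}
    print(triage(sample))
```

The check is a triage signal, not a verdict: a legitimate tool can ship a renamed PE for its own reasons, which is exactly why such files end up as false positives until someone looks at them.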

Offline DavidR
Re: FP in CF
« Reply #13 on: February 01, 2009, 04:40:24 PM »
Perhaps to combat the malware it seeks to kill ;D

Offline oldman
Re: FP in CF
« Reply #14 on: February 01, 2009, 05:07:36 PM »
I believe you are right, DavidR. Right now .com is commonly used to get a tool to run. The malware authors are really going after the tools.