Avast Script Blocker

[dude2]

It is not a a mystery. Script Blocker scan EVERYYYYYYYYYYYYY  browser scripts and WSH scripts. The Webshield scan the javascript and any script that pass through your browser. If the script if in your computer already then it is scanned by ScripBlocker, because the WEbshield scan http traffic ONLY. What part you dont understand? Do you need a map?

READ AGAIN EVERY RESPONSE THAT YOU RECEIVED.

Read this for the explanations regarding the function of Script Blocker I received from Avast Tech Support by mail.
http://forum.avast.com/index.php?topic=45438.msg380729#msg380729

If anyone has explained with a source of reference that Script Blocker simply acts as Web Shield(with some minor differences) + WSH shield, then I would not repeatly point to the same mystery. Igor's advice in http://forum.avast.com/index.php?topic=45438.msg380636#msg380636 explained the minor differences, except the not-so-palpable encryption/decryption parts, but it went without source of reference. Plus, are you aware of any instance where damage is done by JavaScripts or other browser scripts when someone loads an infected web page from disk with only Web Shield protection turned on?

Nevertheless, I still want to know what Avast Home users can do to somewhat mitigate the WSH vulnerability before they get a chance to upgrade to PRO for full protection. Any comment on my proposed alternatives in http://forum.avast.com/index.php?topic=45438.msg380955#msg380955 from you?

[igor]

If anyone has explained with a source of reference that Script Blocker simply acts as Web Shield(with some minor differences) + WSH shield, then I would not repeatly point to the same mystery.

Well, if by "acts as" you mean "scans for viruses", then yes. Otherwise, Script Blocker and Web Shield have (technically) nothing in common, they work in a completely different way (regarding the way they get their data; yes, the final virus scanner is the same again).

[mkis]

Avast alerts on url - Hxxp://www.georgedillon.com/freeware/scriptsentry.shtml

Second link down on page Google search - 'script sentry'

-----------------------------------------------------------------------------------------

I have secured 4 instances of alert in the virus chest.
Event viewer reads:

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\T5IEBT4K\getfile-090213-dns[1].gif\[UPX]" file.  

Sign of "Win32:Tipa [Cryp]" has been found in "C:\Documents and Settings\bytebyte\Local Settings\Temporary Internet Files\Content.IE5\K7S95TWQ\getfile-090213-dns[1].gif\[UPX]" file.  
 

First analysis from virustotal

MD5:   6e139b35a2a2803cf7d93f9607e7586b
First received:   2009.05.23 00:50:17 UTC
Date:   2009.05.23 00:50:17 UTC [<1D]
Results:   0/40
Permalink:   analisis/945ea3afff21067d5d0d4ade8c5460d583e0ed87a379accf218f0b42a0afa30a-1243039817

So I dont know as I'm not an expert.
Have emailed the instances to Alwil as potential malware anyway.

I'll  secure my PC first then I'll retun to virustotal and Avast forum.

[mkis]

False positives?

Alerts perhaps triggered by some of George Dillons examples of malware?

[DavidR]

Well with firefox I didn't get an alert on that page (hXXp://www.georgedillon.com/freeware/scriptsentry.shtml), however WOT doesn't like that site either, see http://www.mywot.com/en/scorecard/georgedillon.com.

[mkis]

Thanks for response DavidR.

yes I noted comment by varnk. And WOT - site appears to have poor reputation.

I dont usual go through reporting process - in fact first time. So should be a learning experience. I think time for me to start working out a routine for these kinds of things.

I have to go out for a while to do a few things. So I will come back online later and pick up from there.
I'm currently on a different computer. but my PC seems fine.

Also, first time I will retain files in chest. Normally I would have prob deleted by now.

[mkis]

I returned to url - hxxp://www.georgedillon.com/freeware/scriptsentry.shtml

No alerts - secured page then looked through source code - nothing untoward but then I'm not an expert, just seems messy, so prob simple to hijack (no, I didn't try). Seems contain lots of references to malware so maybe something triggered there. George Dillon disassociates himself, but page still there. My post immediately took reference getfile-090213-dns[1].gif to top on Google search, so perhaps some  changes were subsequently made to page. The two entries below mine in Google search are mentioned below (Avira AntiVir and Kapersky).

(See .gif image attached below)

Still messy, unsafe page - http://forum.avast.com/index.php?topic=45472.msg381353#msg381353

There is a couple of entries for "Win32:Tipa [Cryp]" with "C:\Documents and Settings\xxxx\Local Settings\Temporary Internet Files\Content.IE5\xxxx\getfile-090213-dns[1].gif\[UPX]" file. A warning from Avira AntiVir - executable file, quarantined - and Kapersky reported a trojan downloader. An earlier Malwarebytes scan had not registered an alert.

Win32:Tipa [Cryp] - indicates a trojan downloader (from what I can gather). This is what F-secure
says about these downloaders - http://www.virus.fi/v-descs/trojdown.shtml

Trojan Downloader (generic description)

Trojan downloader is usually a standalone program that attempts to hiddenly download and run other files from remote web and ftp sites. Usually trojan downloaders download different trojans and backdoors and activate them on an affected system without user's approval. Trojan downloader, when run, usually installs itself to system and waits until Internet connection becomes available. After that it attempts to connect to a web or ftp site, download specific file or files and run them.

There is not a lot more that I can do now except wait for Avast. I have given the computer a good clean out and will keep running a few checks on Registry to see if there were any associated entries. But seems like Avast Home did what it was supposed to.

[mkis]

First things first. I could afford to lose this PC. It holds a copy of music archive that generates auto playlists to stream constant music in house when I want. Just happens to be in a warm part of house in cold Auckland winter, so I happened to be using it to surf web instead of usual web PC (at reception). But never nice to lose anything, so I should have been more careful. I have learned a few things.

At the time I went to web page link and clicked without first securing page - better to 'Save target as'...then scan target html copy saved to my HDD would have been good option, or perhaps just trying to scan link first.

This is what I think happened. I click Google search link for page, Avast Home 'Abort connection' alert comes up, but I hit to kill page (X at top right corner of page) instead of 'Abort connection' - don't ask me why, I guess I in the mood, PC not my regular. And page does not kill. Instead Avast 'Save to chest' alert comes up on top of 'Abort connection' alert. So now I have to save a download to virus chest, followed by three more before I can finally out of connection kill page. These downloads are inject of malware (so I gather).

So what happen. By hit on page to kill it rather than hit Avast "Abort connection' I have effectively said okay you allowed to download your malware onto my HDD. (I would say many protects like Defender and like have to comply with this okay, so malware is through). SO MALWARE IS THROUGH.

Obviously Avast Home then stepped in with okay you through but you still not permitted on HDD unless you pass through next check which enables user to quarantine you in chest. And this is what happen. The malware was secured in the virus chest and sent off to/picked up by Avast as 'potential malware' and also checked through Virustotal and on Google search.

Now one important question here - would Avast Pro 'Script Blocker' have disallowed the download, stop inject of malware to HDD, and simply left user to 'Abort connection' to alerted page?

Next important - was downloader malware instances actually on HDD and try outbound to connect with page? I dont think so, unless they arrived the day before. More likely they were loaded onto web page the day before - drive-by loading of virus on insecure web page.

Most important resident Avast Home did everything A1   - even with user faulty practice.


These downloaders Win32:Tipa [Cryp] are not accorded a high danger rating by AV agencies. Virustotal did not raise one query on any of the four instances. But you cannot let them inject. Maybe next time more lethal brew malware. And its not nice to lose any PC. I'm using the (dis)infected PC now and a music playlist is running. 
I've checked the HDD for inject of any associate entries and I'll keep running tests.