Author Topic: False positive?  (Read 3991 times)

0 Members and 1 Guest are viewing this topic.

Offline zenzor

  • Jr. Member
  • **
  • Posts: 80
False positive?
« on: July 08, 2010, 05:02:24 PM »
AIS is blocking the file spx-dxf.exe on this page

hxxp://xaraxtv.at.tut.by/spx.htm

claiming it's a trojan, but I think it's a false positive?

Can Avast confirm this?
« Last Edit: July 08, 2010, 10:49:22 PM by misak »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88761
  • No support PMs thanks
Re: False positive?
« Reply #1 on: July 08, 2010, 05:34:47 PM »
There seems to be something else going on at the time of the download of that one file that doesn't happen with the other two, an iframe injection to reddii.org (see below), see image 1 of the decoded script file that is run when you click the spx-dxf.exe link.

http://www.mywot.com/en/scorecard/reddii.org and http://www.siteadvisor.com/sites/reddii.org/summary/

avast isn't the only AV scanner to find that script file suspect 24 of 44 scanners (60%), see http://www.virustotal.com/analisis/1ebe1c0f91af0da6a6e73bc0c17b5eef3ecaededcc228f7feb9f62f3daf896a7-1278602534.

So there is if nothing else something strange happening with that download which isn't happening with the other two.
« Last Edit: July 08, 2010, 05:39:03 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33869
  • malware fighter
Re: False positive?
« Reply #2 on: July 08, 2010, 07:21:47 PM »
Hi zenzor,

Please make the link to the site non-clickable by putting hxtp or wXw.

Enough malware coming from there:
 Threats found: 6
Here is a complete list:
Threat Name:    Packed.Generic.114
Location:    htxp://ironfist.at.tut.by/ipasetup.exe

   
Threat Name:    Backdoor.Trojan
Location:    htxp://ironfist.at.tut.by/guiz.exe

   
Threat Name:    Suspicious.MH690
Location:    htxp://ironfist.at.tut.by/zeratssl.zip

   
Threat Name:    Trojan Horse
Location:    htxp://ironfist.at.tut.by/rssbot.zip

   
Threat Name:    Packed.Generic.114
Location:    htxp://ironfist.at.tut.by/iparus.exe

   
Threat Name:    JS.Qsiframe
Location:    htxp://xaraxtv1.at.tut.by/spx-dxf.exe
Last detection found supicious here: http://wepawet.iseclab.org/view.php?hash=9d2c42b038c610f57240def45c3c4a41&t=1278609680&type=js
See the VT report there: avst detects as HTML:IFrame-BN

polonus

P.S. also see: htxp://jsunpack.jeek.org/dec/go?report=852fb9a3aa290487ffb9fa4667ac6ac36451af9a
(Make clickable only for those that know what to do, have NS up and active in the browser)

   
« Last Edit: July 08, 2010, 07:25:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline zenzor

  • Jr. Member
  • **
  • Posts: 80
Re: False positive?
« Reply #3 on: July 09, 2010, 03:49:48 PM »

Thanks for your replies. I've contacted the owner of the site, to get him to look into it. I'll report back here when things have been cleared up.

thanks!
Rich

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88761
  • No support PMs thanks
Re: False positive?
« Reply #4 on: July 09, 2010, 03:59:26 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security