Author Topic: Another blocked site, possible FP? (Read 10728 times)

saluqi · « **on:** July 10, 2010, 10:23:15 PM »

I'm using Avast Free 5.0.594, definitions 100710-1. When I try to access this site http://aumha.net/viewtopic.php?f=27&t=44253 I get a MALWARE BLOCKED warning BV:AutoRun-AG (Wrm) and access to the site is blocked. That was also the case yesterday, with yesterday's definitions. AumHa staff have scanned the site and can't find anything dangerous. What to do?

The site is a page on the AumHa forum dealing with virus and antivirus. The name of the thread is "bumpy tasty trojan". I can access the second page of the thread, but not the first.

If this is not the right forum for this question, please tell me where to post it <G>.

Thanks,

John

Asyn · « **Reply #1 on:** July 10, 2010, 10:27:20 PM »

Report    2010-07-10 22:25:57 (GMT 1)
Website    aumha.net
Domain Hash    e95f70b1b91d5344668cc1878f6a5b92
IP Address    64.130.45.31 [SCAN]
IP Hostname    aumha.net
IP Country    US (United States)
AS Number    7859
AS Name    PAIR-NETWORKS - pair Networks
Detections    0 / 17 (0 %)
Status    CLEAN

polonus · « **Reply #2 on:** July 10, 2010, 11:00:15 PM »

Hi saluqi,

Finjan also finds it clean. Here it is also found benign: http://jsunpack.jeek.org/dec/go?report=2943fbc6076b7204f053f9b6c2345327f5dc69b2
Make the address non-click-through by putting hxtp or wXw, because avast still flags it,
DrWeb URL checker:
Checking: htxp://aumha.net/viewtopic.php?f=27&t=44253
Engine version: 5.0.2.3300
Total virus-finding records: 1553539
File size: 69.76 KB
File MD5: 8fb8dcc4e332f466c6e1dec666844d96

htxp://aumha.net/viewtopic.php?f=27&t=44253 - archive HTML
>hxtp://aumha.net/viewtopic.php?f=27&t=44253/Script.0 - Ok
htxp://aumha.net/viewtopic.php?f=27&t=44253 - Ok

polonus

Pondus · « **Reply #3 on:** July 10, 2010, 11:51:26 PM »

I get no warning from avast

NoVirusThanks - INFECTED - 1/16
http://scanner.novirusthanks.org/analysis/5e5ec21edde647d38e64f2e396533612/dmlld3RvcGljLnBocA==/

probably a FP that GData have not updated for yet ?

Asyn · « **Reply #4 on:** July 10, 2010, 11:56:51 PM »

Quote from: Pondus on July 10, 2010, 11:51:26 PM

I get no warning from avast

Hi Pondus,
I do get the warning...
asyn

Pondus · « **Reply #5 on:** July 11, 2010, 12:12:00 AM »

do you have update 100710-2

Lisandro · « **Reply #6 on:** July 11, 2010, 12:16:08 AM »

This is a good test...
Generally avast picks the infection before Dr. Web (that misses a lot) and NoVirusThanks the same.
Please, inform the last position. Should we believe on avast or on the others?

Asyn · « **Reply #7 on:** July 11, 2010, 12:21:03 AM »

Quote from: Pondus on July 11, 2010, 12:12:00 AM

do you have update 100710-2

Yes..!!
Don't know, why it's blocked here and not blocked at your machine...!??
asyn

Asyn · « **Reply #8 on:** July 11, 2010, 12:27:44 AM »

Quote from: Tech on July 11, 2010, 12:16:08 AM

Should we believe on avast or on the others?

Well, even avast seems to be not sure...

asyn

bob3160 · « **Reply #9 on:** July 11, 2010, 02:05:34 AM »

I get a warning here. Wonder if it's something on that forum rather than the link itself

saluqi · « **Reply #10 on:** July 11, 2010, 02:13:32 AM »

I have the update (100710-2) and it's still blocked.

Getting to that site is not a life or death matter, it's just curiosity - but of course I don't like to be blocked when I can't understand why.

I can get to other pages on that forum, and even the second page on that same thread, without difficulty. It's only that one page that is being blocked.

John

Asyn · « **Reply #11 on:** July 11, 2010, 02:15:17 AM »

Quote from: bob3160 on July 11, 2010, 02:05:34 AM

I get a warning here. Wonder if it's something on that forum rather than the link itself

We all wonder what's going on...

As Pondus is on the same VPS and also has a similar system but no alert...!??
asyn

DavidR · « **Reply #12 on:** July 11, 2010, 02:32:31 AM »

For whatever reason there would appear to be packed file run when you click on that link, see image 1 and that is what I think avast is alerting on (that is what the gzip bit in the location indicates, image 2).

There is also another javascript file that is loaded that has some obfuscated script in it, but I don't think that that is the problem.

What I do believe the true problem is, is that someone has posted an autorun script in the first post (image 3), that should have been posted as an image as the text of the contents of an autorun.inf file wouldn't be differentiated from actual code, hence the malware name BV:AutoRun-AG [Wrm] as to all intents an purposes avast believes that is what it is an autorun script.

This happens with monotonous regularity when someone posts the actual code on a page.

Asyn · « **Reply #13 on:** July 11, 2010, 02:36:55 AM »

Thanks, David..!
Still I don't get why Pondus didn't get the alert...!??
Meanwhile I'm more interested in that, than what's going on on that site..

asyn

DavidR · « **Reply #14 on:** July 11, 2010, 02:40:39 AM »

You're welcome.

I have no idea why Pondus didn't get an alert based on the fact he didn't give any information, browser and any security add-ons. etc.

Author Topic: Another blocked site, possible FP? (Read 10728 times)

saluqi

Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

polonus

Re: Another blocked site, possible FP?

Pondus

Re: Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

Pondus

Re: Another blocked site, possible FP?

Lisandro

Re: Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

bob3160

Re: Another blocked site, possible FP?

saluqi

Re: Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

DavidR

Re: Another blocked site, possible FP?

Asyn

Re: Another blocked site, possible FP?

DavidR

Re: Another blocked site, possible FP?