False positive doodling.org.uk

Nick · Dec 5, 2006

A few people have posted over at Castle Cops about this site generating an alert from NOD 32, hXXp://www.doodling.org.uk/startups/bad_startupsall.htm.

You can see the talk at Castle Cops here. There's a link to a screen shot of the alert a few posts into the topic.

I've submitted the file to Eset using the internal submit for analysis in NOD 32. The alert is listed as a BAT/generic trojan, which sounds like a heuristic detection.

Thanks for looking into this.

Blackspear · Dec 5, 2006

Here is a screenshot.

Please also send a email to support @ eset.com with a link to this thread.

Cheers

Bubba · Dec 5, 2006

Nick said:

A few people have posted over at Castle Cops about this site generating an alert from NOD 32, hXXp://www.doodling.org.uk/startups/bad_startupsall.htm
Click to expand...

To narrow it down further....if one goes to the Index of /startups page....the only alpha\numeric on this end that burps with that same Nod alert is http://www.doodling.org.uk/startups/bad_startups_c.htm

It appears it does not like the description of the chart.vbs I-Worm.Gigger worm contained in the bad_startups_c.htm file.

kjempen · Dec 5, 2006

Is it really considered a "false positive" when they put parts of the source code of a malicious script in a malware description?

pykko · Dec 5, 2006

well, I think not quite. As IC suggested once, it is usefull to post that code as a picture not text and so it will result in no FP.

Log in or Sign up

False positive doodling.org.uk

Nick Registered Member

Blackspear Global Moderator

Attached Files:

Threat Detected.jpg

Bubba Updates Team

Attached Files:

NodFPburp.gif

kjempen Registered Member

pykko Registered Member

Log in or Sign up

False positive doodling.org.uk

Nick Registered Member

Blackspear Global Moderator

Attached Files:

Threat Detected.jpg

Bubba Updates Team

Attached Files:

NodFPburp.gif

kjempen Registered Member

pykko Registered Member

Useful Searches