Have you a FP from this page ?

Discussion in 'other anti-virus software' started by Mack Jones, Jul 3, 2006.

Thread Status:
Not open for further replies.
  1. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Wow...NOD32 alerts me but seems like that page is safe.
    What about you ?
    ****://www.bellamyjc.org/fr/iloveyou.html"]http://www.bellamyjc.org/fr/iloveyou.html
     
    Last edited by a moderator: Jul 3, 2006
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    pas de problem
    no problems
     
    Last edited: Jul 3, 2006
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I also get the warning and the page really seems to be infected. See the scanning result.
    Seems NOD32 caught another piece of malware. :D
    Hope ESET will take a look at it soon... sample sent :)
     

    Attached Files:

  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Mack Jones,

    Please do not post possible live malware links. BTW, i also got the alert from NOD32.



    snowbound
     
  5. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    Humm...
    How can you explain these differences ?
    This page contains the code, modified, but some detect it, some don't.
    Strange to my (rookie) eyes o_O
     

    Attached Files:

    • VBS.JPG
      VBS.JPG
      File size:
      56.3 KB
      Views:
      499
  6. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France

    Sure. :)
    This page doesn't containt a malware I presume.
    The author just explains the code and the routines.
    Sorry if I'm wrong :oops:
     
  7. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    I checked with the Dr.Web FF plugin but the doc found nothing :doubt:

    Gerard
     
  8. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Visited it in Firefox. Got the Nod32 alert as well. Then had what seemed to be a redirect to a page that did not stay up long enough to see what it was, then a page can not be displayed error. I know I`m not going back. :eek: :D
     
  9. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    The jotti pic's you see is done when I copy some part of this page in a document.
    May be the reason DrWeb doesn't alert you...
     
  10. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I noticed that too, but is this page really unsafe? As far as I understand the author is examining the loveletter code. The virus itself doesnt run actually and maybe thats why Drweb and others doesnt react?
    But if merely printing the code on a web page is malicious then it is good that NOD32 detects it.
    Maybe all depends on how different AV´s attack a problem?
     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    let's wait for ESET's answer. perhaps it's indeed a FP. ;)
     
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    In IE one scripts opens up a popup that contains this text:

     
  13. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is the translation of the previous post)


    26/05/2006 VBScript VBS Examples Script EXPORTFAV which exports automatically in a file HTML of all favourites (shortened Internet) 22/05/2006 VBScript VBS Exemples Script RENEWDHCP which causes the renewal of beams DHCP on a local or distant computer. March at April 2006 the site Put “in temporary sleep� following problems of health. 23/01/2006 VBScript VBS Examples Updated of script LOGUSERS (temporary desactivation of a safety Internet To explore preventing its local execution) 19/01/2006 Tools Updated of the bonds of Tweak UI and GadWin Windows Windows2000 Updated of the article the its problem and prolonged deactivation Year 2005 Year 2004 Year 2003 Year 2002 Year 2001
     
  14. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
    The main question isn't "Should an AV detect harmless code ?" ?
    The approch is different but the security level is not higher.
     
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    strange again ESET gives no answer on this issue and NOD32 still flags that webpage as infected. :(
     
  16. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    The page contains a script code which is malicious :)
     
  17. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    FProt beta doesn't alert on that page. Neither does McAfee corporate beta.

    Neither does KAV 2006.

    Maybe it is because I don't have QT installed on any machine? And that is required for that page?
     
  18. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.


    Do not have Quicktime either. Still got the nod32 alert the last time I went there. Now the page seems to be down.
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As already quoted:

    Cheers :D
     
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I find it rather interesting that F-Prot 3.16 detects this, but F-Prot beta does not. KAV doesn't either, nor does McAfee enterprise beta so I don't think there is anything malicious there. It's a FP for NOD32 that is all.
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As already stated, it is NOT a FP.

    Blackspear.
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Must be an FP since the latest FProt doesn't detect but the old version does. Plus, if KAV doesn't get it then it is an FP...even if KAV didn't have a signature on July 3, it updates every 5 minutes so it would certainly be detecting it now if it were for real.
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Well the actual facts are it is NOT a FP according to Eset, as well as Bitdefender and many others also detect it. How many times have you seen multiple AV's detect a FP :blink: Just because KAV doesn't detect it doesn't make it a FP, that's ludicrous :blink:

    Blackspear.
     
  24. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Source-code for the "I love you" virus is printed in the web page. In script-form, presented on a web page. Even if the code isn't being executed on the page, it's still there so what do you expect an antivirus to do with it?
     
  25. ASpace

    ASpace Guest

    :thumb: :thumb: :thumb:
     
Loading...
Thread Status:
Not open for further replies.