is this even possible?

a client sent me this link today. it's to a yahoo message board. when i click on the link i get a "skowar.A" warning from NOD32, but it's obviously just a web URL. If you "quarantine" the virus and then try to restore, there's no file there. it seems like it has to be some kind of false positive.

can anyone else confirm that this is happening w/ NOD32?

hXXp://messages.yahoo.com/Cultures_%26_Community/Issues_and_Causes/Current_Events/World%255FNews/threadview?m=ts&bn=7088119-israelipalestinianconflict&tid=1315057&mid=1315154&tof=4&frt=2

 

I receive the same warning where IMON shuts down the link on trying to access it:

17/10/2007 15:51:00 PM - IMON - Internet monitor Threat Alert triggered on BLACKSPEAR: hXXp://messages.yahoo.com/Cultures_&_Community/Issues_and_Causes/Current_Events/World%5FNews/threadview?m=ts&bn=7088119-israelipalestinianconflict&tid=1315057&mid=1315154&tof=4&frt=2 > GZ > file.htm is infected with Win32/Skowor.A worm.

Will need to wait for Marcos or someone else to advise further.

Cheers

 

Thanks for the confirmation, Blackspear. I've never seen anything quite like this before.

 

You are welcome.

I have, this is normal action for NOD32 with an infected site.

Cheers

 

Oh yes, I have seen the warning from actual infected sites before, too. I know it *is* normal for an infected site, but the site is *not* infected, as you can see from this link to the message board....

http://messages.yahoo.com/Cultures_...gesview?bn=7088119-israelipalestinianconflict

Also it a Yahoo message board. I'm fairly certain Yahoo doesn't allow Infected pages to exist on it's servers. It's only that particular thread that generates the warning, not the entire site.

Furthermore, visiting the "infected" link with NOD32 disabled, then scanning with on-demand scanner shows no sign of infection. No warnings from kasperski, Symantec, AVG or McAffee, either. I've tested this as many ways as I can think of and from all results there is no actual virus.

 

Not true . Moreover , Yahoo uses Symantec to scan what they scan and just one vendor cannot guarantee 100% success.

Hey , this doesn't guarantee that these vendors are ok and that NOD32 flags false positive . There are many cases where NOD32 is the only one to detect a threat and many other "big names" report nothing . No AV is perfect and that's why one may need a confirmation from a specialist . I have once before visited a trusted site on which IMON poped-up about a probable threat . None of "big names" reported a threat but it later appeared real malware which NOD32's heuristics detected .

One more thing - I don't know if it is that important but the board message has been removed

 

Thanks for the reply, HiTech Boy.

yes, it appears that that post has been deleted, but the thread still exists and still gives the same warning.

hXXp://messages.yahoo.com/Cultures_...nconflict&tid=1315057&mid=1315086&tof=6&frt=2

I know the lack of warning from other vendors doesn't guarantee anything, but as I noted, visiting the alleged infected site with NOD32 disabled, then scanning the system with NOD32 on demand scanner detects no infection. A manual search for the virus file also is negative. Also this is a well-known virus and I know for a fact that the other AVs I mentioned *do* detect it. The "file" that is reported as quarantined isn't even a file name, it's a URL, and attempting to "restore" it to a temp folder doesn't restore any file. Also the size of the file being reported as detected differs with each message in that thread. It's just not behaving like an actual threat.

Anyway, I have escalated this to ESET development at samples@eset.com

In the meantime if anyone can duplicate or negate my test results I'd appreciate the input.

Thanks

 

As of 5:26pm EST on 10/17/07 the url doesn't cause any problems in NOD32 3.0 RC1.

 

Thanks Travis. That makes it appear even more likely that it's a false positive, as I'm still getting the warning with V. 2.70.39

Hey I know a Travis from another tech forum... you aren't associated with an anti-malware product called "ImmuneEngine" by any chance, are you?

Edit: Just tried 3.0 RC1 in a virtual machine and getting the same virus warning as with 2.7. "Skowor.A" virus.

 

Warning here too, with Nod32 2.7

 

Thanks dean. I've attached the file that's giving the warning. It's just a plain HTML file (i changed extension to "txt".) with no malicious code, but it surely triggers a virus warning from NOD32.

 

Clicking the attachment triggers NOD32 v3 RC1 here.

 

Yeah... see what I mean. I assure you it's NOT infected, however.

OK, I zipped it w/ password protection and added "txt" extension.... password is "infected".

I'd appreciate if any NOD32 guru on here could tell me why this is flagged as a virus.

 

Good question.

The thing about this thread that caught my attention was that it appears to be a specific detecion and not a generic one.

In the head of the document there are two lines of style code in the document head that trigger the detection. If I remove either

Code:

#cal1 { width: 100%;}

or

Code:

#cal2 { width: 100%;}

or the

Code:

<style></style>

tags that surround them or other parts of the document head then the detection goes away...

Cheers

 

Thanks for the input, NOD32user. I appreciate you taking the time to look at this.

The odd thing is only that one thread triggers the warning. Each post on that board contains those lines and none of the others trigger the alert. Also each post in the "infected" thread has a different message contents, so it couldn't be that either. The only thing that's common to the "infected" thread is the thread ID in the <a href=..." > links. (see attachment of post that doesn't trigger an alert). Since the part you removed is common to the "non-infected" posts, NOD32 must be doing some type of hash on the file and coming up with a positive match. If a guru here could explain how NOD32 does it's detection might shed a little light on this.

 

Hi whitey1200,

I don't really consider myself a guru but you are right - only 1 thread I can see and the attached archive protected with the password 'infected' contains just the headers from one of the pages in question.

Cheers

 

Thanks NOD32 user! That narrows it down a bit. I'm trolling for this virus with kazaa on a virtual machine so I can take a look at it and compare (it's a powershell script that supposedly spreads through kazaa, so would also just be a text file), but a search of all the files it supposedly drops in the shared folder doesn't turn up anything. It figures that when you WANT a virus you can't get one. lol.


Although this isn't really a problem curiosity has gotten the better of me and I'd really like to know why this is being detected. Thanks again for your input!