VBS virus attack on webpage

Discussion in 'malware problems & news' started by StevieO, Mar 6, 2006.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Here's something funny! I went to a page via the link on their Various Technical Pages to VBScript Virus Fix - Modify the registry so that no variants will get you http://68.165.245.242/user/clemenzi/technical/

    I went to have a look at this topic, vbs (virus) Protection, and this is the link I mentioned above: hxxp://68.165.245.242/user/clemenzi/technical/VBScript_Fix.htm

    As soon as I reached the page, BitDefender jumped in with this:

    http://img134.imageshack.us/img134/2215/vbs19pd.png

    The curious thing is, that page is supposed to be all about fixing a VBS issue, but you get offered a VBS virus as well? I'm not sure whether it's an FP or not.


    StevieO
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Probably because of the script language on the page. This from Wormguard:

    ---------------
    Risk Assessment: MAXIMUM - EXTREMELY VULNERABLE SITUATION.

    *> Contains a mIRC Script.
    WormGuard has determined that this file contains a mIRC script.

    *> Contains suspicious string: infect
    LINE=...

    *> Suspicious strings detected.
    WormGuard has found a few strings in this file that are suspicious.

    *> Contains suspicious string: virus
    LINE=.........

    *> Script Analysis: Security risks detected.
    WormGuard Script Analysis:

    > Contains suspicious string: "Worm"
    > Contains suspicious string: "Worm.g"
    > Contains suspicious string: "infect"
    > Hard-coded reference to c:\mirc - common IRC worm reference.
    > Hard-coded reference to c:\mirc\script.ini - very common IRC worm reference.
    > Hard-coded reference to script.ini - very common IRC worm reference.
    > Accesses the registry.
    --------------------------

    ---
     

  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It's a false positive. I looked at the page and found no sign of attempted infection whatsoever.
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi thanks to both of you for the info.

    I'm wondering if it definitely is an FP though, if WormGuard reports what it does, and the 3 AVs all pick up on it. Any more thoughts on this at all?


    StevieO
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    WormGuard will pick up what it thinks are malicious scripts in any file type. I tried it for a while and had to stop using it because it alerted every time I opened a file that had words that flagged its analysis engine. See attachment. It's a text file with some notes I made about bots.
     

  6. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    This is very interesting, but I think it's an FP... it's weird how 3 AVs would detect this... gotta admit... Kaspersky didn't pick it up, so it must be an FP!
     
  7. Robert Clemenzi

    Robert Clemenzi Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    2
    http://68.165.245.242/user/clemenzi/technical/VBScript_Fix.htm

    is my page ... it is definitely a false positive

    I have modified this page several times because Symantec calls it a virus.

    After a few months, it flags it again.
    If I was paranoid, I would think they were targeting me.

    Maybe they just don't like me explaining how to fix your machine without paying them money :)

    The new link is

    http://mc-computing.com/Parasites/VBScript_Fix.htm

    Lots of related stuff is here
    http://mc-computing.com/Parasites/index.html

    Sorry for the confusion

    Robert Clemenzi
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi Robert,

    I'm still getting the LoveLetter virus warning from BD even on the new link hxxp://mc-computing.com/Parasites/VBScript_Fix.htm o_O

    By the way, I get a Page Not Found on the Author: Robert Clemenzi link!

    Thanks for the info on your site


    StevieO
     
  9. Robert Clemenzi

    Robert Clemenzi Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    2
    It appears that my new ISP automatically deleted the page.
    (I've reloaded it.)

    Another page, without the hacks to hide it from Symantec, gets deleted as soon as I try to upload it.

    I no longer have a virus checker to debug this with.
    I would appreciate some help.

    > By the way, I get a Page Not Found on the Author: Robert Clemenzi link!
    That's strange, that is just a mailto link. I don't know how that has a page not found error.

    Robert
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    What a naughty ISP you got lol.

    Why don't you just disable your AV whilst you upload ?

    The Author: Robert Clemenzi link is working now for me! Microcline Computing - Feedback Form

    Rmus who posted earlier on is very good at analysing web pages and exploits. So if he hasn't seen this yet, maybe you could PM him and ask him to have a look at it for you, and post back in here.


    StevieO
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Don't you think it's because of the reference to LoveLetter in his page code?

    --------------------------
    META NAME="keywords"
    CONTENT=vbscript, visual basic script
    Love-Letter-For-You.txt.vbs,
    --------------------------

    See Post #5 above.
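To make the point of posts #5 and #11 concrete, here is an added example (written for this page, not code from the thread, from WormGuard, or from Robert's site) of a toy string-matching heuristic of the kind those scanners appear to use, run over two constructed HTML pages. The first imitates a help page that only *talks* about the LoveLetter worm and lists its attachment name in the `<meta>` keywords; the second actually carries a VBScript block. Scanning raw page text flags both; restricting the same indicator list to executable contexts (`<script>` bodies and `on*` event-handler attributes) leaves the help page clean while still firing on the script page. The indicator list, both sample pages and the function names are assumptions for the example.

```python
from html.parser import HTMLParser

# Indicator strings modelled on the ones WormGuard reported in this thread,
# plus the LoveLetter attachment name from the page's <meta> keywords.
# This is an illustrative list, not any product's real signature set.
INDICATORS = (
    "virus",
    "infect",
    "worm",
    r"c:\mirc\script.ini",
    "love-letter-for-you.txt.vbs",
)


def naive_scan(page: str) -> list[str]:
    """Flag every indicator found anywhere in the raw page text.

    This treats an HTML file like any other file: prose, comments,
    <title> and <meta> keywords all count, which is how a page *about*
    a worm ends up "containing" one.
    """
    text = page.lower()
    return [s for s in INDICATORS if s in text]


class _ExecutableTextExtractor(HTMLParser):
    """Collect only text a browser could execute: <script> bodies and
    on* event-handler attribute values. Comments, visible prose and
    <meta> content are ignored."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content over as raw data, so this
        # captures the whole script body regardless of its language.
        if self._in_script:
            self.chunks.append(data)


def context_aware_scan(page: str) -> list[str]:
    """Flag indicators only where they sit in an executable context."""
    parser = _ExecutableTextExtractor()
    parser.feed(page)
    parser.close()
    text = "\n".join(parser.chunks).lower()
    return [s for s in INDICATORS if s in text]


# Constructed stand-in for a help page like the one in this thread: it
# discusses the worm and names it in <meta> keywords, but has no script.
HELP_PAGE = """<html><head>
<meta name="keywords"
      content="vbscript, visual basic script, Love-Letter-For-You.txt.vbs, virus fix">
<title>VBScript Virus Fix</title></head>
<body>
<h1>Stop VBS worms from running</h1>
<p>Variants of the LoveLetter worm arrive as .vbs attachments. They can only
infect a machine if Windows still hands .vbs files to the script host. Change
the registry so that the file type is opened in Notepad instead.</p>
<!-- last updated after the page was flagged again -->
</body></html>
"""

# Constructed page that really does carry VBScript in an executable context.
# The script merely references the marker strings; it is not a working worm.
SCRIPT_PAGE = """<html><body onload="runit()">
<p>Nothing to see here.</p>
<script language="VBScript">
Sub runit()
  ' worm-style marker strings inside an executable block
  target = "c:\\mirc\\script.ini"
  Set fso = CreateObject("Scripting.FileSystemObject")
End Sub
</script>
</body></html>
"""


if __name__ == "__main__":
    for name, page in (("help page", HELP_PAGE), ("script page", SCRIPT_PAGE)):
        print(f"{name}: naive={naive_scan(page)} "
              f"executable-only={context_aware_scan(page)}")
```

Running it shows the help page lighting up four indicators under the naive scan and none under the context-aware one, while the script page is flagged either way. The caveat cuts both ways: a string list is cheap and catches the careless, but it is exactly why a clean page that documents a threat gets flagged, and narrowing it to script bodies does nothing against an author who splits or encodes the strings.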
     
  12. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yep...that explains it.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I wouldn't put too much faith in what an AV might be able to detect. Remember the postcards.com exploit: one of the trojan downloaders wasn't detected until the second day:

    postcards.com-case#2
     
    Last edited: Mar 29, 2006