Got a Virus just by clicking on a URL

Ant

"Ant":

I agree. I ran a test using IE on lowest possible security. I had KAV
3.5 realtime monitor active. No alert and no malware infestation.

The script does get downloaded to IE temp, and some av may alert on
this. For example, F-Prot for DOS finds VBS/Petch.A@dl (exact)
If KAV alerted (which it doesn't) it would name it Psyme rather than
Petch, as would McAfee. I checked this using Project VGREP.

I also saved the page as an html file and scanned on demand. Both
F-Prot and F-Secure alert as VBS/Petch.A@dl.

Sophos ignores the page with scan on demand, as it should. However,
if I create an html file from the ADODB Active-X/wmplayer code sample,
which would be dangerous if all the components were present, it
correctly detects the exploit (Troj/Psyme-Fam).
I suspect that some other scanners besides NOD32 will false alarm when
accessing the harmless web site.

It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).

There are many sites which post similar code. Some of them are aware
that AV software will falsely alert, so they often replace "<" and ">"
characters in the examples with "[" and "]".
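The distinction this post relies on, as an added example that is not from the thread or any poster: `<pre>` only changes how text is displayed, so a code sample is inert only when its angle brackets are HTML-escaped (or replaced by "[" and "]"); literal tags inside `<pre>` are parsed by the browser exactly as they would be anywhere else. The three pages below are constructed, the script body is a harmless `MsgBox "hello"` stand-in, and the byte-pattern check is a deliberately naive stand-in for a signature scanner, not any product's real logic. It goes a little beyond the post by also covering the raw-tag case.

```python
"""Audit <pre> blocks in an HTML page: does the browser parse markup inside
them, or is the 'code sample' only displayed text?  Added example; the three
pages below are constructed and are not the page discussed in the thread."""
from html.parser import HTMLParser

# Sample 1: angle brackets HTML-escaped, so the browser only displays the text.
ESCAPED_PAGE = """<html><body><p>Sample:</p>
<pre>&lt;script language="vbscript"&gt;
MsgBox "hello"
&lt;/script&gt;</pre>
</body></html>"""

# Sample 2: literal tags inside <pre>.  <pre> is not a raw-text element, so
# the browser parses and runs the script exactly as it would outside <pre>.
RAW_PAGE = """<html><body><p>Sample:</p>
<pre><script language="vbscript">
MsgBox "hello"
</script></pre>
</body></html>"""

# Sample 3: the "[" / "]" substitution mentioned in the thread.
BRACKET_PAGE = """<html><body><p>Sample:</p>
<pre>[script language="vbscript"]
MsgBox "hello"
[/script]</pre>
</body></html>"""


class PreAuditor(HTMLParser):
    """Collects, per <pre> block, the tags the parser actually sees inside it
    and the text that is merely displayed (entities already decoded)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocks = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self._current = {"tags": [], "text": ""}
        elif self._current is not None:
            self._current["tags"].append(tag)   # live markup inside <pre>

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data       # display-only text

    def handle_endtag(self, tag):
        if tag == "pre" and self._current is not None:
            # Inert only if no tag was parsed inside the block.
            self._current["inert"] = not self._current["tags"]
            self.blocks.append(self._current)
            self._current = None


def audit_pre_blocks(page):
    """Return one dict per <pre> block: tags, text, inert."""
    auditor = PreAuditor()
    auditor.feed(page)
    auditor.close()
    return auditor.blocks


def byte_signature_hits(page, signatures=(b"<script",)):
    """Naive byte-pattern match of the kind a signature scanner applies to
    the file on disk.  It fires on literal tags regardless of <pre>, which
    is why escaping or bracket-substitution silences such false alarms."""
    raw = page.encode("utf-8")
    return [sig.decode() for sig in signatures if sig in raw]


if __name__ == "__main__":
    for name, page in (("escaped", ESCAPED_PAGE), ("raw", RAW_PAGE),
                       ("bracket", BRACKET_PAGE)):
        block = audit_pre_blocks(page)[0]
        print(f"{name:8s} inert={block['inert']} tags={block['tags']} "
              f"signature hits={byte_signature_hits(page)}")
```

Only the raw page reports a parsed `script` tag inside the `<pre>` block, and only the raw page trips the byte pattern; the escaped and bracketed pages are inert and quiet, which is the combination a page of posted code samples should aim for.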
 
Duane Arnold

It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).
There are many sites which post similar code. Some of them are aware
that AV software will falsely alert, so they often replace "<" and ">"
characters in the examples with "[" and "]".

I work on HTML everyday along with ASP, ASPscript and Javascript and if I
could view the code, which NOD32 is preventing me from viewing the code, I
think I could make that determination.

So, I'll leave it at that and NOD32 is doing its job whether it's dangerous
or not.

Duane :)
 
Beauregard T. Shagnasty

Quoth the raven Duane Arnold:
It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).
There are many sites which post similar code. Some of them are
aware that AV software will falsely alert, so they often replace
"<" and ">" characters in the examples with "[" and "]".

I work on HTML everyday along with ASP, ASPscript and Javascript
and if I could view the code, which NOD32 is preventing me from
viewing the code, I think I could make that determination.

Got another computer without NOD32? said:
So, I'll leave it at that and NOD32 is doing its job whether it's
dangerous or not.

So, I guess the Final Answer is a NOD32 false alarm on posted code,
not executable code. I ran Avast! on all my browser caches and no
threats were reported.

Glad we got this all figured out. ;-)
 
Ant

...
I work on HTML everyday along with ASP, ASPscript and Javascript and if I
could view the code, which NOD32 is preventing me from viewing the code, I
think I could make that determination.

Turn it off and have a look then. If you form the URL like so:

view-source:http://www.tjhsst.edu/~agupta/ecard-hijack/

for IE, it'll display the page source unrendered in Notepad.
So, I'll leave it at that and NOD32 is doing its job whether it's dangerous
or not.

It's hardly doing a proper job if it's giving false positives.
 
Duane Arnold

Quoth the raven Duane Arnold:
It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).
There are many sites which post similar code. Some of them are
aware that AV software will falsely alert, so they often replace
"<" and ">" characters in the examples with "[" and "]".

I work on HTML everyday along with ASP, ASPscript and Javascript
and if I could view the code, which NOD32 is preventing me from
viewing the code, I think I could make that determination.

Got another computer without NOD32? said:
So, I'll leave it at that and NOD32 is doing its job whether it's
dangerous or not.

So, I guess the Final Answer is a NOD32 false alarm on posted code,
not executable code. I ran Avast! on all my browser caches and no
threats were reported.

Glad we got this all figured out. ;-)

No, I am not going to be concerned about a false positive or no false
positive. My concern is that IE should be doing the same on both
computers running IE 6 with SP 2 with like configuration, and they are
not doing the same thing. NOD32 is doing what I expect it to
do. And if you're happy with the performance of the product you're using,
then be happy and be done with it.

Your point here is moot as far as I am concerned.

Duane :)
 
Uncle Mortimer

Duane Arnold said:
It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).
There are many sites which post similar code. Some of them are aware
that AV software will falsely alert, so they often replace "<" and ">"
characters in the examples with "[" and "]".

I work on HTML everyday along with ASP, ASPscript and Javascript and if I
could view the code, which NOD32 is preventing me from viewing the code, I
think I could make that determination.

So, I'll leave it at that and NOD32 is doing its job whether it's dangerous
or not.

Duane :)

Doing its job a little like "perfect.bat" does its job. :)
 
Uncle Mortimer

Beauregard T. Shagnasty said:
Quoth the raven Duane Arnold:
It's easy to see that it's benign if you know html, and do a
"view-source:" on the URL. All the code samples are between <pre>
tags (preformatted text).
There are many sites which post similar code. Some of them are
aware that AV software will falsely alert, so they often replace
"<" and ">" characters in the examples with "[" and "]".

I work on HTML everyday along with ASP, ASPscript and Javascript
and if I could view the code, which NOD32 is preventing me from
viewing the code, I think I could make that determination.

Got another computer without NOD32? said:
So, I'll leave it at that and NOD32 is doing its job whether it's
dangerous or not.

So, I guess the Final Answer is a NOD32 false alarm on posted code,
not executable code

Code in HTML within <pre></pre> or <code></code> containers should not be a threat. But I don't believe it is a bad
thing to avoid having stuff like this "out there" downloaded to my network just by visiting a site. Maybe it is crud detection,
or maybe net nanny AV's time has come.
 
me

(e-mail address removed) wrote in
The script does get downloaded to IE temp, and some av may
alert on this. For example, F-Prot for DOS finds
VBS/Petch.A@dl (exact) If KAV alerted (which it doesn't) it
would name it Psyme rather than Petch, as would McAfee. I
checked this using Project VGREP.

I also saved the page as an html file and scanned on demand.
Both F-Prot and F-Secure alert as VBS/Petch.A@dl.

F-Prot bug?

When the page is saved without CR/LF at the end, i.e., the last
byte is an angle bracket (">"), F-Prot reports "Not scanned
(unknown file format)." After adding LF or CR or x1A, F-Prot
reports Infection: VBS/Petch.A@dl

Moral of the story: save w/o CR/LF/x1a <jk>

J
 
null

(e-mail address removed) wrote in


F-Prot bug?

When the page is saved without CR/LF at the end, i.e., the last
byte is an angle bracket (">"), F-Prot reports "Not scanned
(unknown file format)." After adding LF or CR or x1A, F-Prot
reports Infection: VBS/Petch.A@dl

Moral of the story: save w/o CR/LF/x1a <jk>

Moral? When the file is "Saved as" by IE there is a CR LF at the end
and the infection is reported. When the file is "Saved as" by
Mozilla, there is no CR LF at the end and F-Prot refuses to scan the
file. Go figure. I'd fool around with different scan settings but I
see no point in it. I'm going to bed and to hell with it :)

Anyone try F-Prot for Windows on the subject page?


Art
http://www.epix.net/~artnpeg
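The IE-versus-Mozilla difference described in the two posts above, as an added example that is not from the thread or any poster: a small check of what a saved page ends with, plus a normalisation step so both saves present the same framing to a scanner. The two byte strings are constructed stand-ins for the two saves (the "IE" one ends in CR LF, the "Mozilla" one ends in ">"); nothing here models F-Prot's actual file-type logic, which the thread does not describe.

```python
"""Check whether a saved HTML page ends with a line terminator, and produce a
normalised copy for scanning.  Added example; the two byte strings are
constructed stand-ins for a page as saved by IE and by Mozilla."""
import hashlib

SAVED_BY_IE = b"<html><body><pre>sample</pre></body></html>\r\n"   # constructed
SAVED_BY_MOZILLA = b"<html><body><pre>sample</pre></body></html>"  # constructed

# The terminators the post says made F-Prot scan the file: CR LF, LF, CR, x1A.
TERMINATORS = (b"\r\n", b"\n", b"\r", b"\x1a")


def trailing_terminator(data):
    """Return the terminator the file ends with, or None (e.g. ends in '>')."""
    for term in TERMINATORS:
        if data.endswith(term):
            return term
    return None


def scan_readiness(data):
    """Summarise the properties that made the two saves behave differently:
    the final byte, the terminator (if any) and the hash, which also shows
    why a hash-based lookup treats the two saves as different files."""
    return {
        "last_byte": data[-1:],
        "terminator": trailing_terminator(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def normalize_for_scan(data, terminator=b"\r\n"):
    """Append a line terminator if one is missing; the content before it is
    left untouched, so the page itself is not altered."""
    if trailing_terminator(data) is None:
        return data + terminator
    return data


if __name__ == "__main__":
    for name, data in (("IE", SAVED_BY_IE), ("Mozilla", SAVED_BY_MOZILLA)):
        info = scan_readiness(data)
        print(name, info["last_byte"], info["terminator"], info["sha256"][:16])
    fixed = normalize_for_scan(SAVED_BY_MOZILLA)
    print("normalised copy equals IE save:", fixed == SAVED_BY_IE)
```

Running the normalisation on the Mozilla-style save yields a byte-identical copy of the IE-style save, which is the quickest way to confirm that a differing scan verdict comes from the trailing byte rather than from the page content.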
 
me

(e-mail address removed) wrote in
Moral? When the file is "Saved as" by IE there is a CR LF
at the end and the infection is reported. When the file is
"Saved as" by Mozilla, there is no CR LF at the end and
F-Prot refuses to scan the file. Go figure. I'd fool around
with different scan settings but I see no point in it. I'm
going to bed and to hell with it :)

Anyone try F-Prot for Windows on the subject page?


Art
http://www.epix.net/~artnpeg

Did you miss the "<jk>"? Heh, you need the sleep. :)

Don't bother to fool around with the scan settings -- I tried
and it makes no difference.

J
 
kurt wismer

Walter said:
How can I get a virus just by just clicking on a URL and looking at a
website???

I clicked on this URL, which seems to contain a virus:

WARNING: DO NOT CLICK ON THIS URL:
http://www.tjhsst.edu/~agupta/ecard-hijack/

When I ran AVG shortly afterwards, it reported the js/psyme virus. It was in
the Temporary Internet Files

hmmm... lets see... you clicked on a link that took you to a website
with malicious content and afterwards your scanner found malicious
content on your computer in the directory your browser temporarily
stores data from websites in... how could it have gotten there?
I traced it back to the above URL. It is also known as the
ecard-hijack(1).htm virus.

AVG did not complain about it when I clicked on the URL.

probably because avg only complains when malware is read from disk or
executed, not when it's written to disk... it's trying to prevent
active infections, not prevent you from receiving files that it might
think (rightly or wrongly) are infectious...
Since the virus was in the Temp Internet Files, it probably did not do any
damage. I just cleared the Temp Int Files. Was it ever a danger to my
computer while it was in the Temp Int. Files?

How can I avoid getting a virus just by visiting a website?

don't visit those websites anymore...
 