AVG reports a page on your site infected with bv:autorun-as virus

While researching the js:agent-dzp trojan I visited your site (page: https://www.f-secure.com/v-descs/trojan_js_agent.shtml). On that page under technical details I clicked on the link "Trojan:JS/Agent.JP" which took me to the page at https://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml. When that page opened, AVG reported an infection with the bv:autorun-as worm. I tried to save the page for inspection, but AVG aborted the download due to infection. I tried the link multiple times and each time AVG reported the infection.

 

As your company seems to be an antivirus organization, I thought you would like to know.

 

By the way, your reporting mechanism wouldn't allow me to report this without submitting a sample file, but I couldn't download it to provide the sample, so I submitted a clean file of my own. You should allow people to contact you without having to provide a sample.

 

Thanks and good luck,

Bucky

 

 

[Attached image: F-Secure.png, "Message from AVG"]

Comments

  • BuckyGoldstein
    BuckyGoldstein Posts: 2 New Member

    Apparently I'm not alone. I just noticed a post on Avast's forum (September 2018) about the same issue.

     

    https://forum.avast.com/index.php?topic=222047.0

     

    Good luck with that,

    Bucky

  • Ukko
    Ukko Posts: 3,668 Superuser

    Hello,

     

    Sorry for my reply. I am only an F-Secure user (their home solution).

     

    In general, there is a possibility to contact them (apart from your workaround):

    -> common official F-Secure Support Channels (chat or phone):

    -> ability to transfer URL (with further clear description) rather than file:

    works as your workaround, probably.

     

    But I think that, anyway, it is good to contact AVG about this. It is likely that such a detection is a false positive.

     

    Because, based on my attempt to research the reason for the detection, the following piece of commands (even if saved as a text file) will trigger detection. Note! I changed all "o" characters to "0" (zero) to avoid detection by AVG (though the previous F-Secure engine, and all companies who used it, will detect it anyway).

    It is visible on the F-Secure page as a description of the content of the "autorun.inf" file.

    [aut0run]0pen=WScript.exe //e:VBScript thumb.db aut0
      shell\0pen=0pen shell\0pen\C0mmand=WScript.exe //e:VBScript thumb.db
      aut0shell\0pen\Default=1shell\expl0re=Expl0reshell\expl0re\C0mmand=WScript.exe
           //e:VBScript thumb.db aut0

     

    In its original form (changing "0" back to "o"), there are twenty VirusTotal companies who detected it.

    But only AVG/AVAST and two (at least) other companies will detect it as part of the entire F-Secure HTML page markup (the noted F-Secure HTML page). Too generic.

     

    Just this noted piece of text is still detected by AVG, Avast and two other companies as "BV:AutoRun-AS[WRM]", "INF.Autorun.M", "WinLNK.Trojan.Starter.a".

    But, also, other companies will detect it as "Generic.Cantix._hash_for_variaton_" (previous F-Secure engine and, at least, seven other companies), "Win.Trojan.Autorun-380", "VBS/Autorun.BQ!worm", "malware (score=87)", "Worm:VBS/Autorun (by Microsoft)", "Trojan.Autorun.gen", "Generic!atr.b", "virus.ini.infector.a", "Worm.Win32.AutoRun.wuw".

     

    Based on the detection names, it sounds like it is all about too generic detection against VBS tricks and maybe the design of "thumb.db/.ini/.inf" files with different autorun opportunities. But I think that such text on an F-Secure HTML page with a description of the related threat is not a reason for an "infected site" detection.

     

    Thanks!

  • Hello BuckyGoldstein,

     

    Thanks for reporting this to us. I have highlighted your post to the labs as well.

     

  • MatthewTurner
    MatthewTurner Posts: 3 New Member

    Hey! Had the same problems. Thanks for the information.

This discussion has been closed.
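
The false positive Ukko describes above, shown as an added example that is not part of the original thread and is not any vendor's actual detection logic: a content-only signature flags a threat description page as readily as a real autorun.inf, while a check that also looks at the container does not. The regexes, function names and both samples are constructed assumptions; the samples keep the thread's defanged spelling ("0" for "o").

```python
import re

# Assumed signature, in the spirit of the generic detections named in the
# thread: an autorun section header followed by an open= directive that
# launches WScript. [o0] accepts the defanged spelling so this file stays inert.
SIG = re.compile(rb"\[aut[o0]run\].{0,200}?[o0]pen\s*=\s*wscript\.exe", re.I | re.S)
# Assumed hint that the byte stream is HTML markup rather than an INF file.
HTML_HINT = re.compile(rb"<\s*(!doctype|html|head|body|pre|p|div)\b", re.I)

def naive_scan(data: bytes) -> bool:
    """Flag any byte stream containing the signature, whatever the container."""
    return SIG.search(data) is not None

def looks_like_inf(data: bytes) -> bool:
    """True when the first non-blank, non-comment line is an INF section header."""
    for line in data.decode("latin-1").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        return re.fullmatch(r"\[[^\]\r\n]+\]", stripped) is not None
    return False

def context_aware_scan(data: bytes) -> bool:
    """Flag only when the signature sits in something shaped like an INF file."""
    return naive_scan(data) and looks_like_inf(data) and not HTML_HINT.search(data)

# Constructed sample: a standalone autorun.inf (defanged as in the thread).
INF_SAMPLE = b"[aut0run]\r\n0pen=WScript.exe //e:VBScript thumb.db aut0\r\n"
# Constructed sample: a threat description page quoting the same text.
HTML_SAMPLE = (
    b"<html><body><h1>Threat description</h1><pre>"
    b"[aut0run]0pen=WScript.exe //e:VBScript thumb.db aut0"
    b"</pre></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("autorun.inf", INF_SAMPLE), ("description page", HTML_SAMPLE)):
        print(f"{name}: naive={naive_scan(sample)} context_aware={context_aware_scan(sample)}")
```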