AVG reports a page on your site infected with bv:autorun-as virus


while researching the js:agent-dzp trojan I visited your site (page: https://www.f-secure.com/v-descs/trojan_js_agent.shtml). On that page under technical details I clocked on the link "Trojan:JS/Agent.JP" which took me to the page at https://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml. When that page opened, AVG reported an infection with the bv:autorun-as worm. I tried to save the page for inspection, but AVG aborted the download fue to infection. I tried the link multiple times and each time AVG reported the infection.


As your company seems to be an antivirus orginization I thought you would like to know.


By the way, your reporting mechanisam wouldn't allow me to report this without submiting a sample file, but I couldn't download it to provide the sample, so I submitted a clean file of my own. You should allow people to contact you without having to provide a sample.


Thanks and good luck,




F-Secure.pngMessage from AVG


  • BuckyGoldstein
    BuckyGoldstein Posts: 2 New Member

    apparently I'm not alone. I just noticed a post on Avast's forum (september 2018) about the same issue.




    Good luck with that,


  • Ukko
    Ukko Posts: 3,634 Superuser



    Sorry for my reply. I am only an F-Secure user (their home solution).


    In general, there is possibility to contact them (for except your workaround):

    -> common official F-Secure Support Channels (chat or phone):

    -> ability to transfer URL (with further clear description) rather than file:

    works as your workaround, probably.


    But I think that, anyway, it is good to contact AVG about this. Likely that such detection is false positive.


    Because based on my try to research reason for detection - next piece of commands (even if saved as text-file) will trigger detection. Note! I changed all "o"-characters to "0" (zero) for avoid detection by AVG  (though, previous F-Secure engine and all companies who used it - will detect it anyway).

    Visible under F-Secure page as description for content of "autorun.inf"-file.

    [aut0run]0pen=WScript.exe //e:VBScript thumb.db aut0
      shell\0pen=0pen shell\0pen\C0mmand=WScript.exe //e:VBScript thumb.db
           //e:VBScript thumb.db aut0


    With original view (change "0" to "o" back) - there are twenty Virustotal companies who detected it.

    But only AVG/AVAST and two (at least) other companies will detect it as part of entire F-Secure HTML page markup (noted F-Secure HTML page). Too generic.


    Just this noted piece of text still with detection by AVG, Avast and two other companies as "BV:AutoRun-AS[WRM]", "INF.Autorun.M", "WinLNK.Trojan.Starter.a".

    But, also, another companies will detect it as "Generic.Cantix._hash_for_variaton_" (previous F-Secure engine and, at least, seven other companies), "Win.Trojan.Autorun-380", "VBS/Autorun.BQ!worm", "malware (score=87)", "Worm:VBS/Autorun (by Microsoft)", "Trojan.Autorun.gen", "Generic!atr.b", "virus.ini.infector.a", "Worm.Win32.AutoRun.wuw".


    Based on detection names - sounds that it is all about too generic detection against VBS tricks and maybe "thumb.db/.ini/.inf"-files design with different autorun opportunities. But I think that such text under F-Secure HTML page with description about related threat is not reason for "infected site"-detection.



  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hello BuckyGoldstein,


    Thanks for reporting this to us. I have highlighted your post to the labs as well.


  • MatthewTurner
    MatthewTurner Posts: 3 New Member

    Hey! Had same problems. Thanks for information

This discussion has been closed.