AVG reports a page on your site infected with bv:autorun-as virus
While researching the js:agent-dzp trojan I visited your site (page: https://www.f-secure.com/v-descs/trojan_js_agent.shtml). On that page under technical details I clicked on the link "Trojan:JS/Agent.JP" which took me to the page at https://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml. When that page opened, AVG reported an infection with the bv:autorun-as worm. I tried to save the page for inspection, but AVG aborted the download due to infection. I tried the link multiple times and each time AVG reported the infection.
As your company seems to be an antivirus organization I thought you would like to know.
By the way, your reporting mechanism wouldn't allow me to report this without submitting a sample file, but I couldn't download it to provide the sample, so I submitted a clean file of my own. You should allow people to contact you without having to provide a sample.
Thanks and good luck,
Bucky
Message from AVG
Comments
-
Apparently I'm not alone. I just noticed a post on Avast's forum (September 2018) about the same issue.
https://forum.avast.com/index.php?topic=222047.0
Good luck with that,
Bucky
-
Hello,
Sorry for my reply. I am only an F-Secure user (their home solution).
In general, there is a possibility to contact them (apart from your workaround):
-> common official F-Secure Support Channels (chat or phone):
-> ability to transfer URL (with further clear description) rather than file:
works as your workaround, probably.
But I think that, anyway, it is good to contact AVG about this. It is likely that such a detection is a false positive.
Because, based on my attempt to research the reason for the detection, the following piece of commands (even if saved as a text file) will trigger the detection. Note! I changed all "o" characters to "0" (zero) to avoid detection by AVG (though the previous F-Secure engine, and all companies who used it, will detect it anyway).
It is visible on the F-Secure page as the description of the content of the "autorun.inf" file.
[aut0run]
0pen=WScript.exe //e:VBScript thumb.db aut0
shell\0pen=0pen
shell\0pen\C0mmand=WScript.exe //e:VBScript thumb.db aut0
shell\0pen\Default=1
shell\expl0re=Expl0re
shell\expl0re\C0mmand=WScript.exe //e:VBScript thumb.db aut0
In its original form (changing "0" back to "o"), there are twenty VirusTotal companies who detected it.
But only AVG/Avast and (at least) two other companies will detect it as part of the entire F-Secure HTML page markup (the noted F-Secure HTML page). Too generic.
Just this noted piece of text is still detected by AVG, Avast and two other companies as "BV:AutoRun-AS[WRM]", "INF.Autorun.M", "WinLNK.Trojan.Starter.a".
But, also, other companies will detect it as "Generic.Cantix._hash_for_variaton_" (previous F-Secure engine and, at least, seven other companies), "Win.Trojan.Autorun-380", "VBS/Autorun.BQ!worm", "malware (score=87)", "Worm:VBS/Autorun (by Microsoft)", "Trojan.Autorun.gen", "Generic!atr.b", "virus.ini.infector.a", "Worm.Win32.AutoRun.wuw".
Based on the detection names, it sounds like it is all about too-generic detection of VBS tricks and maybe the "thumb.db/.ini/.inf" file design with different autorun opportunities. But I think that such text on an F-Secure HTML page with a description of the related threat is not a reason for an "infected site" detection.
Thanks!
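The distinction the reply above draws, between a signature that fires on the autorun text wherever it appears and one that also weighs where the text was found, as an added example that is not part of the original thread and not any vendor's engine logic. The function names, the constructed samples and the rule "only a file named autorun.inf counts as a detection" are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed samples. As in the post above, "o" is written as "0" so this
# file does not itself trip AV engines; the patterns accept either character.
INF_SAMPLE = (
    "[aut0run]\n"
    "0pen=WScript.exe //e:VBScript thumb.db aut0\n"
    "shell\\0pen\\C0mmand=WScript.exe //e:VBScript thumb.db aut0\n"
    "shell\\0pen\\Default=1\n"
)
HTML_SAMPLE = (
    "<html><body><p>The worm writes this autorun.inf:</p>\n"
    "<pre>" + INF_SAMPLE + "</pre></body></html>\n"
)

SECTION = re.compile(r"\[aut[o0]run\]", re.I)
LAUNCH_KEY = re.compile(r"^(?:[o0]pen|shellexecute|shell\\.+\\c[o0]mmand)$", re.I)

def launch_commands(text):
    """Return the values of launch keys that follow an [autorun] header."""
    commands, in_section = [], False
    for line in text.splitlines():
        # Drop markup so the text is seen the way a content-only signature sees it.
        line = re.sub(r"<[^>]*>", "", line).strip()
        if line.startswith("["):
            in_section = bool(SECTION.fullmatch(line))
            continue
        key, sep, value = line.partition("=")
        if in_section and sep and LAUNCH_KEY.match(key.strip()):
            commands.append(value.strip())
    return commands

def content_only_verdict(text):
    """Generic signature: flags any text holding a script-host launch entry."""
    return any("wscript.exe" in c.lower() for c in launch_commands(text))

def context_aware_verdict(text, path):
    """Same signature, but only a file named autorun.inf is reported as a threat.
    Assumption for this sketch: the entries are only acted on under that name."""
    if not content_only_verdict(text):
        return "clean"
    if PurePosixPath(path).name.lower() == "autorun.inf":
        return "detect"
    return "informational"
```

With these samples the content-only check flags the HTML description page just as it flags the real file, while the context-aware check downgrades the page to informational.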