cancel
Showing results for 
Search instead for 
Did you mean: 

AVG reports a page on your site infected with bv:autorun-as virus

Scholar

AVG reports a page on your site infected with bv:autorun-as virus

while researching the js:agent-dzp trojan I visited your site (page: https://www.f-secure.com/v-descs/trojan_js_agent.shtml). On that page under technical details I clocked on the link "Trojan:JS/Agent.JP" which took me to the page at https://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml. When that page opened, AVG reported an infection with the bv:autorun-as worm. I tried to save the page for inspection, but AVG aborted the download fue to infection. I tried the link multiple times and each time AVG reported the infection.

 

As your company seems to be an antivirus orginization I thought you would like to know.

 

By the way, your reporting mechanisam wouldn't allow me to report this without submiting a sample file, but I couldn't download it to provide the sample, so I submitted a clean file of my own. You should allow people to contact you without having to provide a sample.

 

Thanks and good luck,

Bucky

 

 

F-Secure.pngMessage from AVG

1 ACCEPTED SOLUTION

Accepted Solutions
Community Manager

Re: AVG reports a page on your site infected with bv:autorun-as virus

Hello BuckyGoldstein,

 

We have now updated the page you reported and this page is no longer detected by other products.

Has somebody helped you? Say thanks by giving likes. Has your issue been solved? Mark the post using "Accept As Solution" button to let others know.
4 REPLIES
Scholar

Re: AVG reports a page on your site infected with bv:autorun-as virus

apparently I'm not alone. I just noticed a post on Avast's forum (september 2018) about the same issue.

 

https://forum.avast.com/index.php?topic=222047.0

 

Good luck with that,

Bucky

Highlighted
Superuser

Re: AVG reports a page on your site infected with bv:autorun-as virus

Hello,

 

Sorry for my reply. I am only an F-Secure user (their home solution).

 

In general, there is possibility to contact them (for except your workaround):

-> common official F-Secure Support Channels (chat or phone):

-> ability to transfer URL (with further clear description) rather than file:

works as your workaround, probably.

 

But I think that, anyway, it is good to contact AVG about this. Likely that such detection is false positive.

 

Because based on my try to research reason for detection - next piece of commands (even if saved as text-file) will trigger detection. Note! I changed all "o"-characters to "0" (zero) for avoid detection by AVG  (though, previous F-Secure engine and all companies who used it - will detect it anyway).

Visible under F-Secure page as description for content of "autorun.inf"-file.

[aut0run]0pen=WScript.exe //e:VBScript thumb.db aut0
  shell\0pen=0pen shell\0pen\C0mmand=WScript.exe //e:VBScript thumb.db
  aut0shell\0pen\Default=1shell\expl0re=Expl0reshell\expl0re\C0mmand=WScript.exe
       //e:VBScript thumb.db aut0

 

With original view (change "0" to "o" back) - there are twenty Virustotal companies who detected it.

But only AVG/AVAST and two (at least) other companies will detect it as part of entire F-Secure HTML page markup (noted F-Secure HTML page). Too generic.

 

Just this noted piece of text still with detection by AVG, Avast and two other companies as "BV:AutoRun-AS[WRM]", "INF.Autorun.M", "WinLNK.Trojan.Starter.a".

But, also, another companies will detect it as "Generic.Cantix._hash_for_variaton_" (previous F-Secure engine and, at least, seven other companies), "Win.Trojan.Autorun-380", "VBS/Autorun.BQ!worm", "malware (score=87)", "Worm:VBS/Autorun (by Microsoft)", "Trojan.Autorun.gen", "Generic!atr.b", "virus.ini.infector.a", "Worm.Win32.AutoRun.wuw".

 

Based on detection names - sounds that it is all about too generic detection against VBS tricks and maybe "thumb.db/.ini/.inf"-files design with different autorun opportunities. But I think that such text under F-Secure HTML page with description about related threat is not reason for "infected site"-detection.

 

Thanks!

Community Manager

Re: AVG reports a page on your site infected with bv:autorun-as virus

Hello BuckyGoldstein,

 

Thanks for reporting this to us. I have highlighted your post to the labs as well.

 

Has somebody helped you? Say thanks by giving likes. Has your issue been solved? Mark the post using "Accept As Solution" button to let others know.
Community Manager

Re: AVG reports a page on your site infected with bv:autorun-as virus

Hello BuckyGoldstein,

 

We have now updated the page you reported and this page is no longer detected by other products.

Has somebody helped you? Say thanks by giving likes. Has your issue been solved? Mark the post using "Accept As Solution" button to let others know.