Thursday, April 24, 2008

HTML/Infected.WebPage.Gen.

We were recently informed by some people that the Avira anti-virus protection apparently shows an alert on MS Internet Explorer 7 for this blog, "HTML/Infected.WebPage.Gen.", a trojan that has been around since last fall (damage potential: low). This alert, which seems to have appeared 2-3 weeks ago, is not reproducible with either Symantec or Trend Micro, on either MS Internet Explorer or Firefox. Some googling brought up that others have reported the same problem for blogs on Blogger or WordPress.

I suspect this is a bug in the virus protection, not in this website, and that it wrongly interprets part of the HTML code. I haven't changed anything about the template (e.g. add-ons) for several months, and the rest of the website is generated by a Blogger script that runs for everybody on blogspot. There also aren't any trackbacks showing up on the entry page, so that can't be the cause either (in some forums you'll find a recommendation to delete all trackbacks, but it doesn't sound plausible to me).

Another bloggy thing: Stefan and I have noticed that the 'publish' button under the comment preview presently doesn't work. Again, this is a script we have no influence on, so we can't do anything about it. Please use the 'publish' button under the word verification instead, which seems to work just fine. If you use the wrong button and notice your comment doesn't appear (there is no error message), scroll up: the comment isn't lost unless you leave the site, it just stays in the textbox.

25 comments:

Uncle Al said...

http://www.kaspersky.com/
http://www.kaspersky.com/scanforvirus

Kaspersky is the rabid Russian wolverine of malware detectors/removers. It doesn't hog system resources like McAfee or Norton (that are second rate in any case). If you install it locally, reset the database update period to every 1-3 days. Every 3 hrs default is excessive.

Lumo said...

Interesting. I am using Avira as well and the error only appears here, not at The Reference Frame.

Lumo said...

It is incredible but the error message is actually generated by the SiteMeter script.

Even more amusingly, if you change s31 to s24 and s31hossi to s24lumidek, i.e. if you introduce my counter instead of yours, the error goes away. ;-)

This is what I call a localization of a problem.

Now, for you not to feel overly paranoid, let us localize it a bit more. The error is not induced by hossi but by the server s31.sitemeter.com. Change it to s24.sitemeter.com and the problem goes away.

Keep s31.sitemeter.com and change the username and the error stays there.

Phil Warnell said...

Hi Bee,

“Another bloggy thing: Stefan and I, we had to notice that the 'publish' button under the comment preview presently doesn't work.”

I’m glad you told us about this, for I was afraid it was the result of you and Stefan having had enough of my comments :-)

Best,

Phil

Bee said...

Hi Lubos,

Thanks! That is indeed odd. I've sent the Avira people a note.

Hi Phil,

No worries.

Best,

B.

Ed said...

For what it's worth, I contacted AVG about a similar problem. They informed me in no uncertain terms that there could be no errors in their software, so any discrepancy found between their results and any other anti-virus/anti-spyware software must by definition be the other software's fault.

Lumo said...

You can find s31.sitemeter.com in a list of bad websites (with trojans) here. S24 is also there but in a different collection.

Bee said...

Okay, I didn't hear back from the avira people, which is unsurprising. Their customer service is more or less a joke, on their website there's no contact email, a form in which you can only submit infected files, and some phone numbers that look pricey even if you live in that country. They offer a 'forum', for which you have to register. If you do so however, you still can't post threads for whatever reason, so it's essentially useless.

Anyway, I've removed the sitemeter counter and replaced it with Statcounter, starting with the last sitemeter number. This however means we lose all the statistics of the past year.

Could anybody let me know whether this solves the problem?

Best,

B.

Rae Ann said...

I use sitemeter and statcounter. I really prefer statcounter, though the 'outclicks' function of sitemeter is nice and the only reason I keep it.

Bee said...

Here's an update: I submitted the publish-button problem to the Google help forum, see here. This forum is completely weird, seriously, you read through the threads and it's like thousands of people screaming, CAN'T BLOG, HELP, CAN'T BLOG, CAN'T UPLOAD VIDEOS, CAN'T BLOG!, MY BLOG IS GONE, MY BLOG DOES X BUT SHOULD DO Y, CAN'T SEE MY BLOG, CAN'T PUBLISH MY BLOG, CAN'T FIND MY BLOG, CAN'T BLOG!

I've also heard back from the Avira people, but it's not very insightful. (They analyzed the dummy picture I had to attach because otherwise the form wouldn't let me submit a comment. They've found the picture doesn't contain anything suspicious but didn't read the comment.)

Best,

B.

Bee said...

Here is another update on the 'virus' alert:

I've managed to get some feedback from the Avira people, which after all was quite useful. So, it's definitely a wrong alert, caused by the sitemeter script loading an iFrame of size 0. I've been told this is usually an indicator for malware (for why would anybody try to hide an iFrame? I don't know, and what is an iFrame to begin with?). The part in the script causing the alert is this:

var newIFrame = document.createElement("iframe");
newIFrame.frameBorder=0;
newIFrame.width = 0;
newIFrame.height = 0;

So if you're thinking of writing a script, better don't do anything like that.

Best,

B.

stefan said...

Dear Bee,

thanks a lot for investigating this strange case of the spurious virus alert! It's good to know that there hasn't been a real virus - it's easy to get paranoid, if these alerts coincide with strange surges of spam mail.

BTW, iframes are clever ways to brush up the capabilities of blogger, for example by embedding snippets of HTML code that require JavaScript - reminds me of some ideas I have had in this respect.

Cheers, Stefan

Lassar said...

I got the same thing on opera today.

I did a test and Avira does not like iframe.

Avira complained on this source code.

<iframe src="http://google.com" height="0" width="0" frameborder=0></iframe>

Avira definitely has a bug in its detection algorithm.

Anonymous said...

Hi
I get the same virus alert from Avira on http://www.astrologycom.com/
I understand that the alert seems to be false, but why not ask the web developers to use correct code, rather than allow them to get away with non-standard code which is fine in a test environment, but not on a public web site used by mostly non-technical people.
I think Avira software and support are right in identifying an iFrame of size 0 as POTENTIAL malware.

Bee said...

Anonymous: I contacted the Avira people and they explained to me that there is nothing wrong with this 'virus alert' because it detects a feature (iframe of zero size) that, so they claim, is suspicious and often connected to malware. It doesn't seem to bother them much that this causes false alarms that are a significant annoyance for many of their customers, and in addition doesn't seem to be a problem for any other virus scanner. I'd recommend you contact them too; the more often they hear it, the more likely they will listen.

Greg said...

Uh, they did listen. Avira is doing exactly what it should do. I am a web developer by trade, and this is a very suspicious practice. It would be remiss if Avira were to totally ignore this. If you look at the error, it says it detects a signature of that infection. That's exactly what that is. If I were to test my own webpages with Avira, I would want that to be a big red flag! Why does sitemeter need a zero size IFrame (which is a container for hosting content)?

Bee said...

Given that sitemeter is a very popular counter they should have put it on a whitelist instead of insisting the virus alert is good for something.

Anonymous said...

Kaspersky is shit, and those who say that Symantec/McAfee hog resources just have very shit computers....

Anonymous said...

I run Avira and had no problems when I came to this site. The reason I visited is I had the same thing occurring on a local TV news web site.

Bee said...

Possibly because I removed the applet that caused the fake alarm almost a year ago?

Anonymous said...

Hi,
I'm a computer dummy and not a member of your site, but thanks for all your work, which reassures me I do not have a real virus here. I am getting the same alert all of you are. It is detected and I delete it. Is the "Avira" that is referred to in some posts the same as "AntiVir" (a German company I use for anti-virus protection)?

Ivan Eduardo said...

This error is because in the HTML code some site appears that is spammy or reported by Google, like saarcop.net, quosty.com, etc. The code is something like 'iframe src="http:// m a i s l e x. c o m /?click=70F164" width=1 height=1 style="visibility:hidden;position:absolute"/iframe'
I separated the name so as not to trigger the antivirus.
Yeah, Avira is great and detects these things too...
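As an added example (not from the post, nor Avira's or SiteMeter's code), here is in Python the kind of hidden-iframe heuristic that Bee's quoted SiteMeter snippet, Lassar's test tag and the snippet in the comment above all trip. It checks both static markup and a script that builds the frame in the DOM; the sample markup, the `example.invalid` hostnames and the shortened counter script are constructed.

```python
"""Hidden-iframe heuristic of the kind behind the HTML/Infected.WebPage.Gen alert.
Added example, not Avira's or SiteMeter's code; all samples are constructed."""
import re
from html.parser import HTMLParser

HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
CREATE_IFRAME = re.compile(r"""createElement\(\s*["']iframe["']\s*\)""")
ZERO_DIM = re.compile(r"""\.(width|height)\s*=\s*["']?0(px)?["']?\s*;""")

def _is_tiny(value):
    """True for a width/height attribute of at most one pixel ('0', '0px', '1')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lower-cases tag and attribute names
            return
        a = dict(attrs)
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDING_CSS.search(a.get("style") or ""):
            reasons.append("css-hidden")
        if reasons:
            self.findings.append({"src": a.get("src"), "reasons": reasons})

def find_hidden_iframes(html):
    """Static check: one finding per hidden iframe present in the markup."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def script_builds_hidden_iframe(js):
    """Script check: createElement('iframe') then width = 0 and height = 0 (DOM-only frame)."""
    if not CREATE_IFRAME.search(js):
        return False
    return {m.group(1) for m in ZERO_DIM.finditer(js)} == {"width", "height"}

# Constructed samples: a normal embed, Lassar's test tag, a CSS-hidden tracker and a
# SiteMeter-style script.  The heuristic flags the counter exactly like the tracker.
VISIBLE = '<iframe src="https://example.invalid/v" width="560" height="315"></iframe>'
ZERO = '<iframe src="http://google.com" height="0" width="0" frameborder=0></iframe>'
CSS = ('<iframe src="http://tracker.example.invalid/?click=1" width=1 height=1 '
       'style="visibility:hidden;position:absolute"></iframe>')
COUNTER_JS = 'var f = document.createElement("iframe"); f.width = 0; f.height = 0;'
```

Both checks flag the statistics counter and the tracker alike, which is the whole false-positive problem here: the heuristic sees the hiding technique, not who is loading the frame, so a reputation or allowlist step has to sit behind it.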

Anonymous said...

I get the HTML/Infected.WebPage.Gen warning from avira whenever I log out of hotmail. Very annoying indeed

Montse said...

Well, it's October 28 and Avira hasn't fixed it! I can't touch Picasa without it warning me about the virus. Since you say it isn't a virus... I won't worry, but it is a problem not being able to get rid of window after window warning about the virus. I can't move around the internet without the antivirus popping up warning of the danger. I don't know how to fix those blasted windows... Will I have to remove Avira?

P.S. Sorry for writing in Spanish; as a second language I studied French.... oh well!

Shane said...

I have just received an alert about HTML/Infected.WebPage.Gen and my internet was blocked and Avira disabled? How do I get rid of it?