Thursday, April 24, 2008

HTML/Infected.WebPage.Gen.

We were recently informed by some people that apparently the Avira anti-virus protection shows an alert on MS Internet Explorer 7 for this blog, "HTML/Infected.WebPage.Gen.", which is a trojan that has been around since last fall (damage potential: low). This alert, which seems to have been appearing for the last 2-3 weeks, is not reproducible with either Symantec or Trend-Micro, on either MS Internet Explorer or Firefox. Some googling brought up that others have reported the same problem for blogs on blogger or wordpress.

I suspect this is a bug with the virus protection, not with this website, and that it wrongly interprets part of the html code. I haven't changed anything about the template (e.g. add-ons) for several months, and the rest of the website is generated by a blogger script that runs for everybody on blogspot. There also aren't any trackbacks showing up on the entry site, so that can't be a cause either (in some forums you'll find a recommendation to delete all trackbacks, but it doesn't sound plausible to me).

Another bloggy thing: Stefan and I have noticed that the 'publish' button under the comment preview presently doesn't work. Again this is a script we have no influence on, so we can't do anything about it. Please use instead the 'publish' button under the word verification, which seems to work just fine. If you use the wrong button and notice your comment doesn't appear (there is no error message), scroll up - the comment isn't lost unless you leave the site, it just stays in the textbox.

25 comments:

  1. http://www.kaspersky.com/
    http://www.kaspersky.com/scanforvirus

    Kaspersky is the rabid Russian wolverine of malware detectors/removers. It doesn't hog system resources like McAfee or Norton (that are second rate in any case). If you install it locally, reset the database update period to every 1-3 days. Every 3 hrs default is excessive.

  2. Interesting. I am using Avira as well and the error only appears here, not at The Reference Frame.

  3. It is incredible but the error message is actually generated by the SiteMeter script.

    Even more amusingly, if you change s31 to s24 and s31hossi to s24lumidek, i.e. if you introduce my counter instead of yours, the error goes away. ;-)

    This is what I call a localization of a problem.

    Now, for you not to feel overly paranoid, let us localize it a bit more. The error is not induced by hossi but by the server s31.sitemeter.com. Change it to s24.sitemeter.com and the problem goes away.

    Keep s31.sitemeter.com and change the username and the error stays there.

  4. Hi Bee,

    “Another bloggy thing: Stefan and I, we had to notice that the 'publish' button under the comment preview presently doesn't work.”

    I'm glad you told us about this, for I was afraid it was the result of you and Stefan having had enough of my comments:-)

    Best,

    Phil

  5. Hi Lubos,

    Thanks! That is indeed odd. I've sent the Avira people a note.

    Hi Phil,

    No worries.

    Best,

    B.

  6. For what it's worth, I contacted AVG about a similar problem. They informed me in no uncertain terms that there could be no errors in their software, so any discrepancy found between their results and any other anti-virus/anti-spyware software must by definition be the other software's fault.

  7. You can find s31.sitemeter.com in a list of bad websites (with trojans) here. S24 is also there but in a different collection.

  8. Okay, I didn't hear back from the Avira people, which is unsurprising. Their customer service is more or less a joke: on their website there's no contact email, a form in which you can only submit infected files, and some phone numbers that look pricey even if you live in that country. They offer a 'forum', for which you have to register. If you do so, however, you still can't post threads for whatever reason, so it's essentially useless.

    Anyway, I've removed the sitemeter counter and replaced it with Statcounter, starting with the last sitemeter number. This however means we lose all the statistics of the past year.

    Could anybody let me know whether this solves the problem?

    Best,

    B.

  9. I use sitemeter and statcounter. I really prefer statcounter, though the 'outclicks' function of sitemeter is nice and the only reason I keep it.

  10. Here's an update: I submitted the publish-button problem to the Google help forum, see here. This forum is completely weird, seriously, you read through the threads and it's like thousands of people screaming, CAN'T BLOG, HELP, CAN'T BLOG, CAN'T UPLOAD VIDEOS, CAN'T BLOG!, MY BLOG IS GONE, MY BLOG DOES X BUT SHOULD DO Y, CAN'T SEE MY BLOG, CAN'T PUBLISH MY BLOG, CAN'T FIND MY BLOG, CAN'T BLOG!

    I've also heard back from the Avira people, but it's not very insightful. (They analyzed the dummy picture I had to attach because otherwise the form wouldn't let me submit a comment. They've found the picture doesn't contain anything suspicious but didn't read the comment.)

    Best,

    B.

  11. Here is another update on the 'virus' alert:

    I've managed to get some feedback from the Avira people, which after all was quite useful. So, it's definitely a wrong alert, caused by the sitemeter script loading an iFrame of size 0. It was explained to me that this is usually an indicator for malware (for why would anybody try to hide an iFrame? I don't know, and what is an iFrame to begin with?). The part in the script causing the alert is this

    var newIFrame = document.createElement("iframe");
    newIFrame.frameBorder=0;
    newIFrame.width = 0;
    newIFrame.height = 0;

    So if you're thinking of writing a script, better don't do anything like that.

    Best,

    B.

  12. Dear Bee,

    thanks a lot for investigating this strange case of the spurious virus alert! It's good to know that there hasn't been a real virus - it's easy to get paranoid, if these alerts coincide with strange surges of spam mail.

    BTW, iframes are clever ways to brush up the capabilities of blogger, for example by embedding snippets of HTML code that require JavaScript - reminds me of some ideas I have had in this respect.

    Cheers, Stefan

  13. I got the same thing on opera today.

    I did a test and Avira does not like iframes.

    Avira complained on this source code.

    <iframe src="http://google.com" height="0" width="0" frameborder=0></iframe>

    Avira definitely has a bug in its detection algorithm.

  14. Hi
    I get the same virus alert from Avira on http://www.astrologycom.com/
    I understand that the alert seems to be false, but why not ask the web developers to use correct code, rather than allow them to get away with non-standard code which is fine in a test environment, but not on a public web site used by mostly non-technical people.
    I think Avira software and support are right in identifying an iFrame of size 0 as POTENTIAL malware.

  15. Anonymous: I contacted the Avira people and they explained to me that there is nothing wrong with this 'virus alert' because it detects a feature (iframe of zero size) that, so they claim, is suspicious and often connected to malware. It doesn't seem to bother them much that this causes false alarms that are a significant annoyance for many of their customers, and in addition doesn't seem to be a problem for any other virus scan. I'd recommend you contact them too; the more often they hear it, the more likely they will listen.

  16. Uh, they did listen. Avira is doing exactly what it should do. I am a web developer by trade, and this is a very suspicious practice. It would be remiss if Avira were to totally ignore this. If you look at the error, it says it detects a signature of that infection. That's exactly what that is. If I were to test my own webpages with Avira, I would want that to be a big red flag! Why does sitemeter need a zero-size IFrame (which is a container for hosting content)?

  17. Given that sitemeter is a very popular counter they should have put it on a whitelist instead of insisting the virus alert is good for something.

  18. Kaspersky is shit, and those who say that Symantec/McAfee hog resources just have very shit computers....

  19. I run Avira and had no problems when I came to this site. The reason I visited is I had the same thing occurring on a local TV news web site.

  20. Possibly because I removed the applet that caused the fake alarm almost a year ago?

  21. Hi,
    I'm a computer dummy and not a member of your site, but thanks for all your work, which reassures me I do not have a real virus here. I am getting the same alert all of you are. It is detected and I delete it. Is the "Avira" that is referred to in some posts the same as "AntiVir" (a German company I use for anti-virus protection)?

  22. This error is because in the html code some site appears that is spammy or reported by Google, like saarcop.net, quosty.com, etc. The code is something like 'iframe src="http:// m a i s l e x. c o m /?click=70F164" width=1 height=1 style="visibility:hidden;position:absolute"/iframe'.
    I separated the name so as not to trigger the antivirus.
    Yeah, Avira is great and detects these things too...

  23. I get the HTML/Infected.WebPage.Gen warning from Avira whenever I log out of Hotmail. Very annoying indeed.

  24. Well, it's October 28th and Avira hasn't fixed it! I can't touch Picasa without it warning me about the virus. Since you say it isn't a virus... I won't worry, but it's a problem not being able to get rid of window after window warning about the virus. I can't move around the internet without the antivirus popping up to warn of the danger. I don't know how to fix those wretched windows... Will I have to remove Avira?

    P.S. Sorry for writing in Spanish, I studied French as my second language.... oh well!

  25. I have just received an alert about HTML/Infected.WebPage.Gen and my internet was blocked and Avira disabled? How do I get rid of it?

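As an added example (not Avira's detection engine and not SiteMeter's script; all hosts are constructed), here is the kind of zero-size / hidden-iframe heuristic described in comments 11, 13 and 22, in JavaScript, together with the allowlist approach suggested in comment 17 that separates a known counter from an unknown host:

```javascript
// Added example, not Avira's or SiteMeter's code; all hosts are constructed.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// Attribute string of an <iframe ...> tag -> lower-cased name/value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Same map from a live HTMLIFrameElement (or a plain object shaped like one).
function frameAttrs(frame) {
  const s = frame.style || {};
  return { width: String(frame.width ?? ""), height: String(frame.height ?? ""),
           style: `visibility:${s.visibility || ""};display:${s.display || ""}`,
           src: frame.src || "" };
}

// The heuristic: 0 or 1 px in either dimension, or styled invisible, counts as
// "hidden" whoever serves it, which is exactly why a counter trips it too.
function isHidden(attrs) {
  const tiny = (v) => v !== undefined && Number.parseInt(v, 10) <= 1;
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  return tiny(attrs.width) || tiny(attrs.height)
    || style.includes("visibility:hidden") || style.includes("display:none");
}

function hostOf(src) {
  try { return new URL(src).hostname; } catch { return ""; }
}

// Scan markup; an allowlist of known widget hosts turns a raw signature hit into
// a review decision instead of a blanket alert (the whitelist idea from the thread).
function scanHiddenIframes(html, allowlist = []) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!isHidden(attrs)) continue;
    const host = hostOf(attrs.src || "");
    findings.push({ host, allowlisted: allowlist.includes(host) });
  }
  return findings;
}
// Constructed sample: a counter-style frame, a spam-style frame, an ordinary embed.
const SAMPLE_HTML = `
<iframe src="http://counter.example/hit?id=1" height="0" width="0" frameborder=0></iframe>
<iframe src="http://spam.example/?c=1" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>`;
```

The counter-style and spam-style frames produce the identical signal; only the allowlist (or a human looking at the host) tells them apart, which is the whole false-positive story of this thread.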
