Possible virus on BladeForums...

I recently clicked on a link from Google.com to view a particular thread and I get a virus warning from my firewall. I am running Endian Firewall community version with ClamAV installed and I get the following error:

HAVP - Access Denied

Accesss to the page has been denied
because the following virus was detected
ClamAV: HTML.Phishing.Bank-462
If you have any queries contact your ICT Co-ordinator or Network Manager.

Here is the link that I clicked on that apparently is infected. http://www.bladeforums.com/forums/showthread.php?p=3526766

I can't seem to find much information on it and I am not sure if it is a false positive. This may be a purely text-based search through ClamAV? I am not sure, as this is the first time that ClamAV has blocked any part of BladeForums.com.

If you have any questions, please feel free to email me at: axeldoomeyer:NOSPAM:@sbcglobal.net

Just remove the :NOSPAM: part.

-Axel
 
The page you linked to is not infected. It is possible that you have some malicious code on your PC. I searched the thread in question in Google and came up clean. I even did a virus and spyware scan and came up clean.
 
Since the detail provided by your firewall indicates a phishing hit and the thread you link to contains the text of a phishing message, isn't the hit most likely just the result of a text search?
 
I had a similar warning a while back when I went in to read a thread. I thought it might have been a one-time thing, so I tried again and the same thing happened. I went into another thread in the same forum and nothing happened. I went back again into that thread and the same warning popped up. I mentioned this to Ken or Cougar, I can't remember. I run my security programs daily, so I know my system was clean that day. axeldoomeyer, take a screenshot of what you see and post it.
 
I think it's complaining about the "playpal" link.

Basically your anti-virus told you "Playpal" is HTML phishing, which it is. It would probably cite any HTML page with "playpal" in it; in this case it happens to be a BF page.
 
First off, a little more background. My firewall is detecting that the thread may be infected. I can't honestly say. This is a corporate firewall that I have installed at my house, and I administer it. If I turn off the firewalling and AV that is installed in the firewall itself, the page will load just fine.

Here is a screenshot: HAVPError.jpg


I have tried on all PCs and servers that I have in my network with the same result. I am not sure why ClamAV is picking it up as a virus.

ClamAV is the virus program that runs on the hardware firewall itself. I am not sure that a regular PC virus detector would pick up a remote virus. The difference is that this install of ClamAV is running within my firewall. I am not 100% certain that it is not a text-based query thereby blocking access to that page. Maybe a link somewhere in the thread that ClamAV detects as a threat?

ClamAV would rather err on the side of caution than not, for obvious reasons.

I will do some more testing, as I am curious as to why Clam thinks that particular thread is infected. I have ClamAV installed on my Linux box, so as a test I will disable my firewall completely and try to load the thread from my Linux box and see if ClamAV throws an error message. I will also try using Symantec, as this will help determine if in fact it is a false positive.

I have a sneaky suspicion that there is actually a keyword or link in the thread that is causing ClamAV to pick it up as a threat.

-Axel
 
As others have said, that thread contains links to known "phishing" sites. Norton shuts me down if I try to open the links; your AV shuts you down before you even see the links. Different levels of paranoia, that's all.
 
The problem is easy to test:

Create a new reply in this thread:

  1. Type support(at)playpal(dot)com (replace the appropriate characters)
  2. Ensure the Automatically parse links in text option is selected (under the Submit Reply button)
  3. Press the Preview Post button.

Your software should block the preview, if it is doing a text scan on the HTML source of the page.
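To show why a scanning proxy such as HAVP with ClamAV treats a thread that quotes a phishing mail exactly like the phishing mail itself, here is an added example (not code from the thread, HAVP or ClamAV) that emulates a content scanner: it applies a constructed keyword signature and a constructed deceptive-link heuristic (an anchor whose visible text names a host that differs from the real target, an approximation of the kind of check anti-phishing engines do) to the raw HTML. The signature names, sample pages and the 203.0.113.7 address are all constructed for the example; the "playpal" keyword is the one discussed in this thread.

```python
"""Emulate what a scanning proxy (HAVP + ClamAV style) sees: the raw HTML
source of every page, with no notion of whether the page IS a lure or
merely QUOTES one.  Signatures here are constructed stand-ins, not
ClamAV's real HTML.Phishing.Bank-462."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword signature: a string the lure mail contains.
KEYWORD_SIGS = {"Constructed.Phish.Keyword": re.compile(r"playpal", re.I)}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html):
    """Return the sorted list of signature names that fire on this HTML."""
    hits = {name for name, rx in KEYWORD_SIGS.items() if rx.search(html)}
    parser = _LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        # Constructed heuristic: visible text looks like a host name but the
        # real target host is something else (assumption about engine logic).
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and "." in shown and shown != real:
            hits.add("Constructed.Phish.DeceptiveLink")
    return sorted(hits)


# Constructed samples: the lure itself, a forum thread quoting it, and a
# clean thread from the same forum.
PHISH_MAIL = ('<p>Your account is suspended. Log in at '
              '<a href="http://203.0.113.7/login">www.playpal.com</a></p>')
FORUM_THREAD = ('<html><body><h1>Warning: scam mail going around</h1>'
                '<blockquote>' + PHISH_MAIL + '</blockquote>'
                '<p>Do not click it; the link goes elsewhere.</p></body></html>')
CLEAN_THREAD = '<html><body><h1>Steel question</h1><p>Which steel?</p></body></html>'
```

Both the lure and the thread quoting it produce the same two hits while the clean thread produces none, which is the false positive the poster is seeing: the scanner matches source text, not the intent of the page.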
 
I think it's complaining about the "playpal" link.

Basically your anti-virus told you "Playpal" is HTML phishing, which it is. It would probably cite any HTML page with "playpal" in it; in this case it happens to be a BF page.

As others have said, that thread contains links to known "phishing" sites. Norton shuts me down if I try to open the links; your AV shuts you down before you even see the links. Different levels of paranoia, that's all.

What they said...
 
"Phishing" does not mean "virus." It means an attempt to trick you into giving out information you shouldn't be giving out, such as your credit card number. Don't be alarmed; let the thread load and read it. It has information you need to know.
 
"Phishing" does not mean "virus." It means an attempt to trick you into giving out information you shouldn't be giving out, such as your credit card number. Don't be alarmed; let the thread load and read it. It has information you need to know.

Ya, I was one of the contributors to that particular thread. I am fully aware of the difference between phishing and an actual virus. What is weird is that typically my firewall will notate a possible phishing or error stating that it cannot display the page because the Content Filter has picked up phrases that are typically those of phishing sites.

I am still curious as to why this is showing as a virus. When I disable the AV it loads fine, and it appears to be a false positive. Oh well, better safe than sorry.

Also, there are viruses that attack web code and known websites such as vBulletin, phpNuke, phpBB, etc. They typically use zero-day attacks against the website in order to get user information, and those are sometimes picked up by virus scanners. But sometimes they can be as simple as an IFrame tag within a website in order to get users to put information into the site; still phishing, but it is also considered a virus in nature, as code on the actual website has/had been compromised.

Thanks for the reply fellas. Just a false positive...

-Axel
 