This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.
Seems to be a false positive.
Virustotal shows the following:
| File csshover.htc received on 04.09.2009 17:40:35 (CET) | |||
| Antivirus | Version | Last Update | Result |
| a-squared | 4.0.0.101 | 2009.04.09 | – |
| AhnLab-V3 | 5.0.0.2 | 2009.04.09 | – |
| AntiVir | 7.9.0.138 | 2009.04.09 | – |
| Antiy-AVL | 2.0.3.1 | 2009.04.09 | – |
| Authentium | 5.1.2.4 | 2009.04.08 | – |
| Avast | 4.8.1335.0 | 2009.04.09 | – |
| AVG | 8.5.0.285 | 2009.04.09 | – |
| BitDefender | 7.2 | 2009.04.09 | – |
| CAT-QuickHeal | 10.00 | 2009.04.09 | – |
| ClamAV | 0.94.1 | 2009.04.09 | – |
| Comodo | 1107 | 2009.04.09 | – |
| DrWeb | 4.44.0.09170 | 2009.04.09 | – |
| eSafe | 7.0.17.0 | 2009.04.07 | – |
| eTrust-Vet | 31.6.6447 | 2009.04.09 | – |
| F-Prot | 4.4.4.56 | 2009.04.08 | – |
| F-Secure | 8.0.14470.0 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| Fortinet | 3.117.0.0 | 2009.04.09 | – |
| GData | 19 | 2009.04.09 | – |
| Ikarus | T3.1.1.49.0 | 2009.04.09 | – |
| K7AntiVirus | 7.10.697 | 2009.04.08 | – |
| Kaspersky | 7.0.0.125 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| McAfee | 5578 | 2009.04.08 | – |
| McAfee+Artemis | 5578 | 2009.04.08 | – |
| McAfee-GW-Edition | 6.7.6 | 2009.04.09 | – |
| Microsoft | 1.4502 | 2009.04.09 | – |
| NOD32 | 3997 | 2009.04.09 | – |
| Norman | 6.00.06 | 2009.04.09 | – |
| nProtect | 2009.1.8.0 | 2009.04.09 | – |
| Panda | 10.0.0.14 | 2009.04.09 | – |
| PCTools | 4.4.2.0 | 2009.04.08 | – |
| Prevx1 | V2 | 2009.04.09 | – |
| Rising | 21.24.32.00 | 2009.04.09 | – |
| Sophos | 4.40.0 | 2009.04.09 | – |
| Sunbelt | 3.2.1858.2 | 2009.04.09 | – |
| Symantec | 1.4.4.12 | 2009.04.09 | – |
| TheHacker | 6.3.4.0.305 | 2009.04.09 | – |
| TrendMicro | 8.700.0.1004 | 2009.04.09 | – |
| VBA32 | 3.12.10.2 | 2009.04.09 | – |
| ViRobot | 2009.4.7.1686 | 2009.04.09 | – |
| VirusBuster | 4.6.5.0 | 2009.04.09 | – |
| Additional information | |||
| File size: 4314 bytes | |||
| MD5…: 4d50942ad963dd3d0cde4fe42ae1157b | |||
| SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359 | |||
| SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c | |||
| SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d 610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0 |
|||
| ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOF zLJ3FF5B5S/l1B8XiuiXtCP |
|||
| PEiD..: – | |||
| TrID..: File type identification Unknown! |
|||
| PEInfo: – | |||
| RDS…: NSRL Reference Data Set – |
|||
UPDATEThis afternoon, I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan’s entry in the comments.
My problem was compounded a bit becasue the BlueCoat cached the “infected” status, so I needed to clear the cache of that, before csshover.htc could be served.
got a few calls from clients about this today. Appears to be fresh. Hopefully will be fixed in the next round of definitions?
Hello Roger, this is now fixed. Apologies are in order.
_ryan
(I work as a security evangelist for Kaspersky)
We are receiving complaints about this as well.
I have checked the script in question on our server and it is intact, so this is definitely a false positive.
ZoneAlarm Internet Security Suite 7.0.xxx and ZoneAlarm Antivirus uses Kaspersky code and is detecting it as Trojan-Downloader.JS.Iframe.aqo
Kaspersky emailed me that the next set of definitions should correct the false alarm.
What a relief, we were planning to delete csshover.htc and a new hover menu.
My website was also hacked on 9th April, also with iframe worm to chinese server. But my http://www.hackalert24.com account informed me in time, to restore a backup from previous day, so i had no extensive downtime. Really recommendable this service!