Kaspersky and csshover.htc Possible False Positive?

This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.
Seems to be a false positive.
Virustotal shows the following:

File csshover.htc received on 04.09.2009 17:40:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.09
AhnLab-V3 5.0.0.2 2009.04.09
AntiVir 7.9.0.138 2009.04.09
Antiy-AVL 2.0.3.1 2009.04.09
Authentium 5.1.2.4 2009.04.08
Avast 4.8.1335.0 2009.04.09
AVG 8.5.0.285 2009.04.09
BitDefender 7.2 2009.04.09
CAT-QuickHeal 10.00 2009.04.09
ClamAV 0.94.1 2009.04.09
Comodo 1107 2009.04.09
DrWeb 4.44.0.09170 2009.04.09
eSafe 7.0.17.0 2009.04.07
eTrust-Vet 31.6.6447 2009.04.09
F-Prot 4.4.4.56 2009.04.08
F-Secure 8.0.14470.0 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
Fortinet 3.117.0.0 2009.04.09
GData 19 2009.04.09
Ikarus T3.1.1.49.0 2009.04.09
K7AntiVirus 7.10.697 2009.04.08
Kaspersky 7.0.0.125 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
McAfee 5578 2009.04.08
McAfee+Artemis 5578 2009.04.08
McAfee-GW-Edition 6.7.6 2009.04.09
Microsoft 1.4502 2009.04.09
NOD32 3997 2009.04.09
Norman 6.00.06 2009.04.09
nProtect 2009.1.8.0 2009.04.09
Panda 10.0.0.14 2009.04.09
PCTools 4.4.2.0 2009.04.08
Prevx1 V2 2009.04.09
Rising 21.24.32.00 2009.04.09
Sophos 4.40.0 2009.04.09
Sunbelt 3.2.1858.2 2009.04.09
Symantec 1.4.4.12 2009.04.09
TheHacker 6.3.4.0.305 2009.04.09
TrendMicro 8.700.0.1004 2009.04.09
VBA32 3.12.10.2 2009.04.09
ViRobot 2009.4.7.1686 2009.04.09
VirusBuster 4.6.5.0 2009.04.09
 
Additional information
File size: 4314 bytes
MD5…: 4d50942ad963dd3d0cde4fe42ae1157b
SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359
SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c
SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d
610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0
ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOF
zLJ3FF5B5S/l1B8XiuiXtCP
PEiD..: –
TrID..: File type identification
Unknown!
PEInfo: –
RDS…: NSRL Reference Data Set

UPDATEThis afternoon, I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan’s entry in the comments.
My problem was compounded a bit becasue the BlueCoat cached the “infected” status, so I needed to clear the cache of that, before csshover.htc could be served.

6 Comments

  1. got a few calls from clients about this today. Appears to be fresh. Hopefully will be fixed in the next round of definitions?

  2. We are receiving complaints about this as well.
    I have checked the script in question on our server and it is intact, so this is definitely a false positive.

  3. ZoneAlarm Internet Security Suite 7.0.xxx and ZoneAlarm Antivirus uses Kaspersky code and is detecting it as Trojan-Downloader.JS.Iframe.aqo
    Kaspersky emailed me that the next set of definitions should correct the false alarm.

  4. My website was also hacked on 9th April, also with iframe worm to chinese server. But my http://www.hackalert24.com account informed me in time, to restore a backup from previous day, so i had no extensive downtime. Really recommendable this service!

Comments are closed.