Kaspersky and csshover.htc Possible False Positive?

This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.
Seems to be a false positive.
VirusTotal shows the following:

File csshover.htc received on 04.09.2009 17:40:35 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | | 2009.04.09 | |
| AhnLab-V3 | | 2009.04.09 | |
| AntiVir | | 2009.04.09 | |
| Antiy-AVL | | 2009.04.09 | |
| Authentium | | 2009.04.08 | |
| Avast | 4.8.1335.0 | 2009.04.09 | |
| AVG | | 2009.04.09 | |
| BitDefender | 7.2 | 2009.04.09 | |
| CAT-QuickHeal | 10.00 | 2009.04.09 | |
| ClamAV | 0.94.1 | 2009.04.09 | |
| Comodo | 1107 | 2009.04.09 | |
| DrWeb | | 2009.04.09 | |
| eSafe | | 2009.04.07 | |
| eTrust-Vet | 31.6.6447 | 2009.04.09 | |
| F-Prot | | 2009.04.08 | |
| F-Secure | 8.0.14470.0 | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| Fortinet | | 2009.04.09 | |
| GData | 19 | 2009.04.09 | |
| Ikarus | T3. | 2009.04.09 | |
| K7AntiVirus | 7.10.697 | 2009.04.08 | |
| Kaspersky | | 2009.04.09 | Trojan-Downloader.JS.Iframe.aqo |
| McAfee | 5578 | 2009.04.08 | |
| McAfee+Artemis | 5578 | 2009.04.08 | |
| McAfee-GW-Edition | 6.7.6 | 2009.04.09 | |
| Microsoft | 1.4502 | 2009.04.09 | |
| NOD32 | 3997 | 2009.04.09 | |
| Norman | 6.00.06 | 2009.04.09 | |
| nProtect | 2009.1.8.0 | 2009.04.09 | |
| Panda | | 2009.04.09 | |
| PCTools | | 2009.04.08 | |
| Prevx1 | V2 | 2009.04.09 | |
| Rising | | 2009.04.09 | |
| Sophos | 4.40.0 | 2009.04.09 | |
| Sunbelt | 3.2.1858.2 | 2009.04.09 | |
| Symantec | | 2009.04.09 | |
| TheHacker | | 2009.04.09 | |
| TrendMicro | 8.700.0.1004 | 2009.04.09 | |
| VBA32 | | 2009.04.09 | |
| ViRobot | 2009.4.7.1686 | 2009.04.09 | |
| VirusBuster | | 2009.04.09 | |

Additional information
File size: 4314 bytes
MD5...: 4d50942ad963dd3d0cde4fe42ae1157b
SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359
SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c
SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d
ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOF

UPDATE: This afternoon, I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan’s entry in the comments.
My problem was compounded a bit because the BlueCoat cached the “infected” status, so I needed to clear that cache before csshover.htc could be served.


  1. Got a few calls from clients about this today. Appears to be fresh. Hopefully will be fixed in the next round of definitions?

  2. We are receiving complaints about this as well.
    I have checked the script in question on our server and it is intact, so this is definitely a false positive.

  3. ZoneAlarm Internet Security Suite 7.0.xxx and ZoneAlarm Antivirus use Kaspersky code and are detecting it as Trojan-Downloader.JS.Iframe.aqo.
    Kaspersky emailed me that the next set of definitions should correct the false alarm.

  4. My website was also hacked on 9th April, also with an iframe worm pointing to a Chinese server. But my http://www.hackalert24.com account informed me in time to restore a backup from the previous day, so I had no extensive downtime. Really recommendable, this service!
