Post #1, 9.04.2009 20:43 (Newbie, Group: Members, Posts: 1, Joined: 9.04.2009)
Immediately after an update this morning, Kaspersky began indicating that our website included a "malicious script" in a file called "csshover.htc".
Because this file is included on every page, Kaspersky reports the problem on each and every click. I have seen in a forum post elsewhere that this may be a potential false positive. Does anyone have any information about this?

Post #2, 9.04.2009 23:20 (Newbie, Group: Members, Posts: 2, Joined: 3.04.2009)
We are also experiencing this situation with one web site. They have scanned their web site and found it clean (don't know what scanner they used).

Post #3, 9.04.2009 23:46 (Member, Group: Members, Posts: 21, Joined: 6.02.2009)
> Immediately after an update this morning, Kaspersky began indicating that our website included a "malicious script" in a file called "csshover.htc". Because this file is included on every page, Kaspersky reports the problem on each and every click. I have seen in a forum post elsewhere that this may be a potential false positive. Does anyone have any information about this?

It *could* be a false positive, or it could be a valid malware alert. You haven't posted the code, so there isn't any way for a code monkey (not me) to parse it for problems. If you are concerned about posting code which could possibly be embarrassing (zomg - we b33n h4x0r3d!) you should contact Kaspersky directly.

Post #4, 10.04.2009 15:41 (Newbie, Group: Members, Posts: 2, Joined: 10.04.2009)
CODE

```html
<attach event="ondocumentready" handler="parseStylesheets" />
<script>
/**
 *  Whatever:hover - V1.42.060206 - hover & active
 *  ------------------------------------------------------------
 *  (c) 2005 - Peter Nederlof
 *  Peterned - http://www.xs4all.nl/~peterned/
 *  License  - http://creativecommons.org/licenses/LGPL/2.1/
 *
 *  Whatever:hover is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2.1 of the License, or (at your option) any later version.
 *
 *  Whatever:hover is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 *  Lesser General Public License for more details.
 *
 *  Credits and thanks to:
 *  Arnoud Berendsen, Martin Reurings, Robert Hanson
 *
 *  howto: body { behavior:url("csshover.htc"); }
 *  ------------------------------------------------------------
 */

var csshoverReg = /(^|\s)(([^a]([^ ]+)?)|(a([^#.][^ ]+)+)):(hover|active)/i,
currentSheet, doc = window.document, hoverEvents = [], activators = {
    onhover:{on:'onmouseover', off:'onmouseout'},
    onactive:{on:'onmousedown', off:'onmouseup'}
}

function parseStylesheets() {
    if(!/MSIE (5|6)/.test(navigator.userAgent)) return;
    window.attachEvent('onunload', unhookHoverEvents);
    var sheets = doc.styleSheets, l = sheets.length;
    for(var i=0; i<l; i++)
        parseStylesheet(sheets[i]);
}

function parseStylesheet(sheet) {
    if(sheet.imports) {
        try {
            var imports = sheet.imports, l = imports.length;
            for(var i=0; i<l; i++) parseStylesheet(sheet.imports[i]);
        } catch(securityException){}
    }

    try {
        var rules = (currentSheet = sheet).rules, l = rules.length;
        for(var j=0; j<l; j++) parseCSSRule(rules[j]);
    } catch(securityException){}
}

function parseCSSRule(rule) {
    var select = rule.selectorText, style = rule.style.cssText;
    if(!csshoverReg.test(select) || !style) return;

    var pseudo = select.replace(/[^:]+:([a-z-]+).*/i, 'on$1');
    var newSelect = select.replace(/(\.([a-z0-9_-]+):[a-z]+)|(:[a-z]+)/gi, '.$2' + pseudo);
    var className = (/\.([a-z0-9_-]*on(hover|active))/i).exec(newSelect)[1];
    var affected = select.replace(/:(hover|active).*$/, '');
    var elements = getElementsBySelect(affected);
    if(elements.length == 0) return;

    currentSheet.addRule(newSelect, style);
    for(var i=0; i<elements.length; i++)
        new HoverElement(elements[i], className, activators[pseudo]);
}

function HoverElement(node, className, events) {
    if(!node.hovers) node.hovers = {};
    if(node.hovers[className]) return;
    node.hovers[className] = true;
    hookHoverEvent(node, events.on, function() { node.className += ' ' + className; });
    hookHoverEvent(node, events.off, function() { node.className = node.className.replace(new RegExp('\\s+'+className, 'g'),''); });
}

function hookHoverEvent(node, type, handler) {
    node.attachEvent(type, handler);
    hoverEvents[hoverEvents.length] = {
        node:node, type:type, handler:handler
    };
}

function unhookHoverEvents() {
    for(var e,i=0; i<hoverEvents.length; i++) {
        e = hoverEvents[i];
        e.node.detachEvent(e.type, e.handler);
    }
}

function getElementsBySelect(rule) {
    var parts, nodes = [doc];
    parts = rule.split(' ');
    for(var i=0; i<parts.length; i++) {
        nodes = getSelectedNodes(parts[i], nodes);
    }
    return nodes;
}

function getSelectedNodes(select, elements) {
    var result, node, nodes = [];
    var identify = (/\#([a-z0-9_-]+)/i).exec(select);
    if(identify) {
        var element = doc.getElementById(identify[1]);
        return element? [element]:nodes;
    }

    var classname = (/\.([a-z0-9_-]+)/i).exec(select);
    var tagName = select.replace(/(\.|\#|\:)[a-z0-9_-]+/i, '');
    var classReg = classname? new RegExp('\\b' + classname[1] + '\\b'):false;
    for(var i=0; i<elements.length; i++) {
        result = tagName? elements[i].all.tags(tagName):elements[i].all;
        for(var j=0; j<result.length; j++) {
            node = result[j];
            if(classReg && !classReg.test(node.className)) continue;
            nodes[nodes.length] = node;
        }
    }

    return nodes;
}
</script>
```

This is the code from our server that is triggering the alert. It's a stock whatever:hover script.
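
For anyone triaging a similar alert on their own copy of the file, the following Node.js check is an added example (not part of the original thread and not Kaspersky's detection logic). It lists constructs that an iframe-injecting modification would need and that the stock script posted above does not contain; the indicator list, the function names and both sample inputs are constructed for illustration.

```javascript
'use strict';

// Heuristic list (an assumption of this example): constructs an injected
// iframe loader typically needs and the stock hover behavior does not use.
const INDICATORS = [
  ['iframe-tag', /<\s*iframe\b/i],
  ['create-iframe', /createElement\s*\(\s*['"]iframe['"]\s*\)/i],
  ['document.write', /\bdocument\s*\.\s*write(?:ln)?\s*\(/],
  ['eval', /\beval\s*\(/],
  ['unescape', /\bunescape\s*\(/],
  ['fromCharCode', /\bString\s*\.\s*fromCharCode\b/],
];

// Drop /* ... */ blocks so the licence header's URLs are not reported as code.
function stripBlockComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Returns the indicator names and URLs found outside block comments.
function triageScript(src) {
  const code = stripBlockComments(src);
  const hits = INDICATORS.filter(([, re]) => re.test(code)).map(([name]) => name);
  const urls = code.match(/https?:\/\/[^\s'"<>)]+/gi) || [];
  return { hits, urls, needsReview: hits.length > 0 || urls.length > 0 };
}

// Constructed sample 1: a short excerpt of the stock script posted above.
const STOCK = [
  '<attach event="ondocumentready" handler="parseStylesheets" />',
  '<script>',
  '/** Peterned - http://www.xs4all.nl/~peterned/ */',
  'function hookHoverEvent(node, type, handler) {',
  '  node.attachEvent(type, handler);',
  '  hoverEvents[hoverEvents.length] = { node:node, type:type, handler:handler };',
  '}',
  '</script>',
].join('\n');

// Constructed sample 2: the same excerpt with one appended line, as a
// modified copy on a compromised server might look (placeholder URL).
const TAMPERED = STOCK.replace('</script>',
  'document.write(\'<iframe src="http://example.invalid/" width="0" height="0"></iframe>\');\n</script>');

console.log('stock:   ', JSON.stringify(triageScript(STOCK)));
console.log('tampered:', JSON.stringify(triageScript(TAMPERED)));
```

An empty result only means none of these constructs are present; a byte-for-byte comparison against a copy obtained from the script's author is the stronger check.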

Post #5, 10.04.2009 16:18 (Advanced Member, Group: KL Russia, Posts: 173, Joined: 1.03.2006, From: Moscow, Russia)
> Immediately after an update this morning, Kaspersky began indicating that our website included a "malicious script" in a file called "csshover.htc". Because this file is included on every page, Kaspersky reports the problem on each and every click. I have seen in a forum post elsewhere that this may be a potential false positive. Does anyone have any information about this?

Hello!

It was a false alarm.

Trojan-Downloader.JS.Iframe.aqo - file path: csshover2.htc
date false: 09.04.2009, 09:43
date fix: 09.04.2009, 17:10

Post #6, 10.04.2009 16:37 (Newbie, Group: Members, Posts: 2, Joined: 10.04.2009)
> Hello! It was a false alarm. Trojan-Downloader.JS.Iframe.aqo - file path: csshover2.htc date false: 09.04.2009, 09:43 date fix: 09.04.2009, 17:10

When will users be receiving the update to their virus definitions so they are no longer warned on websites that use the hover script?

Post #7, 12.04.2009 18:18 (Newbie, Group: Members, Posts: 1, Joined: 12.04.2009)
My Kaspersky detected this same 'threat' last Thursday when I was visiting www.squaw.com website, the ski area at Lake Tahoe. (Maybe happened when I was checking out their live webcams.)
Log report showed it came from www.squaw.com/files/hover.htc so that backs up what people have been saying. It quarantined it alright but is this a real virus or just a bug with Kaspersky software? Thanks.

Post #8, 13.04.2009 17:54 (Kaspersky fan, Group: Gold beta testers, Posts: 1799, Joined: 1.06.2005, From: Paris, France)
Hello,
It's a false alarm, which has been fixed with a new update of the threat signatures. That's why it is no longer detected: www.squaw.com/files/hover.htc

--------------------

My personal spam pot: billy11@free.fr

Post #9, 13.04.2009 18:19 (Newbie, Group: Members, Posts: 6, Joined: 13.04.2009)
When has the update been released? I've tried manually updating the patches recently, and it has yet to solve the problem. At the company where I am employed, we noticed the problem when visiting www.landroverusa.com
EDIT: Never mind, realised it was because the machine wasn't rebooted.

This post has been edited by Bob S: 13.04.2009 18:22

Post #10, 13.04.2009 19:31 (Kaspersky fan, Group: Gold beta testers, Posts: 1799, Joined: 1.06.2005, From: Paris, France)
It's not related to the release of a new module which requires a reboot of the computer, but just a standard update of the database, and no reboot is necessary in this case.