[Search wiki] HEUR/HTML.Malware [Was: virus ? and some questions]

Rainer Blome rainer.blome at gmx.de
Mon Oct 20 20:16:21 UTC 2008


bartek at wikia.com wrote:
> Sounds like a false positive.
> 
> See:
> http://groups.google.com/group/sites-help-howtoend/browse_thread/thread/bda64e910b62e1b5
> (people have problems with it)
Is that post talking about the same software (WikiWyg)?  Doesn't look 
like that to me.

> http://www.avira.com/en/threats/section/fulldetails/id_vir/4142/heur_html.malware.html
> ...
> You clearly are more informed than me, since I don't know the names of
> both scanners you did use :)
Both?  I just use one virus scanner. :-)

> I don't even know from what location it was accessed. You didn't write
> that...
"Location"?  If you mean the parent URL that leads to the file, look at 
Simone's first line, she wrote "..wiki/special:createpage".
I guess that Simone is talking about 
http://search.wikia.com/wiki/Special:Createpage .  That page loads 
http://search.wikia.com//extensions/wikiwyg/share/MediaWiki/MediaWikiWyg.js?2662 
, which is the file in question.

Stupid question: What is http://search.wikia.com/wiki/Special:Createpage 
supposed to do? On that page, I never see a WYSIWYG editor, no 
matter which browser I use (and yes, I temporarily disabled the scanner 
before trying this).

Could that be due to the JavaScript errors that I get when I open 
http://search.wikia.com/wiki/Special:Createpage ?

In file 
http://search.wikia.com//extensions/wikiwyg/share/MediaWiki/MediaWikiWyg.js?2662 
on line 48:

/* Yahoo stuff - Bartek Łapiński */
YAHOO.namespace('Wikia');

"YAHOO" is not defined (it is used several times further on).

In file http://search.wikia.com/extensions/wikia/CreatePage/js/createpage.js
on line 197:

proto = new Subclass('Wikiwyg.Test', 'Wikiwyg');

"Subclass" is not defined.

There is also an XML error in file 
http://search.wikia.com/wiki/Special:Createpage on line 167, the 
textarea is "closed" twice.

>> What can we compare it with to verify that it is benign?
> What do you mean? Code analysis or the origin?

I would just like to compare the file with another copy from a different 
site, if possible (maybe you mean that by "origin").
Since the file is a sequence of files, we may have to get those 
individual files and concatenate them before comparing.

>> How is the file constructed?
> Concatenated from smaller, lib files (not on the fly), but for the time
> being it's just loaded, since the file is already pre-generated.
What is the code that does that?

Rainer
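
The comparison proposed in the message above (obtain the individual library files, concatenate them, compare with the served file), as an added example that is not part of the original message or of Wikia's build code. The file names and contents are constructed, and it assumes the build concatenates the trusted files in a known order, possibly with whitespace between them.

```python
import hashlib

def _norm(data: bytes) -> bytes:
    # Normalise line endings so CRLF/LF differences between copies do not count as changes.
    return data.replace(b"\r\n", b"\n")

def verify_bundle(bundle: bytes, components: list[tuple[str, bytes]]) -> dict:
    """Account for every byte of a pre-generated bundle using trusted component files.

    components: (name, content) pairs in the order the build concatenates them.
    Returns which components were found, which are missing, and any bundle
    regions that no trusted component explains (these need manual review).
    """
    bundle = _norm(bundle)
    pos, found, missing, unexplained = 0, [], [], []
    for name, content in components:
        content = _norm(content).strip()
        idx = bundle.find(content, pos) if content else -1
        if idx < 0:
            missing.append(name)          # changed, truncated or absent in the bundle
            continue
        gap = bundle[pos:idx]
        if gap.strip():                   # non-whitespace bytes between components
            unexplained.append((pos, gap))
        found.append((name, idx))
        pos = idx + len(content)
    tail = bundle[pos:]
    if tail.strip():
        unexplained.append((pos, tail))
    return {
        "sha256": hashlib.sha256(bundle).hexdigest(),
        "found": found,
        "missing": missing,
        "unexplained": unexplained,
        "clean": not missing and not unexplained,
    }

# Constructed sample data: two stand-in library files and two served bundles.
LIB_A = b"var Wikiwyg = {};\n"
LIB_B = b"Wikiwyg.Toolbar = function () {};\n"
GOOD = LIB_A + b"\n" + LIB_B
ODD = LIB_A + b"var extra = 'not in any reference file';\n" + LIB_B

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("odd", ODD)):
        print(label, verify_bundle(data, [("a.js", LIB_A), ("b.js", LIB_B)]))
```

An unexplained region is not proof of tampering, since the build step may add its own comments or glue code; it marks exactly which bytes still need to be read by a person.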


