
Any more information on this: HTML/Rce.Gen ?

Posted: Wed Jan 05, 2011 3:45 am
by welly
Hi
I thought you might want to know about this. Not sure if it's actually significant though:
I went on this site (it's Greek, I think) and as soon as I got there my Avira av (free edition) popped up saying:

Virus or unwanted program
'HTML/Rce.Gen [virus]'
detected in file 'C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86g331pp.default\tidy\tidy_last_validated.html.
I wasn't sure if it's the fault of that site so I visited it again and a similar response from Avira was given:
The file 'C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\86g331pp.default\Cache\3ED1C03Fd01'
contained a virus or unwanted program 'HTML/Rce.Gen' [virus]

The "dangerous" (maybe) site is:
BE CAREFUL BEFORE VISITING!: http://farol.snn.gr/provera/eunet-provera-vremena.html BE CAREFUL BEFORE VISITING!

The reason I thought it might interest you is that the info about it I could find from Avira is this:
One major goal of malware authors is to execute code on the victim's computer. This Remote Code Execution can be achieved by using security holes in the web browser. The AHeAD HTML Heuristics detects the attempt to execute code and alerts it as HTML/Rce.Gen.
I was using as always Firefox (3.6.13) with NoScript installed and NOT on "Globally Allow Scripts".

Well, maybe you will have fun looking into it, or maybe it was just a false positive.

BTW you can delete the URL address if I shouldn't be posting it publicly.

Re: Any more information on this: HTML/Rce.Gen ?

Posted: Wed Jan 05, 2011 4:45 am
by welly
Also if someone figures out what kind of "virus" this is, can you say what I should do? I already deleted it, how sure can I be that it's gone? Is it dangerous?
Will it spread if I send email to friends?

Re: Any more information on this: HTML/Rce.Gen ?

Posted: Wed Jan 05, 2011 7:06 am
by Alan Baxter
welly wrote: Virus or unwanted program
'HTML/Rce.Gen [virus]'
detected in file 'C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\86g331pp.default\tidy\tidy_last_validated.html.
Sounds like it could have been another false positive from Avira. Send it in to Avira and VirusTotal.
http://forum.avira.com/wbb/index.php?pa ... dID=111915
welly wrote: Also if someone figures out what kind of "virus" this is, can you say what I should do? I already deleted it, how sure can I be that it's gone? Is it dangerous?
Will it spread if I send email to friends?
Scan your computer with Avira and Malwarebytes. You may not be infected.

Re: Any more information on this: HTML/Rce.Gen ?

Posted: Thu Jan 13, 2011 2:48 pm
by therube
At the very top of the page (source) there is some escaped script.
Would assume that Avira is flagging that - right or wrong. (Could very well lead to malware?)
(I believe any of these "page scanners" would do similar, or if they saw something with a "hidden" attribute.)

HTML/text/JavaScript Escaping/Encoding Script

Somebody needs to be watched ;-).
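
Added example (not part of the original thread, and not Avira's heuristic): a small static triage script for a flagged cache file that decodes `unescape("...")` string literals as text, without running any script, so the "escaped script" can be read and checked for a few constructs worth a closer look. The function names, the marker list and the sample page are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches unescape("...") / decodeURIComponent('...') with a string literal argument.
CALL_RE = re.compile(r"""\b(?:unescape|decodeURIComponent)\(\s*(["'])(.*?)\1\s*\)""", re.S | re.I)
# Legacy %uXXXX escapes that JavaScript's unescape() accepts but urllib does not.
PCT_U_RE = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructs worth a closer look once the text is readable (illustrative list, an assumption).
MARKERS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "hidden": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|\bhidden\b", re.I),
    "document.write": re.compile(r"document\.write", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
}

def decode_escaped(literal):
    """Decode %uXXXX and %XX escapes as text; nothing is executed."""
    text = PCT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return unquote(text, encoding="latin-1")

def triage(html):
    """Return a list of (decoded_text, sorted marker names), one per escaped literal."""
    findings = []
    for match in CALL_RE.finditer(html):
        decoded = decode_escaped(match.group(2))
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(decoded))
        findings.append((decoded, hits))
    return findings

# Constructed sample, not the content of the page discussed in this thread.
SAMPLE = (
    '<script>document.write(unescape("%3Cdiv%20style%3D%22display%3Anone%22%3E'
    '%3Ca%20href%3D%22http%3A//example.invalid/%22%3Elink%3C/a%3E%3C/div%3E"));</script>\n'
    "<p>Ordinary page text</p>"
)

if __name__ == "__main__":
    for decoded, hits in triage(SAMPLE):
        print("decoded:", decoded)
        print("markers:", ", ".join(hits) or "none")
```

A marker hit only says the decoded text is worth reading; escaped markup with a hidden element is also common on benign pages, which is consistent with a heuristic detection turning out to be a false positive.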

Re: Any more information on this: HTML/Rce.Gen ?

Posted: Mon Jan 24, 2011 8:38 pm
by welly
Thanks. I hope it is just escaped script, whatever that is.
I scanned with Malwarebytes and Avira and everything seems fine.