Antivirus alert for html file

[Guest]

[_JoeCool_]

The following html (not really valid html) file was detected and alerted by CIS' AV

...AppData\Local\Opera\Opera\cache\g_0022\opr0F70E.tmp
2011-12-30 20:40:41
Malware[at]#2v4pv80o5t21u
Detect
Success

Potentially malicious code removed by moderator (kept for reference). Please report as described in Submit Malware Here To Be Blacklisted - 2011 (NO LIVE MALWARE!).


The file needs to be saved with UNIX (0A) Line endings and the two blank lines at the end need to be present for detection.
Filesize: 393 bytes

Is this a false alert or are any of the sites malicious? Why is the virus scanner putting up an alert? Was it the Heuristics? Because I have those set to OFF.

This is just a question out of curiosity.

PLEASE DO NOT VISIT those URLs with your browser unless you are using a Sandbox or know what you are doing. Just because I couldn't find malicious behavior doesn't mean it is clean.


EDIT: added formatting notes

[_JoeCool_]

I don't see how html in a code tag can be considered _live_ malware. But I don't want to question or debate your rules.

Here you go: http://www.virustotal.com/file-scan/report.html?id=2d217a11798af5b113c5536db727149600246bba50fab55f061e0253321d2e81-1325297693

If there is any background information about the maliciousness of the code I would be happy to hear about it. I like to stay up-to-date on web security.

The site where I encountered this in an IFRAME does no longer seem to have it online.

[HeffeD]

I don't see how html in a code tag can be considered _live_ malware. But I don't want to question or debate your rules.

You posted a link and said please don't go there. If someone can just click a link and possibly get infected, it's considered 'live'...

[Chunli]

Hi,JoeCool_

Thank you for reporting this.
We'll check it and get back to you soon.

Best regards
Chunli.chen

[Ponmalar]

Hi _JoeCool_,

This is to inform you that false-positive has been fixed.
You can update to AV database Version <11151> of  Comodo Internet Security Version<5.9.219863.2196> and confirm it.

Regards,
Ponmalar.S

[_JoeCool_]

Confirmed, the file is no longer detected. Question is, was it malicious in the first place?

Also in my opinion the detection of the file in the browser cache will not prevent display of the web page in most browsers, so this is more an "after-infection/execution-cleanup" operation. Or am I wrong?

Thank you for your quick response, that is why Comodo rocks.

[at]HeffeD: I see your point, although the link was not clickable it was potentially dangerous.

[Tags:]