Antivirus alert for html file

The following html (not really valid html) file was detected and alerted by CIS’ AV

2011-12-30 20:40:41

Potentially malicious code removed by moderator (kept for reference). Please report as described in Submit Malware Here To Be Blacklisted - 2011 (NO LIVE MALWARE!).

The file needs to be saved with UNIX (0A) line endings, and the two blank lines at the end need to be present for detection.
Filesize: 393 bytes

Is this a false alert or are any of the sites malicious? Why is the virus scanner putting up an alert? Was it the Heuristics? Because I have those set to OFF.

This is just a question out of curiosity.

PLEASE DO NOT VISIT those URLs with your browser unless you are using a Sandbox or know what you are doing. Just because I couldn’t find malicious behavior doesn’t mean it is clean.

EDIT: added formatting notes

I don’t see how html in a code tag can be considered live malware. But I don’t want to question or debate your rules.

Here you go:

If there is any background information about the maliciousness of the code I would be happy to hear about it. I like to stay up-to-date on web security.

The site where I encountered this in an IFRAME no longer seems to have it online.

You posted a link and said please don’t go there. If someone can just click a link and possibly get infected, it’s considered ‘live’…


Thank you for reporting this.
We’ll check it and get back to you soon.

Best regards

Hi JoeCool,

This is to inform you that the false positive has been fixed.
You can update to AV database Version <11151> of Comodo Internet Security Version <5.9.219863.2196> and confirm it.


Confirmed, the file is no longer detected. Question is, was it malicious in the first place?

Also in my opinion the detection of the file in the browser cache will not prevent display of the web page in most browsers, so this is more an “after-infection/execution-cleanup” operation. Or am I wrong?

Thank you for your quick response, that is why Comodo rocks.

@HeffeD: I see your point, although the link was not clickable it was potentially dangerous.