We started getting reports of the "HTML/Crypted.Gen" being detected in our Chrome extension again. I've managed to reproduce it - the signature seems to be the exact set of strings they use:
====
.fromCharCode
.charCodeAt
nodeValue
for
0,0,0,0,0,0
Math.min
====

I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).

I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.

Matt.

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
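
A build-time check for the condition described in the post, as an added example (not code from the post or from the GWT project): it reports whether a compiled script contains every reported token and where each one first appears. The plain-substring, order-independent matching rule is an assumption taken from the poster's description, and the sample script is constructed.

```javascript
// Token set as reported in the post above. The matching rule (plain
// substring co-occurrence, order ignored) is an assumption based on it.
const REPORTED_TOKENS = [
  ".fromCharCode", ".charCodeAt", "nodeValue", "for", "0,0,0,0,0,0", "Math.min",
];

// Convert a character offset into a 1-based line/column for the report.
function locate(source, offset) {
  const before = source.slice(0, offset);
  const line = before.split("\n").length;
  const column = offset - (before.lastIndexOf("\n") + 1) + 1;
  return { line, column };
}

// Scan one compiled script and record where each token first occurs.
// The script is flagged only when no token is missing.
function scanForTokenSet(source, tokens = REPORTED_TOKENS) {
  const hits = [];
  const missing = [];
  for (const token of tokens) {
    const offset = source.indexOf(token);
    if (offset === -1) missing.push(token);
    else hits.push({ token, ...locate(source, offset) });
  }
  return { flagged: missing.length === 0, hits, missing };
}

// Constructed sample: harmless code that happens to contain every token.
const SAMPLE_BUILD = [
  "function decode(s) {",
  "  var out = '';",
  "  for (var i = 0; i < s.length; i++) {",
  "    out += String.fromCharCode(s.charCodeAt(i));",
  "  }",
  "  return out;",
  "}",
  "var pad = [0,0,0,0,0,0];",
  "var n = Math.min(pad.length, el.firstChild.nodeValue.length);",
].join("\n");

const report = scanForTokenSet(SAMPLE_BUILD);
console.log(report.flagged ? "token set present:" : "token set incomplete:", report);
```

Run over each script in the packaged extension before release, the report points at the lines to review when a build starts matching.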