On Tue, Mar 16, 2010 at 2:07 PM, Matt Mastracci <[email protected]>wrote:
> We started getting reports of the "HTML/Crypted.Gen" being detected in our > Chrome extension again. I've managed to reproduce it - the signature seems > to be the exact set of strings they use: > > ==== > .fromCharCode > .charCodeAt > nodeValue > for > 0,0,0,0,0,0 > Math.min > ==== > > I kid you not - this is their signature for an encrypted JS virus. I can't > seem to remove a single character from any of these tokens without turning > it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be > important (although I haven't experimented with this that much). > > I think I'll be able to work around this by replacing any sequence of six > zeros separated by commas with the sequence 0,0,0,[space]0,0,0. > Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus. -- John A. Tamplin Software Engineer (GWT), Google -- http://groups.google.com/group/Google-Web-Toolkit-Contributors
