> I kid you not - this is their signature for an encrypted JS virus. I can't
> seem to remove a single character from any of these tokens without turning it
> from a dangerous virus to a harmless bit of JS. Order doesn't seem to be
> important (although I haven't experimented with this that much).
>
> I think I'll be able to work around this by replacing any sequence of six
> zeros separated by commas with the sequence 0,0,0,[space]0,0,0.
>
> Holy cow -- how do they think that is an acceptable measure? Surely they
> could at least change the warning to say "potentially dangerous JS" or
> something rather than declaring it a virus.
This is pretty unbelievable to me as well. I imagine that the process involved someone finding a mutating JS virus, picking six strings that it always contained, putting them in, and figuring that it was safe after surfing around for a bit without any false positives.

After experimenting a bit further, I discovered that "nodeValue" is actually matching case-insensitively for "eval" (which makes a little more sense). This means that the signature is something like:

for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0

This will probably affect a significant number of GWT applications that use RPC.

Avira seems to check files ending in .js* and .html* for this pattern. I verified that the scanner intercepts these patterns in HTTP traffic and detects them in IE cache files. There might be some negative patterns as well: Avira doesn't block my message in the Google Groups web interface, but it does block it when viewing the raw message source.

Matt.

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
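To make the false-positive problem concrete, here is an added example (not Matt's code, and not Avira's actual engine) that models the signature exactly as the thread reconstructs it: six tokens, all required, matched case-insensitively as plain substrings. The JavaScript sample it scans is constructed to look like benign compiled-GWT RPC helper code; it is not real GWT output. Running it shows that the "eval" token is satisfied by the harmless DOM property "nodeValue", and that dropping the one DOM line is the only thing standing between ordinary code and a "virus" verdict.

```python
# Signature tokens as reconstructed in the thread (assumption: this is the
# whole list and matching is case-insensitive, which is what the thread observed).
SIGNATURE_TOKENS = ["for", "eval", ".fromcharcode", ".charcodeat", "math.min", "0,0,0,0,0,0"]


def matched_tokens(text):
    """Return the signature tokens present in text, case-insensitively."""
    lowered = text.lower()
    return [tok for tok in SIGNATURE_TOKENS if tok in lowered]


def missing_tokens(text):
    """Return the tokens that would have to be present for the signature to fire."""
    present = set(matched_tokens(text))
    return [tok for tok in SIGNATURE_TOKENS if tok not in present]


def flags_as_virus(text):
    """The modelled rule: every token present, in any order, anywhere in the file."""
    return not missing_tokens(text)


def token_contexts(text, token, width=12):
    """Show what actually matched each token: a slice of the original text
    around every case-insensitive occurrence. Useful for explaining to a
    developer why a benign identifier such as nodeValue tripped the rule."""
    lowered = text.lower()
    token = token.lower()
    contexts, start = [], 0
    while True:
        i = lowered.find(token, start)
        if i < 0:
            return contexts
        contexts.append(text[max(0, i - width): i + len(token) + width])
        start = i + 1


# Constructed sample: a benign, minified-looking RPC decode helper with a DOM
# update. This is illustrative code, not output of the real GWT compiler.
BENIGN_GWT_LIKE = """
function decode(s){var out='';for(var i=0;i<s.length;i++){out+=String.fromCharCode(s.charCodeAt(i)^1);}return out;}
var pad=[0,0,0,0,0,0];var n=Math.min(pad.length,4);
var el=document.createTextNode('x');el.nodeValue='y';
"""

# Same helper without the DOM line: identical decoding logic, no "nodeValue".
BENIGN_NO_DOM = """
function decode(s){var out='';for(var i=0;i<s.length;i++){out+=String.fromCharCode(s.charCodeAt(i)^1);}return out;}
var pad=[0,0,0,0,0,0];var n=Math.min(pad.length,4);
"""


if __name__ == "__main__":
    for name, sample in [("with DOM line", BENIGN_GWT_LIKE), ("without DOM line", BENIGN_NO_DOM)]:
        print(f"{name}: flagged={flags_as_virus(sample)} missing={missing_tokens(sample)}")
    # The "eval" hit comes entirely from the property name nodeValue.
    for ctx in token_contexts(BENIGN_GWT_LIKE, "eval"):
        print("eval matched in:", repr(ctx))
```

The point of the `token_contexts` helper is triage: when a scanner reports a hit like this, the first thing to establish is which bytes satisfied each token, and here every one of them is ordinary library or DOM usage rather than anything that decodes and executes a payload. A signature that needs six common substrings in any order has no structural anchor (no ordering, no proximity, no requirement that the `eval` be a call), which is why the same rule that catches a polymorphic script also catches a compiled application.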
