Js/snz.a - likely false positive in eTrust / Vet Anti-Virus

It appears that CA's eTrust Anti-Virus product (also known as Vet Anti-Virus, often bundled with other security applications such as ZoneAlarm) is coming up with a false positive for js/snz.a for several complex javascript applications.

As far as I can tell, the javascript uses complex encoding but is not malware. These javascript elements are widely used on the web. As far as I can tell, they are not harmful in any way and this is a mis-identification by eTrust / Vet.

The signature that has the problem is 31.3.5417 dated 31/12/07

Some of the Javascript files that seem to trigger an alert are named:

• jquery.js
• mootools.js
• ifx.js
• show_ads.js
• relevancead.js
• submodal.js
• iutil.js
• ifxslide.js

There may be other javascript apps that show the same problem - of course, filenames are arbitary and can be absolutely anything at all.

If you're running Internet Explorer, then you may see an alert for an individual .js file as above, in a Mozilla-based browser (such as Seamonkey or Firefox) you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx

Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.

You can submit suspect files to CA here for analysis, that may well help them to fix the problem.

Follow up: this problem has now been fixed. It turns out that the javascript had been compressed using this packer tool which itself is harmless, but it does appear that the packer has been used for malicious javascript applications in the past as well as legitimate ones. Perhaps the lesson is.. don't pack or obfuscate your javascript!