Avast incorrectly defines file as trojan

I saved this file on rghost: [nobbc]http://rghost.ru/5050281/private/d3b24b6f9238f647a08cd7cf67a145b5[/nobbc]

This file translates letters from Latin to Cyrillic. Please fix the virus databases.

Please do not post live links to possible malware. >:( Either change the link to hxxp or something, or wrap it between [nobbc] tags.

translit.js - 4/40
http://www.virustotal.com/file-scan/report.html?id=ef7b09cb1b51265b6299e52fcdf2a11b0b6c25409930fe8f376dbe150cd77ad7-1301782617

Jsunpack says - Benign

You can submit a false positive to avast from the chest.

See here how to:

http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

Report 2011-04-03 00:53:49 (GMT 1)
Website rghost.ru
Domain Hash fb9e89524fd6cb4769666bcc4a9cceb8
IP Address 217.199.218.103 [SCAN]
IP Hostname quadra103.mastak.net
IP Country RU (Russian Federation)
AS Number 34221
AS Name QL-AS JSC QUICKLINE
Detections 2 / 21 (10 %)
Status SUSPICIOUS

http://hosts-file.net/?s=rghost.ru
http://safeweb.norton.com/report/show?url=rghost.ru

He has uploaded the file to an online fileshare… the link he posted

That is what you have scanned Asyn…has nothing to do with his file :wink:

Yes, I sent it 2 weeks ago, but no reaction.

This detection is actually more likely to be correct.

At the end of this js file is a function createCSS script that deobfuscates to an iframe - hence the JS:IFrame-AU [Trj]

This exploit is covered by the owner of unmaskparasites in a blog post, but since it contains some of the script in plaintext it causes an alert within avast, so I won't post the link, but an image will do.

Scott

See my post further down,

pol

The mentioned script and blog post:

Remove that script, and check the website over for other modifications.

Actually, I scanned the domain, not the file. :wink:

Isn't that what I said?

You said:

Hi Pondus,

This malware has been with us since 2009, examples: perm.aif.ru/i/js/translit.js & auto.sakh.com/js/translit.js and i.li.ru/translit.js

Here avast flags: http:// jsunpack.jeek.org/dec/go?report=4163b2e64c8ac0da90d1ecdec63ba648c922c673 as JS:IFrame-AU[Trj]

polonus

And that means hxxp://rghost.ru

Yep. :slight_smile:

And as I said, this has nothing to do with the translit.js file avast detects… so we are way off topic here ;D

I understand. I removed this unused function (createCSS) from the JavaScript, and the translation of letters is working properly. Thank you!

We sure are, sorry. :wink:

No problem, and Scott seems to have solved it :wink: