I saved this file on rghost: [nobbc]http://rghost.ru/5050281/private/d3b24b6f9238f647a08cd7cf67a145b5[/nobbc]
This file translates letters from Latin to Cyrillic. Please fix the virus databases.
Please do not post live links to possible malware. >:( Either change the link to hxxp or something, or wrap it between [nobbc] tags.
translit.js - 4/40
http://www.virustotal.com/file-scan/report.html?id=ef7b09cb1b51265b6299e52fcdf2a11b0b6c25409930fe8f376dbe150cd77ad7-1301782617
Jsunpack says - Benign
You can submit a false positive to avast from the chest.
See here how to:
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07
Report: 2011-04-03 00:53:49 (GMT 1)
Website: rghost.ru
Domain Hash: fb9e89524fd6cb4769666bcc4a9cceb8
IP Address: 217.199.218.103
IP Hostname: quadra103.mastak.net
IP Country: RU (Russian Federation)
AS Number: 34221
AS Name: QL-AS JSC QUICKLINE
Detections: 2 / 21 (10 %)
Status: SUSPICIOUS
http://hosts-file.net/?s=rghost.ru
http://safeweb.norton.com/report/show?url=rghost.ru
He has uploaded the file to an online fileshare… the link he posted.
That is what you have scanned, Asyn… it has nothing to do with his file.
Yes, I sent it 2 weeks ago, but there was no reaction.
This detection is actually more likely to be correct.
At the end of this js file is a function createCSS script that deobfuscates to an iframe - hence the JS:IFrame-AU [Trj]
This exploit is covered by the owner of unmaskparasites, in a blog post, but since it contains some of the script in plaintext it causes an alert within avast, so I won't post the link, but an image will do.
Scott
See my post further down,
pol
The mentioned script and blog post:
Remove that script, and check the website over for other modifications.
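A static check along the lines of the advice above (an added example, not code from the thread, the blog post or avast): it decodes common string encodings without running the script and reports iframe markup that appears only after decoding, plus functions declared but never referenced in the same file. The sample sources, the `example.invalid` URL and the names `decodeLayers` and `scanScript` are constructed for illustration, and the encodings handled are an assumption, since the thread does not show how `createCSS` was obfuscated.

```javascript
// Added example: static scan of script source; nothing here is executed or eval'd.
// Decode common string encodings in place so hidden markup becomes searchable.
function decodeLayers(src) {
  let out = src;
  for (let i = 0; i < 5; i++) { // bounded number of passes for nested encodings
    const next = out
      .replace(/["']\s*\+\s*["']/g, '') // "<ifr" + "ame" -> "<iframe"
      .replace(/String\.fromCharCode\(([\da-fA-Fx,\s]+)\)/g, (_, args) =>
        String.fromCharCode(...args.split(',').map(n => Number(n.trim()))))
      .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/(?:\\u|%u)([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
    if (next === out) break;
    out = next;
  }
  return out;
}

function scanScript(name, src) {
  const findings = [];
  if (/<iframe\b/i.test(src)) {
    findings.push('iframe markup in plain text');
  } else if (/<iframe\b/i.test(decodeLayers(src))) {
    findings.push('iframe markup only after decoding');
  }
  // Heuristic: a function declared but never referenced in the same file may be
  // appended code; it can also be a legitimate helper called from another file.
  for (const [, fn] of src.matchAll(/\bfunction\s+(\w+)/g)) {
    const uses = src.match(new RegExp('\\b' + fn + '\\b', 'g')).length;
    if (uses === 1) findings.push('function ' + fn + ' is declared but never referenced here');
  }
  return { name, findings };
}

// Constructed samples: a clean transliteration helper and a copy with an appended
// function that writes an encoded string (example.invalid is a placeholder host).
const hidden = '<iframe src="http://example.invalid/" width="1" height="1"></iframe>';
const codes = Array.from(hidden, c => c.charCodeAt(0)).join(',');
const SAMPLE_CLEAN = 'function translit(s){ return s.replace(/a/g, "\\u0430"); }\ntranslit("a");';
const SAMPLE_TAMPERED = SAMPLE_CLEAN +
  '\nfunction createCSS(){ document.write(String.fromCharCode(' + codes + ')); }';

for (const [n, s] of [['clean.js', SAMPLE_CLEAN], ['tampered.js', SAMPLE_TAMPERED]]) {
  console.log(n, scanScript(n, s).findings);
}
```

A hit from either check is a reason to diff the file against a known-good copy, not proof of tampering on its own.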
Actually, I scanned the domain, not the file.
Isn't that what I said?
You said:
He has uploaded the file to an online fileshare… the link he posted.
That is what you have scanned, Asyn… it has nothing to do with his file.
Hi Pondus,
This malware has been with us since 2009, examples: perm.aif.ru/i/js/translit.js & auto.sakh.com/js/translit.js and i.li.ru/translit.js
Here avast flags: http:// jsunpack.jeek.org/dec/go?report=4163b2e64c8ac0da90d1ecdec63ba648c922c673 as JS:IFrame-AU[Trj]
polonus
and that means hxxp://rghost.ru
Yep.
And as I said, this has nothing to do with the translit.js file avast detects… so we are way off topic here ;D
I understand. I removed this unused function (createCSS) from the JavaScript; translation of letters is working properly. Thank you!
…so we are way off topic here ;D
We sure are, sorry.
No problem and Scott seems to have solved it