The current Vps version (091207-0) detects the above trojan when opening this URL: hXXp://www.andiamovespa.nl
I’m told by people who are more knowledgeable than me, that this is a false positive. Can somebody please confirm this?
Thanks … Fogie
Hi Fogie, welcome to the forum
Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected.
This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:
Every 3.6 seconds a website is infected
It seems that the data.js may have been hacked.
12/7/2009 4:11:57 PM 1260202317 SYSTEM 1404 Sign of "HTML:IFrame-KT [Trj]" has been found in "hXXp://www.andiamovespa.nl/data.js" file.
I cannot see it as it is obfuscated, but I would suggest that they do check it out, as it can be a potential risk.
Maybe someone else will have a better description.
-Scott-
Scott
Thanks for the quick reply.
The link has been edited.
Thanks for your analysis; we’ll see if someone comes up with something more definitive.
Fogie
Well, there is a whole page of obfuscated scripts trying to be loaded (hXXp://wXw.andiamovespa.nl/data.js) and that is what avast is alerting on, see image1.
Since it is obfuscated, I don’t understand its intentions, but avast has in the past been very accurate on these types of alerts.
See image2 to get an idea of the obfuscated scripts inside the data.js file which tries to load on opening the andiamovespa.nl home page.
So someone at the site needs to check out that data.js file, if it is in fact meant to be there.
David
Thanks for your input. I’ll see if I can get somebody to contact them (I don’t speak Dutch).
Fogie
The normal webmaster @ website name, etc., if that got through, should be fine in English I would have thought, as HTML/Javascript are English scripting languages. Not to mention the Dutch seem to have good multilingual skills.
A message to webmaster @ andiamovespa.nl bounced. I’ll see if I can find somebody who can read the home page.
Edited to disable the e-mail address
If you can edit your post removing the email, whilst it bounced, it could still be harvested by a spambot trawling for email addresses. That is why I broke mine up.
Hi Fogie,
Probably they are cleaning: (Level: 1) Url checked: (script source)
hXtp://www.andiamovespa.nl/data.js
Blank page / could not connect
No ad codes identified
Not Found
The requested URL /data.js was not found on this server.
Apache/2.2 Server at wXw.andiamovespa.nl Port 80
polonus
Thanks for everybody’s interest, but I think this topic has been beaten to death. Somebody has said they’ll contact the site owner; so, let’s let this thread die.
Thanks again to all.
Edit: BTW, avast (with the same signature file) no longer detects the trojan.
Yes, because there is no call to the data.js file on the page and the data.js file is no longer on the server at that address.
I am getting this same supposed trojan from space.com :-\
Yes, it seems one of the php files has been hacked…
12/10/2009 11:37:07 PM 1260488227 SYSTEM 1492 Sign of "HTML:IFrame-KT [Trj]" has been found in "hXXp://www.space.com/common/js/community.php" file.
So this really isn’t a false positive? :o
Yes, it is most likely a genuine detection
cool, seems the webmasters have fixed it ;D