Infected Javascript?

One of my family members visited this site: hxxp://www.buddhistreadingroom.com/ and Kaspersky detected it as
HEUR:Trojanscript.Iframer

I submitted the website to the Kaspersky virus lab and they replied:

Hello,

This is not a false alarm. The following code is malicious:
REMOVED

If you want to use this website, please contact the webmaster.

So of course I submitted the file to site to avast, but until now there is no detection from avast. That was on 21/9/2010. I am using avast free 5.1 at the moment.

Virustotal said it is clean. So is the site still infected?

I can’t see where this code is on the site, where did kaspersky say it was?
Is that the exact page the alert was on?

I don’t get an alert on the site you mentioned.


This code reforms to an iframe, but doesn’t seem to be detected by avast!

Although in its different forms it is detected by others:

VT results for code posted

VT results for unobfuscated iframe

I’m a little confused as to what is going on here…

Scott

EDIT: the fact that the link contains “tds” is slightly worrying…
EDIT: the site in the iframe loads a popup, which then tries to get you to pay for some business thing…

Thank you for submission, the malicious script will be detected in the next vps update.

Regards.

Hi jsejtko,

Thanks for the info:)

Can you tell whether the site that LunarWolf mentioned (buddhistreadingroom) is infected? I couldn’t find any code that looked like that.

@LunarWolf or a mod if they get there first :wink:

Also, I presume that avast! may alert on this page once it is added to the virus defs, so I would say it is a good idea to remove it.

Scott

EDIT: This is an image of the site that is involved in the popup at the site that it is redirected to: http://www.pctools.com/security-news/wp-content/uploads/2010/12/Blog-3-Pic-5.jpg

I won’t post the whole blog post link as it contains code in text form that causes an alert from avast!

Ok Thanks. That was cool. 8) Still don’t know if it is infected or not. Told my family member not to go there already. :slight_smile:

Wepawet is a good place to check for infected JavaScript/PDF.

Regards,
Tenko

That might be the case, but you may also find that avast alerts on the results. I have to exclude a number of the analysis sites that I use.

« Last Edit: Today at 12:21:26 AM by igor »
Thanks igor for removing the code in the initial post, and preventing many threads being created in the panic ;D

EDIT: just for fun, this page caused a detection on the evernote database (I had “clipped” the page so I would remember) that was what reminded me to get it removed ;D ;D