Is this x/JSFile_1 really packed malware or just a FP?

See: htxp://zulu.zscaler.com/submission/show/7b9efc8264d520d23aba9520ce1e2997-1338471806
Flagged by 1 vendor as PUA.Script.Packed-2, might be a FP because of misinterpretation of the obfuscation.
Online unpacking cannot find any issue, nor is it flagged here: htxp://urlquery.net/report.php?id=61722
Is this nl.ai p,a,c,k,e,d Malware or just flagged because of the obfuscation that is in itself benign?
This is supported by this Wepawet scan: htxp://wepawet.iseclab.org/view.php?hash=fef0bd9c2c1c329418501e7cec04a5a5&t=1338472241&type=js
Anyone?
reported to virus AT avast dot com,

polonus

Hi Polonus,

Doing a compare check, there is no difference between the main source given from the official site and this site.

The script given here is the packed jQuery 1.2.6 given here:
http://docs.jquery.com/Downloading_jQuery

Therefore, it is not malicious. :wink:
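
The compare check described in the reply above, as an added example that is not part of the original thread: it normalizes a flagged script and a trusted reference copy, compares their SHA-256 digests, and reports whether the packer wrapper is present. The function names and the sample byte strings are hypothetical and constructed for illustration; they are not the real jQuery file.

```python
import hashlib
import re

# Wrapper shape emitted by Dean Edwards' packer (the "p,a,c,k,e,d" signature).
PACKER_RE = re.compile(rb"eval\(function\(p,a,c,k,e,[dr]\)")

def normalize(data: bytes) -> bytes:
    """Drop BOM, unify line endings, trim trailing whitespace (transfer noise)."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return b"\n".join(line.rstrip() for line in data.split(b"\n")).strip()

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the inputs are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def triage(flagged: bytes, reference: bytes) -> dict:
    """Compare a flagged script with a trusted reference copy."""
    f, r = normalize(flagged), normalize(reference)
    same = hashlib.sha256(f).digest() == hashlib.sha256(r).digest()
    packed = bool(PACKER_RE.search(f))
    if same:
        verdict = "identical to reference: packer heuristic hit, likely FP"
    elif packed:
        verdict = "packed and differs from reference: unpack and inspect"
    else:
        verdict = "differs from reference: inspect the changed region"
    return {"sha256": hashlib.sha256(f).hexdigest(), "packed": packed,
            "same": same, "first_diff": first_diff(f, r), "verdict": verdict}

# Constructed samples (a toy packed stub, not the real jQuery file).
REFERENCE = b"eval(function(p,a,c,k,e,r){return p}('0 1',2,2,'a|b'.split('|'),0,{}))\n"
SERVED_SAME = b"\xef\xbb\xbf" + REFERENCE.replace(b"\n", b"\r\n")
SERVED_CHANGED = REFERENCE + b"/* constructed extra line */\n"

if __name__ == "__main__":
    for name, body in (("same", SERVED_SAME), ("changed", SERVED_CHANGED)):
        print(name, triage(body, REFERENCE))
```

A match only means the served file equals the reference after whitespace normalization, so the reference itself has to come from a source you trust.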

Hi !Donovan,

As the code is benign, I reported the FP to zulu Zscaler, referring to the wepawet scan report I received.
zulu Zscaler is a nice scanner that also brings up appropriate VT results if it has any,
but script scanning in content checks is meagre and should be re-checked.
Well, just like with Unmasked Parasites, they give all obfuscated or packed code as suspicious.
For these purposes we have to check further by going to resources and performing de-obfuscation.
In this respect Sucuri is a much more apt script website malcode scanner.
But it does not flag all, and I have seen it miss various issues.
As with every scanner, it is as good as its input, and reactive.
Additional scans with UrlQuery can add IDS rule issue alerts.
These alerts are often missed by the run-of-the-mill URL scanners.
Bitdefender has a lot of issues other url scanners miss.
Avast detections and DrWeb's URL scanner (that is where I found the clean JSFile-1)
are often found to be complementary.
Often DrWeb turns up issues that avast does not have and vice versa.
For redirections zulu Zscaler is reliable,
and also a run with the URL query in a sandboxed Malzilla browser session will turn up redirection(s).
For malicious iFrames I use the cheating iFrame detector extension scanner in Google Chrome,
to check if redirects are still responsive etc.
As always your verification is highly appreciated,

polonus