JavaScript virus?

Hello guys,

A person who works at the same enterprise as me was visiting a site and our AV (Trend Micro) detected a JavaScript virus in it…

I sent it to VirusTotal and realized that many other AVs were also detecting JavaScript malware (something about redirection)… including Avast (as JS:Illredir-AQ [Trj])…

However, visiting the site doesn't redirect anywhere…

So some of my IT friends who work here (I am also from IT) and I checked the page code but didn't find anything suspicious… No redirection, and the JS wasn't even encoded…

So, if someone here likes to investigate possible false positives and has some free time to do that, could you check whether it's a real detection or a false positive?

The Site is:

hxxp://www.grupoumbria.com.br/

VirusTotal URLs:

http://www.virustotal.com/url-scan/report.html?id=f6539ca47a0910e0de3872c515901424-1320423588

http://www.virustotal.com/file-scan/report.html?id=8e41572b38819798c5bad3f281f5b68f3d837c43dce3a3c0fefbb544b2afd3fa-1320427193

I am not sure if it's a false positive, because a lot of AVs detected it… However, I can't say that it is real malware, because I didn't find any “obvious” trace of malware activity in its code. Anyway,

Thanks for your time!

Known JavaScript malware.
Details: http://sucuri.net/malware/entry/MW:JS:150

The script is there… at the end of the page.

Quite obvious, one long line of obfuscated code.
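One way to automate the check the reply above describes (a single very long line of obfuscated script appended at the bottom of a page), as an added example that is not code from this thread or from any of the vendors named in it: a small Python scanner that pulls inline scripts out of the HTML as served and flags blocks that contain a very long line, a low proportion of plain letters (typical of escaped or packed text), or calls such as eval/unescape/fromCharCode, and notes when the block sits near the end of the document. The sample page, the token list and the thresholds are constructed assumptions. Feed it the raw HTML bytes rather than what a browser shows, because a web shield that cleans the page on load removes exactly the block being looked for.

```python
from html.parser import HTMLParser

# Constructed list of calls that packed or escaped scripts commonly rely on.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class ScriptCollector(HTMLParser):
    """Collects the body of every inline <script> block with its starting line."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.current = []
        self.start_line = 0
        self.scripts = []  # list of (line_number, script_text)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.current = []
            self.start_line = self.getpos()[0]

    def handle_data(self, data):
        if self.in_script:
            self.current.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
            self.scripts.append((self.start_line, "".join(self.current)))


def analyze_script(text, max_line=400, min_letter_ratio=0.5):
    """Return a list of human-readable reasons why a script block looks obfuscated.

    Thresholds are constructed assumptions; tune them against your own pages.
    """
    reasons = []
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > max_line:
        reasons.append(f"single line of {longest} chars")
    tokens = [t for t in SUSPICIOUS_TOKENS if t in text]
    if tokens:
        reasons.append("uses " + ", ".join(tokens))
    stripped = text.strip()
    if stripped:
        # Escaped (%61, \x61) or packed text is mostly digits and punctuation,
        # so the share of plain letters drops far below that of hand-written code.
        letters = sum(1 for c in stripped if c.isalpha())
        ratio = letters / len(stripped)
        if ratio < min_letter_ratio:
            reasons.append(f"letter ratio {ratio:.2f}")
    return reasons


def find_suspicious_scripts(html, tail_lines=3):
    """Scan every inline script in the document and report the ones that look packed."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    total_lines = html.count("\n") + 1
    findings = []
    for line, text in parser.scripts:
        reasons = analyze_script(text)
        if reasons:
            findings.append({
                "line": line,
                "reasons": reasons,
                # Injected tails are usually appended after </html>, so flag the position too.
                "near_end": line >= total_lines - tail_lines,
            })
    return findings


# Constructed sample page: one ordinary script in the head, one packed line after </html>.
BENIGN_SCRIPT = (
    "\n  function toggleMenu() {\n"
    "    var m = document.getElementById('menu');\n"
    "    m.style.display = (m.style.display === 'none') ? 'block' : 'none';\n"
    "  }\n"
)
# Stand-in for an injected tail: eval over a long run of %xx escapes (decodes to harmless 'abcd...').
INJECTED_LINE = "eval(unescape('" + "%61%62%63%64" * 120 + "'));"
SAMPLE_HTML = (
    "<html>\n<head><title>Example</title>\n"
    f"<script>{BENIGN_SCRIPT}</script>\n</head>\n"
    "<body>\n<p>Welcome</p>\n</body>\n</html>\n"
    f"<script>{INJECTED_LINE}</script>\n"
)

if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_HTML):
        where = "near end of document" if f["near_end"] else "in body"
        print(f"line {f['line']} ({where}): " + "; ".join(f["reasons"]))
```

On the constructed page the head script passes all three checks while the appended block trips every one of them, which is the pattern the reply describes: the injected code is not hidden in the middle of the markup but hangs off the end of it.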

Asyn, Sucuri… that’s cheating :stuck_out_tongue:

;D 8)

Hello!

Thanks for the answers!

I feel so dumb! hehehe I forgot to check the bottom of the page… That's why I didn't find any obfuscation… =-P

Thanks for your time!

BrBrasil

You’re welcome…!

Oops, actually I think our AV removed this JS part, because it's not appearing to me… It says that it has cleaned the malware code when we load the page… Maybe that's why I can't find the code…

Thanks All!
BrBrasil

The avast webshield still blocks it as infected by JS:Illredir-AQ[Trj].
The website is also on a misused server:

-http://grupoumbria.com.br/ 658D62E32567EF40C25226A7B2989733 200.219.245.77 BR infected with W32Damaged_File.B.gen!Eldorado

Comodo’s SiteInspector gives it as clean now: http://siteinspector.comodo.com/public/reports/580971
Here it is suspicious, 2 instances: http://urlquery.net/report.php?id=7442

polonus