Likely Avast false positive in Script:SNH-gen [Trj] in Kubuntu.org javascript

Hi,

I have a problem here where accessing the url kubuntu[.]org[/]download results in a Script:SNH-gen [Trj] detection, in which the screenshot has been put as attachment.

Since this concerns a well-known Ubuntu OS maker, I went around and found that others have reported similar experience in here:

Attempting to access Kubuntu.org with Avast Antivirus active results in a warning that Script:SNH-gen [Trj] has been detected on https://kubuntu.org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0. This prevents the page from loading as intended. I have attempted to report this as a false-positive, but Avast states that this is a legitimate detection.

Furthermore this is the source code of the javascript which triggered the detection:

var $j = jQuery.noConflict();
/* ---------------------------------------------------- */
/*	PARALLAX											*/
/* ---------------------------------------------------- */
jQuery.fn.parallax = function(xpos, speedFactor) {

	'use strict';

	var firstTop, methods = {};

	return this.each(function(idx, value) {

		var $this = jQuery(value), firstTop = $this.offset().top;

		if (arguments.length < 1 || xpos === null)

			xpos = "50%";

		if (arguments.length < 2 || speedFactor === null)

			speedFactor = 0.1;

		methods = {

			update: function() {

				var pos = jQuery(window).scrollTop();

				$this.each(function() {

					$this.css('backgroundPosition', xpos + " " + Math.round((firstTop - pos) * speedFactor) + "px");

				});

			},

			init: function() {

				this.update();

				jQuery(window).on('scroll', methods.update);

			}

		}

		return methods.init();

	});

};

//MOBILE MENU -----------------------------------------
//-----------------------------------------------------
jQuery(document).ready(function(){
'use strict';
jQuery('#menu-main').superfish();
jQuery('#menu-main li:has(ul)').each(function(){
jQuery(this).addClass('has_child').prepend('<span class="this_child"></span>');
});
jQuery('#menu-main.skt-mob-menu li.has_child > a').click(function(){
if(jQuery(this).hasClass('active')){
jQuery(this).removeClass('active');
jQuery(this).next('ul:first').stop(true,true).slideUp();
}
else{
jQuery(this).addClass('active');
jQuery(this).next('ul:first').stop(true,true).slideDown();
}
});
});
(function( $ ) {
'use strict';
$.fn.sktmobilemenu = function( options ) { 
var defaults = {
'fwidth': 1025
};
//call in the default otions
var options = $.extend(defaults, options);
var obj = $(this);
return this.each(function() {
if($(window).width() < options.fwidth) {
sktMobileRes();
}
$(window).resize(function() {
if($(window).width() < options.fwidth) {
sktMobileRes();
}else{
sktDeskRes();
}
});
function sktMobileRes() {
jQuery('#menu-main').superfish('destroy');
obj.addClass('skt-mob-menu').hide();
obj.parent().css('position','relative');
if(obj.prev('.sktmenu-toggle').length === 0) {
obj.before('<div class="sktmenu-toggle" id="responsive-nav-button"></div>');
}
obj.parent().find('.sktmenu-toggle').removeClass('active');
}
function sktDeskRes() {
jQuery('#menu-main').superfish('init');
obj.removeClass('skt-mob-menu').show();
if(obj.prev('.sktmenu-toggle').length) {
obj.prev('.sktmenu-toggle').remove();
}
}
obj.parent().on('click','.sktmenu-toggle',function() {
if(!$(this).hasClass('active')){
$(this).addClass('active');
$(this).next('ul').stop(true,true).slideDown();
}
else{
$(this).removeClass('active');
$(this).next('ul').stop(true,true).slideUp();
}
});
});
};
})( jQuery );

jQuery(window).load(function(){
	'use strict';
	jQuery('#full-division-box').parallax("center", 0.2);
});


jQuery(document).ready(function ($) {
'use strict';
document.getElementById('s') && document.getElementById('s').focus();
});
jQuery(document).ready(function(){
	'use strict';
	jQuery('#menu-main').sktmobilemenu();
});

//BACK TO TOP -----------------------------------------
//-----------------------------------------------------
jQuery(document).ready( function() {
'use strict';
jQuery('#back-to-top,#backtop').hide();
jQuery(window).scroll(function() {
if (jQuery(this).scrollTop() > 100) {
jQuery('#back-to-top,#backtop').fadeIn();
} else {
jQuery('#back-to-top,#backtop').fadeOut();
}
});
jQuery('#back-to-top,#backtop').click(function(){
jQuery('html, body').animate({scrollTop:0}, 'slow');
});
});

//WAYPOINTS MAGIC -----------------------------------------
//---------------------------------------------------------
if ( typeof window['vc_waypoints'] !== 'function' ) {
function vc_waypoints() {
if (typeof jQuery.fn.waypoint !== 'undefined') {
$j('.fade_in_hide').waypoint(function() {
$j(this).addClass('skt_start_animation');
}, { offset: '90%' });
$j('.skt_animate_when_almost_visible').waypoint(function() {
$j(this).addClass('skt_start_animation');
}, { offset: '90%' });
}
}
}
jQuery(document).ready(function($) {
'use strict';
vc_waypoints();
}); 

//------------------------------------------------------------

I have a hunch that this might be one of the countless cases of false-positive, but according to the person who reported about the incident months ago, Avast allegedly said that it’s a legitimate detection. I will see if I can ask my friends and others to post this one on other antivirus forums such as Malwarebytes to get a second opinion on the matter because ultimately I’ll be forced to waste a lot of time and productivity to run deep scans of my computers with multiple antivirus softwares.

upload the javascript to www.virustotal.com and scan it

post link to scan result here

I will see if I can ask my friends and others to post this one on other antivirus forums such as Malwarebytes ......
Malwarebytes scanner does not target script/doc or media files

Only Avast and AVG (controlled by the one same as Avast) said that it’s a virus.

https://www.virustotal.com/gui/file/1e3316ea75bd55f8be6a09d3f5528a81e536157495e7141ca95de68226bea67e/detection

report it again https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Thanks. It appears that I got the page url (the location where I initially got the detection alert) wrong, which should be kubuntu[.]org/getkubuntu/ instead of kubuntu[.]org/download/

It has now been reported to Avast as a potential false positive.

For reference, I was on Windows 10 64 bit Brave Browser when the virus detection first occured. Furthermore, the file that triggered the detection is at kubuntu[.]org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0

Source code of the file if it was missed beforehand:

var $j = jQuery.noConflict();
/* ---------------------------------------------------- */
/*	PARALLAX											*/
/* ---------------------------------------------------- */
jQuery.fn.parallax = function(xpos, speedFactor) {

	'use strict';

	var firstTop, methods = {};

	return this.each(function(idx, value) {

		var $this = jQuery(value), firstTop = $this.offset().top;

		if (arguments.length < 1 || xpos === null)

			xpos = "50%";

		if (arguments.length < 2 || speedFactor === null)

			speedFactor = 0.1;

		methods = {

			update: function() {

				var pos = jQuery(window).scrollTop();

				$this.each(function() {

					$this.css('backgroundPosition', xpos + " " + Math.round((firstTop - pos) * speedFactor) + "px");

				});

			},

			init: function() {

				this.update();

				jQuery(window).on('scroll', methods.update);

			}

		}

		return methods.init();

	});

};

//MOBILE MENU -----------------------------------------
//-----------------------------------------------------
jQuery(document).ready(function(){
'use strict';
jQuery('#menu-main').superfish();
jQuery('#menu-main li:has(ul)').each(function(){
jQuery(this).addClass('has_child').prepend('<span class="this_child"></span>');
});
jQuery('#menu-main.skt-mob-menu li.has_child > a').click(function(){
if(jQuery(this).hasClass('active')){
jQuery(this).removeClass('active');
jQuery(this).next('ul:first').stop(true,true).slideUp();
}
else{
jQuery(this).addClass('active');
jQuery(this).next('ul:first').stop(true,true).slideDown();
}
});
});
(function( $ ) {
'use strict';
$.fn.sktmobilemenu = function( options ) { 
var defaults = {
'fwidth': 1025
};
//call in the default otions
var options = $.extend(defaults, options);
var obj = $(this);
return this.each(function() {
if($(window).width() < options.fwidth) {
sktMobileRes();
}
$(window).resize(function() {
if($(window).width() < options.fwidth) {
sktMobileRes();
}else{
sktDeskRes();
}
});
function sktMobileRes() {
jQuery('#menu-main').superfish('destroy');
obj.addClass('skt-mob-menu').hide();
obj.parent().css('position','relative');
if(obj.prev('.sktmenu-toggle').length === 0) {
obj.before('<div class="sktmenu-toggle" id="responsive-nav-button"></div>');
}
obj.parent().find('.sktmenu-toggle').removeClass('active');
}
function sktDeskRes() {
jQuery('#menu-main').superfish('init');
obj.removeClass('skt-mob-menu').show();
if(obj.prev('.sktmenu-toggle').length) {
obj.prev('.sktmenu-toggle').remove();
}
}
obj.parent().on('click','.sktmenu-toggle',function() {
if(!$(this).hasClass('active')){
$(this).addClass('active');
$(this).next('ul').stop(true,true).slideDown();
}
else{
$(this).removeClass('active');
$(this).next('ul').stop(true,true).slideUp();
}
});
});
};
})( jQuery );

jQuery(window).load(function(){
	'use strict';
	jQuery('#full-division-box').parallax("center", 0.2);
});


jQuery(document).ready(function ($) {
'use strict';
document.getElementById('s') && document.getElementById('s').focus();
});
jQuery(document).ready(function(){
	'use strict';
	jQuery('#menu-main').sktmobilemenu();
});

//BACK TO TOP -----------------------------------------
//-----------------------------------------------------
jQuery(document).ready( function() {
'use strict';
jQuery('#back-to-top,#backtop').hide();
jQuery(window).scroll(function() {
if (jQuery(this).scrollTop() > 100) {
jQuery('#back-to-top,#backtop').fadeIn();
} else {
jQuery('#back-to-top,#backtop').fadeOut();
}
});
jQuery('#back-to-top,#backtop').click(function(){
jQuery('html, body').animate({scrollTop:0}, 'slow');
});
});

//WAYPOINTS MAGIC -----------------------------------------
//---------------------------------------------------------
if ( typeof window['vc_waypoints'] !== 'function' ) {
function vc_waypoints() {
if (typeof jQuery.fn.waypoint !== 'undefined') {
$j('.fade_in_hide').waypoint(function() {
$j(this).addClass('skt_start_animation');
}, { offset: '90%' });
$j('.skt_animate_when_almost_visible').waypoint(function() {
$j(this).addClass('skt_start_animation');
}, { offset: '90%' });
}
}
}
jQuery(document).ready(function($) {
'use strict';
vc_waypoints();
}); 

//------------------------------------------------------------

From logs, all detections so far in this case are only centered on one file.

3/2/2024 2:58:50 AM	https://kubuntu.org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0 [L] Script:SNH-gen [Trj] (0)
3/2/2024 3:13:00 AM	https://kubuntu.org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0 [L] Script:SNH-gen [Trj] (0)
3/2/2024 3:24:04 AM	https://kubuntu.org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0 [L] Script:SNH-gen [Trj] (0)

*
* Shield stopped: Saturday, 3 February, 2024 4:19:13 AM
* Run-time was 1 day(s), 7 hour(s), 35 minute(s), 35 second(s)
*

*
* Avast Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, 3 February, 2024 4:23:23 AM
*

3/2/2024 5:54:29 AM	https://kubuntu.org/wp-content/themes/advertica-lite/js/custom.js?ver=1.0 [L] Script:SNH-gen [Trj] (0)

*
* Shield stopped: Saturday, February 3, 2024 7:31:06 AM
* Run-time was 3 hour(s), 7 minute(s), 43 second(s)
*

*
* Avast Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, February 3, 2024 7:59:54 AM

Wait for a final verdict by avast’s, as this generic detection might well be a FP.

See also: https://www.ip-lookup.org/score/185.125.190.18 This IP taken from see below: (https://www.virustotal.com/gui/url/04c7c0cd7dfb00d100cc8377bfd3586ba6bfb92ef0d8283077681bb125f78ee7/details).

Are we at it again? → https://support.avg.com/answers?id=9065p000000Q3arAAC

polonus

Confirmed false positive.

Hello,

Thank you for contacting Avast and reporting a false positive file detection. I’m happy to help.

The reported JS file was checked by Avast technicians and based on the findings the detection was removed. The file is now marked as clean in the Avast virus database. This change may take up to 24 hours to take full effect. Please accept my apology for the inconvenience caused.

If the detection persists after 24 hours, please update the Avast virus database and reply to this email with attached files:

Take a screenshot of the Avast detection dialog (Threat Secured pop-up with See details - displayed at the bottom).
A screenshot of the Avast virus database (open Avast Antivirus and go to Menu > About).
For instructions on taking a screenshot, refer to this article: Creating a screenshot.

I hope you have a nice day and stay safe online.