Site with Trojan Horse -- is it real problem?

Hello,

I have tried, over the course of several days, to access this website:
hxxp://www.theprosperityparadigm.com

Each time I do, avast! finds the Trojan Horse JS:ScriptSH-inf [trj]

My brother sent me this link, and he tells me he has no trouble accessing the site at all, and no problems with his computer.

Should I report this as a false positive? Or is there a serious virus on this site? If so, what is the best way to let them know?

Thank you!

FWIW, I just tried this site and also got a warning message.

Yes, right, it’s not a false positive.

A virus or unwanted program has been detected
in the HTTP data on the requested page.

Requested URL: hxxp://www.theprosperityparadigm.com/
Information: Contains recognition pattern of the JS/Dldr.IFrame.BM Java script virus


Welcome to the forums, bwhughes. :slight_smile:

In your first post above, please change the link so that it is not an active link. An example would be:

hxxp://www.theprosperityparadigm.com (notice that http has been changed to hxxp to kill the link)


Hi folks,

Finjan scans this as: -Code Obfuscation (Home-Encoding) - malicious activity found,

polonus

Hi everybody,

Fixed the link, as requested.

Thank you for all the comments confirming that there is real malware on this site. But what do I do about it? I really want to look at the site! And as I said, my brother has experienced no problems with it. How do you alert the webmaster, or has one of you already done it?

And what would happen if I ignored the warning and went to the site anyway? Does anyone know what this particular “thing” would do to me (or to my computer)?

Need some answers, please!

Thank you very much,
bwhughes

It would download the virus executed from the JS:ScriptSH-inf [trj] code.

Um, yeah, of course! … But what would THAT do?

Ummm… Download a virus from the script. I don’t know which virus, although…

OK, look, is there someone here who can actually help me with this? I have figured out a way to contact the owner of the website, which I hope to do soon. Should I just leave it at that? I want to know how SERIOUS this virus would be to my computer. I’m not stupid. These obvious “answers” are no answers at all.

How long is a piece of string hidden in my pocket? Answer: you don’t know. It could be absolutely anything that is at the other end of the script; it is probably a redirect to a site. The payload (what is at that site) could be anything, from the innocuous to becoming infected with a very virulent virus like win32:Virut, which has resulted in a format and reinstall for many infected with it. Or even having your system become part of a botnet. There is just no way to find out without letting yourself get infected and seeing what it does.

No one in their right mind is going to do that on other than a test system that they would be starting from square one after getting infected to see what happens. Not for the inexperienced, faint hearted or the over confident.

There is a large block of obfuscated JavaScript directly after the Body tag on the page, which is highly suspect and most certainly what is causing the alert. See image; I have edited the single line of code, splitting it to make it easier to see.

However, a capture of that page sent to virustotal, a multi-engine virus scanner (40), finds 16 of the 40 consider it malware, fairly conclusive. http://www.virustotal.com/analisis/6399a63498cbdf0618b164d9d27ad177

Many of those consider it a downloader, which if it gets on your system could download more malware which could be much more serious.
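The shape DavidR describes (a large obfuscated inline script directly after the body tag, typically loading a hidden iframe as a downloader) can be triaged offline from a saved copy of the page. The script below is an added example, not code from this thread or from avast; the heuristics, thresholds and the two sample pages are constructed assumptions, and a hit is a reason to look closer, not a verdict.

```python
import re
from html.parser import HTMLParser
DECODE_EXEC = ("eval(", "unescape(", "fromCharCode", "document.write(")
STRING_RE = re.compile(r"""(["'])(.*?)\1""")

def score_script(text, first_in_body):
    """One point per heuristic hit; this is triage, not a verdict."""
    reasons = []
    if first_in_body and len(text) > 500:
        reasons.append("large inline script directly after <body>")
    hits = [c for c in DECODE_EXEC if c in text]
    if hits:
        reasons.append("decode/exec calls: " + ", ".join(hits))
    longest = max((len(body) for _, body in STRING_RE.findall(text)), default=0)
    if longest > 200:
        reasons.append("string literal of %d chars" % longest)
    return len(reasons), reasons

class _Collector(HTMLParser):
    """Gathers inline <script> bodies and zero-size <iframe>s (the usual shape of an iframe downloader)."""
    def __init__(self):
        super().__init__()
        self.findings, self._buf, self._first = [], None, False
        self._seen_body, self._tags_since_body = False, 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self._seen_body, self._tags_since_body = True, 0
            return
        if tag == "script":  # note whether this is the first element after <body>
            self._buf, self._first = [], self._seen_body and self._tags_since_body == 0
        if tag == "iframe" and "0" in (attrs.get("width"), attrs.get("height")):
            self.findings.append({"score": 1, "reasons": ["zero-size iframe -> " + attrs.get("src", "?")]})
        self._tags_since_body += 1
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            score, reasons = score_script("".join(self._buf), self._first)
            if score:
                self.findings.append({"score": score, "reasons": reasons})
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def scan_html(html):
    parser = _Collector()  # returns suspicious inline scripts and hidden iframes in a saved page
    parser.feed(html)
    return parser.findings

CLEAN = '<html><body><h1>Hi</h1><script>console.log("hello");</script></body></html>'  # constructed sample
ENCODED = "".join("\\x%02x" % (0x61 + i % 26) for i in range(150))  # 600 chars of \xNN escapes (constructed)
INJECTED = ('<html><body><script>var q="' + ENCODED + '";eval(unescape(q));</script>'
            '<iframe src="http://example.invalid/x" width="0" height="0"></iframe></body></html>')
```

Run it against the HTML saved with a plain fetch tool rather than a browser, so nothing in the page executes while you inspect it.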

Thank you, DavidR, for your thorough reply. I might have asked a question that was considered “stupid,” but that doesn’t make me stupid, and I didn’t appreciate the flippant answers I was getting from the other poster. Thank you for letting an inexperienced virus newbie have a chance to get some solid information, even if I don’t thoroughly understand every bit of it. I get the gist, and I appreciate your link and screen shot so that I can learn as much as possible. I really wish that there were more people in this world who didn’t treat “unknowledgeable” questions with flippant replies, or with the attitude that the person asking the question couldn’t possibly understand the answer. His answer was like me asking, “What are you watching on TV?” with him answering, “A show.” (No! Really? A show?!? Are you sure you’re not watching a book?) Sheesh. :slight_smile:

Just solid information stated as clearly as possible, that’s what people need. How do techies expect people to learn about these things if you talk down to them or refuse to meet them half way? Now I can go to the site owner and show him what you’ve shown me. And he can take it from there. And now I know for certain that I shouldn’t chance going there myself.

Thank you again.

You’re welcome.

I don’t believe the majority of answers were intended to be flippant, just confirming that there are multiple sources that also consider this infected. Many of them, like you, are unable to go into depth to analyse exactly what it is, as there can be a risk in doing this (they are after all just avast users like you).

The problem is you have no idea of their experience level and the only thing you have to go on is their post count, so if someone suggests that you download the virus from the executed script, exercise the degree of common sense you have shown. Treat that suggestion with the lack of experience it shows and ignore it; don’t do it. Even if you knew how to possibly go about it, you would leave your system at risk of unknown damage that might result in having to format and reinstall everything.

All you can do is contact them (as you say you have found a way), explain it as best you can, and you could also give them the link to this topic so they can see for themselves.

Since this potential virus is coming up for a site that I really want to look at, I just thought I’d let you all know that there are other forums with posters who are claiming that this IS a false positive. Would those of you who are more experienced than I am with these things please take a look at this site and let me know your reactions:

hxxp://forums.3drealms.com/vb/showthread.php?t=34864

These people are referring to a Firefox plugin called CoolIris, and I don’t have that plugin installed, by the way.

In addition, my brother says that he uses Norton, that JS:ScriptSH-inf [trj] does not reside on the Norton search engine, that no mention of it is in their forums, and no mention of it is on the MS site, either. He says his computer has run issue free for 4 years, and he doesn’t believe this is a real Trojan Horse threat. He has accessed the site in question himself without a problem.

What is the chance that Avast could be overreacting to this javascript code, as the above forum seems to suggest?

Thank you for your help!

Well, they should look at the above image and the virustotal results. I also don’t use CoolIris either and that doesn’t stop avast alerting. So given that avast along with 15 other scanners are overreacting then, I think not. avast has been very hot on these hacks and of all those I have checked on the forums, all have been good detections.

The only way to resolve it is by contacting the owners/webmaster and making them aware of the hack, and for them to resolve it.

There is absolutely no way that I would ignore a valid alert by avast to disable any element of avast or exclude the site from scans to be able to visit it (that would be the only way), no matter how much you really want to look at it.

But as always, your system, your choice.

There is no point in checking for malware names in other AVs detections as there is no convention/standard in naming malware, you only have to look at the VT results to see the different names, etc.

Norton doesn’t even take part in the VirusTotal scanning, I wonder why.