hxxp://www.seancollection.com/winadress.asp
When I save the file and send to virustotal 3 vendors show it as various things:
Mal/ObfJS-X
Trojan:JS/Aseljo.K
JS.Suspicious.gen (suspicious)
Looking at the code it is very clear that there is a lot of bad stuff going on in packed/obfuscated javascript. Also some suspicious links in the tag.
Zip and password protect the file and send it to “virus-at-avast-dot-com” with the subject “possible Virus”. Also put the password in the body of the e-mail.
The avast web shield has been very hot on detecting malicious obfuscated scripts so I’m surprised it missed this. As you mention the Title having not one but three script tags within it is highly suspect (to Russian domains), so it looks like this site has been hacked.
http://google.com/safebrowsing/diagnostic?site=cgt4.ru/
http://google.com/safebrowsing/diagnostic?site=uhwc.ru/
Also see this link for the stuff outside the title tag, only cached for 2 hours, http://www.UnmaskParasites.com/security-report/?page=www.seancollection.com/winadress.asp.
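The two signs the posters in this thread use to call the page hacked are script tags nested inside the `<title>` element and external script sources pointing at hosts other than the site's own. The following is an added example (not code from the thread, from avast, or from UnmaskParasites) that automates that check over a constructed HTML sample; the function name `findSuspiciousScripts`, the sample markup and the host names `bad.example` / `www.shop.example` are placeholders of my own, not the domains reported above.

```javascript
// Added example: flag <script> elements inside <title> and external script
// sources that do not belong to the site's own host. Constructed sample
// page; the host names are placeholders, not the ones reported in the thread.
const SAMPLE_HTML = [
  "<html><head><title>Win Address",
  '<script src="http://scripts.bad.example/ngg.js"></script>',
  '<script src="http://more.bad.example/js.js"></script>',
  "<script>eval(function(p,a,c,k,e,d){})</script>",
  "</title></head>",
  '<body><script src="/js/menu.js"></script>',
  '<script src="http://www.shop.example/cart.js"></script></body></html>',
].join("\n");

// Returns a list of {reason, detail} findings for one HTML document.
// ownHost is the hostname the page is legitimately served from.
function findSuspiciousScripts(html, ownHost) {
  const findings = [];

  // 1. A <title> element should contain only text; any <script> in it is
  //    a strong sign of injected markup.
  const titleMatch = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  if (titleMatch && /<script\b/i.test(titleMatch[1])) {
    const n = (titleMatch[1].match(/<script\b/gi) || []).length;
    findings.push({
      reason: "script-in-title",
      detail: `${n} script tag(s) inside <title>`,
    });
  }

  // 2. Every external script src is resolved against the site's own origin
  //    and reported when it loads from a different host.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    let host;
    try {
      host = new URL(src, `http://${ownHost}/`).hostname;
    } catch {
      host = null; // unparsable src: leave it out rather than guess
    }
    if (host && host !== ownHost) {
      findings.push({ reason: "external-script", detail: src });
    }
  }
  return findings;
}

console.log(findSuspiciousScripts(SAMPLE_HTML, "www.shop.example"));
```

Relative paths such as `/js/menu.js` resolve to the site's own host and are not reported, so a clean page yields an empty list; the sample above yields one title finding (three tags) and two external-script findings.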
Hi mercillius,
At the moment the site may be cleansed, because one cannot contact it.
Thanks for bringing this to our attention in the first place, by all means keep reporting these things so the shields detection of avast may be improved even further. Web page security report alerts this as:
External References for Malcode
- www dot cgt4 dot ru suspicious - displaying 1 of 1
link - htxp://www.cgt4.ru/ngg.js
- www dot uhwc dot ru suspicious - displaying 1 of 1
link - htxp://www.uhwc.ru/js.js
Suspicious Inline Scripts
Script outside of HTML
```
var nav4 = window.Event ? true : false;
function msg(){alert('All images on this site are protected...
```
Script outside of HTML
```
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c...
```
Script outside of HTML
```
eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'...
```
polonus
P.S. analysis of one of these SQL injections: ngg.js (seems there is quite a wave of this malcode recently):
http://s3cwatch.wordpress.com/2008/07/26/analysis-of-wwwh23frunggjs/
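The two `eval(function(p,a,c,k,e,d){...})` fragments quoted in the report above are the well-known "p,a,c,k,e,d" JavaScript packer: the payload `p` has had its words replaced by base-`a` tokens, and the `c` words in the dictionary `k` are substituted back at run time. An analyst wants that payload without handing it to `eval()`. The code below is an added example (not code from the thread, from UnmaskParasites or from the linked analysis): it parses the packer's argument list and rebuilds the script statically. The function names `parsePacked`, `encodeIndex`, `unescapeJsString` and `unpackPacked` are my own, and `SAMPLE` is a constructed packed string that I built by hand for the demonstration, not the script from the compromised page.

```javascript
// Added example: static unpacker for the "eval(function(p,a,c,k,e,d){...})"
// format. Nothing here executes the packed script; it only reverses the
// token substitution the packer's own loop performs.

// Constructed sample (hand-built for this example, not the script from the
// thread): six words, base 36, payload "0 1(){2('All 3 on this 4 are 5');}".
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1(){2(\'All 3 on this 4 are 5\');}',36,6,'function|msg|alert|images|site|protected'.split('|'),0,{}))`;

// Mirrors the packer's index encoder: 0..35 become digits and lowercase
// letters, 36..61 become uppercase letters. Bases above 62 are not handled.
function encodeIndex(n, base) {
  if (base > 62) throw new Error("base > 62 not supported by this example");
  const digit = n % base;
  const prefix = n < base ? "" : encodeIndex(Math.floor(n / base), base);
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Undo the backslash escapes used inside the packer's single-quoted arguments.
function unescapeJsString(raw) {
  return raw.replace(/\\(.)/g, (_, ch) => {
    switch (ch) {
      case "n": return "\n";
      case "r": return "\r";
      case "t": return "\t";
      default: return ch; // \' \\ \/ and similar
    }
  });
}

// Locate the trailing call  }('payload', base, count, 'w0|w1|...'.split('|'), ...)
// and return its pieces, or null when the source is not in this format.
function parsePacked(source) {
  const re = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)/;
  const m = re.exec(source);
  if (!m) return null;
  return {
    payload: unescapeJsString(m[1]),
    base: parseInt(m[2], 10),
    count: parseInt(m[3], 10),
    words: unescapeJsString(m[4]).split("|"),
  };
}

// Rebuild the original script. The packer replaces token i with k[i] only
// when k[i] is non-empty, so the lookup table is built the same way.
function unpackPacked(source) {
  const parsed = parsePacked(source);
  if (!parsed) return null;
  const { payload, base, count, words } = parsed;
  const table = new Map();
  for (let i = 0; i < count && i < words.length; i++) {
    if (words[i]) table.set(encodeIndex(i, base), words[i]);
  }
  // \b\w+\b matches exactly the tokens the packer's own RegExp('\\b'+e(c)+'\\b') would.
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

console.log(unpackPacked(SAMPLE));
```

The recovered text is what the second "Script outside of HTML" entry would actually run; with the real sample from the page the interesting part is usually a `document.write` of an iframe or a further `eval`, so the output should be read, not executed. Multiply packed scripts can be fed back through `unpackPacked` until `parsePacked` returns null.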
Thanks for the feedback everyone. I submitted the file to Avast!
Merc
I have also sent a report, so hopefully soon it will not be missed.
Hi malware fighters and webmasters with sites hosting ngg.js,
The solution for the website owner - webmaster:
The first step to take is restore your site from backups. If you can, erase everything off of the server (after backing it up).
The second step is to find out what scripts you’re running.
It’s apparently an SQL injection attack - http://msmvps.com/blogs/spywaresucks/archive/2008/07/03/1639205.aspx
It was probably performed via your CartGenie shopping cart system - have you updated it lately?
Actually, looking through this more, you probably can’t fix it just by reloading the site. It’s probably now IN your SQL database (be it Microsoft SQL or MySQL - without knowing that, it’s hard to give you more information about how to remove it from the database)
Bluntly, I’d suggest you call whoever provided you with CartGenie, let them know that your site has been compromised, and have them clean it. Unless you loaded the software yourself, they should be maintaining it, and keeping it free of vulnerabilities and fully patched.
polonus