Trojan.JS.StartPage on a website

Hi

I checked a website on Virustotal and Ikarus gave: Trojan.JS.StartPage (No other AV software gave anything). I had Noscript and used Sandbox when surfing. How can I still check that site to see if it’s really infected? It could be a false alarm. But I want to be sure I was not infected with anything. Avast said nothing when I went on the site.

Regards

Hi wompa,

Give the site as htxp://etc. or as wXw and we will have a look for you. You could look yourself at URLVoid and see what this metascanner has, feed up the URL to finjan’s URL checker, or at Wepawet, Google’s unmasked parasites, if you think it is a suspicious javascript there is jsunpack (for expert users in a sandbox and with NoScript active on that jsunpack site, this not to let eventual malcode spill over), or look at the site using the malzilla malcode browser (for expert users), you could look for various malware domain lists if the url is to be found there or not, or we give it a look: DavidR, Pondus or little old me, you could also attach a gif image of the script found there (images cannot infect, use a GIF format in the right size), and if you have some expertise here come and help us.

polonus

I will PM you the link so that nobody accidentally goes into it :slight_smile:

Thanks

EDIT: For some reason I can not PM.

You will have a problem there as you can’t use it until you have 20 posts:

  • The problem comes from drive by spammers, who having registered put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can’t use the PM function either.

Unfortunately, because of the actions of others, legitimate members suffer by the actions to prevent this spamming.

So just modify the URL as suggested.

Ah, makes sense.

Well here is the link: WARNING VIRUS SCRIPT hXXp://allla.mihanblog.com/post/24 WARNING VIRUS SCRIPT
Thanks

Very grateful for some help on what was in there! I don’t think I was infected because I had NoScript, Firefox & Avast5 running all at the same time :slight_smile: I think NoScript would stop it though. I do not know if that JS.Startpage is Javascript or Java… if so would it help? Hmm.

Please check and help me out. Thanks

Any news on this? Regards

Report 2010-08-18 15:26:47 (GMT 1)
File Name 24
File Size 41449 bytes
File Type Unknown file
MD5 Hash 70f0db46f1e9fc78c41d6b4f893c5278
SHA1 Hash 28c3b82b9f0a74c1344631f79cb213f142c02f4a
Detections: 2 / 16 (13 %)
Status INFECTED

a-squared 18/08/2010 5.0.0.14 Trojan.JS.StartPage!..
Ikarus T3 18/08/2010 1001084 Trojan.JS.StartPage

I checked a website on Virustotal and Ikarus gave: Trojan.JS.StartPage (No other AV software gave anything)
now also detected by Emsisoft ( hmmm ......jepp Emsisoft (a-squared) is using Ikarus virus scanner )

VirusTotal - 24 - 2/42
http://www.virustotal.com/file-scan/report.html?id=2e87d462deeddddf28fa087026cb41c2dfb6978da1ac634975db3b4b79626301-1282138168

Yes, that’s the same engine, similar as avast and g-data…!
asyn

Yeah. But does it use JS? It seems like it can be a false positive though as no other AV catches it.

It seems like it can be a false positive though as no other AV catches it.
When it comes to detecting infected websites avast is Nr.1, don’t know how they do it but this is an avast speciality
Yeah. But does it use JS?
Does what use JS?

JavaScript Malware
http://www.ajaxwith.com/JavaScript-Malware.html

JavaScript opens doors to browser-based attacks
http://news.cnet.com/JavaScript-opens-doors-to-browser-based-attacks/2100-7349_3-6099891.html

and more
http://www.google.no/search?hl=no&q=what+is+Java+script+malware&aq=f&aqi=&aql=&oq=&gs_rfai=

Hi Pondus,

You may check further because here we find a reported 8 suspicious scripts there: http://www.unmaskparasites.com/security-report/?page=allla.mihanblog.com/post/24
and there is a link with obfuscated script here: http://www.unmaskparasites.com/web-page-options/?url=htxp%3A//1.razishop.com/1389/02/26/%25D9%2581%25D9%2588%25D9%2584-%25D8%25A2%25D9%2584%25D8%25A8%25D9%2588%25D9%2585-%25D9%2588-%25D8%25A2%25D8%25B1%25D8%25B4%25DB%258C%25D9%2588-%25D8%25A7%25DB%258C%25D8%25B1%25D8%25A7%25D9%2586%25DB%258C/&susp=1

See: http://wepawet.iseclab.org/view.php?hash=b7105c76bdf779435484d3c4da2ea520&t=1282153643&type=js

polonus

@Polonus
They give same detection as in my reply #7 VT 2/42

I am too worried to go on those sites (I do not know why. That site made me scared). Can you explain what you found? Thanks!

I am too worried to go on those sites (I do not know why. That site made me scared). Can you explain what you found? Thanks!
Click the links and see, they are not dangerous: if they were, Polonus would not post them clickable

Hi wompa,

Pondus is right, I only give click-through links here as they are safe and secure and cannot infect at all. These are sites where the malware as such is analyzed, and you cannot get infected through these (unmasked parasites and Wepawet). Another question with jsunpack online website where the javascript is being unpacked and analyzed and for instance http://www.greymagic.com/security/tools/decoder/ where urls and code are being decoded (there you need NoScript script blocker installed and active in a Mozilla browser together with RequestPolicy on and preferably have the browser sandboxed, so eventual malscript cannot spill over and (re-)infect). I will never give these links live, always with htxp or wxw so only the experts know what to do. All code (because even harmless code can be flagged by the avast browser shield) is given as an attached (minimized) gif image created from a screenshot of browser or apps with using Pcpick (because of maximum size of attached images), so no one can get infected. After thousands of these sort of online malcode analysis in victim’s threads, we sure know what we are supposed to do, and your countryman Pondus likewise keeps these strict policies.
“Do not harm” is also one of the foremost rules of the malware fighter,

polonus
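The link-posting policy described in this thread (analysis-service links stay clickable, everything else is written as hXXp / wXw) can be enforced mechanically. The following is an added example, not code from any poster or from the forum software; the allow-list contents, the function names and the sample text are assumptions made for illustration. It decides on the parsed host rather than on a substring, so a suspect URL that merely mentions an analysis service is still defanged.

```python
import re
from urllib.parse import urlsplit

# Assumption: analysis services allowed to stay clickable (hosts linked in this thread).
ANALYSIS_HOSTS = {"www.virustotal.com", "www.unmaskparasites.com", "wepawet.iseclab.org"}

# Live links only: http(s):// or a bare www. prefix. hXXp / wXw forms do not match.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

def defang(url):
    """Rewrite a live URL in the thread's style: http -> hXXp, www. -> wXw."""
    url = re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE)
    return re.sub(r"(^|//)www\.", r"\1wXw.", url, count=1, flags=re.IGNORECASE)

def host_of(url):
    """Return the host a browser would contact, or '' if the URL cannot be parsed."""
    if "://" not in url:
        url = "//" + url              # let urlsplit treat 'www.x.y/...' as a netloc
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:                # malformed netloc: treat as untrusted
        return ""

def sanitize_post(text):
    """Defang every live link whose host is not an allowed analysis service."""
    changed = []
    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:)!?")   # keep sentence punctuation out of the URL
        tail = raw[len(url):]
        if host_of(url) in ANALYSIS_HOSTS:
            return raw
        changed.append(url)
        return defang(url) + tail
    return URL_RE.sub(repl, text), changed

# Constructed sample post; site.example is a placeholder host.
SAMPLE = ("Report: http://www.unmaskparasites.com/security-report/?page=site.example/post/1 "
          "and the page itself is http://site.example/post/1. "
          "Do not trust http://www.virustotal.com@site.example/ either.")

if __name__ == "__main__":
    cleaned, defanged = sanitize_post(SAMPLE)
    print(cleaned)
    print("defanged:", defanged)
```

The third link in the sample puts an allowed name in the userinfo part of the URL; the parsed host is still `site.example`, so it is defanged like any other untrusted link.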

Thanks for your help guys :slight_smile: