trojan on finishline.com

system · October 13, 2011, 2:11pm

I am really ignorant on all this stuff, so please be kind!

I am trying to browse finishline.com but I keep getting the following trojan warning pop up

js:Downloader-BAV [Trj]

what else do I need to do???

system · October 13, 2011, 2:17pm

This is a hanging horse website.

system · October 13, 2011, 2:19pm

what does that mean and what should I do about it?

Pondus · October 13, 2011, 2:47pm

what does that mean and what should I do about it?

it means that the website is probably infected.....avast is usually right

can you attach a screenshot of the avast warning so we can see the full URL it is alarming on ?

DavidR · October 13, 2011, 3:01pm

The site appears to be loading two compressed {gzip} files that are obfuscated script files and one of them is what avast is getting excited about. Image 1, alert and 2 extract of obfuscated file.

This is the file avast is alerting on (see hXXp below), first the Web Shield, if bypassed, the script shield alerts on the file and if bypassed finally the file system shield alerts, so avast really doesn’t like this file.

hXXp://wXw.finishline.com/store/assets/scripts/min/54880de466571bc9f08eeb1a7e91669f.alpha.min.js|>{gzip} [L] JS:Downloader-BAV [Trj]

I can’t get any other hard evidence to confirm this detection though. Still looking.

Pondus · October 13, 2011, 3:06pm

Wepawet say benign…and that url is listed in the scan
http://wepawet.iseclab.org/view.php?hash=38dc504d084c27e12feacab8793f96b2&t=1318517964&type=js

Only avast detect
http://www.virustotal.com/file-scan/report.html?id=d9d85d6b27cf4ac1ea42db107ce38d6b3f8c7e22eb5b13f0d3c7d5eea17fe9e8-1318517909

DavidR · October 13, 2011, 3:11pm

Yes, jsunpack also finds it benign.

So it should be analysed by avast:
@ avtcjs
There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media), issues.

If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.

Pondus · October 14, 2011, 8:47am

Sophos and Norman lab say that file is clean

54880de466571bc9f08eeb1a7e91669f.alpha.min.js

Avira lab say clean

The file '54880de466571bc9f08eeb1a7e91669f.alpha.min.js' has been determined to be 'CLEAN'.Our analysts did not discover any malicious content.

trojan on finishline.com

Announcements