Trojan.Webkit!html and others not detected

jeffersonsant · 2015-06-28T01:19:53.000Z

Hello.

in fact, the forum did not have time to stay, I know I can return very soon.

There was a change in the transmission of samples services, now supports only receives URL or other issues and no longer files.In day 10/06/15 were sent 9 files, only 1 was added detect as Win32: FakeDownload-G [PUP] .

http://i.imgur.com/sP1UEZu.png

A week ago I sent over 11 files that have not yet been detected.
Today lost a link in a where I got a script,my system is not infected.

CSIDL_PROFILE\appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P9DVZCHH\style[1].js

But I have saved ,this is a new, not part of detections of avast.

https://www.virustotal.com/en/file/8366a7c7e3e3229509497a0f96edfe9a522164078314d601b9d6bce6d96a9f0a/analysis/1435451594/

polonus · 2015-06-28T11:31:39.000Z

VirScan has it here, only one example: http://v.virscan.org/Trojan.Script.633135.html
This is a good detection survey: http://www.scumware.org/report/217.76.132.207.html
Read: http://forum.bitdefender.com/index.php?showtopic=42754
My Malware Script Detector v. 2.0 blocks the javascript attack, code: http://ddecode.com/hexdecoder/?results=a8a4824d39d4f7e585b05210b11316b6
See: htxp://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.sierracharra.com%2Fleidsegfre%2Fcl.js%09&useragentheader=&acceptheader=
decoded results manipulation of search results via my start incredibar browser hijacker etc.
Removal of this is not that easy and should be performed under guidance of a qualified removal expert.
Avast should at least detect the encoded javascript for what it is,e.g.: “crap-adware”.

polonus (volunteer website security analyst and website error-hunter)

jeffersonsant · 2015-06-28T20:45:39.000Z

files is in a sandbox
this script was captured elsewhere, it is not detected

http://www.symantec.com/security_response/writeup.jsp?docid=2007-100915-0239-99&vid=4324&product=Norton%20AntiVirus&version=21.7.0.11&plang=sym:BR&layouttype=TrialWare&buildname=Retail&heartbeatID=E829A7FF-B0C4-4E90-9F8B-E24BC43BC61B&env=prod&vendorid=1002080&plid=1&plgid=1&skup=21323278&skum=21323278&skuf=21291069&endpointid={E829A7FF-B0C4-4E90-9F8B-E24BC43BC61B}&partnerid=1002080&lic_type=512&lic_attr=21155857&psn=VDCJ94VRXD9T&osvers=6.1&oslocale=iso:BRA&oslang=iso:POR&os=windows

rescan analysis

threats are medium and high risk

Adware.ELEX
https://www.virustotal.com/en/file/174dd119c3fb87e2793f0059701c4bad7af474ed907b6cb873a08afeb2679b76/analysis/1435522842/

Win32:Adware Esprot
https://www.virustotal.com/en/file/8f895c19d04b411edcb51ebe86f60d44676ac0f411bd072a0a46da9e40e289a3/analysis/1435523247/

SearchProtect
https://www.virustotal.com/en/file/d8de6dd9b3f330889a8ac4cd821e5dd635a03c7a9a1affaa8a98210e3b247913/analysis/1435523246/

Win32:AdwareSubTab
https://www.virustotal.com/en/file/c97801f42d16ac69318562281b67904d716262ff6fd098dddce2d7af56dd7342/analysis/1435523244/

Win32:SoftPulse
https://www.virustotal.com/pt/file/be1ad7aa07fd805528b6759936cac70861bc43f66c45abfb4c6c41efc1c8304b/analysis/1435523256/

Adware Miuitab

https://www.virustotal.com/en/file/075bbb7d95caa26123332a6697ab40ff0e8c0bade1b02dad398e2eb9f938c1e2/analysis/1435523828/

polonus · 2015-06-28T21:06:01.000Z

Hi jefferson sant,

As all are riskware/adware detections, the question is how Avast performs in PUP-mode (not as per default)?
How is MBAM, AdwCleaner and JRT performing on mentioned detections?

polonus

jeffersonsant · 2015-06-28T21:32:39.000Z

some of it is done through the statistics sending it take to process certain files , avast because the heuristic is weak requires new signatures created to detect PUP.

malwarebytes use generic detections and other technologies in aggressively

http://news.softpedia.com/news/malwarebytes-anti-malware-to-integrate-junkware-removal-tool-485031.shtml

jeffersonsant · 2015-07-13T22:11:24.000Z

On the last Thursday 09.07.15 was added to Ikarus database as Trojan.Script.Avast already detected style[1].js as JS:ScriptXE-inf [Trj]

https://www.virustotal.com/en/file/8366a7c7e3e3229509497a0f96edfe9a522164078314d601b9d6bce6d96a9f0a/analysis/1436825157/

Thank you very much.

Announcements