Author Topic: Avast reports Trojan on clean web site (Read 12962 times)

Peterl · « **on:** July 28, 2010, 11:21:12 PM »

Hi,

My friend has web site in development and he is preparing to launch it live. While I was previewing site I got warning from Avast: Trojan detected- JS:Redirector-CV.
We have tested other Anti virus sw (NOD, Norton, Kaspersky, Avira) and none of them detects virus.
Only scripts are jQuery scripts.

Any idea?

Peter

Asyn · « **Reply #1 on:** July 29, 2010, 12:02:53 AM »

Quote from: Peterl on July 28, 2010, 11:21:12 PM

Any idea?

Any code to look at..??

asyn

Peterl · « **Reply #2 on:** July 29, 2010, 12:04:06 AM »

XXX.gardencentar.rs

SafeSurf · « **Reply #3 on:** July 29, 2010, 07:51:37 AM »

Here's the following report:

Report    2010-07-29 00:22:39 (GMT 1)
Website    gardencentar.rs
Domain Hash    839df08a5ffcbac1cbe646669aa372ce
IP Address    212.102.130.51 [SCAN]
IP Hostname    web.b92.net
IP Country    RS (Serbia)
AS Number    9081
AS Name    AS9081 B92-NET Autonomous System
Detections    0 / 17 (0 %)
Status    CLEAN

Scanning site with:    AMaDa    CLEAN
Scanning site with:    BrowserDefender    CLEAN
Scanning site with:    Finjan    CLEAN
Scanning site with:    Google Diagnostic    CLEAN
Scanning site with:    hpHosts    UNRATED
Scanning site with:    Malware Patrol    CLEAN
Scanning site with:    MalwareDomainList    CLEAN
Scanning site with:    MyWOT    CLEAN
Scanning site with:    Norton SafeWeb    CLEAN
Scanning site with:    ParetoLogic URL Clearing House    CLEAN
Scanning site with:    PhishTank    CLEAN
Scanning site with:    SURBL    CLEAN
Scanning site with:    Threat Log    CLEAN
Scanning site with:    TrendMicro Web Reputation    CLEAN
Scanning site with:    URIBL    CLEAN
Scanning site with:    Web Security Guard    UNRATED
Scanning site with:    ZeuS Tracker    CLEAN

NoVirusThanks    Scan Website
SenderBase    View Reputation
Anubis    Analyze URL
Robtex    DNS Information
Alexa    Traffic Rank

Peterl · « **Reply #4 on:** July 29, 2010, 08:03:30 AM »

Here is print screen showing Avast alert. It blocks opening of the site.

SafeSurf · « **Reply #5 on:** July 29, 2010, 08:12:30 AM »

Are you still getting the notification now?

Peterl · « **Reply #6 on:** July 29, 2010, 08:42:43 AM »

Unfortunately yes.

Rednose · « **Reply #7 on:** July 29, 2010, 08:54:37 AM »

Peterl,

With every setting in the Webshield on the "highest" possible, I don't get any notification from Avast! on that website $:-\$ Have you updated to the latest program version/virus definitions

Greetz, Red.

SafeSurf · « **Reply #8 on:** July 29, 2010, 09:00:24 AM »

Report from Unmask Parasites:

General
Title:
Polazna - wXw.gardencentar.rs
URL:    hXXp://www.gardencentar.rs/beta/
Google:    not currently listed as suspicious* (details)
Generator:    gpEasy.com
Last checked:    0 minutes ago (results are cached for 1 hour)
This report:
External References
No external references found.

Asyn · « **Reply #9 on:** July 29, 2010, 02:25:46 PM »

Quote from: Peterl on July 29, 2010, 08:03:30 AM

Here is print screen showing Avast alert. It blocks opening of the site.

avast doesn't block it anymore..!
Can you confirm this..??
asyn

Peterl · « **Reply #10 on:** July 29, 2010, 05:25:22 PM »

As you can see from attached picture it still shows alert.
Does anyone has any idea why is this happening?
Why other anti virus software does not react?

DavidR · « **Reply #11 on:** July 29, 2010, 05:30:02 PM »

Well the site appears to have been hacked and avast went ballistic, see below.

wxw.gardencentar.rs/beta/themes/garden%20centar%20-%20naslovna/standard/images-zeleni/logo_banner.png [L] JS:Redirector-CV [Trj] (0)
wxw.gardencentar.rs/beta/themes/garden%20centar%20-%20naslovna/standard/images-zeleni/menidesno.gif [L] JS:Redirector-CV [Trj] (0)
wxw.gardencentar.rs/beta/themes/garden%20centar%20-%20naslovna/standard/images-zeleni/dno.png [L] JS:Redirector-CV [Trj] (0)
wxw.gardencentar.rs/beta/themes/garden%20centar%20-%20naslovna/standard/images-zeleni/menihover.gif [L] JS:Redirector-CV [Trj] (0)
wxw.gardencentar.rs/favicon.ico [L] JS:Redirector-CV [Trj] (0)

One of the alerts that I captured has some pretty weird obfuscated scripts in there one which appears to be setting a cookie, very strange for what is meant to be an image. The other appears to be running a keygen and crack at keygenguru.com and linking to supersoftwarestore.com, softsalesterritory.com and a bunch of other dubious sites. All of which again to me is highly suspect for what is meant to be an image file.

Edit, not to mention there is no image data inside the file.

Peterl · « **Reply #12 on:** July 29, 2010, 06:13:38 PM »

This is very useful info.
Can you share more details?

DavidR · « **Reply #13 on:** July 29, 2010, 07:19:54 PM »

No I can't because that is as far as I took it, e.g. confirming that it appears the site has been hacked.

Rednose · « **Reply #14 on:** July 30, 2010, 07:11:18 AM »

Wow, now I got that notification too

Greetz, Red.

Author Topic: Avast reports Trojan on clean web site (Read 12962 times)

Peterl

Avast reports Trojan on clean web site

Asyn

Re: Avast reports Trojan on clean web site

Peterl

Re: Avast reports Trojan on clean web site

SafeSurf

Re: Avast reports Trojan on clean web site

Peterl

Re: Avast reports Trojan on clean web site

SafeSurf

Re: Avast reports Trojan on clean web site

Peterl

Re: Avast reports Trojan on clean web site

Rednose

Re: Avast reports Trojan on clean web site

SafeSurf

Re: Avast reports Trojan on clean web site

Asyn

Re: Avast reports Trojan on clean web site

Peterl

Re: Avast reports Trojan on clean web site

DavidR

Re: Avast reports Trojan on clean web site

Peterl

Re: Avast reports Trojan on clean web site

DavidR

Re: Avast reports Trojan on clean web site

Rednose

Re: Avast reports Trojan on clean web site