Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on July 16, 2018, 09:24:22 PM

Title: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: REDACTED on July 16, 2018, 09:24:22 PM
Hey guys,
Today Avast blocked a website because of a file infected with JS:Downloader-FY[Trj].
After that, I did a smart scan which didn't detect anything. After the smart scan, I did a complete scan.
That complete scan did detect several infected files as ELF:Agent-Ra [Trj], but I wouldn't call most of them dangerous (e.g. part of my Minecraft installation).
Some of those files were from my Linux subsystem for Windows.

Does the blocked website have something to do with the detection of ELF:Agent-Ra [Trj]?
Are the detected files false positives?

Thanks for your help in advance.
Title: Re: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: polonus on July 16, 2018, 09:56:06 PM
Hi there Drachenfrucht1,

Can you give the infested (or redirecting) URL as a broken link, so we can have a look if it may be still infested?
Sometimes some malware is very short-lived and then no longer active.

Break links like -http or hxtp or with spaces like http www dot badsite dot com, so it becomes non-clickable.

This malicious file downloader, hence that name, has been around for some time now, see a detection at VT's:
https://www.virustotal.com/en/file/7ea2f52578ab9dddc0e56ce46b3f7eed7e07288a7efc4f49d24c62928fa73d4a/analysis/1460937666/

S.Gr.

polonus
Title: Re: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: Pondus on July 16, 2018, 09:57:23 PM
Quote
That complete scan did detect several infected files as ELF:Agent-Ra [Trj]
Quote
Some of those files were from my Linux subsystem for Windows.
False positives  >>  https://forum.avast.com/index.php?topic=220504.0


@Polonus ... VT link posted is over 2 years old   ???


Title: Re: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: polonus on July 16, 2018, 10:14:44 PM
Pondus, always there with essential feedback.

Thank you, Pondus, the older link was just there for the terminology and to show it is a longer existing threat,
nothing further related  ;) Sigh of relief for some, when these files are FP detections.  8)

pol
Title: Re: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: REDACTED on July 16, 2018, 10:22:27 PM
The infested url is https snigelweb-com [dot] videoplayerhub [dot] com [slash] videoloader [dot] js
Title: Re: Avast detecting files as ELF:Agent-RA [Trj] after blocking website
Post by: polonus on July 17, 2018, 12:01:18 AM
Well, Drachenfrucht1, that link is from a "parked domain", and on parked domains often malcreants do or can do their bidding.
Re: https://www.virustotal.com/en/url/3163f14bca9744b94381d69c2bc6dd3fa8168bc038b75f0571c87333669addb4/analysis/1531777452/

See: https://aw-snap.info/file-viewer/?protocol=secure&tgt=snigelweb-com.videoplayerhub.com%2Fvideoloader.js&ref_sel=GSP2&ua_sel=ff&fs=1
NOTICE
AmazonS3
Via proxy: 1.1

Given as clean here: https://quttera.com/detailed_report/snigelweb-com.videoplayerhub.com

A ZoomEye Cyberspace Search Query delivered: https://www.zoomeye.org/searchResult?q=videoloader.js
or log in https://sso.telnet404.com/cas/login?service=https%3A%2F%2Fwww.zoomeye.org%2Flogin

It is also not known as a tracker: https://whotracks.me/trackers/snigelweb.html ( around 0,1 percent).

polonus