Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: drake145 on May 31, 2020, 03:14:03 PM

Title: J:S AnarchyGrabber-A [TRJ] - False Positive?
Post by: drake145 on May 31, 2020, 03:14:03 PM
Good day All,

I ran a full deep scan today, and it detected a Trojan in the "index.js" file on the below path:

/Users/Home/Library/Application Support/discord/0.0.254/modules/discord_desktop_core

I ran a full malwarebytes scan (with the file restored), but it found nothing. I've also submitted the file to the virus lab.

Below are the virustotal results:

https://www.virustotal.com/gui/file/7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9/detection

Avast version: 14.4
Definitions: 20053100

Is this a false positive?

Title: Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
Post by: Pondus on May 31, 2020, 07:08:03 PM
Quote
I ran a full malwarebytes scan (with the file restored), but it found nothing.
JS:AnarchyGrabber-A [TRJ] = a JavaScript (JS) file. Malwarebytes does not target script, doc or media files.



Basic Properties
MD5   a0297bfafe6f99ddbc563d9f0e5a9f75
SHA-1   5fc5801cdb0fbf4aad69bb9e6f7b8957f664e872
SHA-256   7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9
SSDEEP   3:3BBBbJmAj+Pe:xBBMXm
File type   Text
Magic   ASCII text, with no line terminators
File size   40.00 B (40 bytes)

History
First Submission 2018-01-13 15:53:10
Last Submission   2019-10-28 00:49:31
Last Analysis   2020-05-31 17:00:01


It is old, so seems like a False Positive


Title: Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
Post by: drake145 on June 01, 2020, 02:25:33 AM
I found two articles from a few days ago regarding this file, and it would appear that Discord does have a vulnerability:

https://www.tripwire.com/state-of-security/security-data-protection/updated-anarchygrabber-steals-passwords-spreads-to-discord-friends/

https://www.informationsecuritybuzz.com/expert-comments/expert-on-anarchygrabber-trojan-update-stealing-discord-clients-passwords/

Since I am fairly certain that it is a false positive on my machine (based on the virustotal results and that I haven't opened Discord in a long time), I restored the file and opened it to look at the code. It opened my web browser and showed one line of code, exactly as indicated on the tripwire website.



Title: Re: J:S AnarchyGrabber-A [TRJ] - False Positive?
Post by: drake145 on June 01, 2020, 01:06:35 PM
After updating to the latest virus definition, Avast no longer detects the file, so everything is OK now.