Avast WEBforum

Other => Viruses and worms => Topic started by: 1010101010101010101010101 on December 05, 2010, 01:51:50 AM

Title: Exploit Blocked - JS:Pdfka-ARC [Expl]
Post by: 1010101010101010101010101 on December 05, 2010, 01:51:50 AM
While visiting a web site I frequent every day, I got this warning from avast.
My Java software is completely up to date, as are Adobe Reader/Flash and Firefox. Many people have been getting this warning on this web site and it seems to be associated with (JAVA), and when it happened my Java icon appeared in my system tray.

Any thoughts on what's going on with this condition?

**********************************************************************
EXPLOIT BLOCKED

Avast! Web shield has has blocked a harmful web page or file.

Object: http  ://giantosh.com/201009301256/lib/7092-023755628394

Infection: JS:Pdfka-ARC [Expl]

Action: Connection aborted

Process: C:\Program Files\Mozilla Firefox\firefox.exe
**********************************************************************
Title: Re: Exploit Blocked - JS:Pdfka-ARC [Expl]
Post by: Hawk on December 05, 2010, 02:04:27 AM

EXPLOIT BLOCKED

Avast! Web shield has has blocked a harmful web page or file.

Object: http  ://giantosh.com/201009301256/lib/7092-023755628394

Infection: JS:Pdfka-ARC [Expl]

Action: Connection aborted

Process: C:\Program Files\Mozilla Firefox\firefox.exe
**********************************************************************

That means avast blocked some bad (infected) JavaScript file before you opened it. There is no harm done to your computer.
Title: Re: Exploit Blocked - JS:Pdfka-ARC [Expl]
Post by: Asyn on December 05, 2010, 08:05:23 AM
Seems to be gone...
I get this: Domain does not exist or is unaccessible.
asyn
Title: Re: Exploit Blocked - JS:Pdfka-ARC [Expl]
Post by: mbrechet on March 02, 2011, 05:55:54 PM
Hi, I have the same problem on the video-a-la-demande.orange.fr website; the exploit is JS:Pdfka-AYC. But the website is sure and the file is dojo.js, which is an official file created with the dojotoolkit framework.

I think it's a false positive case; will you correct this point?

Have you got some explanation?

Thanks for your responses
Title: Re: Exploit Blocked - JS:Pdfka-ARC [Expl]
Post by: polonus on March 04, 2011, 10:46:52 PM
Hi mbrechet,

Sucuri gives the site an all clean and also these links are found clean:
htxp://video-a-la-demande.orange.fr 
htxp://c.orange.fr/Js/o_oep.js 
htxp://c.orange.fr/Js/common_oep.js 
I get this maintenance report when trying to connect there:
Quote
The Video on Demand and Web TV sites are evolving...
The service is interrupted while the changes are being implemented.
You can watch the videos you have already downloaded from your Orange player without any problem.
The service will be accessible again from 00:00.
We apologize for the inconvenience.
The Vidéo Party team

Here it is also found clean: http://www.urlvoid.com/scan/video-a-la-demande.orange.fr
Status code: 403. Forbidden.
But some interesting discussion links can be found here for this link to oep.js:
http://www.unmaskparasites.com/web-page-options/?url=http://c.orange.fr/Js/common_oep.js
Read on this, e.g.: http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/
Various jsunpack links; this was the only recent one found:
htxp://jsunpack.jeek.org/dec/go?report=693e36cb8272f41daba319f279b4239b0edc8f68
but the site has had previous issues, certainly had,

polonus