Avast WEBforum

Other => Viruses and worms => Topic started by: solidsnake44 on July 03, 2011, 07:35:29 AM

Title: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 03, 2011, 07:35:29 AM
Hello.

I use Avast 6 on my new PC (yesterday was the first use). I installed Avast 6. I wanted to update all my drivers and I went to XXX.pilotespc.com for my DVD recorder. But Avast showed an alert message which said: Avast has blocked ... . It was a Trojan.

The complete URL is hXXp://www.pilotespc.com/cstrack.js.

The threat is classified in HIGH and the threat is called JS:Kryptik-B [Trj].

Is it a false positive?

If it's a virus, are you sure that my PC is clean and safe?
Title: Re: JS:Kryptik-B [Trj]
Post by: nmb on July 03, 2011, 07:45:44 AM
Quote
If it's a virus, are you sure that my PC is clean and safe?

Avast's WebShield has blocked the threat even before it entered your PC. Your PC is safe.

Quote
Is it a false positive?

Generally avast is precise in catching such scripts on websites. But we may have to wait for someone to chime in on whether it's a false positive.

But if you think it's a false positive, you can report it here: http://www.avast.com/contact-form.php?loadStyles by selecting the appropriate subject and also putting a link to this topic in the message part.
Title: Re: JS:Kryptik-B [Trj]
Post by: com155 on July 03, 2011, 07:47:26 AM
Only if you want to check your PC:

Download Malwarebytes from here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Do an update, perform a full scan and remove what it finds.

Try Norton Power Eraser, download link:
http://us.norton.com/support/DIY/index.jsp

Also try this:

Download AVPTool from here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)
 
First we will run a virus scan.
On the first tab select all elements down to Computer and then select start scan.
Once it has finished select report and post that.
 
(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront-1.jpg)
 
Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now remove whatever it finds.

(http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/)
Title: Re: JS:Kryptik-B [Trj]
Post by: nmb on July 03, 2011, 07:50:28 AM
I don't see any reason for a scan with all the scanners out there, since it is a web script that has been detected and blocked.
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 03, 2011, 08:09:35 AM
Thank you. I'm delighted.

I checked with Antivir and Malwarebytes. No anomaly. I will check with ActiveScan today.

I'm waiting for a reply from a member who has the same problem, to know if it is a false positive.

Thank you again and sorry for my English (I'm French :) )
Title: Re: JS:Kryptik-B [Trj]
Post by: spg SCOTT on July 03, 2011, 12:09:11 PM
Please can you modify the link, to prevent others potentially becoming infected (change http to hXXp). Thanks. Just a matter of course...

This looks like it may be a genuine detection; the js file has a script in it which uses an array to generate an image. At least that is what results from analysis with Malzilla.

Avast isn't the only one either:
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

By the way, your English is fine :)
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 03, 2011, 03:13:06 PM
It's OK, I changed the link.

So for you it's an image which is loading and Avast blocked it for security?

I don't know the term "genuine". What is it? And "JS" is for JavaScript?

And thank you for your help and for my English :)
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 04, 2011, 05:55:18 PM
Hello,

spg SCOTT, can you help me again please, to know if I have understood, because I'm not sure of my translation.
Title: Re: JS:Kryptik-B [Trj]
Post by: Jeepava on July 06, 2011, 03:15:33 PM
Hello solidsnake44

You can ask your question in the French area of Avast International

http://forum.avast.com/index.php?board=23.0

Otherwise you can try another driver site

http://www.touslesdrivers.com/index.php?v_page=30&v_forum=0
Title: Re: JS:Kryptik-B [Trj]
Post by: spg SCOTT on July 06, 2011, 07:55:58 PM
Apologies, I missed this topic.

As far as I can tell, that JavaScript file doesn't seem to exist anymore. I get a 404 (not found) error on it. Do you still get alerts?

Quote
It's OK, I changed the link.
Thanks, but there is still an active one though ;)

Quote
So for you it's an image which is loading and Avast blocked it for security?
Well, not quite. It is an image link, but it seems to point to an actual page...

Quote
I don't know the term "genuine". What is it?
In this case, by genuine detection, I meant correct. So the detection is correct.
Genuine generally means real/authentic :)
Quote
And "JS" is for JavaScript?
Yes.

Quote
And thank you for your help and for my English :)
No Problem, welcome to the forum :)

Scott
Title: Re: JS:Kryptik-B [Trj]
Post by: polonus on July 06, 2011, 10:03:23 PM
Hi solidsnake44,

spg SCOTT did a thorough script analysis there. I have to add that the site also has vulnerabilities, because the Web applications used are not fully up to date and are exploitable.
Wordpress version: Wordpress
Wordpress version from source: 3.0.1
Wordpress Version > 2.9 for: -http://www.pilotespc.com/wp-includes/js/wp-ajax-response.js
Wordpress Version == 3.0.x for: -http://www.pilotespc.com/wp-includes/js/autosave.js
Wordpress directory: -http://www.pilotespc.com/wp-content
Wordpress theme: -http://www.pilotespc.com/wp-content/themes/universum/
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/universum/index.php *
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/default/index.php *
* vulnerable
This must have created the road in for the malcode. As for the script links, "cufon-yui.js" is exploitable as well and could also lead to malcode in the form of trojan backdoors.

polonus
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 07, 2011, 09:32:20 AM
Thank you all for your help.

Hello Jeepava. Thanks for the advice. I thought that site, http://forum.avast.com/fr/index.php, was the French Avast forum.

Thanks for the drivers. I know that site, but I couldn't find the driver for my DVD drive, so I went looking elsewhere, but unfortunately the site was apparently infected.


Hello and thank you spg SCOTT. I tried again and I get the same message from Avast, saying it blocks the site, but the page loads.

Sorry, I forgot the other link. I changed it.

OK, but it's strange that only Avast finds the Trj and no paid security product like Nod32, Kaspersky, Bitdefender...
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

G Data, I think, has the same database as Avast.

Hello polonus. Thank you for the explanation.
Title: Re: JS:Kryptik-B [Trj]
Post by: Jeepava on July 07, 2011, 02:10:53 PM
Hello solidsnake44

There are two forums

The French forum of Avast International
http://forum.avast.com/index.php?board=23.0

The forum created by a French-speaking Quebecer
http://forum.avast.com/fr/index.php

DVD drive driver
Can you post:
the make of the computer and the model reference
the make of the DVD drive and the model reference

I will do a search
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 07, 2011, 03:12:34 PM
OK, thank you for the information.

I found the driver, but unfortunately only after having "visited" the infected site. Thanks for your offer in any case, it's very kind.

For information, it is a SAMSUNG SH-S223C.
Title: Re: JS:Kryptik-B [Trj]
Post by: Jeepava on July 07, 2011, 08:30:36 PM
Here is what I found

SAMSUNG SH-S223C

It is not a driver but firmware

WORLD WIDE
http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp

PRODUCT: DVD-Writer Half Height   MODEL: SH-S223C   OEM: SB
Firmware code: Firmware Version SB07   Date: 06 07 2011

http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp?FunctionValue=view&no=733&SearchWord=&SearchMode=&PageNumber=1&product_code=&os_no=

Download
http://www.samsungodd.com/korLib/popup/Download.asp?path=FWDownload&fname=SH-S223C_SB07.exe

It could be useful in case of an update
Title: Re: JS:Kryptik-B [Trj]
Post by: solidsnake44 on July 08, 2011, 10:10:55 AM
Thank you very much.

What do you think of the fact that the paid antivirus products do not detect the problem, according to VirusTotal?