Avast WEBforum

Other => Viruses and worms => Topic started by: msaluste on August 03, 2011, 10:23:10 PM

Title: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: msaluste on August 03, 2011, 10:23:10 PM
Starting this evening with virus definitions 110803-1, Plugin Detect version 0.7.5 was suddenly labelled as JS:Downloader-AUX [Trj] on my web site (hxxp://help.artaro.eu).
Restored the file from a backup made in May, recompiled at the publisher's site (hxxp://www.pinlady.net/PluginDetect/), but the avast! Free Antivirus still blocks all variants of the file.
Nothing appears while scanning the file with freshly updated competitors' products (MSSE, Malwarebytes, Spybot S&D), and VirusTotal shows only avast! and GData detecting the file as "Downloader-AUX".
Also, http://sitecheck.sucuri.net/scanner/ shows my site is clean.
I've attached the contents of the file in txt format.

Please, can you confirm it is a false positive and update your definitions?
Title: Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: polonus on August 03, 2011, 10:51:18 PM
Hi msaluste.

Here the anubis report for the file attached: http://anubis.iseclab.org/?action=result&task_id=18bd5af96ab5f35e4bd2a97e9407e5468&format=html
Low-risk file; it could be classified as a risktool or an FP.
Wait for avast's verdict.
 
There are some characteristics the software shares with particular code on Zeus malware.

odm3o1u3 script[1];
\4X23OP2B\style[1].css in spoofs
unnamed file 0x00120028 for mail account creator

Non-system processes like wshtcpip.dll originate from software you installed on your system. As most applications store data in your system's registry, it is likely that your registry has suffered fragmentation and accumulated harmful errors.

Public Declare Function mciExecute& Lib "winmm.dll" (ByVal lpstrCommand As String)
Mutexes: _SHuassist.mtx • IEXPLORE.EXE: CritOpMutex
Network connections: attempts to download files

The Shell.CMruPidlList mutex is also found for particular worms.

Also checked on this on your site, see attached (could this have been detected?)

polonus
Title: Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: msaluste on August 04, 2011, 09:27:15 AM
Thank you Polonus!
The PluginDetect script checks versions of installed plug-ins, such as Java, Flash Player, Adobe Reader, VLC Player, etc. For detection to work properly, it must open a file for some plug-ins, which might cause the Trojan-like behaviour. I use this script to warn visitors in case some plug-in is out of date and insecure.
The attached script you pointed out seems to be writing "mailto: " information for the script author; no anti-virus detected it as malicious.
When can I expect some verdict from avast?
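As an added illustration of what a plug-in version check like the one described above does (this is example code written for this page, not PluginDetect's own script): the function below reads a `navigator.plugins`-style list, pulls a version out of each entry, and compares it against a minimum-version table. The `MIN_VERSIONS` values and the `SAMPLE_PLUGINS` list are constructed for the example and are not real advisory data; PluginDetect's actual probing (opening files, ActiveX and MIME-type tricks) is not reproduced here.

```javascript
// Added example, not code from PluginDetect: audit a browser's plug-in list
// against a minimum-version table and flag outdated entries.
// MIN_VERSIONS is an assumed, illustrative table, not real advisory data.
const MIN_VERSIONS = {
  'Shockwave Flash': '10.3.181.26',
  'Java':            '1.6.0.26',
  'Adobe Acrobat':   '10.1.0',
};

// Parse "10.3.181.26" or "1.6.0_26" into [10, 3, 181, 26]; non-numeric parts become 0.
function parseVersion(str) {
  return String(str).split(/[.,_]/).map(p => parseInt(p, 10) || 0);
}

// Compare two dotted version strings numerically: returns -1, 0 or 1.
// Missing trailing components count as 0, so "10.3" equals "10.3.0.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Get a version for a plug-in entry: prefer an explicit `version` property,
// otherwise take the first dotted/underscored number in name + description.
function extractVersion(plugin) {
  if (plugin.version) return plugin.version;
  const text = (plugin.name || '') + ' ' + (plugin.description || '');
  const m = /(\d+(?:[._]\d+)+)/.exec(text);
  return m ? m[1] : null;
}

// Audit a list of plug-in entries. Entries not in MIN_VERSIONS are ignored;
// entries whose version cannot be determined are reported with outdated=null
// rather than silently treated as safe.
function auditPlugins(plugins) {
  const findings = [];
  for (const p of plugins) {
    const key = Object.keys(MIN_VERSIONS).find(k => (p.name || '').indexOf(k) === 0);
    if (!key) continue;
    const ver = extractVersion(p);
    if (ver === null) {
      findings.push({ name: key, version: null, outdated: null, note: 'version not reported' });
      continue;
    }
    findings.push({ name: key, version: ver, outdated: compareVersions(ver, MIN_VERSIONS[key]) < 0 });
  }
  return findings;
}

// Constructed sample resembling navigator.plugins entries from a 2011-era browser.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.2 r153', version: undefined },
  { name: 'Java(TM) Platform SE 6 U26', description: 'Next Generation Java Plug-in 1.6.0_26', version: undefined },
  { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In', version: '10.1.0' },
  { name: 'Shockwave Flash', description: 'Shockwave Flash', version: undefined },
  { name: 'QuickTime Plug-in 7.6.9', description: '', version: undefined },
];

// In a browser, use the real navigator.plugins; elsewhere fall back to the sample.
function runSample() {
  const plugins = (typeof navigator !== 'undefined' && navigator.plugins)
    ? Array.from(navigator.plugins) : SAMPLE_PLUGINS;
  return auditPlugins(plugins);
}

console.log(runSample());
```

On the sample input, the first Flash entry (10.2) is flagged as outdated, Java 1.6.0_26 and Acrobat 10.1.0 pass, the second Flash entry is reported with `outdated: null` because no version string is present, and QuickTime is skipped because it is not in the table.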
Title: Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: DavidR on August 04, 2011, 12:05:10 PM
There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles, for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media) issues.
- If you are reporting an FP, then you get another input field open, click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc.
Title: Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: Sirmer on August 04, 2011, 12:33:34 PM
Hello,
JS:Downloader-AUX is a wrong detection. It will be fixed in today's release, though unfortunately not in VPS-0 but in VPS-1.
Sorry for your inconvenience.
Title: Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
Post by: msaluste on August 04, 2011, 01:02:49 PM
Thank you for the good information, Sirmer!
I had quite a sleepless night while trying to figure out how my site could have been hacked ;D
Apologies accepted :)