Avast WEBforum

Other => Viruses and worms => Topic started by: Biox on December 22, 2011, 10:51:01 PM

Title: False Positive ? qrjuice.com
Post by: Biox on December 22, 2011, 10:51:01 PM
A site that I receive RSS feeds from has started showing up as having a Trojan; however, the name seems to change. I have tried contacting the site in question, qrjuice.com, but have had no response.

I'm wondering if this is just a false positive. Appreciate any feedback and comments.

thanks

Title: Re: False Positive ? qrjuice.com
Post by: Pondus on December 22, 2011, 10:52:43 PM
What is the full avast message? Can you attach a screenshot?
Title: Re: False Positive ? qrjuice.com
Post by: Pondus on December 22, 2011, 10:55:03 PM
Jotti:  http://virusscan.jotti.org/en-gb/scanresult/3c962e89641522c22837dda1147f9df192d90ab0
metascan:  http://www.metascan-online.com/results.cgi?uid=rlxeh30b21fyoms20dzi9ihxf16g7w3m


Sucuri says - infected
see screenshot - click to enlarge


Malware info: http://sucuri.net/malware/malware-entry-mwjsdepack

Quote
Description: Encoded javascript using a packer by Dean Edwards. This packer can be used on legitimate applications, but is often deployed by attackers to hide their scripts.


Wepawet
-http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
Title: Re: False Positive ? qrjuice.com
Post by: polonus on December 23, 2011, 12:01:22 AM
Hi Pondus,

You should put a - to -http://wepawet.iseclab.org/view.php?hash=3c8edf5696bb22b85178531bc6c75a54&t=1324591024&type=js
because our unaware users with the avast shields up get an alert on the malcode, namely for
JS:ScriptSH-inf[Trj]
suspicious =
-qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4 suspicious
[suspicious:2] (ipaddr:216.172.185.51) (script) -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/jquery.fancybox-1.3.4.pack.js?ver=1.3.4
     status: (referer=-qrjuice.com/)saved 15624 bytes caeb31e930068ce5820b239d44d8415f95957138
     info: [embed] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
     info: [iframe] -qrjuice.com/wp-content/themes/Polished/epanel/templates/js/fancybox/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable Image
     error: line:22: TypeError: Image is not a constructor
     suspicious incomplete....

polonus
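The Sucuri entry Pondus quoted describes the Dean Edwards p,a,c,k,e,d packer, and the alert polonus pasted is on a fancybox pack.js built with it. The following is an added example, not code from this thread, from Avast or from Sucuri: a small JavaScript detector and static unpacker for that packer, so an analyst can read what a flagged pack.js contains without executing it. The packed sample string is constructed for the example.

```javascript
// Detect and statically decode the Dean Edwards p,a,c,k,e,d packer (no eval).
const PACKER_HEADER = /^\s*eval\(function\(p,a,c,k,e,(?:d|r)\)/;
// Tail of a packed script: }('payload',base,count,'w1|w2|...'.split('|'),0,{}))
const PACKER_ARGS =
  /\}\('((?:[^'\\]|\\[\s\S])*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\[\s\S])*)'\.split\('\|'\)/;

// True when the file starts with the packer's eval() header and carries its argument tail.
function isPacked(js) {
  return PACKER_HEADER.test(js) && PACKER_ARGS.test(js);
}

// Undo the escaping the packer applies to its payload literal: \' -> ', \\ -> \, \n -> newline.
function unescapeLiteral(s) {
  return s.replace(/\\([\s\S])/g, (_, ch) => (ch === 'n' ? '\n' : ch));
}

// Re-implementation of the packer's index encoder e(c): base-`radix` digits using 0-9, a-z, A-Z.
function encodeIndex(c, radix) {
  const head = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  const digit = c % radix;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Returns the decoded source, or null when the input is not a p,a,c,k,e,d packed script.
function unpack(js) {
  const m = PACKER_ARGS.exec(js);
  if (!PACKER_HEADER.test(js) || !m) return null;
  let payload = unescapeLiteral(m[1]);
  const radix = parseInt(m[2], 10);
  let count = parseInt(m[3], 10);
  const words = unescapeLiteral(m[4]).split('|');
  while (count--) {
    // An empty dictionary slot means the token already equals its own word.
    if (words[count]) {
      payload = payload.replace(new RegExp('\\b' + encodeIndex(count, radix) + '\\b', 'g'), words[count]);
    }
  }
  return payload;
}

// Constructed sample: the packer output for  var msg='hi';alert(msg)  with a base-10 dictionary.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=\'2\';3(1)',10,4,'var|msg|hi|alert'.split('|'),0,{}))`;

console.log(isPacked(SAMPLE), unpack(SAMPLE));
```

On a real pack.js the decoded output is what to review: a legitimate fancybox build decodes to ordinary plugin code, whereas injected material typically decodes to document.write or iframe insertion.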
Title: Re: False Positive ? qrjuice.com
Post by: Biox on December 29, 2011, 12:57:57 AM
Thank you for that swift reply.

Apologies for my late reply, I didn't see an alert that someone had responded already.

I'll upload a screen within the day.

thanks
Title: Re: False Positive ? qrjuice.com
Post by: JPMIddleton on January 14, 2012, 11:07:52 PM
The site in question is owned by me. QrJuice.com.

Whilst most of this conversation has gone completely over my head, I can tell you the malware has been removed.
Title: Re: False Positive ? qrjuice.com
Post by: polonus on January 14, 2012, 11:36:53 PM
Hi, site owner,

Your site may be clean(sed) now, but there is still an alert that your WordPress version is outdated, according to Sucuri: WordPress internal path: /home/qrjuice/public_html/wp-content/themes/Polished/index.php
That means you could be re-infected. Another recommendation is for the web server: that server gives away the full version number of the server software. This should be avoided, so would-be hackers would not know what exploits would work against it. It is a bit like Little Red Riding Hood's fairy tale - just pull the cord hanging out of the door and you can come in... and then they could,

Stay safe and secure is the wish of,

polonus