Author Topic: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?

REDACTED

  • Guest
Search engine: baidu.com
Search key: "家居装修风格"

Result:
1. On copying and pasting the word into the search tab, a trojan popup appears (tested by me)
2. On clicking search, after the search page is shown, a trojan popup appears (tested by a Chinese user, as discussed in http://tieba.baidu.com/p/3172730216). I don't know how they do it, but avast prevented the search when I clicked search.

URL: hxxp://www.baidu.com/s?ie=utf-8&mod=1&isid=d87ce2680010a8aa&pstg=2&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=SE_hldp00980_x3znwgz5&ie=utf-8&f=3&rsv_sid=undefined&csor=6&_ck=77851.0.-1.-1.-1.-1.-1&_cr1=13811|{gzip}
Threat name: JS:ScriptPE-inf [Trj]

What malware can be in "Home Decoration Style" (The search key in English)?

Edit: Different search key here: http://tieba.baidu.com/p/3049966022
« Last Edit: July 26, 2014, 07:40:11 AM by rickyyeung »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?
« Reply #1 on: July 26, 2014, 07:59:58 AM »
Just tested it and avast does not prevent the search as you said yourself.
The results are shown.

REDACTED

  • Guest
Re: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?
« Reply #2 on: July 26, 2014, 08:11:57 AM »
??? I don't know if there is a difference, but I pasted the search key from this search http://www.baidu.com/s?cl=3&wd=avast and then clicked search; the result stays "avast" and the page goes white, like when IE crashed on that page, but it does not crash. The page goes to hxxp://www.baidu.com/s?cl=3&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=baidu&ie=utf-8&bs=avast&f=3&rsv_bp=1&rsv_sug3=2&rsv_sug4=356&rsv_sug1=2&rsp=0
Which is blocked.
Looking at the wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC, the search key does change; only the result does not.

edit: It is also prevented from the main page; look at the attached picture.

edit2: I succeeded in bypassing the prevented-search problem, but avast blocked a different URL as a trojan:
hxxp://www.baidu.com/s?wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&rsv_bp=0&tn=baidu&rsv_spt=3&ie=utf-8&rsv_sug3=2&rsv_sug4=262&rsv_sug1=1&f=3&rsp=0|{gzip}
JS:ScriptPE-inf [Trj]
« Last Edit: July 26, 2014, 08:28:46 AM by rickyyeung »

REDACTED

  • Guest
Re: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?
« Reply #3 on: August 19, 2014, 11:19:19 AM »
This is still happening (same search key: 家居装修风格).

Plus the following search key: 加勒比海盗
hXXp://www.baidu.com/s?ie=utf-8&mod=1&isid=8be4b48900005339&pstg=2&cl=3&wd=%E5%8A%A0%E5%8B%92%E6%AF%94%E6%B5%B7%E7%9B%97&rsv_sid=undefined&csor=5&_ck=1291.0.-1.-1.-1.-1.-1&_cr1=10312|{gzip}

This is just the movie "Pirates of the Caribbean", so I don't know why there is a trojan horse in it.
The file "s.htm" comes with the website. Avast also gives it an alert "JS:ScriptPE-inf [trj]".
Most of the time avast alerts and then the search is prevented (no result is displayed).

Edit:
Virustotal
https://www.virustotal.com/zh-tw/file/04e4b8b61f7fc837058335fe538335f3472ad1fc13bab7f8da769112a4906b96/analysis/1408440075/
https://www.virustotal.com/zh-tw/file/963b1789a15f95d441746ad042270f0531940d133a869684c822f232209e6f14/analysis/1408440143/
https://www.virustotal.com/zh-tw/file/c39c2e74f0ea1f39a0cf13bc166396c66c812d16994cb097c773d8c254da0704/analysis/1408440199/
« Last Edit: August 19, 2014, 11:24:48 AM by rickyyeung »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37587
  • Not an avast user
« Last Edit: August 19, 2014, 11:42:24 AM by Pondus »

REDACTED

  • Guest
Re: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?
« Reply #5 on: August 19, 2014, 12:13:54 PM »
Pondus
Avast is blocking the same file (s.htm) that quttera detected as suspicious, but if it is really malware, avast should have detected the trojan on all search keys instead of a few.
Only a slight change in the search key can make avast not alert. For example, avast alerts when using the search key "加勒比海盗" but not for "加勒比海盗1".

REDACTED

  • Guest
Re: "Search engine" + specific search key = JS:ScriptPE-inf [Trj] ?
« Reply #6 on: September 22, 2014, 02:41:49 PM »
1.
A few days ago, the problem came back for the following search key: "狗hank".
Another s.htm file was moved to the virus chest. From there I scanned all the s.htm files and saw how selectively avast blocks the search page :o
The old problem was solved, but this one is a new block. Upon checking the user comments in the avast forum on baidu, avast is actually blocking the redirection script used in the well-known Chinese search engine.

hxxp://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&ch=&tn=baidu&bar=&wd=%E7%8B%97hank&rsv_enter=0
Only the red-colored part is changed for a different search key.

2.
The problem is back with another search key: "哑银不干胶"
The URL format is changed this time, but the blocked file is the same (s.htm).
hxxp://www.baidu.com/s?cl=3&wd=哑银不干胶
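Across the thread the reporter compares several Baidu result URLs by eye and concludes that only the `wd=` parameter (the percent-encoded UTF-8 search key) is constant while the tracking parameters (`isid`, `_ck`, `_cr1`, `rsv_*`, `tn`) vary. The following is an added triage helper, not code from the thread or from Avast: it strips Avast's `|{gzip}` suffix and the `hxxp` defanging, percent-decodes the query string, groups the quoted URLs by decoded search key, and reports which parameters stay identical within a group. The sample URL list is constructed from the URLs pasted in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the defanged detection URLs quoted in this thread,
# pasted as-is (including the "|{gzip}" tag Avast appends to some of them).
SAMPLE_URLS = [
    "hxxp://www.baidu.com/s?ie=utf-8&mod=1&isid=d87ce2680010a8aa&pstg=2&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=SE_hldp00980_x3znwgz5&ie=utf-8&f=3&rsv_sid=undefined&csor=6&_ck=77851.0.-1.-1.-1.-1.-1&_cr1=13811|{gzip}",
    "hxxp://www.baidu.com/s?cl=3&wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&tn=baidu&ie=utf-8&bs=avast&f=3&rsv_bp=1&rsv_sug3=2&rsv_sug4=356&rsv_sug1=2&rsp=0",
    "hxxp://www.baidu.com/s?wd=%E5%AE%B6%E5%B1%85%E8%A3%85%E4%BF%AE%E9%A3%8E%E6%A0%BC&rsv_bp=0&tn=baidu&rsv_spt=3&ie=utf-8&rsv_sug3=2&rsv_sug4=262&rsv_sug1=1&f=3&rsp=0|{gzip}",
    "hXXp://www.baidu.com/s?ie=utf-8&mod=1&isid=8be4b48900005339&pstg=2&cl=3&wd=%E5%8A%A0%E5%8B%92%E6%AF%94%E6%B5%B7%E7%9B%97&rsv_sid=undefined&csor=5&_ck=1291.0.-1.-1.-1.-1.-1&_cr1=10312|{gzip}",
    "hxxp://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&ch=&tn=baidu&bar=&wd=%E7%8B%97hank&rsv_enter=0",
    "hxxp://www.baidu.com/s?cl=3&wd=哑银不干胶",
]


def clean(url):
    """Strip Avast's trailing '|{gzip}' tag and undo hxxp defanging so the
    URL parses; nothing here fetches the URL."""
    url = re.sub(r"\|\{gzip\}$", "", url.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def query_params(url):
    """Query string as {name: first value}. parse_qs percent-decodes each
    value as UTF-8, so a raw-Chinese and a %E5..-encoded key compare equal."""
    qs = parse_qs(urlsplit(clean(url)).query, keep_blank_values=True)
    return {name: values[0] for name, values in qs.items()}


def search_key(url):
    """The decoded Baidu search key carried in the 'wd' parameter."""
    return query_params(url).get("wd", "")


def group_by_key(urls):
    """Map each decoded search key to the URLs that carry it."""
    groups = {}
    for url in urls:
        groups.setdefault(search_key(url), []).append(url)
    return groups


def stable_params(urls):
    """Parameter names present in every URL of the group with the same value
    in all of them; everything else is per-session tracking noise."""
    dicts = [query_params(u) for u in urls]
    if not dicts:
        return set()
    common = set.intersection(*(set(d) for d in dicts))
    return {name for name in common if len({d[name] for d in dicts}) == 1}


if __name__ == "__main__":
    for key, urls in group_by_key(SAMPLE_URLS).items():
        print(f"{key!r}: {len(urls)} URL(s), stable params: {sorted(stable_params(urls))}")
```

Running it shows the three differently shaped "家居装修风格" URLs collapse into one group whose only stable parameters are `ie`, `f` and `wd`, which is the cleanest way to confirm that a detection is keyed to the search term rather than to a particular session or tracking ID before submitting it as a false positive.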