Author Topic: JS:Packed T [trj]  (Read 8569 times)

0 Members and 1 Guest are viewing this topic.

street_lethal

  • Guest
JS:Packed T [trj]
« on: December 03, 2008, 04:29:32 AM »
 Went to a coupon site for my GF on her laptop using Firefox and Avast blocked it. Reloaded the site and Avast didn't pop up with anything the second time, I left the site. Any info on this?
« Last Edit: December 03, 2008, 05:07:04 AM by street_lethal »

Offline Justin_22

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 445
  • Free your soul and let it fly
Re: JS:Packed T [trj]
« Reply #1 on: December 03, 2008, 05:31:07 AM »
Could you give us the link to the site please? but de-activate it by replacing "http" with "hxxp"
thank you

-Justin
Avast!  2014 beta - Sandboxie - K9 Web Protection

street_lethal

  • Guest
Re: JS:Packed T [trj]
« Reply #2 on: December 03, 2008, 05:49:30 AM »
Don't remember what site it was. I'll have to check the logs this week if she brings her laptop back over. I did run a few scans before she left with different scanners and picked up nothing.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: JS:Packed T [trj]
« Reply #3 on: December 03, 2008, 07:05:59 AM »
It's possible that detection was related to banner rotation on that site. Happened first time with specific loaded banner, but did not happen second time because something else was loaded as banner second time.
Visit my webpage Angry Sheep Blog

street_lethal

  • Guest
Re: JS:Packed T [trj]
« Reply #4 on: December 03, 2008, 02:14:53 PM »


It's similar what this guy posted on this forum he got the same complaint from Avast. I did a search for Avast JS:Packed T [trj] on Google and found this.

http://www.curse.com/forums/t/69161.aspx




This is what he posted:

   

"I was looking at GridManaBars when Avast popped up a virus, 3 times.  Twice on the addon's page, and once on the download page.  I just viewed the page again, but nothing there.

Here's Avast's log.

12/2/2008 7:11:31 PM    SYSTEM    1132    Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.
12/2/2008 7:11:31 PM    SYSTEM    1132    Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702" file.
12/2/2008 7:11:50 PM    SYSTEM    1132    Sign of "JS:Packed-T [trj]" has been found in "hxxp://76.74.154.110/zv00108/pdf.php?id=9702&vis=1" file.  "



Url looks similar from what I recall, it's traced back to valuepromo.net. Ad banners I assume?

« Last Edit: December 03, 2008, 02:23:17 PM by street_lethal »

street_lethal

  • Guest
Re: JS:Packed T [trj]
« Reply #5 on: December 03, 2008, 02:15:36 PM »
nm

kubecj

  • Guest
Re: JS:Packed T [trj]
« Reply #6 on: December 03, 2008, 03:40:27 PM »
Getting 404. JS:Packed-T are hidden inside PDF files and hide scripts which exploit Acrobat. It's really loose detection, so we did expect some falses, but right now, we don't have any samples.