Author Topic: JS:Cruzer-B [Trj] in homepage?  (Read 18919 times)


Offline nilsA

  • Newbie
  • *
  • Posts: 1
JS:Cruzer-B [Trj] in homepage?
« on: March 23, 2009, 01:11:36 PM »
On my personal home page (www.nilsandreas.info) I get a warning for the "JS:Cruzer-B [trj]" from Avast, and then I cannot access my home page. I don't exactly know when this started - one or three months ago, possibly?

I have made no changes to my home page in that period of time, so I don't understand what this is?

From the log I have copied this:

Code:
01.06.2008 21:30:29 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
01.06.2008 21:30:32 SYSTEM 1812 An error has occured while attempting to update. Please check the logs. 
05.06.2008 13:12:22 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
05.06.2008 13:12:25 SYSTEM 1812 An error has occured while attempting to update. Please check the logs. 
03.09.2008 14:43:41 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001. 
13.09.2008 10:16:11 SYSTEM 1812 Function setifaceUpdatePackages() has failed. Return code is 0x00000001, dwRes is 00000001. 
29.11.2008 10:57:29 SYSTEM 1848 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
01.12.2008 12:17:29 ˜ 1844 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142. 
29.01.2009 00:21:54 SYSTEM 1840 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142. 
27.02.2009 18:22:49 SYSTEM 1848 Sign of "JS:Cruzer-B [Trj]" has been found in "http://www.nilsandreas.info/" file. 

Anyone able to tell me what to do?

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #1 on: March 23, 2009, 01:25:46 PM »
Hello,

Your website was hacked! There is an injected piece of JavaScript at the end of the HTML code - after the closing </html> tag and many tabs. You will find it by searching for the string ".charAt(" without quotes.

Please check for possibly vulnerable software on your server, change your password (to a stronger one) and check your own code for possible bugs.

Here is VT report: http://www.virustotal.com/cs/analisis/4700e0a3444feab9f370aa5a997069dd
« Last Edit: March 23, 2009, 01:32:01 PM by jsejtko »

Offline erivera

  • Newbie
  • *
  • Posts: 1
Re: JS:Cruzer-C [Trj] in homepage?
« Reply #2 on: May 24, 2009, 01:35:02 AM »
I had the same alert but JS:Cruzer-C [trj] instead of JS:Cruzer-B [trj] on one of my pages (yv5huj.org)
I saw a strange code after closing </html> as you said, so I just replaced the public index.html file for the original one in my backup files and now everything is OK.

Thanks a lot for your support
« Last Edit: May 24, 2009, 01:44:10 AM by erivera »

Offline ivanhugo

  • Newbie
  • *
  • Posts: 8
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #3 on: May 24, 2009, 02:09:41 AM »
   
I do not know if it is, but ...
In line with my thoughts, such as anti-virus bitdefender says, is a Trojan.Downloader, avast and it says the file is called http://www.nilsandreas.info/, not index.html, the server may have a virus.
In bitdefender is a Trojan.Downloader!
But in the avast! I saw what was written JS, JS might be a script.
So this site puts a file that is Trojan.Downloader
I am from Portugal and had to use the google translator, so my text can not be very good.  :P

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #4 on: May 24, 2009, 03:24:57 PM »
Hi nilsA,

Make your links in the forum posting non-clickable for the curious of nature, like htxp:// or wXw
Check: No zeroiframes detected!
Check took 0.41 seconds

(Level: 0) Url checked:
htxp://www.nilsandreas.info/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (frame source)
htxp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/sscr.html
Blank page / could not connect
No ad codes identified

The Trojan uses obfuscated JavaScript to download other malware onto the users' computers.
It is part of a "drive-by exploit chain" which uses known security flaws to infect computers which are not updated.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #5 on: May 24, 2009, 10:28:35 PM »
Here is VT report: http://www.virustotal.com/cs/analisis/4700e0a3444feab9f370aa5a997069dd
Let's recognize - again - that avast is a step forward on detection of this kind of infection. GData uses avast engine and virus databases.
The best things in life are free.

Offline ivanhugo

  • Newbie
  • *
  • Posts: 8
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #6 on: May 25, 2009, 08:58:43 PM »
If you use the bitdefender and record the page, we see that the virus is not on the page, is the transmission of the page (I guess) is that the server may have virus.
I can not find anything of the virus in source code.
Here is the source-code:

Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--This file created 23:15  06.02.2006 by Claris Home Page version 2.0--><HTML><HEAD><TITLE>Sscr_fra_ImageReady</TITLE>
<META content="MSHTML 6.00.6000.16825" name=GENERATOR><X-SAS-WINDOW RIGHT="764"
LEFT="14" BOTTOM="601" TOP="46">
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"></HEAD>
<BODY bgColor=#82241c>
<P><!-- ImageReady Slices (Sscr_fra_ImageReady.psd) --><MAP
name=Sscr_fra_ImageReady_Map><AREA shape=RECT alt=Tsongkhapa
  coords=511,109,608,289
  href="http://www.nilsandreas.info/Buddhisme/Tsongkhapa.htm"><AREA shape=CIRCLE
  alt=erstad@nilsandreas.info coords=571,446,31
  href="mailto:erstad@nilsandreas.info"><AREA shape=RECT alt=""
  coords=18,423,127,443 href="http://www.nilsandreas.info/teknisk"><AREA
  shape=RECT alt="Pictures from movies where I was an extra"
  coords=511,321,608,407
  href="http://www.nilsandreas.info/statist/index.htm"><AREA shape=RECT
  alt="Sikkim - New Delhi - Goa" coords=378,317,489,402
  href="http://www.nilsandreas.info/gammel/index2.html"><AREA shape=RECT
  alt="Some of my cameras" coords=252,316,366,401
  href="http://www.nilsandreas.info/kamera"><AREA shape=RECT alt="Where I live"
  coords=138,315,237,406 href="http://www.nilsandreas.info/drammen"><AREA
  shape=RECT alt="My cars" coords=21,311,116,402
  href="http://www.nilsandreas.info/bil"><AREA shape=RECT
  alt="Buddhist texts and links" coords=400,167,536,195
  href="http://www.nilsandreas.info/Buddhisme/THE_STORY.doc"><AREA shape=RECT
  alt="Sceptical links and texts" coords=247,109,347,137
  href="http://www.nilsandreas.info/skepsis"><AREA shape=RECT target=NEW
  alt="Some texts and photos - noen tekster og bilder" coords=22,19,587,67
  href="http://www.nilsandreas.info/hjemmeside/homepage.htm"></MAP><IMG height=480
src="http://www.nilsandreas.info/Sscr.gif" width=640 align=bottom
useMap=#Sscr_fra_ImageReady_Map
border=0><!-- End ImageReady Slices --></P></BODY></HTML>

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #7 on: May 25, 2009, 10:30:16 PM »
Guys, the initial post is more than 2 months old - nils' webpage is clean now.
I think erivera has been hit with a new variant of JS:Cruzer that is highly spreading right now.


« Last Edit: May 25, 2009, 10:58:30 PM by jsejtko »

Offline ivanhugo

  • Newbie
  • *
  • Posts: 8
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #8 on: May 25, 2009, 10:40:29 PM »
It's not clean!
Contains Trojan.Downloader.JS.SMALL ( bitdefender found ! )

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32691
  • malware fighter
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #9 on: May 25, 2009, 10:50:31 PM »
Hi ivanhugo,

This could be suspicious: (Level: 1) Url checked: (frame source)
hxtp://www.nilsandreas.info/bi.html
Blank page / could not connect
No ad codes identified

polonus


Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #10 on: May 25, 2009, 10:57:26 PM »
Ouch, sorry for that. I didn't look there, just thought that two months after it will be cleaned :( my mistake

Avast still detects JS:Cruzer-B and I have to go to sleep to get more power for tomorrow's fight with malware :)

Again, sorry for my mistake.

Regards

Offline SekhemAkassha

  • Newbie
  • *
  • Posts: 9
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #11 on: May 30, 2009, 03:18:31 PM »
I have the same problem on my own site  :-[ It is a JS:Cruzer-C
My computer is scanned with Avast and Spybot Search & Destroy, and it is clean.
This weekend the host will move the site (with the others) to another server.

I followed the instructions over here, but I can't find the trojan horse.

This is the link to my site (be careful) www.oude egypte.nl 

What can I do!
« Last Edit: May 30, 2009, 03:36:48 PM by SekhemAkassha »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #12 on: May 30, 2009, 03:31:00 PM »
This is the link to my site (be careful) www . oudeegypte . nl
Let the link NOT live. Broke it.

Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #13 on: May 30, 2009, 03:35:19 PM »
I did not find anything obvious in the code.
I could open the site in Firefox with NoScript. Maybe some script is infected? ???
Are you running the latest avast version?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11764
    • AVAST Software
Re: JS:Cruzer-B [Trj] in homepage?
« Reply #14 on: May 30, 2009, 03:39:29 PM »
If you scroll down a few empty pages, you'll see the encrypted script.
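
The check described in Reply #1 and Reply #14 (script appended after the closing </html> tag, hidden behind tabs or empty pages, findable by ".charAt("), written out as an added example that is not part of any forum post. The function names, the marker list and both sample pages are assumptions constructed for illustration; the embedded script is a harmless stub.

```python
import re
from pathlib import Path

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# Strings the thread points at: a script or iframe, and the ".charAt(" decoder call.
MARKERS = ("<script", "<iframe", ".charAt(")

def inspect_trailing(html: str) -> dict:
    """Describe whatever follows the last closing </html> tag."""
    closes = list(CLOSE_HTML.finditer(html))
    if not closes:
        return {"padding": 0, "trailing_chars": 0, "markers": [], "suspicious": False}
    tail = html[closes[-1].end():]
    payload = tail.lstrip()            # drop the tabs/newlines used as padding
    lowered = payload.lower()
    hits = [m for m in MARKERS if m.lower() in lowered]
    return {
        "padding": len(tail) - len(payload),   # whitespace hiding the payload
        "trailing_chars": len(payload),        # anything at all after </html>
        "markers": hits,
        "suspicious": bool(hits),
    }

def scan_tree(root: str) -> list:
    """Return names of .htm/.html files under root with flagged trailing content."""
    flagged = []
    for path in sorted(p for p in Path(root).rglob("*.htm*") if p.is_file()):
        text = path.read_text(encoding="latin-1")  # never fails on odd bytes
        if inspect_trailing(text)["suspicious"]:
            flagged.append(path.name)
    return flagged

# Constructed samples (not taken from the affected sites).
CLEAN_PAGE = "<html><body>hello</body></html>\n"
INFECTED_PAGE = (
    "<html><body>hello</body></html>\n" + "\t" * 400 +
    '<script>var s="abc",o="";for(var i=0;i<s.length;i++){o+=s.charAt(i);}</script>'
)

if __name__ == "__main__":
    print(inspect_trailing(CLEAN_PAGE))
    print(inspect_trailing(INFECTED_PAGE))
```

Run scan_tree against a downloaded copy of the web root; a non-zero trailing_chars without markers is still worth comparing against a known-good backup.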