Author Topic: Sign of "JS:Obfuscated-AM [Trj]"  (Read 7419 times)

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Sign of "JS:Obfuscated-AM [Trj]"
« on: May 27, 2009, 01:28:03 PM »
If someone is around could they please check out the following. May be a false positive as it is home page of University of Auckland. Don't expect to run into malcode.

Here is the reading from Avast event viewer and Windows event viewer:

Sign of "JS:Obfuscated-AM [Trj]" has been found in "http://www.auckland.ac.nz/jsp/jahia/templates/central/uoa_templates/global/js/menu.js\{gzip}" file. 


I secured the page and looked it over but I don't know enough myself.
The home page can be found at hxxp://www.auckland.ac.nz
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #1 on: May 27, 2009, 01:54:11 PM »
This false positive is fixed internally, so the fix will be released in the next VPS update. The problem is the document obfuscation - it's really strange, but the content under it is clean.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #2 on: May 27, 2009, 02:13:16 PM »
Thanks jsejtko. I thought it might be a false positive.


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #3 on: May 27, 2009, 02:35:36 PM »
I was sidetracked a bit by code at bottom of page between /div and <a name="bottom" /> . Code between is page tracker for analytics I guess.

rbchimp

  • Guest
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #4 on: May 27, 2009, 04:31:23 PM »
Is this affecting other sites as well?

This is the main site, hxxp://www.capebretonpost.com/obituaries/

File "hxxp://www.inmemoriam.ca/scripts/effects.js\{gzip}" is infected by "JS:Obfuscated-AM [Trj]" virus.
"Resident protection (Web Shield)" task used

Version of current VPS file is 090526-0, 05/26/2009
« Last Edit: May 27, 2009, 07:10:11 PM by rbchimp »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #5 on: May 27, 2009, 04:59:16 PM »
Hi rbchimp

Could you click modify in the top right hand corner of your post reply and change your hypertext http to hxxp. In this way the link is de-activated, which means that the url can no longer click through to target page and trigger further alerts.

Likewise, suspect target urls on this page, if left active, may possibly trigger alerts in av or spyware for people who come to this page. Better to change http to hxxp.


As far as affecting other sites as well, I'm not sure what the obfuscation involves, but if there is a malware issue at stake then someone from the forum, more familiar with the issues, will attend to the matter.
« Last Edit: May 29, 2009, 04:31:46 AM by mkis »

rbchimp

  • Guest
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #6 on: May 27, 2009, 07:11:44 PM »
Good point, I changed it to hxxp.

AFAIK, it's just the obituaries of the local newspaper, I see dead people.. :)

sitegrader

  • Guest
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #7 on: May 27, 2009, 07:17:29 PM »
I'm trying to get some type of assistance from Support with Avast but am not having any luck. I too have run into the JS: Obfuscated-AM TRJ on a subscription website called isqFt. I've contacted them and they've been slammed with Avast callers today telling them they have a virus, but they insist their site is sanitary, and they have taken other measures today to ensure they have no viruses lurking anywhere in their system. They claim to have spoken to someone at Avast about getting out an update ASAP to resolve this issue but I can't contact anyone at Avast to confirm this. The subscription service I use is a project reporting service that supplies information to General Contractors and SubContractors about upcoming projects. Any suggestions would be greatly appreciated.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #8 on: May 27, 2009, 08:26:35 PM »
Hi mkis,

This script is also suspicious, does not go where it should:
hxtp://www.capebretonpost.com/obituaries/java_script/ac_runactivecontent.js

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #9 on: May 27, 2009, 08:36:02 PM »
Hi Polonus

I was about to post when I saw yours coming through.
I will post mine anyway and then I will leave things in your capable hands if that is okay.



JS:Obfuscated-AM [Trj] may be the reference generated by AV over obfuscated document types (not normal but then not infectious either) rather than a detection of some specific signature form. So far all indications have pointed to a false positive.

I don't know enough about this myself. But if you run any analytics on your pages - visitor counts, etc - then perhaps AV is picking the procedure up as potential intrusion. Just guessing here. I used to run visitor counts on some of my websites and I had all sorts of trouble, albeit with page view and not with AV readings as far as I know.

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: Sign of "JS:Obfuscated-AM [Trj]"
« Reply #10 on: May 27, 2009, 10:34:25 PM »
Hello,

The currently released VPS update contains a fix for this false positive, please update your avast and try to access the website again. Thank you for informing us.

Regards