Author Topic: Virustotal flags Security.JS in SRWareIron!  (Read 4772 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Virustotal flags Security.JS in SRWareIron!
« on: May 29, 2009, 09:46:14 PM »
Hi malware fighters,

While doing a scan with a-squared Free the following file was flagged as high risk malware:
C:\Program Files\SRWareIron\resources\content\Security.JS
I scanned this JavaScript file at VirusTotal with the following results:
http://www.virustotal.com/nl/analisis/e2fcbb2330182eaa72b3317e2375f9a5668216c950d5b1026596b201d0fb4fa9-1243625864
Is this a genuine find or an FP? avast does not flag it as malware, and MBAM thinks the file is clean.

polonus
« Last Edit: May 29, 2009, 09:49:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89343
  • No support PMs thanks
Re: Virustotal flags Security.JS in SRWareIron!
« Reply #1 on: May 29, 2009, 09:59:47 PM »
I haven't a great deal of faith in a-squared, and based on the file name alone (security.js) this file might well be packed and/or encrypted, and that may be what is detected (seeing some on the VT results).

You can open it in Notepad or another text editor and you would see it is packed/encrypted (weird) text rather than plain JavaScript.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus
Re: Virustotal flags Security.JS in SRWareIron!
« Reply #2 on: May 29, 2009, 10:54:44 PM »
Hi DavidR,

As you said, a packed and encrypted file. Other results:
Comodo Malware Scan results
• File Info
Name   Value
Size   44950
MD5   1e3261612f743a261a96a6df3e7cc2c1
SHA1   faa1c8c27380adcdab4a1545c4b81074711f5dd0
SHA256   e2fcbb2330182eaa72b3317e2375f9a5668216c950d5b1026596b201d0fb4fa9
Process   Failed
• Verdict
Auto Analysis Verdict
Not Rated as Suspicious

DrWeb online AV scanner:
Checking: Security.JS
Engine version: 5.0.0.12182
Total virus-finding records: 557242
File size: 43.90 KB
File MD5: 1e3261612f743a261a96a6df3e7cc2c1

Security.JS - Ok

The code, which some flag as JS.Wonka, contains a certain functionality for encrypting scripts that may have malicious intent. This does not necessarily mean that a virus has been found. It merely means that HTML code was found which attempts to activate additional executable code without the user's express permission, but this code was not found in a temp file but in SRWare's browser resources/content file.

polonus
« Last Edit: May 29, 2009, 11:10:44 PM by polonus »
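
A static triage sketch for the situation discussed in this thread, added here as an example and not code from any poster or from SRWare: it hashes a script so the values can be compared with scanner reports like the Comodo and DrWeb output above, and counts packer indicators without ever running the script. The sample scripts, the `triage` function and its thresholds are constructed assumptions; a "packed" result describes how the file is encoded, not whether it is malicious.

```python
import hashlib
import re

# Constructed samples (not the Security.JS from the thread): one plain script,
# one packer-style script whose body is a percent-escaped blob fed to eval().
PLAIN_JS = b"function isAllowed(url) {\n  return url.indexOf('https://') === 0;\n}\n"
PACKED_JS = b"eval(unescape('" + b"%66%75%6e%63%74%69%6f%6e%20%61%28%29%7b%7d" * 40 + b"'));"

# Calls that decode or run strings at load time; used by packers, benign or not.
DECODER_CALLS = re.compile(rb"\b(?:eval|unescape|fromCharCode|document\.write)\s*\(")
# Percent, hex and unicode escape sequences that hide the real script text.
ESCAPES = re.compile(rb"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")


def triage(data: bytes) -> dict:
    """Static report only: the script is read as bytes and never executed."""
    escaped = sum(len(m.group()) for m in ESCAPES.finditer(data))
    report = {
        "size": len(data),
        # Hashes let you confirm every scanner looked at the same file.
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "longest_line": max((len(line) for line in data.splitlines()), default=0),
        "escape_ratio": round(escaped / len(data), 3) if data else 0.0,
        "decoder_calls": len(DECODER_CALLS.findall(data)),
    }
    # Thresholds are illustrative assumptions, not values from any AV engine.
    report["looks_packed"] = report["decoder_calls"] > 0 and (
        report["escape_ratio"] > 0.3 or report["longest_line"] > 1000
    )
    return report


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_JS), ("packed", PACKED_JS)):
        print(name, triage(sample))
```
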

Offline DavidR
Re: Virustotal flags Security.JS in SRWareIron!
« Reply #3 on: May 30, 2009, 12:14:58 AM »
Yes, I thought that would be what caught them out into thinking the 'apparently obfuscated' content was malicious...

Offline polonus
Re: Virustotal flags Security.JS in SRWareIron!
« Reply #4 on: May 30, 2009, 12:23:43 AM »
Hi DavidR,

I gave you an online link to the original code that was flagged by a-squared, Fortinet, McAfee and Sophos. I did not want to give it here on the forums for obvious reasons, but I am curious if you also now consider this Security.JS an FP.

pol

Offline DavidR
Re: Virustotal flags Security.JS in SRWareIron!
« Reply #5 on: May 30, 2009, 12:51:47 AM »
Yes I saw it, but for us mere mortals, too difficult to contemplate it without the tools.

But given the file and application I too would lean towards an FP.