Author Topic: I'm confused about "JS:Downloader-FT [Trj]"...  (Read 9294 times)

0 Members and 1 Guest are viewing this topic.

silas_p

  • Guest
I'm confused about "JS:Downloader-FT [Trj]"...
« on: December 11, 2009, 06:25:35 AM »
Hi. Avast displayed the following warning: "JS:Downloader-FT [Trj]" has been found in "http://statagreat.com/news/go.php?sign=00140d9e42b3b22a41f5a21b2a5100d&s=571". It presented me the option to disconnect which, of course, I chose.

My question is: What in the world is "statagreat.com"? I did multiple searches (Google, Yahoo!, Bing) and nothing turned up. Does this indicate someone was trying to break into my system and deposit a Trojan? Or was there something hidden on a site I visited?

I haven't a clue. I would appreciate some enlightenment.

Thanks.

silas

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #1 on: December 11, 2009, 08:08:48 AM »
Hi Silas,

Don't need to doubt about avast warning, just want you to know inside of this site i reveal some hidden spam link.

http://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

http://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=statagreat.com

Sometimes some website infected by various of malware families which we doesn't realize when or where it is exactly happened?

Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

silas_p

  • Guest
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #2 on: December 12, 2009, 04:19:18 AM »
Yanto, thanks for your reply. I think you miss the point of my post, though. How can I be exposed to a Trojan from a website (statagreat.com) which, according to numerous search engines, does not even exist? I don't understand.

silas

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #3 on: December 12, 2009, 05:17:05 AM »
Hi Silas,

Sorry if i post which not related with your question

My question is: What in the world is "statagreat.com"? I did multiple searches (Google, Yahoo!, Bing) and nothing turned up. Does this indicate someone was trying to break into my system and deposit a Trojan? Or was there something hidden on a site I visited?


1. statagreat.com is like hosted domain which everyone could hosting their existing web domain with DNS Server
2. Yes you are rite, hacker or cracker could put a trojan at some website which have a vulnerability either put a spyware or referenced site to link to harmful website

So far avast could detect and prevent from harmful website.
But in terms of to avoid unwanted attacks you need to implement Desktop Firewall to block each unwanted attacks thru vulnerability port.
Hopefully my reply could cover your question.
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33748
  • malware fighter
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #4 on: December 12, 2009, 11:30:31 PM »
Hi Yanto.Chiang,

To have a clue go here: http://www.robtex.com/r/x?q=statagreat.com
From there we get here: random
date20091212 rtsakmarka rtsakmark2
And where you land from that dns exploit is to be seen. You could land with this nameserver on  turisport.com.uy
Summary
turisport.com.uy is delegated to two nameservers, however both delegated nameservers are missing in the zone and two other nameservers are listed instead. Two of them are on the same IP network. Incoming mail for turisport.com.uy is handled by one mailserver at netgate.com.uy. turisport.com.uy has one IP number. pcr.org.uy, ilacon.org, enia.org.uy, lusol.com.uy, cnftenis.com and at least 27 other hosts point to the same IP and also shares nameservers. incre.edu.uy, wclatino.net, wlogic.com.uy, nortia.com.uy, vivipiria.com and at least 33 other hosts point to the same IP. incre.edu.uy, wclatino.net, wlogic.com.uy, nortia.com.uy, vivipiria.com and at least 28 other hosts share nameservers with this domain. vanacity.com, cajadeoro.com, ttlturismo.com and beauty-development.com share mailservers with this domain. com.uy is a domain controlled by three nameservers. All of them are on different IP networks. turisport.com.uy is hosted on a server in United States even though the hostname implies Uruguay.

robtex is great to see what is going on here, someone is randomizing here to evade detection, I quess,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Milanator

  • Guest
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #5 on: December 22, 2009, 01:41:23 AM »
Just to inform you, I just received a similar alert about JS:Downloader-FT.  My internet connection was aborted and everything is okay, but I feel that I should post the site with the warning message here for your reference.

This is the entry in my log viewer:

12/21/2009 5:58:32 PM    SYSTEM   1172   Sign of "JS Downloader-FT[Trj]" has been found in "hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578" file.

Should I be concerned?  One question I have is: what does SYSTEM mean?
« Last Edit: December 22, 2009, 03:31:51 AM by Milanator »

Offline Chim

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1151
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #6 on: December 22, 2009, 02:07:45 AM »
Just to inform you, I just received a similar alert about JS:Downloader-FT.  My internet connection was aborted and everything is okay, but I feel that I should post the site with the warning message here for your reference.

This is the entry in my log viewer:

12/21/2009 5:58:32 PM    SYSTEM   1172   Sign of "JS Downloader-FT[Trj]" has been found in "hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578" file.

Should I be concerned?  One question I have is: what does SYSTEM mean?
Hmmm?  Interesting.  I posted yesterday about a very similar Alert.
On my Alert yesterday, the "JS Downloader-FT[Trj]" and the "hxxp://statcstat.com/news/" were exactly the same.  Only the long alpha-numberic designator after that was different.

I wonder if this isn't connected to that Virus Database Update yesterday?  My Alert came dead smack in the middle of a Virus Database Update on Sunday.  The Alert went down officially as being detected under the OLD VPS.  But, I was curious even then with the fact that it happened as the NEW Virus Database Update was being downloaded / installed.

My Alert happened during me accessing -- theholidayspot.com a Wallpapers site.
« Last Edit: December 22, 2009, 02:09:48 AM by Chim »
Dell Optiplex 780 / Core 2 Duo E8400 3.00 GHz / 4 Gig RAM / Windows XP Pro 32-Bit SP3 / Panda Dome  Free 18.07.00 / MBAM / SAS / NetZero Dial Up / Maxthon MX5 5.2.5.4000

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 88137
  • No support PMs thanks
Re: I'm confused about "JS:Downloader-FT [Trj]"...
« Reply #7 on: December 22, 2009, 02:41:54 AM »
Some sites use this site for stats gathering by all accounts, however, it in itself is considered malicious and it is this that I believe avast is alerting on, see http://google.com/safebrowsing/diagnostic?tpl=safari&site=statcstat.com&hl=en.

So it has had malware on the site in the past and avast isn't the only one to consider it malicious, see image, which is from firefox blocking sites on its safe browsing function.

@ Milanator
Please 'modify' your post change the URL from http to hXXp or www to wXw (as in my example below), to break the link and avoid accidental exposure to suspect sites, thanks.

hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578

The System refers to the User associated with the detection. You shouldn't have anything to worry about as avast blocked it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security