I'm confused about "JS:Downloader-FT [Trj]"...

[silas_p]

Hi. Avast displayed the following warning: "JS:Downloader-FT [Trj]" has been found in "http://statagreat.com/news/go.php?sign=00140d9e42b3b22a41f5a21b2a5100d&s=571". It presented me the option to disconnect which, of course, I chose.

My question is: What in the world is "statagreat.com"? I did multiple searches (Google, Yahoo!, Bing) and nothing turned up. Does this indicate someone was trying to break into my system and deposit a Trojan? Or was there something hidden on a site I visited?

I haven't a clue. I would appreciate some enlightenment.

Thanks.

silas

[Yanto.Chiang]

Hi Silas,

Don't need to doubt about avast warning, just want you to know inside of this site i reveal some hidden spam link.

http://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

http://www.unmaskparasites.com/security-tools/find-hidden-links/site/?siteUrl=statagreat.com

Sometimes some website infected by various of malware families which we doesn't realize when or where it is exactly happened?

[silas_p]

Yanto, thanks for your reply. I think you miss the point of my post, though. How can I be exposed to a Trojan from a website (statagreat.com) which, according to numerous search engines, does not even exist? I don't understand.

silas

[Yanto.Chiang]

Hi Silas,

Sorry if i post which not related with your question

My question is: What in the world is "statagreat.com"? I did multiple searches (Google, Yahoo!, Bing) and nothing turned up. Does this indicate someone was trying to break into my system and deposit a Trojan? Or was there something hidden on a site I visited?


1. statagreat.com is like hosted domain which everyone could hosting their existing web domain with DNS Server
2. Yes you are rite, hacker or cracker could put a trojan at some website which have a vulnerability either put a spyware or referenced site to link to harmful website

So far avast could detect and prevent from harmful website.
But in terms of to avoid unwanted attacks you need to implement Desktop Firewall to block each unwanted attacks thru vulnerability port.
Hopefully my reply could cover your question.

[polonus]

Hi Yanto.Chiang,

To have a clue go here: http://www.robtex.com/r/x?q=statagreat.com
From there we get here: random
date20091212 rtsakmarka rtsakmark2
And where you land from that dns exploit is to be seen. You could land with this nameserver on  turisport.com.uy
Summary
turisport.com.uy is delegated to two nameservers, however both delegated nameservers are missing in the zone and two other nameservers are listed instead. Two of them are on the same IP network. Incoming mail for turisport.com.uy is handled by one mailserver at netgate.com.uy. turisport.com.uy has one IP number. pcr.org.uy, ilacon.org, enia.org.uy, lusol.com.uy, cnftenis.com and at least 27 other hosts point to the same IP and also shares nameservers. incre.edu.uy, wclatino.net, wlogic.com.uy, nortia.com.uy, vivipiria.com and at least 33 other hosts point to the same IP. incre.edu.uy, wclatino.net, wlogic.com.uy, nortia.com.uy, vivipiria.com and at least 28 other hosts share nameservers with this domain. vanacity.com, cajadeoro.com, ttlturismo.com and beauty-development.com share mailservers with this domain. com.uy is a domain controlled by three nameservers. All of them are on different IP networks. turisport.com.uy is hosted on a server in United States even though the hostname implies Uruguay.

robtex is great to see what is going on here, someone is randomizing here to evade detection, I quess,

polonus

[Milanator]

Just to inform you, I just received a similar alert about JS:Downloader-FT.  My internet connection was aborted and everything is okay, but I feel that I should post the site with the warning message here for your reference.

This is the entry in my log viewer:

12/21/2009 5:58:32 PM    SYSTEM   1172   Sign of "JS Downloader-FT[Trj]" has been found in "hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578" file.

Should I be concerned?  One question I have is: what does SYSTEM mean?

[Chim]

Just to inform you, I just received a similar alert about JS:Downloader-FT.  My internet connection was aborted and everything is okay, but I feel that I should post the site with the warning message here for your reference.

This is the entry in my log viewer:

12/21/2009 5:58:32 PM    SYSTEM   1172   Sign of "JS Downloader-FT[Trj]" has been found in "hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578" file.

Should I be concerned?  One question I have is: what does SYSTEM mean?

Hmmm?  Interesting.  I posted yesterday about a very similar Alert.
On my Alert yesterday, the "JS Downloader-FT[Trj]" and the "hxxp://statcstat.com/news/" were exactly the same.  Only the long alpha-numberic designator after that was different.

I wonder if this isn't connected to that Virus Database Update yesterday?  My Alert came dead smack in the middle of a Virus Database Update on Sunday.  The Alert went down officially as being detected under the OLD VPS.  But, I was curious even then with the fact that it happened as the NEW Virus Database Update was being downloaded / installed.

My Alert happened during me accessing -- theholidayspot.com a Wallpapers site.

[DavidR]

Some sites use this site for stats gathering by all accounts, however, it in itself is considered malicious and it is this that I believe avast is alerting on, see http://google.com/safebrowsing/diagnostic?tpl=safari&site=statcstat.com&hl=en.

So it has had malware on the site in the past and avast isn't the only one to consider it malicious, see image, which is from firefox blocking sites on its safe browsing function.

@ Milanator
Please 'modify' your post change the URL from http to hXXp or www to wXw (as in my example below), to break the link and avoid accidental exposure to suspect sites, thanks.

hxxp://statcstat.com/news/go.php?sign=adf2c997e23f1c124aac589ed49c637e&s=578

The System refers to the User associated with the detection. You shouldn't have anything to worry about as avast blocked it.