Author Topic: JS:Kryptik-B [Trj]  (Read 9954 times)


Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
JS:Kryptik-B [Trj]
« on: July 03, 2011, 07:35:29 AM »
Hello.

I use Avast 6 on my new PC (yesterday was its first use). I installed Avast 6. I wanted to update all my drivers and went to XXX.pilotespc.com for my DVD recorder. But Avast showed an alert message which said: Avast has blocked ... . It was a Trojan.

The complete URL is hXXp://www.pilotespc.com/cstrack.js.

The threat is classified as HIGH and is called JS:Kryptik-B [Trj].

Is it a false positive?

If it's a virus, are you sure that my PC is clean and safe?
« Last Edit: July 07, 2011, 09:15:04 AM by solidsnake44 »

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3061
Re: JS:Kryptik-B [Trj]
« Reply #1 on: July 03, 2011, 07:45:44 AM »
Quote
If it's a virus, are you sure that my PC is clean and safe?

Avast's WebShield has blocked the threat even before it entered your PC. Your PC is safe.

Quote
Is it a false positive ?

Generally avast is precise in catching such scripts on websites. But we may have to wait for someone to chime in on whether it's a false positive.

But if you think it's a false positive, you can report it here: http://www.avast.com/contact-form.php?loadStyles by selecting the appropriate subject and also putting a link to this topic in the message.


Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3061
Re: JS:Kryptik-B [Trj]
« Reply #3 on: July 03, 2011, 07:50:28 AM »
I don't see any reason for a scan with all the scanners out there, since it is a web script that has been detected and blocked.

Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
Re: JS:Kryptik-B [Trj]
« Reply #4 on: July 03, 2011, 08:09:35 AM »
Thank you. I'm delighted.

I checked with Antivir and Malwarebytes. No anomaly. I'll check with ActiveScan today.

I'll wait for a reply from a member who has had the same problem, to know if it is a false positive.

Thank you again, and sorry for my English (I'm French :) )

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4130
  • There is no magic, only lost physics
    • spg SCOTT
Re: JS:Kryptik-B [Trj]
« Reply #5 on: July 03, 2011, 12:09:11 PM »
Please can you modify the link, to prevent others from potentially becoming infected (change http to hXXp). Thanks. Just a matter of course...

This looks like it may be a genuine detection: the js file has a script in it which uses an array to generate an image. At least that is what results from analysis with Malzilla.

avast isn't the only one, either:
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

By the way, your English is fine :)
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” (Richard Feynman)
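The post above describes the script as "using an array to generate an image", which is the classic loader pattern: the page's markup is carried as a list of character codes and reassembled at run time so that a plain string scan never sees the `<img>` or `<iframe>` tag. The block below is an added example, not cstrack.js and not Malzilla's code: it constructs a sample script in that style (the URL example.invalid/landing.php is an assumed placeholder), decodes it statically without executing anything, decodes it a second way by hooking `document.write` the way a deobfuscator's fake DOM does, and then applies the same sanity check spg SCOTT made: an "image" whose src is a page rather than an image file, sized 1x1.

```javascript
// Added example (not cstrack.js from the thread): a constructed stand-in
// for the pattern described in the post, a script that builds an <img>
// tag from an integer array, plus two ways to recover the hidden markup.
// The URL example.invalid/landing.php is an assumption for illustration.

// Build the char-code array the way such a script would carry it.
function encodeAsCharCodes(markup) {
  return Array.from(markup, (ch) => ch.charCodeAt(0));
}

// The hidden markup: an "image" whose src is really a page, sized 1x1.
const HIDDEN_MARKUP =
  '<img src="http://example.invalid/landing.php" width="1" height="1">';

// Constructed sample script of the kind Malzilla is pointed at.
const SAMPLE_SCRIPT =
  'var a=[' + encodeAsCharCodes(HIDDEN_MARKUP).join(',') + '];' +
  'var s="";for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]);}' +
  'document.write(s);';

// Static decode: find the first integer-array literal and decode it
// as char codes. Nothing from the script is executed.
function decodeCharCodeArray(script) {
  const m = /\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/.exec(script);
  if (!m) return null;
  const codes = m[1].split(',').map((n) => parseInt(n.trim(), 10));
  return String.fromCharCode(...codes);
}

// Dynamic decode: run the script with document.write replaced by a
// collector, which is roughly what a deobfuscator's fake DOM does.
// Only do this inside a disposable VM: the script is still executed.
function captureDocumentWrite(script) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  new Function('document', script)(fakeDocument);
  return written.join('');
}

// Pull src attributes from img/iframe/script tags in decoded markup.
function extractSources(markup) {
  const found = [];
  const re = /<(img|iframe|script)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    found.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return found;
}

// Heuristics matching the thread's finding: an "image" that points at a
// page rather than an image file, an injected iframe/script, or a
// 1x1 / zero-size element is what a drive-by loader looks like decoded.
function classifyDecodedMarkup(markup) {
  const findings = [];
  for (const { tag, src } of extractSources(markup)) {
    const path = src.split(/[?#]/)[0].toLowerCase();
    const looksLikeImage = /\.(gif|jpe?g|png|bmp|ico|webp)$/.test(path);
    if (tag === 'img' && !looksLikeImage) {
      findings.push('img src is not an image file: ' + src);
    }
    if (tag === 'iframe' || tag === 'script') {
      findings.push(tag + ' injected: ' + src);
    }
  }
  if (/\b(width|height)\s*=\s*["']?[01](?:["']|\s|>)/i.test(markup)) {
    findings.push('1x1 or zero-size element');
  }
  return findings;
}

// Stand-alone run: decode the sample and report what it hides.
const decoded = decodeCharCodeArray(SAMPLE_SCRIPT);
console.log(decoded);
console.log(classifyDecodedMarkup(decoded));
```

The static decoder is the one to reach for first: it handles the common `String.fromCharCode` loop without running attacker code. The `document.write` hook is what you fall back to when the array is further scrambled (XOR keys, split across variables), and it should only ever be run in a throwaway VM, since `new Function` executes the script with full Node privileges.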

Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
Re: JS:Kryptik-B [Trj]
« Reply #6 on: July 03, 2011, 03:13:06 PM »
It's Ok, I changed the link.

So, for you, it's an image which is loading and avast blocked it for security?

I don't know the term "genuine". What is it? And "JS" is for JavaScript?

And thank you for your help and for my English :)
« Last Edit: July 04, 2011, 05:52:41 PM by solidsnake44 »

Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
Re: JS:Kryptik-B [Trj]
« Reply #7 on: July 04, 2011, 05:55:18 PM »
Hello,

spg SCOTT, can you help me again please, to know if I have understood? Because I'm not sure of my translation.

Offline Jeepava

  • Sr. Member
  • ****
  • Posts: 381
  • Support forums > Non-english zone > Francais
Re: JS:Kryptik-B [Trj]
« Reply #8 on: July 06, 2011, 03:15:33 PM »
Hello solidsnake44

You can ask your question in the French section of the international Avast forum:

http://forum.avast.com/index.php?board=23.0

Otherwise, you can try another driver site:

http://www.touslesdrivers.com/index.php?v_page=30&v_forum=0

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4130
  • There is no magic, only lost physics
    • spg SCOTT
Re: JS:Kryptik-B [Trj]
« Reply #9 on: July 06, 2011, 07:55:58 PM »
Apologies, I missed this topic.

As far as I can tell, that JavaScript file doesn't seem to exist anymore; I get a 404 (not found) error on it. Do you still get alerts?

Quote
It's Ok, I changed the link.
Thanks, but there is still an active one though ;)

Quote
So for you it's an image which is loading and avast blocked it for security ?
Well, not quite. It is an image link, but it seems to point to an actual page...

Quote
I don't know the term Genuine. What is it ?
In this case, by genuine detection, I meant correct. So the detection is correct.
Genuine, generally means real/authentic :)
Quote
And "JS" is for Javascript ?
Yes.

Quote
And thank you for  your help and for my english :)
No Problem, welcome to the forum :)

Scott

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31550
  • malware fighter
Re: JS:Kryptik-B [Trj]
« Reply #10 on: July 06, 2011, 10:03:23 PM »
Hi solidsnake44,

spg SCOTT did a thorough script analysis there. I have to add that the site also has vulnerabilities, because the web applications used are not fully up to date and are exploitable.
Wordpress version: Wordpress
Wordpress version from source: 3.0.1
Wordpress Version > 2.9 for: -http://www.pilotespc.com/wp-includes/js/wp-ajax-response.js
Wordpress Version == 3.0.x for: -http://www.pilotespc.com/wp-includes/js/autosave.js
Wordpress directory: -http://www.pilotespc.com/wp-content
Wordpress theme: -http://www.pilotespc.com/wp-content/themes/universum/
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/universum/index.php *
Wordpress internal path: -/home/pilotesp/public_html/wp-content/themes/default/index.php *
* vulnerable
This must have created the way in for the malcode. As for the script links, "cufon-yui.js" is exploitable as well and could also lead to malcode in the form of trojan backdoors.

polonus
« Last Edit: July 06, 2011, 10:26:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
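The listing in the post above is scanner output; the clues it reports (generator version, core script versions, the wp-content directory, the active theme) are all present in a WordPress page's own HTML and asset URLs. The block below is an added example, not polonus's scanner and not code from the thread: it reads those clues out of a constructed page (www.example.invalid stands in for the host; the versions and theme name are copied from the listing only as sample data) and compares the found version against a reference release that the caller supplies, since the script itself has no knowledge of which WordPress release is current.

```javascript
// Added example (not the scanner whose output appears in the post):
// reading WordPress version clues from a page's HTML. The HTML below is
// constructed; www.example.invalid is a placeholder host.

const SAMPLE_HTML = `<html><head>
<meta name="generator" content="WordPress 3.0.1" />
<script type="text/javascript" src="http://www.example.invalid/wp-includes/js/wp-ajax-response.js?ver=3.0.1"></script>
<script type="text/javascript" src="http://www.example.invalid/wp-includes/js/autosave.js?ver=20100903"></script>
<link rel="stylesheet" href="http://www.example.invalid/wp-content/themes/universum/style.css" />
</head><body></body></html>`;

function fingerprintWordPress(html) {
  const result = { generator: null, assetVersions: [], contentDir: null, theme: null };

  // 1. The generator meta tag, when the theme has not removed it.
  const gen = /<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)["']/i.exec(html);
  if (gen) result.generator = gen[1];

  // 2. ?ver= on core assets. Core scripts are versioned with the WP
  //    release, others with a date stamp, so keep only dotted versions.
  const verRe = /\/wp-includes\/[^"'\s?]+\?ver=(\d+\.\d+(?:\.\d+)?)/gi;
  let m;
  while ((m = verRe.exec(html)) !== null) {
    if (!result.assetVersions.includes(m[1])) result.assetVersions.push(m[1]);
  }

  // 3. wp-content location and active theme from asset paths.
  const dir = /(https?:\/\/[^"'\s]+?\/wp-content)\//i.exec(html);
  if (dir) result.contentDir = dir[1];
  const theme = /\/wp-content\/themes\/([^\/"'\s]+)\//i.exec(html);
  if (theme) result.theme = theme[1];

  return result;
}

// Numeric dotted-version compare: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// `latest` is supplied by the caller from the WordPress release list;
// the script knows nothing about which release is current.
function isOutdated(found, latest) {
  return compareVersions(found, latest) < 0;
}

// Stand-alone run: print what the page gives away.
const fp = fingerprintWordPress(SAMPLE_HTML);
console.log(fp);
```

Note that the generator tag is the weakest of the three clues (many themes strip it), while the `?ver=` query string on wp-includes scripts survives most "hide the version" plugins, which is why scanners such as the one quoted report the version per script file. Removing the meta tag is cosmetic; the fix the post is pointing at is updating the installation.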

Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
Re: JS:Kryptik-B [Trj]
« Reply #11 on: July 07, 2011, 09:32:20 AM »
Thank you all for your help.

Hello Jeepava. Thanks for the advice. I thought that this site, http://forum.avast.com/fr/index.php, was the French Avast forum.

Thanks for the drivers. I know that site, but I couldn't find the driver for the DVD drive, so I went looking elsewhere, but unfortunately the site was apparently infected.


Hello and thank you spg SCOTT. I tried again and I get the same message from Avast, that it blocks the site, but the page loads.

Sorry, I forgot the other link. I changed it.

OK. But it's strange that only Avast finds the Trj and no paid security product like Nod32, Kaspersky, Bitdefender...
http://www.virustotal.com/file-scan/report.html?id=d79ad53a0a608daa27a1eb29ef798ee01f1a16743c2d15275a551e89ecd6f53e-1309686657

G Data, I think, has the same database as avast.

Hello polonus. Thank you for the explanation.
« Last Edit: July 07, 2011, 09:35:00 AM by solidsnake44 »

Offline Jeepava

  • Sr. Member
  • ****
  • Posts: 381
  • Support forums > Non-english zone > Francais
Re: JS:Kryptik-B [Trj]
« Reply #12 on: July 07, 2011, 02:10:53 PM »
Hello solidsnake44

There are two forums:

The French section of the international Avast forum
http://forum.avast.com/index.php?board=23.0

The forum created by a French-speaking Quebecer
http://forum.avast.com/fr/index.php

DVD drive driver
Can you give:
the make and model of the computer
the make and model of the DVD drive

I'll do a search.

Offline solidsnake44

  • Newbie
  • *
  • Posts: 14
Re: JS:Kryptik-B [Trj]
« Reply #13 on: July 07, 2011, 03:12:34 PM »
OK, thanks for the info.

I found the driver, but unfortunately after having "visited" the infected site. Thank you for your offer in any case, it's very kind.

For information, it's a SAMSUNG Sh-S223C.

Offline Jeepava

  • Sr. Member
  • ****
  • Posts: 381
  • Support forums > Non-english zone > Francais
Re: JS:Kryptik-B [Trj]
« Reply #14 on: July 07, 2011, 08:30:36 PM »
Here is what I found:

SAMSUNG Sh-S223C

It's not a driver but firmware.

WORLD WIDE
http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp

Product: DVD-Writer Half Height
Model: SH-S223C
OEM: SB
Firmware version: SB07
Date: 06 07 2011

http://www.samsungodd.com/eng/Firmware/FWDownload/FWDownload.asp?FunctionValue=view&no=733&SearchWord=&SearchMode=&PageNumber=1&product_code=&os_no=

Download
http://www.samsungodd.com/korLib/popup/Download.asp?path=FWDownload&fname=SH-S223C_SB07.exe

It could be useful for an update.