Topic: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]

Offline msaluste

  • Newbie
  • *
  • Posts: 5
Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« on: August 03, 2011, 10:23:10 PM »
Starting this evening with virus definitions 110803-1, Plugin Detect version 0.7.5 was suddenly labelled as JS:Downloader-AUX [Trj] on my web site (hxxp://help.artaro.eu).
Restored the file from a backup made in May, recompiled at the publisher's site (hxxp://www.pinlady.net/PluginDetect/), but the avast! Free Antivirus still blocks all variants of the file.
Nothing appears while scanning the file with freshly updated competitors' products (MSSE, Malwarebytes, Spybot S&D), and VirusTotal shows only avast! and GData detect the file as "Downloader-AUX".
Also, http://sitecheck.sucuri.net/scanner/ shows my site is clean.
I've attached the contents of the file in txt format.

Please, can you confirm it is a false positive and update your definitions?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33283
  • malware fighter
Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« Reply #1 on: August 03, 2011, 10:51:18 PM »
Hi msaluste.

Here is the Anubis report for the attached file: http://anubis.iseclab.org/?action=result&task_id=18bd5af96ab5f35e4bd2a97e9407e5468&format=html
Low risk file, could be classified as risktool or an FP.
Wait for avast's verdict.
 
There are some characteristics the software shares with particular code on Zeus malware.

odm3o1u3 script[1];
\4X23OP2B\style[1].css in spoofs
unnamed file 0x00120028 for mail account creator

Non-system processes like wshtcpip.dll originate from software you installed on your system. As most applications store data in your system's registry, it is likely that your registry has suffered fragmentation and accumulated harmful errors.

Public Declare Function mciExecute& Lib "winmm.dll" (ByVal lpstrCommand As String)
Mutexes:
 _SHuassist.mtx. • IEXPLORE.EXE: CritOpMutex. Network Connections Attempts to download files

Shell.CMruPidlList mutex is also found for particular worms.

Also checked on this on your site, see attached (could this have been detected?)

polonus
« Last Edit: August 03, 2011, 10:59:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline msaluste

  • Newbie
  • *
  • Posts: 5
Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« Reply #2 on: August 04, 2011, 09:27:15 AM »
Thank you Polonus!
The PluginDetect script checks versions of installed plug-ins, such as Java, Flash Player, Adobe Reader, VLC Player, etc. For detection to work properly, it must open a file for some plug-ins; this might cause the Trojan-like behaviour. I use this script to warn visitors in case some plug-in is out of date and insecure.
The attached script you pointed out seems to be writing "mailto: " information for the script author; no anti-virus detected it as malicious.
When can I expect some verdict from avast?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85581
  • No support PMs thanks
Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« Reply #3 on: August 04, 2011, 12:05:10 PM »
There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles, for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media) issues.
- If you are reporting an FP, then you get another input field open, click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.691) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« Reply #4 on: August 04, 2011, 12:33:34 PM »
Hello,
JS:Downloader-AUX is a wrong detection. It will be fixed in today's release, but unfortunately not in VPS-0 but in VPS-1.
Sorry for your inconvenience.

Offline msaluste

  • Newbie
  • *
  • Posts: 5
Re: Clean PluginDetect.js detected as JS:Downloader-AUX [Trj]
« Reply #5 on: August 04, 2011, 01:02:49 PM »
Thank you for the good information, Sirmer!
I had quite a sleepless night while trying to figure out how my site could have been hacked ;D
Apologies accepted :)