Author Topic: Java script virus?  (Read 5251 times)


BrBrasil

  • Guest
Java script virus?
« on: November 04, 2011, 06:41:48 PM »
Hello guys,

A person who works at the same company as me was visiting a site and our AV (Trend Micro) detected a JavaScript virus in it...

I sent it to VirusTotal and realized that many other AVs were also detecting JavaScript malware (something about redirection)... including Avast (as JS:Illredir-AQ [Trj])..

However, visiting the site doesn't redirect anywhere...

So some of my IT friends who work here (I am also in IT) and I checked the page code but didn't find anything suspicious... No redirection, and the JS wasn't even encoded...

So, if someone here would like to investigate possible false positives and has free time to do that, could you check whether it's a real detection or a false positive?


The Site is:

hxxp://www.grupoumbria.com.br/

Virus Total Urls:

http://www.virustotal.com/url-scan/report.html?id=f6539ca47a0910e0de3872c515901424-1320423588

http://www.virustotal.com/file-scan/report.html?id=8e41572b38819798c5bad3f281f5b68f3d837c43dce3a3c0fefbb544b2afd3fa-1320427193


I am not sure if it's a false positive because a lot of AVs detected it... However, I can't say that it is real malware because I didn't find any "obvious" trace of malware activity in its code. Anyway,

Thanks for your time!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76034
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Java script virus?
« Reply #1 on: November 04, 2011, 06:48:05 PM »
Known javascript malware.
Details: http://sucuri.net/malware/entry/MW:JS:150
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

spg SCOTT

  • Guest
Re: Java script virus?
« Reply #2 on: November 04, 2011, 06:50:53 PM »
The script is there...at the end of the page.

Quite obvious, one long line of obfuscated code.

Asyn, sucuri...that's cheating :P
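A small triage script for the situation spg SCOTT describes, added here as an example; it is not code from this thread, from Avast or from Sucuri. It scans every <script> block of a page and flags the traits of an injected block: one long line with no line breaks, many \xNN or %NN escape sequences, decoder APIs such as eval/unescape/fromCharCode/document.write, and placement after </body>. The sample page, the thresholds and the "two or more reasons" rule are assumptions chosen for illustration, and the sample is a constructed page, not the site discussed in the thread.

```python
import math
import re
from collections import Counter

# Constructed sample page (NOT the site from the thread): an ordinary page with
# one legitimate script in <head>, followed by an injected single-line script
# appended after </html>, the placement described in the thread.
SAMPLE_HTML = r"""<html><head><title>Example</title>
<script type="text/javascript">
function toggleMenu(id) {
  var el = document.getElementById(id);
  el.style.display = (el.style.display == 'none') ? 'block' : 'none';
}
</script></head>
<body><p>Welcome to the site.</p></body></html>
<script>var _0x1=["\x64\x6F\x63\x75\x6D\x65\x6E\x74","\x77\x72\x69\x74\x65"];eval(unescape("%76%61%72%20%61%3D%31"));String.fromCharCode(104,116,116,112);document.write(_0x1[0]+_0x1[1]);</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# \xNN (JS string escapes) and %NN (URL encoding, fed to unescape()).
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")
# APIs a decoder stub relies on; page scripts rarely need them together.
DECODER_APIS = ("eval(", "unescape(", "fromCharCode", "document.write")

LONG_LINE = 100      # assumed: chars on one line before it counts as "one long line"
MANY_ESCAPES = 8     # assumed: escape sequences before the body counts as encoded
HIGH_ENTROPY = 5.0   # assumed: bits/char; readable JS usually sits below this


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(body, starts_after_body_close):
    """Return the list of reasons this script body looks injected or obfuscated."""
    src = body.strip()
    reasons = []
    if "\n" not in src and len(src) > LONG_LINE:
        reasons.append("single_line")
    if len(ESCAPE_RE.findall(src)) >= MANY_ESCAPES:
        reasons.append("hex_escapes")
    hits = [api for api in DECODER_APIS if api in src]
    if hits:
        reasons.append("decoder_apis:" + ",".join(hits))
    if shannon_entropy(src) > HIGH_ENTROPY:
        reasons.append("high_entropy")
    if starts_after_body_close:
        reasons.append("after_body_close")
    return reasons


def triage(html):
    """Score every <script> block; a block is suspicious on two or more reasons."""
    body_close = html.lower().find("</body>")
    report = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        after = body_close != -1 and m.start() > body_close
        reasons = score_script(m.group(1), after)
        report.append({
            "index": i,
            "offset": m.start(),
            "length": len(m.group(1).strip()),
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_HTML):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"script #{entry['index']} at byte {entry['offset']} "
              f"({entry['length']} chars): {flag} {entry['reasons']}")
```

Run it against the raw bytes of the page, not against what a browser on a protected desktop shows: as the thread later notes, an endpoint AV that "cleans" the page on load removes exactly the block you are looking for, so the capture has to come from a machine where nothing rewrites the response, ideally an isolated analysis VM. The entropy reason is deliberately the weakest one: heavily escaped code is repetitive and can score lower than clean JS, so on its own it never flags a block.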

Offline Asyn

Re: Java script virus?
« Reply #3 on: November 04, 2011, 06:55:17 PM »

BrBrasil

  • Guest
Re: Java script virus?
« Reply #4 on: November 04, 2011, 06:57:20 PM »
Hello!

Thanks for the answers!

I feel so dumb! hehehe I forgot to check the bottom of the page... That's why I didn't find any obfuscation.. =-P

Thanks for your time!

BrBrasil

Offline Asyn

Re: Java script virus?
« Reply #5 on: November 04, 2011, 07:00:22 PM »
You're welcome..!

BrBrasil

  • Guest
Re: Java script virus?
« Reply #6 on: November 04, 2011, 07:03:15 PM »
Oops, actually I think our AV removed this JS part, because it is not appearing to me... It says that it has cleaned the malware code when we load the page... Maybe that's why I can't find the code...

Thanks All!
BrBrasil

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Java script virus?
« Reply #7 on: November 05, 2011, 02:39:30 PM »
The avast webshield still blocks it as infected by JS:Illredir-AQ[Trj].
Website is also at a misused server:

-http://grupoumbria.com.br/   658D62E32567EF40C25226A7B2989733   200.219.245.77   BR   infected with W32Damaged_File.B.gen!Eldorado   

Comodo's SiteInspector gives it as clean now http://siteinspector.comodo.com/public/reports/580971
Here it is suspicious, 2 instances: http://urlquery.net/report.php?id=7442

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!