
Is my company's website truly infected? HEUR:Trojan.Script.Balada.gen


Solved by Guilhermesene4096

Recommended Posts

ian mendes
Posted (edited)

Hello!
My organisation is getting the following warning while trying to access our domain:
object is infected HEUR: TROJAN.Script.Balada.gen
I've submitted the address on the web address analysis and it came out clean.
Is it a false detection?
The linked domain is https : //cremern.org.br/

[attached screenshot: infected.png]

Edited by Berny
Suspicious link disabled!
Guilhermesene4096
Posted
@ian mendes Welcome
 
I have sent your URL to Kaspersky Virus Lab and will provide the verdict when available.
 
The analysis may take a few hours or days (normally it doesn't take long), so I ask that you please wait.
 
If it is considered a false positive, it will be removed from detection in the next update of your Kaspersky product.
  • Like 2
Gabriel Ferreira
Posted (edited)

Hello,

 

I have the same issue with my site with the very same alert (HEUR:Trojan.Script.Balada.gen). However, I've run several anti-malware tools and checked on online scans and everything is clean.

@Guilhermesene4096 Could you please verify mine too?

https :// www.otorrinojoinvile.com.br

 

Thanks

Edited by Berny
Guilhermesene4096
Posted

@Gabriel Ferreira Welcome

At first glance the site looks clean, however, let's wait for a final verdict.

I have sent your URL to Kaspersky Virus Lab and will provide the verdict when available.
 
The analysis may take a few hours or days (normally it doesn't take long), so I ask that you please wait.
 
If it is considered a false positive, it will be removed from detection in the next update of your Kaspersky product.
  • Like 1
Guilhermesene4096
Posted

@Gabriel Ferreira and @ian mendes

Just some feedback:

Unfortunately, Kaspersky Virus Lab is taking longer than usual to respond.

I'll get back to you as soon as I have an answer 👍

  • Like 1
Gabriel Ferreira
Posted
23 hours ago, Guilhermesene4096 said:

@Gabriel Ferreira and @ian mendes

Just some feedback:

Unfortunately, Kaspersky Virus Lab is taking longer than usual to respond.

I'll get back to you as soon as I have an answer 👍

Hello @Guilhermesene4096. Any news?

 

Thank you!

Guilhermesene4096
Posted

@Gabriel Ferreira

Unfortunately, still no reply from KVL 😌

This time they are taking a while to respond.

I'll try reporting your URL to them again and get back to you as soon as I hear back 👍

  • Like 1
  • Solution
Guilhermesene4096
Posted

@ian mendes

⚠️ Final verdict from Kaspersky Virus Lab
Quote

"Hello,

Thank you for waiting.

As previously reported, the website in question 'cremern.org.br' is not listed as a threat to Kaspersky, so the message may have occurred because the client is on an outdated version of Kaspersky.

Ask the user to update their version of Kaspersky and the database."

 

  • Like 2
harlan4096
Posted
Quote

https :// www.otorrinojoinvile.com.br

 

I can't access that site, it seems to be down at the moment...

  • Like 2
Gabriel Ferreira
Posted
30 minutes ago, harlan4096 said:

 

I can't access that site, it seems to be down at the moment...

I was restoring an old backup hoping to fix the issue, but with no luck. It's currently online.

harlan4096
Posted

Still offline here...

ian mendes
Posted
8 hours ago, Guilhermesene4096 said:

@ian mendes

⚠️ Final verdict from Kaspersky Virus Lab

 

Thank you, Guilherme !

  • Like 1
Gabriel Ferreira
Posted
15 hours ago, harlan4096 said:

Still offline here...

Oh I'm sorry, there was a typo in the address. The correct one is:

Https:// www . otorrinojoinville . com . br

Thanks!

  • Thanks 1
harlan4096
Posted

Weird, still detected as infected:

[attached screenshot]

But:

[attached screenshot]

[attached screenshot]

  • Like 3
Flood and Flood's wife
Posted (edited)

Hi @harlan4096

Confirmed:

[attached screenshot]

[attached screenshot]


Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife
pn
  • Like 1
Gabriel Ferreira
Posted
1 hour ago, harlan4096 said:

Weird, still detected as infected:

[attached screenshot]

But:

[attached screenshot]

[attached screenshot]

I can't figure out what is going on. I've already run several WordPress anti-malware plug-ins and all came back clean. I asked one of them to do a manual check-up and they assured me it was clean. The online website scans can't find anything either.

However, Kaspersky keeps saying that it's infected and I don't know how to fix it 😥

Berny
Posted

@Gabriel Ferreira

I checked some WP JavaScript files that came out clean 🤔, did you check the JS code on your side?
Only Kaspersky Virus Lab can handle this issue.

Gabriel Ferreira
Posted
1 hour ago, Berny said:

@Gabriel Ferreira

I checked some WP JavaScript files that came out clean 🤔, did you check the JS code on your side?
Only Kaspersky Virus Lab can handle this issue.

I've checked everything that I could on my side.
Let's wait for the Kaspersky Virus Lab answer. Thank you!

  • Like 1
harlan4096
Posted

OK, it seems it is not detected here anymore:

[attached screenshot]

  • Like 1
Gabriel Ferreira
Posted

Hello. I would like to give you guys some feedback.

It seems that I've figured out what is going on.

The website is actually infected by Trojan.Script.Balada.gen. Today Kaspersky allowed access to the website once, but prevented a redirection to a malicious website (soft . specialcraftbox . com). After that I was able to find this article reporting a flaw in a plug-in that I use for pop-ups - Thousands of Sites with Popup Builder Compromised by Balada Injector (sucuri.net)

 

Thanks for all the assistance.

  • Like 4
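What Gabriel describes above (the page loads, but the browser is sent on to an unrelated domain) is the symptom of an injected script, and Berny's earlier question about checking the JS code is the right place to look. The script below is an added example written for this thread; it is not code from the forum, from Kaspersky or from Sucuri. It takes a saved copy of a page's HTML (e.g. fetched with curl from the server itself) and a list of hosts the site operator considers first party, then lists every `<script src>` and `<meta http-equiv="refresh">` pointing elsewhere, every inline `location` assignment to a foreign host, and inline scripts that use common decoding/eval calls worth a manual read. The sample HTML, the hosts `www.shop.example`, `cdn.trusted.example` and `evil-redirect.example`, and the function names `audit` and `host_of` are all constructed for the example; only the Python standard library is used.

```python
"""Triage helper: list third-party scripts and client-side redirects in a saved HTML page.

Added example for the thread above, not code from the forum or any vendor.
Assumes the operator has the page HTML as a string and knows their own first-party hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JS that navigates away: location = "...", location.href = "...",
# location.replace("...") / location.assign("..."). Comparisons (==) do not match.
REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*['\"]([^'\"]+)['\"]"
)

# Calls that legitimate theme/plugin code rarely needs but injected loaders use a lot.
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(")


class ScriptAuditor(HTMLParser):
    """Collects external script URLs, inline script bodies and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []
        self.inline_scripts = []
        self.meta_refresh = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_inline, self._buf = True, []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline_scripts.append("".join(self._buf))
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; '' for relative paths."""
    p = urlparse(url if "//" in url else "//" + url, scheme="https")
    return (p.hostname or "").lower()


def audit(html, first_party_hosts):
    """Return (kind, host, detail) tuples for anything not explained by first-party hosts."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in first_party_hosts}
    findings = []
    for src in parser.external_scripts:
        h = host_of(src)
        if h and h not in allowed:
            findings.append(("third-party script", h, src))
    for body in parser.inline_scripts:
        for m in REDIRECT_RE.finditer(body):
            h = host_of(m.group(1))
            if h and h not in allowed:
                findings.append(("inline redirect", h, m.group(1)))
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                findings.append(("obfuscation hint", "", marker))
    for target in parser.meta_refresh:
        h = host_of(target)
        if h and h not in allowed:
            findings.append(("meta refresh", h, target))
    return findings


# Constructed sample: a first-party jQuery include, a known CDN, one injected block
# (placeholder domain evil-redirect.example) and a harmless comparison that must not match.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.trusted.example/lib.js"></script>
<script>
var s = String.fromCharCode(104,116,116,112);
setTimeout(function(){ window.location.href = "https://evil-redirect.example/landing"; }, 3000);
</script>
<script>if (location.href == "https://www.shop.example/") { console.log("home"); }</script>
</head><body>site content</body></html>"""
FIRST_PARTY_HOSTS = ["www.shop.example", "shop.example"]

if __name__ == "__main__":
    for kind, host, detail in audit(SAMPLE_HTML, FIRST_PARTY_HOSTS):
        print(f"{kind:18} {host:25} {detail}")
```

Run it against the HTML the server actually returns, not the files on disk: Balada-style injections typically live in the database (plugin options, post content) and only appear in the rendered page. A known CDN showing up as "third-party script" is expected; add it to the first-party list. An inline redirect to a host nobody on the team recognises is the finding to chase in the plugin and theme code.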
Guilhermesene4096
Posted

@Gabriel Ferreira

Similar topics may appear here in the community about this

Thanks for your feedback 👍

  • Like 1
  • 3 weeks later...
AndrewL
Posted

Hello! I just saw this "HEUR:Trojan.Script.Balada.gen" message as well with this site:

https:// padreguillermo . com

Virustotal detects nothing.

Thanks!!

 

 

Guilhermesene4096
Posted
@AndrewL Welcome back
 
I have sent your URL to Kaspersky Virus Lab and will provide the verdict when and if available.
 
The analysis may take a few hours or days (normally it doesn't take long), so I ask that you please wait.
 
If it is considered a false positive, it will be removed from detection in the next update of your Kaspersky product.
  • Like 3
  • 2 weeks later...
AndrewL
Posted
On 2/23/2024 at 4:48 PM, Guilhermesene4096 said:
@AndrewL Welcome back
 
I have sent your URL to Kaspersky Virus Lab and will provide the verdict when and if available.
 
The analysis may take a few hours or days (normally it doesn't take long), so I ask that you please wait.
 

Thanks, Guilherme. Should I still wait? The site is still being detected.

Guilhermesene4096
Posted

@AndrewL

Unfortunately, yes, I have not yet received a response from KVL.

I am forwarding the request to the Kaspersky Virus Lab analysis team and will get back to you as soon as I have feedback.

  • Like 3
