
JavaScript from RAE (Royal Spanish Academy) site reported as trojan [Closed]


Solved by harlan4096

Posted
While looking for word meanings on this official Spanish site (https://dle.rae.es), Kaspersky reported a trojan in this file: https://dle.rae.es/js/init.js. Not loading it apparently breaks the whole site's styling. Kaspersky reports this as "HEUR:Trojan.Script.Miner.gen". However, if I download this file and scan it, nothing is found. I then uploaded it to VirusTotal and only 2 out of 57 engines detected a virus; Kaspersky did not either. I just tried increasing the heuristic level to the maximum, and only then did Kaspersky detect this supposed trojan again in the downloaded file. Is this a false positive?
Posted
I can confirm the issue here with KTS2020RC, but KLVD flags it as clean...
Igor Kurzin
Posted
We got a confirmation this is a true detect. Not a false positive.
Solution
Posted
Yes! I also got the final verdict from KLVirusDesk; anyway, I answered asking them whether it was a false positive:
Hello, The specified URL was added to our blacklist. Thank you for your help. Best regards,
Posted
Wow, thank you! I was going to send an email to that web site, as maybe they have been hacked, or some employee added this mining script, but I noticed that the file has been changed. Now it is no longer detected by Kaspersky. In Virus Total only one engine (Antiy-AVL) detects it. Could you confirm the new version is safe, and not simply a more obscure script?
Posted
Yes, now it is not detected; I don't know if the script has changed... I will wait a bit and check if it is still detected after Kaspersky adds signatures... Update: I've sent the current script file from the site, and the KLVirusDesk automatic scan is already detecting it:
Thank you for contacting Kaspersky Lab. The files have been scanned in automatic mode. Malicious code detected by Kaspersky Lab products (which include the Mail Anti-Virus component) has been found in files: init.js - HEUR:Trojan.Script.Miner.gen. We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email. This is an automatically generated message. Please do not reply to it. Anti-Virus Lab, Kaspersky Lab HQ
Posted
Update: During the night I got some extra info from Kaspersky VirusDesk analysts:
Hello, This file is already detected by the Mail AV component of our product: HEUR:Trojan.Script.Miner.gen. However, additional signature detection was added: Trojan.Script.Miner.d. Its detection will be included in the next update. Thank you for your help. Best regards,
Posted
Well, this is the last message I've just gotten from KLVirusDesk; it seems the RAE server is clean now, so the URL will be removed from detections:
Hello, All malicious content was deleted from dle.rae[.]es. The URL was removed from the blacklist. It will be fixed in the next update. Thank you for your help. Best regards,
Posted
Thanks a lot for all your follow-ups, harlan. I've checked the web site and indeed the init.js file is now just 5 KB instead of 669 KB (as in the second version we have seen); all its obscured JavaScript code is gone. Is the blacklisting they mention simply URL-based? Because I have downloaded the previous malicious .js file and my updated KIS still does not detect it, even with the deep heuristics settings. It's not that it matters much now, but I was just wondering why it doesn't. Also, KSN and Kaspersky Application Advisor say nothing about it. Again, this exact file will probably never be seen again, but the obfuscated code may appear somewhere else in the future.
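The posts above compare script versions by hand (size, "is it still the same file?", "is the new one just more obscured?") and ask whether a verdict is tied to the URL or to the file content. Below is an added example, not code from this thread or from Kaspersky, of a small Python triage helper that makes those comparisons explicit: it fingerprints each observed version (SHA-256, size, byte entropy), counts a few coarse obfuscation and browser-miner indicators (eval, dynamic code construction, hex-escape density, Worker/WebAssembly use), and reports whether two versions actually differ. The two JavaScript samples are constructed for the example; they are not the real init.js, and the thresholds are assumptions, not any vendor's detection logic.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample scripts for this example; neither is the real init.js
# discussed in the thread.
CLEAN_JS = b"""function init() {
  var nav = document.getElementById('nav');
  nav.addEventListener('click', function (e) { e.preventDefault(); });
}
init();
"""

OBFUSCATED_JS = (
    b"var _0x4f2a=['\\x65\\x76\\x61\\x6c','\\x57\\x65\\x62\\x41\\x73\\x73\\x65\\x6d\\x62\\x6c\\x79'];"
    b"eval(unescape('%76%61%72%20%61%3d%31'));"
    b"window['\\x73\\x65\\x74\\x54\\x69\\x6d\\x65\\x6f\\x75\\x74'](function(){new Worker('w.js')},0);"
)

# Byte-regex patterns common in packed/obfuscated scripts and in browser-based
# miners (which usually run in Workers and ship WebAssembly). Assumed heuristics.
PATTERNS = {
    "eval_call": rb"\beval\s*\(",
    "dynamic_code": rb"\bFunction\s*\(|\bunescape\s*\(|fromCharCode",
    "hex_escape": rb"\\x[0-9a-fA-F]{2}",
    "worker_or_wasm": rb"\bWebAssembly\b|new\s+Worker\s*\(",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded payloads tend to sit above plain source."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """What the posters compared by hand: hash, size and entropy of one version."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
    }


def indicators(data: bytes) -> dict:
    """Coarse obfuscation/miner indicators; these are counts, not verdicts."""
    hits = {name: len(re.findall(pat, data)) for name, pat in PATTERNS.items()}
    hits["longest_line"] = max((len(line) for line in data.splitlines()), default=0)
    return hits


def triage(data: bytes, hex_threshold: int = 10, line_threshold: int = 500) -> dict:
    """Flag a script for submission to the vendor lab when two or more indicators fire."""
    ind = indicators(data)
    checks = (
        ("eval_call", ind["eval_call"] > 0),
        ("dynamic_code", ind["dynamic_code"] > 0),
        ("hex_escape", ind["hex_escape"] >= hex_threshold),
        ("worker_or_wasm", ind["worker_or_wasm"] > 0),
        ("long_line", ind["longest_line"] > line_threshold),
    )
    triggered = [name for name, fired in checks if fired]
    return {
        "fingerprint": fingerprint(data),
        "indicators": ind,
        "triggered": triggered,
        "suspicious": len(triggered) >= 2,
    }


def compare_versions(old: bytes, new: bytes) -> dict:
    """Answer 'has the file actually changed?' instead of trusting a URL verdict."""
    a, b = fingerprint(old), fingerprint(new)
    return {
        "changed": a["sha256"] != b["sha256"],
        "size_delta": b["size"] - a["size"],
        "entropy_delta": round(b["entropy"] - a["entropy"], 3),
    }


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(label, triage(blob))
    print(compare_versions(CLEAN_JS, OBFUSCATED_JS))
```

Keeping the SHA-256 of each version you download is what lets you tell a URL-based block (the URL is listed, the bytes are whatever the server currently serves) from a file-based signature (the hash or content pattern is known regardless of where it is hosted); it is also the value a vendor lab can act on when you submit a sample.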
Posted
It seems you are talking about the first version, which was 407.13 KB and was detected with deep heuristics. I'm referring to the second version, the 669 KB one that we discussed since this reply I made, where I wondered if it was a "more obscure script", which it seems it was in the end.
Posted
Hmm, I guess I don't have that second version :thinking:
Posted
Oh, I thought the following messages from KLVirusDesk after that message of mine were for the second version. I've uploaded the file to Dropbox. https://www.dropbox.com/s/h4rxfil4zcha5i7/initjs-virus.zip?dl=0 If you don't have an account, you have to click on the "no" at the bottom of the popup, and then on Download / Direct download, on the top right corner.
Posted
Thanks! sent to KLVD!
Posted
Update: That second version of the script is also now detected :)
  • 2 weeks later...
This topic is now closed to further replies.