JavaScript from RAE (Royal Spanish Academy) site reported as trojan [Closed]

[AndrewL]

While looking for word meanings in this official Spanish site (ps://dle.rae.es), Kaspersky reported a trojan in this file: ps:// dle.rae.es/ js/init. js Not loading this apparently breaks the whole site styling. Kaspersky reports this as "HEUR:Trojan.Script.Miner.gen". However, if I download this file and scan it, nothing is found. I then uploaded it to Virus Total and only 2 out of 57 engines detected a virus. Kaspersky did not either. I just tried increasing the heuristic level to the maximum, and only then Kaspersky detected again this supposed trojan in this downloaded file. Is this a false positive?

[Igor Kurzin]

Hi AndrewL, I submitted this URL for analysis at https://virusdesk.kaspersky.com/. Let's see what our VirusLab folks come up with.

[harlan4096]

I can confirm the issue here with KTS2020RC, but KLVD flags it as clean...

[Igor Kurzin]

We got a confirmation this is a true detect. Not a false positive.

[harlan4096]

Yes! I also got final verdict from KLVirusDesk, anyway I answered asking them if not a false positive:

Hello, The specified URL was added to our blacklist. Thank you for your help. Best regards,

[AndrewL]

Wow, thank you! I was going to send an email to that web site, as maybe they have been hacked, or some employee added this mining script, but I noticed that the file has been changed. Now it is no longer detected by Kaspersky. In Virus Total only one engine (Antiy-AVL) detects it. Could you confirm the new version is safe, and not simply a more obscure script?

[harlan4096]

Yes, now it is not detected, don't know if script has changed... will wait a bit and check if still detected after Kaspersky added signatures... Update: I've sent the current script site file and KLVirusDesk automatic scan is already detecting it:

Thank you for contacting Kaspersky Lab The files have been scanned in automatic mode. Malicious code detected by Kaspersky Lab products (which include the Mail Anti-Virus component) has been found in files: init.js - HEUR:Trojan.Script.Miner.gen We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email. This is an automatically generated message. Please do not reply to it. Anti-Virus Lab, Kaspersky Lab HQ

[harlan4096]

Update: I got during last night some extra info from Kaspersky VirusDesk analysts:

Hello, This file is already detected by Mail AV component of our product:HEUR:Trojan.Script.Miner.gen However additional signature detection was added:Trojan.Script.Miner.d Its detection will be included in the next update. Thank you for your help. Best regards,

[harlan4096]

Well, this is the last message I've just gotten from KLVirusDesk, it seems RAE server is clean now, so the URL will be removed from detections:

Hello, All malicious content were deleted from dle.rae[.]es. URL was removed from blacklist. It will be fixed in the next update. Thank you for your help. Best regards,

[AndrewL]

Thanks a lot for all your follow-ups, harlan. I've checked the web site and indeed the init.js file is now just 5k instead of 669kb (as the second version we have seen); all its obscured JavaScript code is gone. Is this blacklisting they mention simply url-based? Because I have downloaded the previous malicious .js file and my updated KIS still does not detect it, even with the deep heuristics settings. It's not that it matters much now, but I was just wondering why it doesn't. Also KSN and Kaspersky Application Advisor say nothing about it. Again, this exact file will probably be never seen again, but the obfuscated code may appear somewhere else in the future.

[harlan4096]

Hum... that's weird, still had a copy of the malicious script I sent, and my KTS2020RC still detecting it, even KSN, but not URL Advisor... https://whitelisting.kaspersky.com/advisor?lang=en-US#search/0x5EE5531EAC53A7FDD0F2EB62346875D2

[AndrewL]

It seems you are talking about the first version, which was 407.13 KB and was detected with deep heuristics. I'm referring to the second version, the 669 KB one that we discussed since this reply I made, where I wondered if it was a "more obscure script", which it seems it was in the end.

[harlan4096]

Hum I guess I don't have that second version :thinking:

[AndrewL]

Oh, I thought the following messages from KLVirusDesk after that message of mine were for the second version. I've uploaded the file to Dropbox. https://www.dropbox.com/s/h4rxfil4zcha5i7/initjs-virus.zip?dl=0 If you don't have an account, you have to click on the "no" at the bottom of the popup, and then on Download / Direct download, on the top right corner.

[harlan4096]

Thanks! sent to KLVD!

[harlan4096]

Update: That second version of the script is also now detected :)

[Tiffany Miles]

Thanks for this post. I have been faced with this problem when I've been worked with my project on https://scamfighter.net/review/essaybot.com