JavaScript from RAE (Royal Spanish Academy) site reported as trojan [Closed]


AndrewL
Solved by harlan4096

While looking for word meanings on this official Spanish site (ps://dle.rae.es), Kaspersky reported a trojan in this file: ps://dle.rae.es/js/init.js. Not loading this apparently breaks the whole site's styling. Kaspersky reports it as "HEUR:Trojan.Script.Miner.gen". However, if I download this file and scan it, nothing is found. I then uploaded it to VirusTotal and only 2 out of 57 engines detected a virus; Kaspersky did not either. I just tried increasing the heuristic level to the maximum, and only then did Kaspersky detect this supposed trojan again in the downloaded file. Is this a false positive?

Solution (harlan4096):
Yes! I also got the final verdict from KLVirusDesk; anyway, I answered asking them whether it was not a false positive:
Hello, The specified URL was added to our blacklist. Thank you for your help. Best regards,

Wow, thank you! I was going to send an email to that web site, as maybe they have been hacked, or some employee added this mining script, but I noticed that the file has been changed. Now it is no longer detected by Kaspersky. On VirusTotal only one engine (Antiy-AVL) detects it. Could you confirm the new version is safe, and not simply a more obscure script?

Yes, now it is not detected; I don't know if the script has changed... I will wait a bit and check if it is still detected after Kaspersky adds signatures... Update: I've sent the current script file from the site, and the KLVirusDesk automatic scan is already detecting it:
Thank you for contacting Kaspersky Lab. The files have been scanned in automatic mode. Malicious code detected by Kaspersky Lab products (which include the Mail Anti-Virus component) has been found in files: init.js - HEUR:Trojan.Script.Miner.gen. We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email. This is an automatically generated message. Please do not reply to it. Anti-Virus Lab, Kaspersky Lab HQ

Update: During the night I got some extra info from Kaspersky VirusDesk analysts:
Hello, This file is already detected by the Mail AV component of our product: HEUR:Trojan.Script.Miner.gen. However, an additional signature detection was added: Trojan.Script.Miner.d. Its detection will be included in the next update. Thank you for your help. Best regards,

Well, this is the last message I've just gotten from KLVirusDesk; it seems the RAE server is clean now, so the URL will be removed from detections:
Hello, All malicious content was deleted from dle.rae[.]es. The URL was removed from the blacklist. It will be fixed in the next update. Thank you for your help. Best regards,

Thanks a lot for all your follow-ups, harlan. I've checked the web site and indeed the init.js file is now just 5 KB instead of 669 KB (as in the second version we have seen); all its obscured JavaScript code is gone. Is this blacklisting they mention simply URL-based? Because I have downloaded the previous malicious .js file and my updated KIS still does not detect it, even with the deep heuristics settings. It's not that it matters much now, but I was just wondering why it doesn't. Also KSN and Kaspersky Application Advisor say nothing about it. Again, this exact file will probably never be seen again, but the obfuscated code may appear somewhere else in the future.
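The post above raises the practical question of how to tell apart the versions of a file like init.js once URL-based blocking no longer applies to a local copy, and how to spot the kind of large, obfuscated blob that heuristic scanners flag. The script below is an added example, not code from the thread or from Kaspersky: it hashes a JavaScript file so versions can be compared by content, and computes a few generic obfuscation and miner-style indicators (eval/Function, string decoding helpers, Worker/WebSocket use, long runs of hex escapes, packer-style `_0x` identifiers, a single enormous line, almost no whitespace). The two inputs are constructed samples; the indicator list and thresholds are this example's own assumptions and say nothing about what the real RAE script contained.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample (assumption, not the real dle.rae.es file): a small, readable init script.
CLEAN_JS = b"""
document.addEventListener('DOMContentLoaded', function () {
  var nav = document.getElementById('nav');
  if (nav) { nav.classList.add('ready'); }
});
"""


def build_obfuscated_sample(kb: int = 600) -> bytes:
    """Constructed sample imitating the shape of packer output: one huge line made of
    hex-escaped strings, a _0x-style array, eval and a Worker. Deterministic (SHA-256 chain)."""
    parts, total, seed = [], 0, b"sample"
    while total < kb * 1024:
        seed = hashlib.sha256(seed).digest()
        chunk = '"' + "".join("\\x%02x" % b for b in seed) + '"'
        parts.append(chunk)
        total += len(chunk) + 1
    body = "var _0xab12=[" + ",".join(parts) + "];"
    body += "eval(function(p,a,c,k,e,d){return String.fromCharCode(p)}(_0xab12[0]));"
    body += "new Worker(atob(_0xab12[1]));"
    return body.encode()


# Generic indicators (assumed heuristics for this example, not any vendor's signatures).
INDICATORS = {
    "eval_or_function_ctor": re.compile(rb"\beval\s*\(|\bnew\s+Function\s*\("),
    "string_decoding": re.compile(rb"\batob\s*\(|\bunescape\s*\(|fromCharCode"),
    "background_execution": re.compile(rb"\bnew\s+Worker\s*\(|\bnew\s+WebSocket\s*\("),
    "hex_escaped_strings": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "packer_identifiers": re.compile(rb"\b_0x[0-9a-fA-F]{3,}\b"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported for context, not used as a threshold."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Hash, size and obfuscation indicators for one JavaScript file."""
    lines = data.splitlines() or [b""]
    whitespace = sum(data.count(c) for c in b" \t\r\n")
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size_bytes": len(data),
        "entropy_bits_per_byte": round(shannon_entropy(data), 3),
        "longest_line": max(len(line) for line in lines),
        "whitespace_ratio": round(whitespace / max(len(data), 1), 3),
        "indicators": {name: len(rx.findall(data)) for name, rx in INDICATORS.items()},
    }
    hits = sum(1 for count in report["indicators"].values() if count)
    if report["longest_line"] > 10_000:     # minified code is long too, so this is one vote only
        hits += 1
    if report["whitespace_ratio"] < 0.02:   # packed blobs have almost no whitespace
        hits += 1
    report["suspicion"] = hits
    report["verdict"] = "inspect" if hits >= 3 else "likely benign"
    return report


def compare_versions(old: bytes, new: bytes) -> dict:
    """Content-based comparison of two fetched copies: identical hash means identical file,
    regardless of which URL served it."""
    return {
        "same_content": hashlib.sha256(old).digest() == hashlib.sha256(new).digest(),
        "size_delta": len(new) - len(old),
    }


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_JS), ("obfuscated", build_obfuscated_sample())):
        r = triage(sample)
        print(label, r["sha256"][:16], r["size_bytes"], r["suspicion"], r["verdict"], r["indicators"])
    print(compare_versions(build_obfuscated_sample(), CLEAN_JS))
```

Usage: `triage(open("init.js", "rb").read())` on each downloaded copy. Keeping the SHA-256 of every version alongside the report is what lets a later "is it still detected?" question be answered for a specific file rather than a URL; the indicator score is only a prompt to look closer, since legitimate minified bundles also produce one long line.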

It seems you are talking about the first version, which was 407.13 KB and was detected with deep heuristics. I'm referring to the second version, the 669 KB one that we have discussed since the reply I made wondering if it was a "more obscure script", which it seems it was in the end.

Oh, I thought the messages from KLVirusDesk that followed that message of mine were about the second version. I've uploaded the file to Dropbox: https://www.dropbox.com/s/h4rxfil4zcha5i7/initjs-virus.zip?dl=0 If you don't have an account, you have to click on the "no" at the bottom of the popup, and then on Download / Direct download, in the top right corner.
