kariyamvinod
Posted

When I am trying to visit my site, HEUR:Trojan.Script.Balada.gen is downloading. I contacted my website hosting provider and they completed a full virus scan and informed me that there is no malware in my account. But even after the complete scan, Kaspersky is detecting HEUR:Trojan.Script.Balada.gen. This problem is there for almost all my websites under this hosting account.

My websites are www.yashasviworld.com, rangsav.com, amiyproperties.com, etc.


harlan4096
Posted

Welcome to Kaspersky Community.

 

Currently, I have just reported to K. analysts, waiting final verdict.

harlan4096
Posted

In site:

 

yashasviworld . com/products?id=7&data_from=brand&page=1

 

Quote

Hello,

This is not a false alarm. This site is infected.


Here is the malicious code:


<script>var st=document.createElement('script'); ...

 

If you are a webmaster, please remove the above code from the page. Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.
 

Best regards, Malware Analyst
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

 

Similar to site:  amiyproperties.com

 

Quote

Hello,

This is not a false alarm. This site is infected.


Here is the malicious code:


<script>var st=document.createElement('script'); ...

 

If you are a webmaster, please remove the above code from the page. Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.
 

Best regards, Malware Analyst
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

 

kariyamvinod
Posted

Dear Sir,

Thank you very much for your quick response. I couldn't find this particular page - yashasviworld . com/products?id=7&data_from=brand&page=1 as mentioned in your reply. Can you please confirm whether this script is in the database or in the webpage?

harlan4096
Posted

I personally can't; that was a direct reply from a K. analyst, but the detection is easy to reproduce and clear:

 

Quote

Event: Malicious object detected
User type: Initiator
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Web Threat Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan.Script.Balada.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: next.png
Object path: https://yashasviworld.com/public/images
SHA256 of an object: F0B0D90BD942E2A45966AAF3D0B2A50008BF9090B27DA5DF210D1DB6CEC17403
MD5 of an object: E779B61765F581236759A14060B4D192
Reason: Expert analysis
Databases release date: Today, 31/05/2024 7:45:00

Flood and Flood's wife
Posted
1 hour ago, kariyamvinod said:

I couldn't find this particular page - yashasviworld . com/products?id=7&data_from=brand&page=1 as mentioned in your reply.

Hello @kariyamvinod


Thank you🙏
Flood🐳+🐋

Posted

Hi @kariyamvinod

2 hours ago, kariyamvinod said:

script is in database or in Webpage.

I could find some malicious scripts in the webpage, but for security reasons I can't post the HTML source code here 🤔, please see below a truncated example
 


EDIT

↓ When I open the malicious scripts locally Kaspersky is blocking ↓


 

kariyamvinod
Posted

Dear Sir,

The Kaspersky report mentioned the infection file is under https://yashasviworld.com/public/images/

But there is no folder named images under the public folder on my web server. Can you please explain how to find the exact page of infection? I tried to search for the code var st=document.createElement... but failed.

harlan4096
Posted

We can't, of course, access the website code or your server files, but the truth is that when accessing that site with a browser the files are there and are detected.

 

So, where are all the .png, .gif, etc. that are detected by K. stored? 🤔

Posted

@kariyamvinod

In addition to the above comment from @harlan4096, please see below a truncated screenshot displaying the beginning of some script contents; when testing a script locally, Kaspersky is blocking the access.


 

kariyamvinod
Posted

Dear Sir,

I failed to find the script. Is this script contained in an HTML file or a JS script file? Please support.

kariyamvinod
Posted

@Berny

 

I contacted the website providers, and they informed me that they have scanned my account, and they can see that the scan has confirmed there is no malware infection in the account.


Posted

@kariyamvinod

Please see the comments above; you may contact Kaspersky Tech Support.
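
A file scan of the kind this thread is looking for, as an added example that is not part of any post above: it flags files with an image extension whose content is not an image (as with the `next.png` object in the detection report) and files matching a whitespace-tolerant form of the `document.createElement('script')` snippet the analyst quoted. The function names, extension lists and sample files are assumptions constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# Leading bytes of genuine image files.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
TEXT_EXT = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed list of template/script types
# Whitespace- and quote-tolerant form of the snippet quoted by the analyst.
INJECT = re.compile(rb"document\s*\.\s*createElement\s*\(\s*['\"]script['\"]\s*\)", re.I)

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or (ext not in MAGIC and ext not in TEXT_EXT):
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable file: skip rather than abort the scan
            continue
        rel = path.relative_to(root).as_posix()
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            findings.append((rel, "image extension, non-image content"))
        if INJECT.search(data):
            findings.append((rel, "dynamic script creation"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not taken from the affected sites
            "public/images/ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "public/images/next.png": b"var st = document . createElement( \"script\" );",
            "views/footer.php": b"<script>var st=document.createElement('script');</script>",
            "views/home.php": b"<?php echo 'hello'; ?>",
        }
        for rel, body in samples.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Matches for dynamic script creation also occur in legitimate code such as analytics loaders, so each hit needs manual review; content stored in a database is not covered by a file scan.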
