Trojan?


Not sure where to post this.... but I have a huge problem, when following the new link at the old website, I get notified that my anti-virus program has contained a Trojan. I am sure that no one on Morty's is responsible for this issue, but thought I should post about it just to be safe :) Notification states: Infection: JS:Agent-BY] [trj]

Thanks

Granny0214


I have also addressed this, Granny - in News/Announcements.

I'm surprised at so little concern.

I always get the warning when going to the daily update page and sometimes when I start at the main Forums page. The trojan may be attached to one of the banner ads. The one on this page right now is for malware removal.


As Katydidit mentioned in her posts on another thread, this may be a false positive.

However, if anyone else is having this problem, please post here and mention:

- the name of your anti-virus software

- which browser you are using (Internet Explorer, Firefox, Google Chrome, Opera, etc.)

- the error message / name of the trojan in question

That way, I can look into it.

(I couldn't find any info on the trojan using the exact name Granny provided.)

In the meantime, you can try updating your Java and checking for any recent updates to your anti-virus software and virus lists.


I still get it every time I visit the main update page.

Here is what Avast (paid subscription) tells me:

Infection Details:

URL: http://www.mortystv.com/bb/

Process: C:\Program Files\Internet Explorer\iexpl...

Infection: JS:Agent-BYJ [Trj]

I believe it is harmless, but certainly could scare people away from that page.


As far as I can tell, the JavaScript incorporated in the slideshow being used may be responsible for the false positive.

In all probability, some of the code is putting up a red flag in some anti-virus/malware software since it resembles parts of certain trojans.

After running an independent check over at Quttera, results came back as follows.

Normalized URL: http://www.tvfanforums.net:80
Submission date: Tue Jul 2 06:46:17 2013
Server IP address: 74.208.113.102
Country: United States
Server: Unknown
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 0
Clean files: 103
External links detected: 1738
Iframes scanned: 2
Blacklisted: No

Normalized URL: http://www.mortystv.com:80
Submission date: Tue Jul 2 06:59:21 2013
Server IP address: 66.59.67.21
Country: United States
Server: Unknown
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 2
Clean files: 134
External links detected: 1577
Iframes scanned: 10
Blacklisted: No

Detailed information on the 2 files is as follows:

mysite.verizon.net/vzewnsye/enlargeit.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval: __tmpvar525647456 = eval;
Threat dump:
[[//mousecursorofenlargedimagevarenl_noflash='Noflashpluginfound!';//msgifnoflashpluginfoundvarenl_canceltext='Clicktocancel';//tooltiptocancelloading//don'tmodifynextlinevarenl_buttonurl=newArray(),enl_buttontxt=newArray(),enl_buttonoff=newArray();//defineyourbuttonshereeval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){returnd[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(newRegExp('\\b'+e(c)+'\\b','g'),k[c])}}returnp}('i1A=1z69(),S=1z69(),3r=0;i2W,4M,Q,1p=0,2R=0;i28=j.5G%26%26!j.8C;3q=u;iC,2D=0,1h=s.2z,3d=u;i16,18,2x,2s,1t=\'\';i2K=0,1P=0,1f=8A,35=0,3j=0;i1H=u,2C=u,2S=0,4O;b4F(){8(!2K){2K=1;8(q4C==\'y\')47=0;8(q2B==\'y\')38=0;8(q2P==\'y\')2a=0;8(q3o==\'y\')26=0;8(q3N==\'y\')48=0;8(q4X==\'y\')7o=0;8(q4S==\'y\')M=0;f8(1l.24)M=1;8(q4a==\'y\]]
File size [byte]: 22585
File type: ASCII
MD5: 92C4B19474495993B46D957C886C7DC7
Scan duration [sec]: 0.43600
/javamedia/enlargeit.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval: __tmpvar122755164 = eval;
File size [byte]: 22585
File type: ASCII
MD5: 92C4B19474495993B46D957C886C7DC7
Scan duration [sec]: 0.484000

In both cases, it had to do with a script called "Enlarge it".

Either Avast has to modify their virus tables, or the software Morty uses to produce his slideshows needs to modify their code.

In the meantime, don't worry about the messages is my advice.

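The threat dump quoted in the post above opens with an `eval(function(p,a,c,k,e,d){...})` wrapper, the call shape of a widely used JavaScript packer, and the scan details flag the script for its use of `eval`. As an added example (not part of the original post, and not Quttera's or Avast's logic), this JavaScript recovers a packed script's source by dictionary substitution without executing it, so the code can be read before a detection is written off as a false positive; the sample input, its `enl_msg`/`enl_show` names and the `REVIEW_NEEDLES` list are constructed for illustration.

```javascript
// Added example: static triage of a "p,a,c,k,e,d"-packed script. Nothing here is eval'd.

// Packer call shape: }('payload',radix,count,'kw0|kw1|...'.split('|')
const PACKER_RE =
  /eval\(function\(p,a,c,k,e,[dr]\)\{[\s\S]*?\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

// The packer's own token encoding: digits 0-9, a-z, then A-Z for values 36..61.
function encode(n, radix) {
  const head = n < radix ? '' : encode(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Rebuild the original source by dictionary substitution instead of running the decoder.
function unpack(source) {
  const m = PACKER_RE.exec(source);
  if (!m) return null; // not wrapped by this packer
  const payload = m[1].replace(/\\(['\\])/g, '$1'); // undo \' and \\ from the string literal
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const keywords = m[4].split('|');
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encode(i, radix);
    dict.set(token, keywords[i] || token); // an empty keyword means "leave the token as is"
  }
  return payload.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Constructs worth a human look in the recovered source (assumed list, not a scanner's rule set).
const REVIEW_NEEDLES = ['eval(', 'document.write', 'unescape(', '<iframe', 'fromCharCode'];

function triage(source) {
  const unpacked = unpack(source);
  const text = unpacked === null ? source : unpacked;
  return {
    packed: unpacked !== null,
    unpacked,
    reviewHits: REVIEW_NEEDLES.filter((needle) => text.includes(needle)),
  };
}

// Constructed sample (not the site's enlargeit.js); the decoder body is replaced by a comment.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder */}('3 1=\'6\';2 5(){0.4=1}',62,7,'document|enl_msg|function|var|title|enl_show|loading'.split('|'),0,{}))`;

console.log(triage(SAMPLE));
```

An empty `reviewHits` on the recovered source means only that none of the listed constructs appear in it; the unpacked text still has to be read.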

Well, Jedi, you must have done something in there since I don't get the Trojan warning any more.

I do, however, get that very common "do you want to continue running this script?" message - only on the update page. Just FYI.

Thanks for all your help.






