Granny0214 Posted June 29, 2013
Not sure where to post this.... but I have a huge problem, when following the new link at the old website, I get notified that my anti-virus program has contained a Trojan. I am sure that no one on Morty's is responsible for this issue, but thought I should post about it just to be safe.
Notification states: Infection: JS:Agent-BY] [trj]
Thanks
Granny0214

Katydidit Posted June 29, 2013
I have also addressed this, Granny - in News/Announcements. I'm surprised at so little concern. I always get the warning when going to the daily update page and sometimes when I start at the main Forums page. The trojan may be attached to one of the banner ads. The one on this page right now is for malware removal.

JEDI Posted June 30, 2013
As Katydidit mentioned in her posts on another thread, this may be a false positive.
However, if anyone else is having this problem, please post here and mention:
- the name of your anti-virus software
- which browser you are using (Internet Explorer, Firefox, Google Chrome, Opera, etc.)
- the error message / name of the trojan in question
That way, I can look into it.
(I couldn't find any info on the trojan using the exact name Granny provided.)
In the meantime, you can try updating your Java and checking for any recent updates to your anti-virus software and virus lists.

Katydidit Posted July 1, 2013
I still get it every time I visit the main update page. Here is what Avast (paid subscription) tells me:
Infection Details:
URL: http://www.mortystv.com/bb/
Process: C:\Program Files\Internet Explorer\iexpl...
Infection: JS:Agent-BYJ [Trj]
I believe it is harmless, but certainly could scare people away from that page.

JEDI Posted July 2, 2013
As far as I can tell, the javascript incorporated in the slideshow being used may be responsible for the false positive.
In all probability, some of the code is putting up a red flag in some anti-virus/malware software since it resembles parts of certain trojans.
After running an independent check over at Quttera, results came back as follows.

Normalized URL: http://www.tvfanforums.net:80
Submission date: Tue Jul 2 06:46:17 2013
Server IP address: 74.208.113.102
Country: United States
Server: Unknown
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 0
Clean files: 103
External links detected: 1738
Iframes scanned: 2
Blacklisted: No

Normalized URL: http://www.mortystv.com:80
Submission date: Tue Jul 2 06:59:21 2013
Server IP address: 66.59.67.21
Country: United States
Server: Unknown
Malicious files: 0
Suspicious files: 0
Potentially Suspicious files: 2
Clean files: 134
External links detected: 1577
Iframes scanned: 10
Blacklisted: No

Detailed information on the 2 files is as follows:

mysite.verizon.net/vzewnsye/enlargeit.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval <code> __tmpvar525647456 = eval; <code/>
Threat dump: [[//mousecursorofenlargedimagevarenl_noflash='Noflashpluginfound!';//msgifnoflashpluginfoundvarenl_canceltext='Clicktocancel';//tooltiptocancelloading//don'tmodifynextlinevarenl_buttonurl=newArray(),enl_buttontxt=newArray(),enl_buttonoff=newArray();//defineyourbuttonshereeval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){returnd[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(newRegExp('\\b'+e(c)+'\\b','g'),k[c])}}returnp}('i1A=1z69(),S=1z69(),3r=0;i2W,4M,Q,1p=0,2R=0;i28=j.5G%26%26!j.8C;3q=u;iC,2D=0,1h=s.2z,3d=u;i16,18,2x,2s,1t=\'\';i2K=0,1P=0,1f=8A,35=0,3j=0;i1H=u,2C=u,2S=0,4O;b4F(){8(!2K){2K=1;8(q4C==\'y\')47=0;8(q2B==\'y\')38=0;8(q2P==\'y\')2a=0;8(q3o==\'y\')26=0;8(q3N==\'y\')48=0;8(q4X==\'y\')7o=0;8(q4S==\'y\')M=0;f8(1l.24)M=1;8(q4a==\'y\]]
File size[byte]: 22585
File type: ASCII
MD5: 92C4B19474495993B46D957C886C7DC7
Scan duration[sec]: 0.43600

/javamedia/enlargeit.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval <code> __tmpvar122755164 = eval; <code/>
Threat dump: [[//mousecursorofenlargedimagevarenl_noflash='Noflashpluginfound!';//msgifnoflashpluginfoundvarenl_canceltext='Clicktocancel';//tooltiptocancelloading//don'tmodifynextlinevarenl_buttonurl=newArray(),enl_buttontxt=newArray(),enl_buttonoff=newArray();//defineyourbuttonshereeval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){returnd[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(newRegExp('\\b'+e(c)+'\\b','g'),k[c])}}returnp}('i1A=1z69(),S=1z69(),3r=0;i2W,4M,Q,1p=0,2R=0;i28=j.5G%26%26!j.8C;3q=u;iC,2D=0,1h=s.2z,3d=u;i16,18,2x,2s,1t=\'\';i2K=0,1P=0,1f=8A,35=0,3j=0;i1H=u,2C=u,2S=0,4O;b4F(){8(!2K){2K=1;8(q4C==\'y\')47=0;8(q2B==\'y\')38=0;8(q2P==\'y\')2a=0;8(q3o==\'y\')26=0;8(q3N==\'y\')48=0;8(q4X==\'y\')7o=0;8(q4S==\'y\')M=0;f8(1l.24)M=1;8(q4a==\'y\]]
File size[byte]: 22585
File type: ASCII
MD5: 92C4B19474495993B46D957C886C7DC7
Scan duration[sec]: 0.484000

In both cases, it had to do with a script called "Enlarge it".
Either Avast has to modify their virus tables, or the software Morty uses to produce his slideshows needs to modify their code.
In the meantime, don't worry about the messages is my advice.

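The threat dump in the post above shows a script wrapped in `eval(function(p,a,c,k,e,d){...})`. As an added example (not part of the original thread, and not Quttera's or Avast's detection logic), the JavaScript below recognises that wrapper and recovers the packed source by token substitution alone, without calling eval, so the script can be read before deciding whether an alert is a false positive. The sample input and all function names are constructed for illustration.

```javascript
// Constructed sample: a tiny benign script inside the same p,a,c,k,e,d wrapper
// that appears in the threat dump (this is not the real enlargeit.js).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1=\'2\';3(1)',62,4,'var|msg|hi|show'.split('|'),0,{}))`;

// Wrapper signature, and the four arguments passed to it:
// payload string, radix, word count, '|'-separated word list.
const SIGNATURE = /eval\(function\(p,a,c,k,e,[dr]\)/;
const ARGS = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// True when the source carries the packer wrapper.
function isPacked(src) {
  return SIGNATURE.test(src);
}

// Same index-to-token encoding as the wrapper's own e() function.
function encode(n, radix) {
  const head = n < radix ? '' : encode(Math.floor(n / radix), radix);
  const r = n % radix;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Recover the original source by substitution only; nothing is executed.
function unpack(src) {
  const m = ARGS.exec(src);
  if (!m) return null; // not packed, or an argument layout this regex does not cover
  // Undo the string-literal escaping of the payload (\' and \\, plus \n).
  const unquote = s => s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split('|');
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encode(i, radix);
    dict.set(token, words[i] || token); // empty entry: the token stands for itself
  }
  return unquote(m[1]).replace(/\w+/g, t => dict.get(t) ?? t);
}

console.log(isPacked(SAMPLE), unpack(SAMPLE));
```
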
Katydidit Posted July 5, 2013
Well, Jedi, you must have done something in there since I don't get the Trojan warning any more. I do, however, get that very common "do you want to continue running this script?" message - only on the update page. Just FYI. Thanks for all your help.