Drive-by Download???


Kid Shamrock
April 30th, 2007, 07:59 PM
Hi everyone!

Earlier today, I clicked on an adult website that was marked as safe by SiteAdvisor. As soon as the page opened, I got two popups from KIS that Trojans were attempting to load: Trojan-Downloader.JS.Small.dz and Trojan program Trojan-Downloader.JS.Agent.ex. Both Trojans were blocked and deleted successfully. After rebooting, I decided to experiment and went to the same website again. This time the page loaded with no popups at all!! I'm confused now about whether the first time was a false positive or what. I'm running XP fully patched, KIS 6.0.2.621, and A-squared AntiMalware realtime, SAS on demand. Has anyone else encountered something like this? BTW, there were no alerts from a-squared at all.


Kid Shamrock

TopperID
April 30th, 2007, 08:56 PM
There wouldn't be an alert from A2 because it never got a sniff of the bogies. Although these things are called 'Trojans' by KAV and other AVs, they are most likely to be exploits embedded into the web page - if the exploit succeeds it will then D/L actual trojans (i.e. executable files) onto your system.

If you were running KAV's web-scanner it would have blocked the exploit code from being written to your HD, so there is no question of deleting the baddies since they never got in at all. If you were not running the web-scanner then they would have probably been written to your Temp Internet Files, whereupon your AV would have blocked them and, in that case, you would have needed to delete them via the file scanner. Personally I have my AV Guard configured to automatically delete such findings so that any pop-up I get is informational and requires no action.

In these cases though, I always like to run a cache cleaner to clear out all junk in temp locations.

I'm willing to bet that if you went to the same site with JavaScript, VBScript, Java applets and ActiveX etc. all disabled in your browser, you would not get the pop-up from KAV. The reason being that since all dangerous code is being blocked by your system, KAV will have nothing coming its way in the first place. With all website mobile code blocked you are unlikely to be exploited successfully (even though in theory it could happen, e.g. the .wmf exploit of a while back).
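The post above argues that the AV only ever sees the downloader because the browser runs the page's active content; with scripting and plugins disabled there is nothing for it to catch. As an added example (not code from this thread or from any of the products named in it), the following Python script inventories the "mobile code" in a saved page from the browser cache, so an analyst can see what would have executed: script blocks, iframes (flagging ones sized or styled to be invisible), object/embed/applet elements and inline event handlers. The sample page, the hostname example.invalid and the function names are constructed for the example.

```python
"""Triage helper (added example): list the active content in a saved web page.

Reads an HTML file pulled from the browser cache and reports the elements a
browser with JavaScript/VBScript/applets/ActiveX disabled would never run.
"""
import sys
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Elements that carry active content a locked-down browser would not execute.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}

# Constructed sample page for the example; example.invalid is a reserved test domain.
SAMPLE_PAGE = """<html><body>
<h1>Gallery</h1>
<iframe src="http://example.invalid/x.html" width="0" height="0" style="display:none"></iframe>
<script type="text/javascript">var a = 1;</script>
<img src="photo.jpg" onload="init()">
<p>Plain text that any browser setting will render.</p>
</body></html>"""


def is_hidden(attrs: Dict[str, str]) -> bool:
    """True when an element is styled or sized so the user cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    zero = {"0", "0px"}
    return attrs.get("width", "").strip() in zero or attrs.get("height", "").strip() in zero


class ActiveContentParser(HTMLParser):
    """Collects (element, attributes) pairs for every piece of active content."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, Dict[str, str]]] = []
        self._inline_script: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, attrs))
        # on* attributes (onload, onerror, ...) are script as well.
        handlers = {k: v for k, v in attrs.items() if k.startswith("on")}
        if handlers:
            self.findings.append((f"{tag}@eventhandler", handlers))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self._inline_script.append(data)

    def inline_script_chars(self) -> int:
        return len("".join(self._inline_script).strip())


def triage(html: str) -> dict:
    """Return a summary of the active content found in the page."""
    parser = ActiveContentParser()
    parser.feed(html)
    parser.close()
    return {
        "active_elements": [tag for tag, _ in parser.findings],
        "hidden_iframes": [a.get("src", "") for tag, a in parser.findings
                           if tag == "iframe" and is_hidden(a)],
        "external_scripts": [a["src"] for tag, a in parser.findings
                             if tag == "script" and a.get("src")],
        "inline_script_chars": parser.inline_script_chars(),
    }


if __name__ == "__main__":
    # Usage: python triage.py cached_page.html   (falls back to the sample page)
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    for key, value in triage(html).items():
        print(f"{key}: {value}")
```

On the sample page the script reports one hidden iframe, one inline script block and one inline event handler; the heading and paragraph, which any browser setting will render, are not listed. Run it against a page saved from Temporary Internet Files to see exactly which elements the "disable mobile code" advice above would have neutralized.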

Mrkvonic
May 1st, 2007, 01:10 AM
Hello,
If you use Firefox to visit such sites - or any site for that matter - you will never see a popup... or an attempted drive-by or anything...
Mrk

Rmus
May 1st, 2007, 01:33 AM
{QUOTE-> As soon as the page opened, I got two popups from KIS that Trojans were attempting to load. Trojan-Downloader.JS.Small.dz and Trojan program Trojan-Downloader.JS.Agent.ex. <-QUOTE}

Can you post the link (as hxxp://) so we can look at the code?

-rich

The Hammer
May 1st, 2007, 01:37 AM
{QUOTE-> Hi everyone!

Earlier today, I clicked on an adult website that was marked as safe by SiteAdvisor. As soon as the page opened, I got two popups from KIS that Trojans were attempting to load. Trojan-Downloader.JS.Small.dz and Trojan program Trojan-Downloader.JS.Agent.ex. Both Trojans were blocked and deleted successfully. After rebooting, I decided to experiment and went to the same website again. This time the page loaded with no popups at all!! I'm confused now about whether the first time was a false positive or what. I'm running XP fully patched, KIS 6.0.2.621, and A-squared AntiMalware realtime. SAS on demand. Has anyone else encountered something like this? BTW, there were no alerts from a-squared at all.


Kid Shamrock <-QUOTE}

Maybe you should switch from SiteAdvisor. See this thread: http://www.wilderssecurity.com/showthread.php?p=994674#post994674