NOD32 Blocking of Malicious Javascript

Discussion in 'NOD32 version 2 Forum' started by TheKid7, Aug 5, 2006.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Jul 22, 2006
    When I initially purchased a license for NOD32 (preconfigured with Blackspear's Recommended Settings), I tested it at EICAR. Sometimes I would get a splash page from NOD32 and sometimes I would only get something like "Page Not Found", etc. Basically I would not be allowed access to any file at EICAR.

    I frequently look at discount/deals type websites. Almost all of the time there are no files to download. However, yesterday they had WinRAR 3.51 with a free license. I filled out the form. They sent an E-Mail with the download link. When I clicked on the E-Mail link, my BlueCoat Web Protection Filter denied access. I was stubborn and temporarily bypassed the Filter. There was a tab for a link to the free license. When I moved the mouse over the tab, it was labeled as JavaScript. I repeatedly clicked on the link and there was no response. Is this link not working what NOD32 does in that case to prevent infection?

    I looked at forum posts for that website. Only one person reported that the actual download file had a Trojan in it. The following is what one person out of 100+ posted:


    I followed the instructions and links from the email I received.

    As soon as I installed the program, Symantec Anti-virus found Trojan.Dropper in the file: Default.sfx in the WinRar folder.

    Here's Symantec's page re: this trojan:

    It's a low-level threat, but the fact that I've downloaded any kind of threat really bugs me.

    Anyone else run into this?
  2. Blackspear

    Blackspear Global Moderator

    Dec 2, 2002
    Gold Coast, Queensland, Australia
    It sounds more like you have a Javascript issue than anything else. When you click on the "Smilies" in this forum, do they work?

    Cheers :D
    Last edited: Aug 7, 2006
  3. nameless

    nameless Registered Member

    Feb 23, 2003
    I've often wondered, sometimes out loud, how people get infected all the time.

    I no longer wonder.
  4. Brian N

    Brian N Registered Member

    Jul 7, 2005
    Default.sfx is not a trojan, never was, never will be.
    In previous versions of WinRAR the file was packed using UPX (archives too), but they removed it since most AV vendors didn't bother fixing their false positive. In the new version (3.51), only TheHacker is detecting it, as: Aplicacion/NetCat.

    And if you do not want to have Javascript enabled all the time, I suggest you download Firefox + NoScript extension.
  5. alglove

    alglove Registered Member

    Jan 17, 2005
    Houston, Texas, USA

    Try submitting the suspicious file to or . These are two online services that will run the suspicious file through several different virus scanners. It could be that the 100+ posters were correct, and the 1 poster had found a false positive.