JavaScript false positives

Discussion in 'ESET NOD32 Antivirus' started by ProTON, Dec 31, 2009.

Thread Status:
Not open for further replies.
  1. ProTON

    ProTON Registered Member

    Seems like NOD32 Antivirus 2.x and 4.x have been reporting a lot of false positives for the last couple of days, mainly complaining about such scripts as jquery.min.js or prototype.js. These are completely good open source libraries used by many developers worldwide.
     
  2. Marcos

    Marcos Eset Staff Account

    Please submit a couple of such files per the instructions here. We'll see if they are actually clean or if bad code is included in them. I've downloaded jQuery JavaScript Library v1.3.2 and Prototype JS framework v. 1.6.1 and both were reported clean.
     
    Last edited: Dec 31, 2009
  3. danieln

    danieln Eset Staff

    I am curious, what is the name of the detection?
     
  4. ProTON

    ProTON Registered Member

    The name reported is TrojanDownloader.Agent.NRL. I have checked the Remote Administrator log; this mainly happens on the 2.x series, but I also have one affected 4.x computer.

    Unfortunately I cannot upload any samples, because I'm receiving those messages by email from the AMON module, so I don't know the exact URL. The last time I saw it was with the 1.3.1 jquery.min.js file.

    RA Log:

    Threat Id Client Name Primary Server Date Received Date Occurred Level Scanner Object Name Threat Action User Information
    Threat 3213 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\JVGNS6MP\jquery.form[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3212 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\JVGNS6MP\loadactions[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3211 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\VBVGC0YY\ui.core[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3210 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\3OAHG6D9\config[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3209 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\VBVGC0YY\thickbox[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3208 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\VBVGC0YY\jquery.cookie[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3207 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\7PIPKZBM\swfobject[2].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3206 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\7PIPKZBM\jquery.highlightFade[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3205 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\7PIPKZBM\inputfields[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3204 Lauciskyte Laisvas 40 minutes ago 41 minutes ago Critical Warning NOD32 AMON file C:\Documents and Settings\lauciskyte.LNK.LT\Local Settings\Temporary Internet Files\Content.IE5\XQX2KRR4\jquery-1.3.2.min[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3203 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\2J1RYIV4\favicon[1].htm JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file has been deleted.
    Threat 3202 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\EU3E1KEO\lightview[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3201 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\ISVI35LW\scriptaculous[1].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3200 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\P3SGJR4U\prototype[4].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3199 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\P3SGJR4U\prototype[4].js JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3198 Alytaite Laisvas 19 hours ago 19 hours ago Critical Warning NOD32 AMON file C:\Documents and Settings\alytaite\Local Settings\Temporary Internet Files\Content.IE5\0KPOTGH9\boruna_lt[1].htm JS/TrojanDownloader.Agent.NRL trojan error while Cleaning - operation unavailable for this type of object Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3197 Praktika Laisvas 20 hours ago 21 hours ago Warning Real-time file system protection file C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\9YMAFMMF\jquery-1.3.1.min[1].js JS/TrojanDownloader.Agent.NRL trojan cleaned by deleting (after the next restart) - quarantined PRAKTIKA\LNK Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Threat 3196 Praktika Laisvas 20 hours ago 21 hours ago Warning Real-time file system protection file C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\9YMAFMMF\common[1].js JS/TrojanDownloader.Agent.NRL trojan cleaned by deleting (after the next restart) - quarantined PRAKTIKA\LNK Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
     
    Last edited: Dec 31, 2009
  5. Marcos

    Marcos Eset Staff Account

    jQuery JavaScript Library v1.3.1, too, is reported clean. It sounds like your js libraries got infected, hence we'd need you to submit them to the ESET lab for analysis.
     
  6. Marcos

    Marcos Eset Staff Account

    Version 2 used to report "operation unavailable for this type of object" if automatic cleaning of infected files was enabled and the detected threat was uncleanable (i.e. malware other than file-infecting viruses, such as trojans, backdoors, etc.). Please send a couple of those js files to the ESET lab as suggested above.
     
  7. ProTON

    ProTON Registered Member

    OK, finally had time to acquire a couple of samples from -galvosukiai.lt- and sent them to ESET.

    EDIT: Sorry, seems my mail server doesn't allow compressed archives with a password. I have uploaded it to... Snipped: a link to infected files removed
     
    Last edited by a moderator: Jan 3, 2010
  8. Marcos

    Marcos Eset Staff Account

    The files are indeed infected. Check the obfuscated javascript on the last line commencing with "/*GNU GPL*/". This was most likely added by malware.
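
    For site owners who want to check their own web root for the tampering described in this thread, the following is an added example and not part of any post or of ESET's tooling. It flags script and HTML files containing a line that begins with the "/*GNU GPL*/" prefix quoted above, and shows how to isolate content appended to a library by comparing it with a clean upstream copy; the sample files, file names and function names are constructed for illustration.

```python
from __future__ import annotations
import os
import tempfile

MARKER = b"/*GNU GPL*/"                  # line prefix quoted in the thread
SCAN_EXTS = (".js", ".htm", ".html")     # file types that appear in the RA log

def marker_lines(data: bytes) -> list[int]:
    """Return 1-based numbers of lines that begin with MARKER."""
    return [n for n, line in enumerate(data.splitlines(), 1)
            if line.lstrip().startswith(MARKER)]

def appended_tail(served: bytes, pristine: bytes) -> bytes | None:
    """If served is the pristine file plus trailing content, return the extra part."""
    base = pristine.rstrip()
    if served.startswith(base) and len(served.rstrip()) > len(base):
        return served[len(base):].strip()
    return None                          # identical, or changed elsewhere

def scan_tree(root: str) -> dict[str, list[int]]:
    """Walk root; map relative path -> marker line numbers for matching files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found = marker_lines(fh.read())
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits

# Constructed samples: a stand-in "library" and a copy with one appended line.
PRISTINE = b"/* demo library (constructed) */\nfunction demo(){return 1;}\n"
INJECTED = PRISTINE + b"/*GNU GPL*/ var placeholder_for_obfuscated_code;\n"

def demo() -> tuple[dict[str, list[int]], bytes | None]:
    """Build a throwaway web root, scan it, and diff one file against upstream."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        for rel, body in (("js/clean.js", PRISTINE),
                          ("js/lib.min.js", INJECTED),
                          ("index.htm", INJECTED)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_tree(root), appended_tail(INJECTED, PRISTINE)

if __name__ == "__main__":
    print(demo())
```

    A hit means the file differs from what the library authors shipped; restore it from a trusted upstream copy and find out how the server-side files were modified before putting the site back online.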
     
  9. ProTON

    ProTON Registered Member

    Thank you for investigating.
     