NOD32 Blocking of Malicious Javascript

Discussion in 'NOD32 version 2 Forum' started by TheKid7, Aug 5, 2006.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    When I initially purchased a license for NOD32 (preconfigured with Blackspear's Recommended Settings) I tested it at EICAR. Sometimes I would get a splash page from NOD32 and sometimes I would only get something like "Page Not Found", etc. Basically I would not be allowed access to any file at EICAR.

    I frequently look at discount/deals type websites. Almost all of the time there are no files to download. However, yesterday they had WinRAR 3.51 with a free license. I filled out the form. They sent an E-Mail with the download link. When I clicked on the E-Mail link my BlueCoat Web Protection Filter denied access. I was stubborn and temporarily bypassed the Filter. There was a tab for a link to the free license. When I moved the mouse over the tab it was labeled as JavaScript. I repeatedly clicked on the link and there was no response. Is this link not working what NOD32 does in that case to prevent infection?

    I looked at forum posts for that website. Only one person reported that the actual download file had a Trojan in it. The following is what one person out of 100+ posted:

    --------------------------------------------------------------------------

    I followed the instructions and links from the email I received.

    As soon as I installed the program, Symantec Anti-virus found Trojan.Dropper in the file: Default.sfx in the WinRar folder.

    Here's Symantec's page re: this trojan:
    http://www.symantec.com/security_res...082718-3007-99

    It's a low-level threat, but the fact that I've downloaded any kind of threat really bugs me.

    Anyone else run into this?
    -------------------------------------------------------------------------
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It sounds more like you have a Javascript issue than anything else. When you click on the "Smilies" in this forum, do they work?

    Cheers :D
     
    Last edited: Aug 7, 2006
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I've often wondered, sometimes out loud, how people get infected all the time.

    I no longer wonder.
     
  4. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Default.sfx is not a trojan, never was, never will be.
    In previous versions of WinRAR the file was packed using UPX (archives too), but they removed it since most AV vendors didn't bother fixing their false positive. In the new version (3.51), only TheHacker is detecting it, as: Aplicacion/NetCat.

    And if you do not want to have Javascript enabled all the time, I suggest you download Firefox + NoScript extension.
     
  5. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    TheKid7,

    Try submitting the suspicious file to http://www.virustotal.com or http://virusscan.jotti.org . These are two online services that will run the suspicious file through several different virus scanners. It could be that the 100+ posters were correct, and the 1 poster had found a false positive.
     