NOD32 Blocking of Malicious Javascript

Discussion in 'NOD32 version 2 Forum' started by TheKid7, Aug 5, 2006.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined: Jul 22, 2006
    Posts: 3,502
    When I initially purchased a license for NOD32 (preconfigured with BlackSpear's Recommended Settings), I tested it at EICAR. Sometimes I would get a splash page from NOD32 and sometimes I would only get something like "Page Not Found", etc. Basically, I would not be allowed access to any file at EICAR.

    I frequently look at discount/deals type websites. Almost all of the time there are no files to download. However, yesterday they had WinRAR 3.51 with a free license. I filled out the form. They sent an E-Mail with the download link. When I clicked on the E-Mail link, my BlueCoat Web Protection Filter denied access. I was stubborn and temporarily bypassed the Filter. There was a tab for a link to the free license. When I moved the mouse over the tab, it was labeled as JavaScript. I repeatedly clicked on the link and there was no response. Is this link not working what NOD32 does in that case to prevent infection?

    I looked at forum posts for that website. Only one person reported that the actual download file had a Trojan in it. The following is what one person out of 100+ posted:

    --------------------------------------------------------------------------

    I followed the instructions and links from the email I received.

    As soon as I installed the program, Symantec Anti-virus found Trojan.Dropper in the file: Default.sfx in the WinRar folder.

    Here's Symantec's page re: this trojan:
    http://www.symantec.com/security_res...082718-3007-99

    It's a low-level threat, but the fact that I've downloaded any kind of threat really bugs me.

    Anyone else run into this?
    -------------------------------------------------------------------------
     
  2. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002
    Posts: 15,115
    Location: Gold Coast, Queensland, Australia
    It sounds more like you have a Javascript issue than anything else. When you click on the "Smilies" in this forum, do they work?

    Cheers :D
     
    Last edited: Aug 7, 2006
  3. nameless

    nameless Registered Member

    Joined: Feb 23, 2003
    Posts: 1,194
    I've often wondered, sometimes out loud, how people get infected all the time.

    I no longer wonder.
     
  4. Brian N

    Brian N Registered Member

    Joined: Jul 7, 2005
    Posts: 2,174
    Location: Denmark
    Default.sfx is not a trojan, never was, never will be.
    In previous versions of WinRAR the file was packed using UPX (archives too), but they removed it since most AV vendors didn't bother fixing their false positive. With the new version (3.51), only TheHacker is detecting it, as: Aplicacion/NetCat.

    And if you do not want to have Javascript enabled all the time, I suggest you download Firefox + NoScript extension.
     
  5. alglove

    alglove Registered Member

    Joined: Jan 17, 2005
    Posts: 904
    Location: Houston, Texas, USA
    TheKid7,

    Try submitting the suspicious file to http://www.virustotal.com or http://virusscan.jotti.org. These are two online services that will run the suspicious file through several different virus scanners. It could be that the 100+ posters were correct, and the 1 poster had found a false positive.
     