Mailing List Archive

ClamAV claiming Trojan.JS.Downloader Found
ClamAV 0.93

Hi,

Just wondering why clamav reports the attached files as being a virus:
Trojan.JS.Downloader-1. I'm not sure what the compressed code translates
to and wasn't sure if there are any online tools which would safely
unpack it to try to see if the code does contain any malicious content.

mouseover.js: Trojan.JS.Downloader-1 FOUND
smooth.js: Trojan.JS.Downloader-1 FOUND
ie2.js: Trojan.JS.Downloader-1 FOUND

Here is the code from one of the files (ie2.js) just in case the mailing
list blocks the attached files:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};
if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);
k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};
while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
return p}('b.2("a",1(){$$("#6 4").9(1(0){0.2("7",1(){0.8("3")});0.2("5",1(){0.c("3")})})});',
13,13,'el|function|addEvent|sfHover|li|mouseleave|navigacija|mouseenter|addClass|each|load|window|removeClass'.split('|'),0,{}))


thx,

SW
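
The packed ie2.js text quoted above can be translated back to readable source without executing it. The following is an added example, not part of the original messages or of ClamAV: a static unpacker for the eval(function(p,a,c,k,e,r){...}) wrapper. The names unpackStatic, encode and unescapeLiteral are chosen here, and the escape handling (\' \\ \n only) is a simplifying assumption.

```javascript
// Added example: static unpacker for "eval(function(p,a,c,k,e,r){...})" blobs.
// The packed text is parsed as data only; eval() is never called.

// Constructed sample: the ie2.js text from the post with wrapped lines rejoined.
const SAMPLE =
  String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};` +
  String.raw`if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);` +
  String.raw`k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};` +
  String.raw`while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);` +
  String.raw`return p}('b.2("a",1(){$$("#6 4").9(1(0){0.2("7",1(){0.8("3")});` +
  String.raw`0.2("5",1(){0.c("3")})})});',13,13,` +
  String.raw`'el|function|addEvent|sfHover|li|mouseleave|navigacija|mouseenter|addClass|each|load|window|removeClass'.split('|'),0,{}))`;

// Matches the call arguments: }('payload',radix,count,'w0|w1|...'.split('|')
const ARGS = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)/;

// Token for word index n, as the packer writes it (radix 2 to 62).
function encode(n, radix) {
  const low = n % radix;
  const digit = low > 35 ? String.fromCharCode(low + 29) : low.toString(36);
  return (n < radix ? '' : encode(Math.floor(n / radix), radix)) + digit;
}

// Undo the string-literal escapes (\' \\ \n) without evaluating anything.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
}

// Returns the unpacked source text, or null if the input is not in this format.
function unpackStatic(source) {
  const m = ARGS.exec(source);
  if (m === null) return null;
  const radix = Number(m[2]);
  if (radix < 2 || radix > 62) return null; // outside what the packer emits
  const words = m[4].split('|');
  const count = Math.min(Number(m[3]), words.length);
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = encode(i, radix);
    table.set(token, words[i] || token); // empty slot means "keep the token"
  }
  return unescapeLiteral(m[1]).replace(/\b\w+\b/g, (t) => (table.has(t) ? table.get(t) : t));
}

console.log(unpackStatic(SAMPLE));
```

Run with node against the file contents; the result is plain text to read or diff, and an unpacked result that still begins with eval( can be fed through unpackStatic again.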
Re: ClamAV claiming Trojan.JS.Downloader Found
Steve West wrote:
> ClamAV 0.93
>
> Hi,
>
> Just wondering why clamav reports the attached files as being a virus:
> Trojan.JS.Downloader-1. I'm not sure what the compressed code translates
> to and wasn't sure if there are any online tools which would safely
> unpack it to try to see if the code does contain any malicious content.

Hi Steve,
Thanks for the report; however, the bad signature was removed ~30 hours ago.
You'd better run freshclam more often.

-aCaB
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html