[clamav-users] jquery-1.2.6.pack.js is now a Win.Trojan.Agent-1430626
Al Varnell
alvarnell at mac.com
Thu Jun 2 05:26:46 UTC 2016
On Wed, Jun 01, 2016 at 09:41 PM, Raphaël wrote:
>
> Hi,
>
> One of my teammates recently got notified about (more) trojans since the 21640 update
> http://lists.clamav.net/pipermail/clamav-virusdb/2016-May/002964.html
>
> A derived version of jquery-1.2.6.pack.js now matches a known signature:
>
> # download original JQ
> $ wget http://code.jquery.com/jquery-1.2.6.pack.js
>
> # play with whitespace to match SVN raw file
> $ sed -r -e 1i$'\x0a' -e '/Date:|Rev:/s/ \$$//' -e '/Date:|Rev:/s/\$//' jquery-1.2.6.pack.js > jquery-1.2.6.pack.mod.js
>
> $ clamscan jquery-1.2.6.pack.mod.js
>> Win.Trojan.Agent-1430626 FOUND
The signature is an MD5 hash value, so not necessarily associated with javascript, but see VT reference below.
> Given the importance of today's (closed-source) javascript in computing
> tasks, that makes sense. But I fear this wasn't expected.
>
> Out of curiosity, how/who/why does it come from?
Where does what come from, the signature? If so, the clamav signature writing team who may have gotten it from VirusTotal here:
<https://www.virustotal.com/en/file/b715dac714bcd5d1e989f4cc3621b8274b3a8fdebb52fc70e07ba91072bcef59/analysis/>.
Appears to have been submitted multiple times since Nov 2011. One comment indicates that it might be PUA and "the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat." Votes are 3 to 1 malicious, but I'm not sure why.
> How many such false positives does the DB possibly contain already?
Probably a lot, but we'll never know unless users like you and I submit them as a False Positive Report:
<http://www.clamav.net/reports/fp>
-Al-
--
Al Varnell
Mountain View, CA
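To make the exchange above concrete, here is an added example (not ClamAV's code, and not from either poster) that models how a ClamAV hash signature line (the .hdb format, MD5:size:name) is matched against a file, why the blank line that the sed command inserts at the top is enough to flip the result, and how a local .fp whitelist line in the same format suppresses a confirmed false positive. The jQuery header bytes and the signature line are constructed for the example; the real signature's MD5 is not on this page.

```python
"""Model of ClamAV .hdb hash matching and .fp whitelisting (added example)."""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-in for the first bytes of jquery-1.2.6.pack.js.
ORIGINAL = b"/*\n * jQuery 1.2.6 - New Wave Javascript\n * $Date: 2008-05-24 $\n */\n"
# What `sed -e 1i$'\x0a'` produces: one extra blank line at the top.
MODIFIED = b"\n" + ORIGINAL


def hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV-style hash signature: MD5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_db(text: str) -> Dict[Tuple[str, int], str]:
    """Parse .hdb/.fp lines into {(md5, size): name}, ignoring comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        entries[(digest.lower(), int(size))] = name
    return entries


def scan(data: bytes, hdb: str, fp: str = "") -> Optional[str]:
    """Return the matching signature name, or None if no match or whitelisted."""
    key = (hashlib.md5(data).hexdigest(), len(data))
    if key in parse_db(fp):          # .fp entries override .hdb hits
        return None
    return parse_db(hdb).get(key)


# Constructed signature for the whitespace-modified file (name from the thread).
SIG_DB = hdb_line(MODIFIED, "Win.Trojan.Agent-1430626")
# Local false-positive whitelist for the same bytes, once confirmed benign.
FP_DB = hdb_line(MODIFIED, "jquery-1.2.6.pack.js.FP")

if __name__ == "__main__":
    print("modified:", scan(MODIFIED, SIG_DB))        # signature name
    print("original:", scan(ORIGINAL, SIG_DB))        # None: one byte differs
    print("whitelisted:", scan(MODIFIED, SIG_DB, FP_DB))  # None
```

Because the match is on the exact MD5 and size, a hash signature says nothing about the JavaScript itself; the fix for a confirmed false positive is a report to the address Al gives, with an .fp line as a local stopgap.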