Sponsored by..

Monday, 31 December 2007

Js/snz.a - likely false positive in eTrust / Vet Anti-Virus

It appears that CA's eTrust Anti-Virus product (also known as Vet Anti-Virus, often bundled with other security applications such as ZoneAlarm) is coming up with a false positive for js/snz.a for several complex javascript applications.

As far as I can tell, the javascript uses complex encoding but is not malware. These javascript elements are widely used on the web. As far as I can tell, they are not harmful in any way and this is a mis-identification by eTrust / Vet.

The signature that has the problem is 31.3.5417 dated 31/12/07

Some of the Javascript files that seem to trigger an alert are named:

  • jquery.js
  • mootools.js
  • ifx.js
  • show_ads.js
  • relevancead.js
  • submodal.js
  • iutil.js
  • ifxslide.js
There may be other javascript apps that show the same problem - of course, filenames are arbitary and can be absolutely anything at all.

If you're running Internet Explorer, then you may see an alert for an individual .js file as above, in a Mozilla-based browser (such as Seamonkey or Firefox) you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx

Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.

You can submit suspect files to CA here for analysis, that may well help them to fix the problem.

Follow up: this problem has now been fixed. It turns out that the javascript had been compressed using this packer tool which itself is harmless, but it does appear that the packer has been used for malicious javascript applications in the past as well as legitimate ones. Perhaps the lesson is.. don't pack or obfuscate your javascript!

Thursday, 27 December 2007

Dating Scam Sites V

Another bunch of dating scam sites, to follow on from these. Hosted on 210.14.129.25.

  • Engineride.info
  • Enginewreck.info
  • Glorylandusa.info
  • Glorywaychurchx.info
  • Honordays.info
  • Honorholes.info
  • Honorministries.info
  • Morninghonor.info
  • Oldgloryshirts.info
  • Simoldglory.info
  • Usoldglory.info
  • Theredglow.info

Sample email:

Hey you
I read your profile on-line a few minutes ago and you seem intresting
email me at Nikki@GloryWayChurchx.info and I will reply with a Picture and Info
about me right away
I will stay online and wait for your email
Talk to you soon

Tuesday, 18 December 2007

Highly targeted phish - frauddept@ustreas.gov


This is a highly targeted phish aimed at senior management in a company. The manager (typically a principle officer or other named contact) is named in full, along with the full name of the target company. Attached is a file called complaint.zip with a trojan.

In this case, the email comes from frauddept@ustreas.gov but it could potentially come from any government agency. The bottom line.. exercise caution with unsolicited email attachments.

Dear [Real Name],

A complaint has been filled against the company you are affiliated to [Company Name] in regards to the possibillity of tax avoidance and money laundering schemes.

The complaint was filled by Mr. Benjamin Kent on 12/10/2007 and contains refferences that link your company and another 4 companies in an attemt to gain illegal proffit.

Registration : [Reference] Date: 12/10/2007

A copy of the initial complaint and claims has been attached to this e-mail.Please print and keep this copy for your personal records.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:

Claims based on product liability;

Claims for personal injuries;

Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the US Department of Treasury.

The Department of Treasury offers a binding arbitration service for

disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.