trojan script 473411

**5thfoot** · Tue 12 Oct '10, 11:12am

Originally posted by Lynne

What host are you guys using? Are you contacting your hosts and asking for help to figure out how this happened (by looking through the access_logs)?

There's nothing wrong with our servers/installations. This is a false positive. this script: vbulletin_quick_edit_picturecomment.js

is erroneously triggering a trojan alert on these anti-virus programs: BitDefender, G Data, Emsisoft, F-Secure, Ikarus, nProtect.

There is nothing we can do.

To fix this vBulletin need to modify that script so it does not look like a trojan to those antivirus programs,......or....... those anti-virus programs need to update their defective virus definitions.

In the meantime all 3.8.x installations are building a data profile as trojan sources. won't be long now before they are blocked as "dangerous websites"

**Trevor Hannant** · Tue 12 Oct '10, 12:29pm

Have you raised this in the Tracker?

**bforum** · Tue 12 Oct '10, 1:02pm

nvm

**bforum** · Tue 12 Oct '10, 1:03pm

Originally posted by 5thfoot

there is a thread here:

Trojan Horse - Belgiumdigital forum

http://forum.belgiumdigital.com/f59/trojan-horse-333409.html

Forum voor alle off-topic postings, postings die dus absoluut NIETS met fotografie te maken hoeven hebben. Lees de specifieke forumregels erop na in de sticky posting.

unfortunately in Dutch and my translator is making a mess of it... can any dutch speaker confirm the conclusion that it's a false positive?

anti-virus known to be producing this warning (so far):

G-Data
F-Secure
'Virgin Media Security' which uses third party software, possibly Kaspersky ?
BitDefender

anti-virus not producing a awarning:

Avast
Trend Micro
AVG

there still searching what it is ,but they think its not the forumsoftware but the site where the photos are hosted on ,since this is implemented in the forum
they check also the adverts and the codes ,strange thing is Firefox with pop up blocker is giving no warning at al
IE give a virus warning ,if they find the answer ill post it here ,in case if i forget (shi% load of work) do pm me ,i am more than willing to let u know ...

**Zachery** · Tue 12 Oct '10, 1:32pm

It sounds like you have a gifjar file, its an image with a jar (java program) inside of it, which it might be flagging.

**bforum** · Tue 12 Oct '10, 1:38pm

what i did on the site of Belgiumdigital.com was checking their photo sections ,and indeed with IE
i got a warning ,somehow i did not get the feeling it was a third party photo hosting site issue ,but more in the
advertisments they used ,i followed the advertisment servers urls and blocked all of them ,using the host file in windows.
i looked into Google to find a full list of advert sites i could block .
found a nice list with about hundred of ad servers .
copy pasted them in the host file and its working ,since that i dont have warning anymore
perhaps luck perhaps not

**5thfoot** · Tue 12 Oct '10, 4:10pm

I have no idea what the last four posts are going on about.

Anyway, for those concerned individuals that have read the thread, you will be relieved to know the errant virus definitions are updating with only two now reporting instead of six. These will no doubt drop out shortly too and we will be back to normal.

http://www.virustotal.com/file-scan/report.html?id=2919b90d14be972b08272408adbf3f581f1f15704024e70a47a09edcfcda2ce4-1286928094

**dbode** · Tue 12 Oct '10, 10:18pm

Hi Lynne,

this is definately a false positive. Our servers have not been hacked. I checked other websites with G Data activated and every website around using vbulletin is telling me, that there is the virus when I hit the javascript.

So there are two possibilities:

a) Every vbulletin on the world is infected.
b) It is a false positive.

The problem is how to fix it - wait for the virus definitions to recognise your script as a false positive or fix it by changing the code.

**Nucleus1** · Wed 13 Oct '10, 6:28am

I am using One.com and they also says that my website has not been hacked.

**Zachery** · Thu 14 Oct '10, 10:35am

Well do you have any ads on your site?

**smiggy** · Thu 14 Oct '10, 12:37pm

So, this isn't a security exploit?

**Zachery** · Thu 14 Oct '10, 12:40pm

Really depends how its getting in. If its from a third party content provider you added to your own site, thats not really something we are responsable for.

**big.blue** · Thu 14 Oct '10, 9:52pm

Originally posted by 5thfoot

I have no idea what the last four posts are going on about.

Anyway, for those concerned individuals that have read the thread, you will be relieved to know the errant virus definitions are updating with only two now reporting instead of six. These will no doubt drop out shortly too and we will be back to normal.

http://www.virustotal.com/file-scan/...ce4-1286928094

Thanks 5thfoot, you were right all the time. This whole thing was a errant virus definition. I just checked out my site, Pictures & Albums no longer give Trojan warnings now. Its seems fixed at last.

vBulletin 3 End of Life

trojan script 473411

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment