addthis_widget.js alert spam

[Marcos 4,926]

I see "2017-09-25" in your log but today is Sept 26.

[K-Dub 0]

Correct. That was an example from yesterday. As I mentioned, it has tapered off today, we presume due to the new definitions that were pushed out.

[jtown82 1]

Well actually I just got another alert from a more recent updated machine.   

 

Updated with ESET info on that machine.  

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

• THREAT NAME

  JS/TrojanDownloader.Pegel.BH
   
   
• THREAT TYPE

  trojan
   
   
• SEVERITY

  Warning
   
   
• OCCURRED

  2017 Sep 26 12:18:44
   
   
• THREAT HANDLED

  Yes
   
   
• RESTART NEEDED

  No
   
   
• ACTION TAKEN

  connection terminated
   
   
• ACTION ERROR

   
   
   
• OBJECT TYPE

  file
   
   
• OBJECT URI

  hxxp://s7.addthis.com/js/300/addthis_widget.js
   
   
• CIRCUMSTANCES

   
   
   
• SCANNER

  HTTP filter
   
   
• ENGINE VERSION

  13535 (20160524)
   
   
• PROCESS NAME

  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
   
   
•  

Edited September 26, 2017 by jtown82

[Marcos 4,926]

1 hour ago, jtown82 said:

Well actually I just got another alert from a more recent updated machine.   

 

Updated with ESET info on that machine.  

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

• THREAT NAME

  JS/TrojanDownloader.Pegel.BH
• THREAT TYPE

  trojan
• SEVERITY

  Warning
• OCCURRED

  2017 Sep 26 12:18:44
• THREAT HANDLED

  Yes
• RESTART NEEDED

  No
• ACTION TAKEN

  connection terminated
• ACTION ERROR
• OBJECT TYPE

  file
• OBJECT URI

  hxxp://s7.addthis.com/js/300/addthis_widget.js
• CIRCUMSTANCES
• SCANNER

  HTTP filter
• ENGINE VERSION

  13535 (20160524)
• PROCESS NAME

  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
•  

See the engine version - 13535 from May 2016.

[enforcer 0]

My best guess is the new definitions are gradually populating out to the workstations.  Ours has also tapered off.

[Marcos 4,926]

ESET's products check for newer updates in 1-hour interval by default. We don't recommend changing the default update task. Also make sure that you don't use deferred / delayed updates which would make up for the delay in getting the detection removed.

[Tack 0]

I have same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan which infect  literally 40-50 different computers at the same time.  The problem still exist with 16160 Virus signature database version.

The weird i saw today is that Trojan use different user account from owner pc.

Any solution for that ?

[Marcos 4,926]

3 minutes ago, Tack said:

I have same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan which infect  literally 40-50 different computers at the same time.  The problem still exist with 16160 Virus signature database version.

The weird i saw today is that Trojan use different user account from owner pc.

Any solution for that ?

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

[John.From.VT 0]

On ‎9‎/‎29‎/‎2017 at 5:25 AM, Marcos said:

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided from ESET I'll upload them.

[Marcos 4,926]

On 10/3/2017 at 4:00 PM, John.From.VT said:

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided from ESET I'll upload them.

Logs collected by ELC shouldn't be that large so it will be definitely worth checking them. You can upload the archive to Dropbox, Onedrive, Wetransfer, etc. and provide me with a download link.

[John.From.VT 0]

On ‎10‎/‎7‎/‎2017 at 6:34 PM, Marcos said:

Logs collected by ELC shouldn't be that large so it will be definitely worth checking them. You can upload the archive to Dropbox, Onedrive, Wetransfer, etc. and provide me with a download link.

The logs have been running for a while to troubleshoot other problems, hence the size. I think at this point this is no longer a problem, since I have not received any more alerts about this widget since Monday afternoon.

[Dudus 0]

Hello, I received this photo from a visitor of my website. I cannot reproduce it on my PC. It is in Hungarian but I think you can understand it.

[Marcos 4,926]

7 minutes ago, Dudus said:

Hello, I received this photo from a visitor of my website. I cannot reproduce it on my PC. It is in Hungarian but I think you can understand it.

This detection was removed about 2 weeks ago since after years of existence it has recently started to trigger detection on the said script due to certain changes having been made to it. The user should run update in order to receive current modules.

[Tdub 0]

I've had a number of alerts with this show up again Yesterday and Today. any updates that would trigger in the last few days?

[Marcos 4,926]

3 hours ago, Tdub said:

I've had a number of alerts with this show up again Yesterday and Today. any updates that would trigger in the last few days?

The only possible explanation would be that these clients had an older version of the detection engine installed.