
jtown82

addthis_widget.js alert spam


Correct. That was an example from yesterday. As I mentioned, it has tapered off today, we presume due to the new definitions that were pushed out.


Well actually I just got another alert from a more recently updated machine.

Updated with ESET info on that machine.

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

  • THREAT NAME
    JS/TrojanDownloader.Pegel.BH
  • THREAT TYPE
    trojan
  • SEVERITY
    Warning
  • OCCURRED
    2017 Sep 26 12:18:44
  • THREAT HANDLED
    Yes
  • RESTART NEEDED
    No
  • ACTION TAKEN
    connection terminated
  • ACTION ERROR
  • OBJECT TYPE
    file
  • CIRCUMSTANCES
  • SCANNER
    HTTP filter
  • ENGINE VERSION
    13535 (20160524)
  • PROCESS NAME
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

1 hour ago, jtown82 said:

Well actually I just got another alert from a more recently updated machine.

Updated with ESET info on that machine.

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

  • THREAT NAME
    JS/TrojanDownloader.Pegel.BH
  • THREAT TYPE
    trojan
  • SEVERITY
    Warning
  • OCCURRED
    2017 Sep 26 12:18:44
  • THREAT HANDLED
    Yes
  • RESTART NEEDED
    No
  • ACTION TAKEN
    connection terminated
  • ACTION ERROR
  • OBJECT TYPE
    file
  • CIRCUMSTANCES
  • SCANNER
    HTTP filter
  • ENGINE VERSION
    13535 (20160524)
  • PROCESS NAME
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

See the engine version - 13535 from May 2016.


My best guess is the new definitions are gradually populating out to the workstations. Ours have also tapered off.


ESET's products check for newer updates at a 1-hour interval by default. We don't recommend changing the default update task. Also make sure that you don't use deferred / delayed updates, which would account for the delay in getting the detection removed.


I have the same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan, which infects literally 40-50 different computers at the same time. The problem still exists with Virus signature database version 16160.

The weird thing I saw today is that the Trojan uses a different user account from the PC's owner.

Any solution for that?

3 minutes ago, Tack said:

I have the same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan, which infects literally 40-50 different computers at the same time. The problem still exists with Virus signature database version 16160.

The weird thing I saw today is that the Trojan uses a different user account from the PC's owner.

Any solution for that?

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

On 9/29/2017 at 5:25 AM, Marcos said:

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided by ESET I'll upload them.

On 10/3/2017 at 4:00 PM, John.From.VT said:

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided by ESET I'll upload them.

Logs collected by ELC shouldn't be that large, so it will definitely be worth checking them. You can upload the archive to Dropbox, Onedrive, Wetransfer, etc. and provide me with a download link.

On 10/7/2017 at 6:34 PM, Marcos said:

Logs collected by ELC shouldn't be that large, so it will definitely be worth checking them. You can upload the archive to Dropbox, Onedrive, Wetransfer, etc. and provide me with a download link.

The logs have been running for a while to troubleshoot other problems, hence the size. I think at this point this is no longer a problem, since I have not received any more alerts about this widget since Monday afternoon.


Hello, I received this photo from a visitor of my website. I cannot reproduce it on my PC. It is in Hungarian but I think you can understand it.

eset-addthis.png

7 minutes ago, Dudus said:

Hello, I received this photo from a visitor of my website. I cannot reproduce it on my PC. It is in Hungarian but I think you can understand it.

eset-addthis.png

This detection was removed about 2 weeks ago since, after years of existence, it recently started to trigger on the said script due to certain changes having been made to it. The user should run an update in order to receive current modules.


I've had a number of alerts with this show up again yesterday and today. Any updates that would trigger this in the last few days?

3 hours ago, Tdub said:

I've had a number of alerts with this show up again yesterday and today. Any updates that would trigger this in the last few days?

The only possible explanation would be that these clients had an older version of the detection engine installed.

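As an added illustration (not code from anyone in this thread or from ESET), the triage that Marcos' replies imply, applied to constructed ERA-style alert records: group alerts on the removed detection by host, read the date out of the engine version string, and separate hosts still running an engine older than the removal (expected; they just need to update) from hosts alerting on a current engine (the case that warrants ELC logs). The host names, the removal date and every engine string except the quoted "13535 (20160524)" are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed ERA-style alert records. WS-001's engine string is the one quoted in
# this thread; host names, timestamps and the other engine dates are made up.
SAMPLE_ALERTS = [
    {"host": "WS-001", "occurred": "2017 Sep 26 12:18:44",
     "threat": "JS/TrojanDownloader.Pegel.BH", "engine": "13535 (20160524)"},
    {"host": "WS-001", "occurred": "2017 Sep 26 14:02:10",
     "threat": "JS/TrojanDownloader.Pegel.BH", "engine": "13535 (20160524)"},
    {"host": "WS-002", "occurred": "2017 Oct 02 09:41:33",
     "threat": "JS/TrojanDownloader.Pegel.BH", "engine": "16179 (20171003)"},
    {"host": "WS-003", "occurred": "2017 Oct 02 10:15:00",
     "threat": "HTML/ScrInject.B", "engine": "16179 (20171003)"},
]

# ESET reports the engine as "<build> (<YYYYMMDD>)", e.g. "13535 (20160524)".
ENGINE_RE = re.compile(r"^(\d+)\s*\((\d{4})(\d{2})(\d{2})\)$")

def parse_engine(version):
    """Return (build_number, release_date) from an ESET engine version string."""
    m = ENGINE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised engine version: {version!r}")
    build, y, mo, d = (int(g) for g in m.groups())
    return build, date(y, mo, d)

def triage(alerts, threat, removal_date):
    """Group alerts for one threat name by host and classify each host.

    'stale-engine': newest engine seen on the host predates the update that
    dropped the signature, so the alerts are expected until it updates.
    'needs-logs': the host alerts on a current engine, which is the unexpected
    case where support asked for ELC logs.
    """
    hosts = defaultdict(lambda: {"alerts": 0, "engine_date": date.min})
    for a in alerts:
        if a["threat"] != threat:
            continue
        _, engine_date = parse_engine(a["engine"])
        h = hosts[a["host"]]
        h["alerts"] += 1
        h["engine_date"] = max(h["engine_date"], engine_date)  # newest engine wins
    for h in hosts.values():
        h["status"] = "stale-engine" if h["engine_date"] < removal_date else "needs-logs"
    return dict(hosts)

# Assumed for this example: the day the fixed engine reached the update mirror.
REMOVAL_DATE = date(2017, 9, 27)

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_ALERTS, "JS/TrojanDownloader.Pegel.BH", REMOVAL_DATE).items()):
        print(host, info["alerts"], info["engine_date"], info["status"])
```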
