addthis_widget.js alert spam


Well actually I just got another alert from a more recent updated machine.

Updated with ESET info on that machine.

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

  • THREAT NAME
    JS/TrojanDownloader.Pegel.BH
  • THREAT TYPE
    trojan
  • SEVERITY
    Warning
  • OCCURRED
    2017 Sep 26 12:18:44
  • THREAT HANDLED
    Yes
  • RESTART NEEDED
    No
  • ACTION TAKEN
    connection terminated
  • ACTION ERROR
  • OBJECT TYPE
    file
  • CIRCUMSTANCES
  • SCANNER
    HTTP filter
  • ENGINE VERSION
    13535 (20160524)
  • PROCESS NAME
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Edited by jtown82
  • Administrators
1 hour ago, jtown82 said:

Well actually I just got another alert from a more recent updated machine.

Updated with ESET info on that machine.

ESET Remote Administrator Agent 6.3.136.0

ESET Endpoint Antivirus 6.4.2014.0

  • THREAT NAME
    JS/TrojanDownloader.Pegel.BH
  • THREAT TYPE
    trojan
  • SEVERITY
    Warning
  • OCCURRED
    2017 Sep 26 12:18:44
  • THREAT HANDLED
    Yes
  • RESTART NEEDED
    No
  • ACTION TAKEN
    connection terminated
  • ACTION ERROR
  • OBJECT TYPE
    file
  • CIRCUMSTANCES
  • SCANNER
    HTTP filter
  • ENGINE VERSION
    13535 (20160524)
  • PROCESS NAME
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

See the engine version - 13535 from May 2016.

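A triage helper for the point made above (the alert came from a client still running the May 2016 engine). This is an added example, not ESET's code or anything posted in the thread: it parses the ERA threat record in the bullet layout pasted here and flags alerts raised by clients whose detection engine build is older than a chosen window, which is the first thing to rule out before treating a re-detection as a fresh false positive.

```python
from datetime import datetime

# Constructed sample: the ERA threat record as pasted in the thread above,
# in the "• FIELD / value" layout the forum rendered it in.
SAMPLE_RECORD = """\
• THREAT NAME
  JS/TrojanDownloader.Pegel.BH
• THREAT TYPE
  trojan
• OCCURRED
  2017 Sep 26 12:18:44
• ACTION TAKEN
  connection terminated
• SCANNER
  HTTP filter
• ENGINE VERSION
  13535 (20160524)
• PROCESS NAME
  C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe
"""


def parse_record(text):
    """Turn the bullet layout into a dict; a bullet with no value line maps to ''."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            key = line.lstrip("•").strip()
            if key:  # skip the empty bullets the forum export leaves behind
                fields[key] = ""
        elif key and line:
            fields[key] = line
    return fields


def engine_age_days(fields):
    """Days between the engine build date (the YYYYMMDD in parentheses) and the alert time."""
    build = fields["ENGINE VERSION"].split("(")[1].rstrip(")")
    built = datetime.strptime(build, "%Y%m%d")
    occurred = datetime.strptime(fields["OCCURRED"], "%Y %b %d %H:%M:%S")
    return (occurred - built).days


def is_stale_engine(fields, max_age_days=7):
    """True when the client alerted with an engine older than the allowed window (assumed 7 days)."""
    return engine_age_days(fields) > max_age_days


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec["THREAT NAME"], "engine age:", engine_age_days(rec), "days, stale:", is_stale_engine(rec))
```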
  • Administrators

ESET's products check for newer updates at a 1-hour interval by default. We don't recommend changing the default update task. Also make sure that you don't use deferred / delayed updates, which would make up for the delay in getting the detection removed.


I have the same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan, which infects literally 40-50 different computers at the same time. The problem still exists with virus signature database version 16160.

The weird thing I saw today is that the Trojan uses a different user account from the PC owner.

Any solution for that?

  • Administrators
3 minutes ago, Tack said:

I have the same problem with JS/TrojanDownloader.Pegel.BH. ERA is spamming alerts for this Trojan, which infects literally 40-50 different computers at the same time. The problem still exists with virus signature database version 16160.

The weird thing I saw today is that the Trojan uses a different user account from the PC owner.

Any solution for that?

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

On 9/29/2017 at 5:25 AM, Marcos said:

This is impossible as the signature was completely removed several days ago.

Please provide ELC logs from the machine where it's still being detected.

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided from ESET I'll upload them.

  • Administrators
On 10/3/2017 at 4:00 PM, John.From.VT said:

I can provide ELC logs from a machine with the latest definitions (today it's 16179) that has been alerting "addthis_widget[1].js contains JS/TrojanDownloader.Pegel.BH Trojan" every day since Wednesday 9/27 through yesterday 10/2. They are 2.3GB, so if I can get a sharefile.com link provided from ESET I'll upload them.

Logs collected by ELC shouldn't be that large, so it will definitely be worth checking them. You can upload the archive to Dropbox, OneDrive, WeTransfer, etc. and provide me with a download link.

On 10/7/2017 at 6:34 PM, Marcos said:

Logs collected by ELC shouldn't be that large, so it will definitely be worth checking them. You can upload the archive to Dropbox, OneDrive, WeTransfer, etc. and provide me with a download link.

The logs have been running for a while to troubleshoot other problems, hence the size. I think at this point this is no longer a problem, since I have not received any more alerts about this widget since Monday afternoon.

  • Administrators
7 minutes ago, Dudus said:

Hello, I received this photo from a visitor of my website. I cannot reproduce it on my PC. It is in Hungarian but I think you can understand it.

eset-addthis.png

This detection was removed about 2 weeks ago since, after years of existence, it had recently started to trigger detection on the said script due to certain changes having been made to it. The user should run an update in order to receive current modules.

  • 4 weeks later...
  • Administrators
3 hours ago, Tdub said:

I've had a number of alerts with this show up again yesterday and today. Any updates that would trigger this in the last few days?

The only possible explanation would be that these clients had an older version of the detection engine installed.
