Possible false positive


www.texel.co.uk

 

No issues with Firefox or Chrome, but when visiting with IE11, ESET 6.2.2033 flags the site with JS/Kryptik.AYR trojan. Can anyone confirm (or otherwise) if this is a false positive please?

 

Many thanks

 

 

Jim


  • Most Valued Members

I checked the link of the OP; the entire website is blocked only when using IE. On other browsers it's not blocked by ESET.


  • ESET Insiders

The JavaScript in question is only triggered if Internet Explorer is detected (via the user agent) as the browser being used.


  • Administrators

The JavaScript in question is only triggered if Internet Explorer is detected (via the user agent) as the browser being used.

 

Right. The malicious script is injected only if certain conditions are met. I believe there are also other conditions than just a check for user-agent as I'm not always able to reproduce the detection with IE.


My company is getting numerous hits in ERAS for endpoints hitting random sites with the exact same threat name, "JS/Kryptik.AYR Trojan". All of these started triggering 2015-12-19 and have been every day since. We have not had any hits on this signature before. Does anyone know what exactly the script is trying to do?

 

Edited by AdeptusMechanicus
removed links
