jimwillsher, posted December 21, 2015

www.texel.co.uk

No issues with Firefox or Chrome, but when visiting with IE11, ESET 6.2.2033 flags the site with JS/Kryptik.AYR trojan. Can anyone confirm (or otherwise) if this is a false positive please?

Many thanks

Jim

Marcos (Administrators), posted December 21, 2015

The detection is correct. A malicious JavaScript is injected in the web page, which was detected and blocked.

shocked (Most Valued Members), posted December 22, 2015

I checked the link of the OP; the entire website is blocked only when using IE. On other browsers it's not blocked by ESET.

stackz (ESET Insiders), posted December 22, 2015

The JavaScript in question is only triggered if Internet Explorer is detected (via the user agent) as the browser being used.

Marcos (Administrators), posted December 22, 2015

"The JavaScript in question is only triggered if Internet Explorer is detected (via the user agent) as the browser being used."

Right. The malicious script is injected only if certain conditions are met. I believe there are also other conditions than just a check for user-agent, as I'm not always able to reproduce the detection with IE.

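As an added example (not part of any post in this thread, and not ESET's detection logic): one way a site owner or analyst could confirm the behaviour described above is to fetch the same URL several times under different User-Agent headers and compare the script elements in the responses. The function names and the sample response bodies below are constructed for illustration; the repeated fetches account for the injection not appearing on every request.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs and short hashes of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.add(("src", src))
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.scripts.add(("inline", hashlib.sha256(body.encode()).hexdigest()[:16]))
            self._in_script = False

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def ua_conditional_scripts(responses, baseline):
    """responses maps a User-Agent label to the bodies of repeated fetches of one URL.
    Returns {label: {script: fetches_containing_it}} for scripts never seen under baseline."""
    base = set().union(*(scripts_in(b) for b in responses[baseline]))
    report = {}
    for label, bodies in responses.items():
        hits = Counter(s for b in bodies for s in scripts_in(b) - base)
        if label != baseline and hits:
            report[label] = dict(hits)
    return report

# Constructed sample bodies (not captured from any real site).
CLEAN = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
INJECTED = CLEAN.replace("</body>", "<script>/* constructed placeholder */</script></body>")
SAMPLE = {"firefox": [CLEAN, CLEAN, CLEAN], "ie11": [INJECTED, CLEAN, INJECTED]}

if __name__ == "__main__":
    print(ua_conditional_scripts(SAMPLE, "firefox"))
```

A script that shows up only under one User-Agent, and only in some of the fetches, is the pattern to hand to whoever cleans the site; the hash identifies the inline body without copying it around.
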
jimwillsher, posted December 22, 2015

Many thanks :-)

AdeptusMechanicus, posted December 28, 2015 (edited December 29, 2015 by AdeptusMechanicus: removed links)

My company is getting numerous hits in ERAS for endpoints hitting random sites with the exact same threat name "JS/Kryptik.AYR Trojan". All of these started triggering 2015-12-19 and have been every day since. We have not had any hits on this signature before. Does anyone know what exactly the script is trying to do?