AVG Reports HTML/Frame virus detected in ajax_1.5.pack[1].js


#1

Maybe this is not in the right forum, but it’s the best one I could find.

Hey guys! Tonight my AVG antivirus program started barking about “multiple threat detection” concerning a javascript pack file named “ajax_1.5.pack[1].js”. I get a double detection warning every time I refresh the page or navigate between pages.

I’m not sure if you guys are intentionally using this archive or if it’s comming in via a third party. But, I’d rather not ask AVG to simply ignore the threat.

This is brand new behavior. I visited theanimenetwork.com last night and all was fine.

Please do something about thie RIGHT AWAY!


#2

well it certainly looks virus-like in its location!

http://static.theanimenetwork.com/plugins/system/pc_includes

plugins?
system?

this is improper formatting for a website directory hierarchy. dont even make a URL look like it is emulating a local directory on the client users device!

it doesnt seem to do anything, cause i blocked its access and the ajax script not being present i am still able to load and play Allison & Lillia.

ajax is mostly user by trackers to see where you are going like the one that counts hits for Google.

if you can, jsut block the script and dont worry about it. it isnt needed to view TAN website.


#3

[quote=“pbisson” post=140725]Maybe this is not in the right forum, but it’s the best one I could find.

Hey guys! Tonight my AVG antivirus program started barking about “multiple threat detection” concerning a javascript pack file named “ajax_1.5.pack[1].js”. I get a double detection warning every time I refresh the page or navigate between pages.

I’m not sure if you guys are intentionally using this archive or if it’s comming in via a third party. But, I’d rather not ask AVG to simply ignore the threat.

This is brand new behavior. I visited theanimenetwork.com last night and all was fine.

Please do something about thie RIGHT AWAY![/quote]

Hey pbisson,

We need some more info to narrow down the problem you are experiencing.

-What operating system are you using when you are getting this alert?
-What browsers and version are you using when you get this alert?

Thanks,

-Mo-


#4

Sure, mor than glad to help …

I’m using Win7 x64 and IE9. If I use Chrome, I don’t get the alert. Perhaps HTML/Framer is an IE specific exploit. It’s definitely comming from TAN because it’s loaded twice with every page refresh and navigation. The file is located in the IE cache and is replaced every time I hit TAN or navigate around within it.

It seems to be interfering with how the video is working. The player seems to have stopped working. Also, navigation and refresh are very very slow. Possibly this is because AVG is blocking that scrupt and screwing things up.

BTW: I consider this a pretty serios problem. Getting a double AVG threat detection constantly is pretty annoying and it prevents proper use of TAN website. I hope you guys figure it out soon.


#5

Hey pbisson,

Thanks for the info. To start, have you completely cleared your cache?
If not, at this time please clear your cache.
After clearing your cache, go directly to theanimenetwork.com before going to any other websites.

If after clearing your cache and going directly to theanimenetwork.com before other websites you are still getting the alert, please let us know.

Thanks,

-Mo-


#6

Yep, that’s the first thing I did. Clear the cache, reset IE settings to default, restart IE. Home page is a blank page, so no external nav on startup, then nav right to TAN as the first URL. This virus thing is definitely some thing new. All was well just a day ago.


#7

I’m thinking AVG is being overprotective. Might be a case of a common program that wasn’t made with the intent of being used for malware actually being used with malware. The staff should double check the file anyway.

Also noticed that mootools.js is in the same directory as the file in question.


#8

Generally, in my experience, when AVG is complaining, something is wrong. AVG is very highly rated. In more than 10 years of use, I’ve never gotten a false alarm. I don’t use the free version, not that it matters for the anti-virus function. I’ve sent the file off to AVG for verification.

Moisme, what do you think? Where’s this file comming from? I’m going to guess that it’s not actually part of TAN.com site and that it’s comming in on a third party. Can you track it down?


#9

yep, AVG just responded that the threat detection is valid. It’s a known malware, back-door installer that is an IE exploit. Sounds scary huh?


#10

pbisson -

We are not detecting any issues with the object. It is a standard part of JomSocial.

Try visiting http://demo.jomsocial.com/
Let us know if you get any warnings from AVG there.

We appreciate how alarming a message like this can be. So far, we have had no other reports for this from other users and have been unable to replicate it on our end. We will continue to monitor this issue with you.

Thanks!


#11

Yep, I get the same alert when I visit http://demo.jomsocial.com/

I just updated the virus database and I still get the alert. AVG says HTML/Framer is #3 threat in the world at the moment. I don’t think we should trivialize this.

I don’t get the warning when I’m using Chrome. But, I DO get the warning when I’m using Mozilla Firefox 20 and IE 9.


#12

pbisson -

Thank you. That confirms what we have been suspecting: the issue is with the sub-component itself.

JomSocial is aware of the issue.

Other developers began to experience the same issue at the same time you did. So far, none of them have found anything malicious in the object either.

At present, the community is leaning towards this being a false-positive with AVG, but we’re all waiting for the official word from JomSocial and a resolution to the alert.

We’re monitoring the situation closely with JomSocial. Situations like these are not something we take lightly.

If you wish, you can join the JomSocial support forums for more information:
http://www.jomsocial.com/forum/technical-issues/5334-html-framer-infection-2-8-4#26189


#13

[quote=“spazzysam” post=140757]If you wish, you can join the JomSocial support forums for more information:
http://www.jomsocial.com/forum/technical-issues/5334-html-framer-infection-2-8-4#26189[/quote]

not going to buy the junky forum software jsut to see what is going on…

thanks for escalating it to the developer and such.

couldnt someone just log in to the TAN amazon account, delete the file that is there and try to use an older one maybe the 1.3 until this is resolved, rather than have a potentially, or reported malicious file on TAN?

the script itself only creates a hidden IFRAME with only god knows (insert religion of choice or Keima-kun) what kind of form is inside it with URI encoding and such… better safe than sorry as it were?


#14

Well, that IS the exploit. This variant may be innocuous, but there are at least 46 variants out there according to AVG. It seems to me that it should be scrubbed out of the system as soon as possible. Plus, I’m effectively unable to view any videos while it’s there. It somehow screws up the page formatting (client side) and the video player never comes up properly.


#15

OH … and I’m SOOOOO glad I’m not imagining this and that I’m not the only one with the problem.


#16

I just studied the file in question, AVG is at fault. The only logic that could be used to be a virus, jQuery is just as guilty, or any other JS library that supports AJAX or at least the stringify function for converting a JS object to JSON.

The issue that AVG might be detecting is that I have seen AJAX libraries use iFrames to support uploading files through iFrames as XMLHttpRequest doesn’t support that feature.


#17

OK, for two days now, I haven’t gotten one of these warning messages. And, that even though I’ve got a byte identical ajax-1-5.js file. In fact, I restored one of the copies I had moved to AVG’s “virus vault”, and now it scans as not being a virus. With such evidence, I’m going to assume AVG updated it’s database and/or method of identification. Let’s hope we don’t see THIS ugly thing any time soon again. :woohoo:


#18

could the difference be not in the file itself, but the suspicious name it had?

aside from the [1] in the previous file, you mention this time the filename ajax-1-5.js as opposed to ajax_1.5.pack[1].js

maybe “.pack.js” was setting AVG off

though i am still showing “pack” as part of the filename TAN tries to put on my computer and is still being blocked.

curious…


#19

It looks like the AVG report was a false positive and they updated their virus definitions file Tuesday evening.
JomSocial has thoroughly checked the subcomponent and found nothing wrong.

If anyone else was getting the AVG Alert earlier this week, please let us know if you are currently still getting it.
For now, we are labeling this issue as resolved.

Thanks again for reporting the issue, Pbisson!


#20