Discussion:
[clamav-users] FP Win.Trojan.Agent-1395367
Hajo Locke
2016-04-20 07:02:51 UTC
Hello,

there seems to be a new FP within a Wordpress Plugin.
Download is here:
https://jetpack.com/install/?from=wporg
http://downloads.wordpress.org/plugin/jetpack.latest-stable.zip

File
jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js
is reported as Win.Trojan.Agent-1395367

Seems to be an automatic created md5 Signature, because content of file
looks ok
http://pastebin.com/zi2TcJJF

I already reported this as FP at http://www.clamav.net/reports/fp
I hope to get this fixed fast because our customers use this plugin a
lot and I don't want to make a new global whitelisting.

Thanks,
Hajo
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2016-04-20 07:20:58 UTC
The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP.

Not sure what you mean by “automatic created md5 Signature” and given that it’s a JavaScript I don’t know how you can conclude its contents “looks ok”, but you did the right thing by submitting it for consideration.

AegisLab also seems to think it’s infected, but VT believes it’s “Probably harmless!”:
<https://www.virustotal.com/en/file/1f6d3e09969916e203c940124ef19b654464ed322c756530e1bcb1267cc93e2c/analysis/>

This should be self evident, but for the ClamAV Signature Team’s Info: MD5=585005690e530e8047374cf14e479281

-Al-
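
Al's point that the signature is an MD5 over an 892-byte file, as an added example that is not part of the thread: a hash signature matches one exact byte sequence, so a local whitelist entry can be scoped to that single file instead of a broad exclusion. The `MD5:size:name` layout is ClamAV's hash-signature format (used for `.hdb` signatures and `.fp` whitelist entries); the function names, note strings and sample bytes are constructed for illustration.

```python
import hashlib

# Hash-signature line in ClamAV's MD5:size:name layout, assembled from the
# MD5, size and signature name quoted in this thread.
THREAD_SIG = "585005690e530e8047374cf14e479281:892:Win.Trojan.Agent-1395367"


def parse_hash_sig(line):
    """Split 'md5hex:size:name' into (md5hex, size, name)."""
    digest, size, name = line.strip().split(":", 2)
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 hash signature: %r" % line)
    return digest, int(size), name


def fingerprint(data):
    """MD5 and length of the content: the only inputs a hash signature sees."""
    return hashlib.md5(data).hexdigest(), len(data)


def matches(sig_line, data):
    """True only if both the MD5 and the byte length agree with the signature."""
    digest, size, _ = parse_hash_sig(sig_line)
    return fingerprint(data) == (digest, size)


def local_fp_entry(sig_line, data, note):
    """Return a whitelist line for exactly this file, or None when the
    signature does not match it (nothing to whitelist)."""
    if not matches(sig_line, data):
        return None
    digest, size = fingerprint(data)
    return "%s:%d:%s" % (digest, size, note)


if __name__ == "__main__":
    # Constructed stand-in for a minified plugin script (not the real file).
    sample = b"!function(a){a(window).on('resize',function(){})}(jQuery);\n"
    d, n = fingerprint(sample)
    constructed_sig = "%s:%d:Example.Constructed.Sig-1" % (d, n)
    print(parse_hash_sig(THREAD_SIG))
    print(local_fp_entry(constructed_sig, sample, "FP-plugin-min-js"))
    # One extra byte changes the hash, so neither the signature nor the
    # whitelist entry applies to the modified file.
    print(local_fp_entry(constructed_sig, sample + b" ", "changed-file"))
```

Because the entry is tied to the hash and size, any later change to the plugin file falls outside the whitelist and is scanned normally again.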
Hajo Locke
2016-04-20 07:31:19 UTC
Hello,
Post by Al Varnell
The signature was just added yesterday in daily:21498 and yes it is an MD5 of size 892 bytes, so it could well be an FP.
Not sure what you mean by “automatic created md5 Signature” and given that it’s a JavaScript I don’t know how you can conclude its contents “looks ok”, but you did the right thing by submitting it for consideration.

I think not every code is reviewed manually, according to the source.
For me the code doesn't look suspicious. But let's wait for the opinion of the pros.
Hajo
Hajo Locke
2016-04-20 08:45:14 UTC
Hello,
Found same issue with other file.
File qppr_frontend_script.min.js is reported as Win.Trojan.Agent-1395005
This is part of Wordpress Quick Page/Post Redirect Plugin
https://de.wordpress.org/plugins/quick-pagepost-redirect-plugin/installation/

MD5=952e1832aad1345100c20d86639900e5
Hajo
Al Varnell
2016-04-20 08:52:10 UTC
This one was added on Friday in daily:21494

Similar results as before on VT:
<https://www.virustotal.com/en/file/4d81cd951bc1cc8095a0b6385baa47b9c5fb6fe1440661563a09dbd2f7e243db/analysis/>

-Al-
Alain Zidouemba
2016-04-20 14:01:16 UTC
Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The signature Win.Trojan.Agent-1395367 has been removed.

- Alain
Hajo Locke
2016-04-21 07:59:24 UTC
Hello,
Post by Alain Zidouemba
Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The
signature Win.Trojan.Agent-1395367
has been removed.
Thanks to all.

Hajo
Al Varnell
2016-04-21 08:08:29 UTC
Looks like the other was dropped, as well in Daily:21500
* Win.Trojan.Agent-1395005
* Win.Trojan.Agent-1395367
Sent from Janet's iPad

-Al-
Joel Esler (jesler)
2016-04-21 16:06:02 UTC
Yeah, sorry, I was swamped yesterday and didn’t get to follow up, we obviously dropped them both.
--
Joel Esler
Manager, Talos Group




On Apr 21, 2016, at 4:08 AM, Al Varnell <***@mac.com> wrote:

Looks like the other was dropped, as well in Daily:21500

Dropped Detection Signatures:

* Win.Trojan.Agent-1395005
* Win.Trojan.Agent-1395367

Sent from Janet's iPad

-Al-
