Advice Request HEUR:Trojan-PSW.Script.Generic

[JB007]

Hello,
KTS blocks the access to this site "francis-miot.com" because of the detection of "HEUR:Trojan-PSW.Script.Generic".
I know this site for many years and I never have any problem, so I think that it could be a false positive.
I checked with VT and there is 1 detection {VirusTotal} ; I also checked with Virus Desk and the answer is that this URL is unknown, so I submitted the URL ; I also opened a ticket with Kaspersky support.
I know that Kaspersky support is very slow, so I hope that you can help me...

 

[eonline]

According to Netcraft it is catalogued as "Shopping Site Skimmer Detected". I suggest you send an email to the site administrator which is as follows: contact (@) francis-miot (dot) com telling him about this incident. They must solve the problem that some antivirus like kaspersky or Netcraft extension mark as malicious the site.

You can search for references in Google: Shopping Site Skimmer Detected - Google Search

 

[harlan4096]

Also I've sent it to KVirusDesk, waiting for final verdict...

 

[JB007]

According to Netcraft it is catalogued as "Shopping Site Skimmer Detected". I suggest you send an email to the site administrator which is as follows: contact (@) francis-miot (dot) com telling him about this incident. They must solve the problem that some antivirus like kaspersky or Netcraft extension mark as malicious the site.

You can search for references in Google: Shopping Site Skimmer Detected - Google Search

Also I've sent it to KVirusDesk, waiting for final verdict...

Thanks @Lobito Punky and @harlan4096
I have yet send the information to"francis-miot contact" on November 14th but get no answer until now.

 

[eonline]

I visited the site without Mcafee giving any alerts and I don't think I'm infected.

 

[Gandalf_The_Grey]

I visited the site without Mcafee giving any alerts and I don't think I'm infected.

But you haven't ordered and paid anything yet...
According to Netcraft:

What are shopping site skimmers?
A shopping site skimmer is a malicious script that steals your payment card information when you checkout on an online store, and sends it back to a fraudster to use later. Netcraft finds and detects shopping site skimmers on the Internet and blocks them in the Extension.

There could be a malicious script running on that website.
I would wait for the report of Kaspersky Virus Desk before buying anything on that site.

 

[bribon77]

It seems to me a false positive.
I just visited the link with Emsisoft and it says nothing.

 

[harlan4096]

Final verdict from Kaspersky analyst:

Hello,

This is not a false alarm. This site is infected.

Here is the malicious code:

"<script>
function b64EncodeUnicode(str) {

...
,buildData());
}
}
};"

If you are a webmaster, please remove the above code from the page. Also we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

Best regards,

 

[JB007]

Final verdict from Kaspersky analyst:

Thank you very much @harlan4096
I'm disappointed you have contacted VirusDesk after me and get an answer before me
I'll try to contact again the webmaster, did you post the complete answer ?

 

[harlan4096]

For malicious/phishing URLs They usually take around 2 days to finally response... I got a 1st response confirming the detection, then I asked if a possible false positive and that is the final answer... and yes, this is the complete answer (only ommited the name of the analyst)...

To send my request just used Kaspersky Virus Desk and gave my email (@gmail) to confirm the final verdict...

 

[JB007]

For malicious/phishing URLs They usually take around 2 days to finally response... I got a 1st response confirming the detection, then I asked if a possible false positive and that is the final answer... and yes, this is the complete answer (only ommited the name of the analyst)...

To send my request just used Kaspersky Virus Desk and gave my email (@gmail) to confirm the final verdict...

Thanks @harlan4096
I did the same steps but with "Kaspersky Virus Desk" in French...

 

[JB007]

Tested with Netcraft extension:

 

[Moonhorse]

Sophos says nothing, submitted to bitdefender throught bitdefender traffliclight extension

 

[SeriousHoax]

Sent to ESET with the response of Kaspersky and ESET is gonna add it to their signatures in the next update

 

[JB007]

Hello,
Just got the answer of Kaspersky support but the malicious script is not the same

 

[SeriousHoax]

Hello,
Just got the answer of Kaspersky support but the malicious script is not the same

The script looks incomplete. Did you paste the full code?

 

[JB007]

Yes this is the file included on the mail:
"
Merci de votre réponse monsieur
Je vous le renvoie en pièce jointe.

Bien à vous

malicious script.txt (0.01Mb) "
Are you sure that the script is incomplete ? If yes I can try to ask again.
NB: previously I received 2 mails from the support but the script was not visible...

 

[harlan4096]

The answer I got from the analyst of course did not show the full script, just the main structure, but I think it is the same

 

[Gandalf_The_Grey]

Sucuri Security

SiteCheck is a website security scanner that checks any site, link, or URL for malware, viruses, blacklist status, seo spam, or malicious code. Check your website safety for free with Sucuri Security.

sitecheck.sucuri.net

So malware detected and running on outdated software:

Website Malware & Security

• Malware detected by scan (Critical Risk)
• No injected spam detected (Low Risk)
• No defacements detected (Low Risk)
• No internal server errors detected (Low Risk)
• Site is outdated (High Risk)

 

[JB007]

Sucuri Security

SiteCheck is a website security scanner that checks any site, link, or URL for malware, viruses, blacklist status, seo spam, or malicious code. Check your website safety for free with Sucuri Security.

sitecheck.sucuri.net

So malware detected and running on outdated software:

Thanks @Gandalf_The_Grey
I never heard about "Sucuri Security". Is it reliable ?