virus JS.Obfus-48

macfrombrampton wrote:

Today Jan-8 ClamXav found a virus called JS.Obfus-48 after I downgraded my Firefox version from 9.01 to 8. The Virus was found in the Users/(mydirectory)/Library/Caches/Firefox/Profiles/gn7cw1kc.default/Cache/9/C0 /787ABd01.

I am wondering if anyone has had any experience with this virus?

No, but I'll tell you what I think I know about it.

First, it's not a Mac OS X specific infection or it would have "OSX" in it's name. Nor is it a virus. It's a JavaScript which seems to have been designed to obfuscate a hyperlink. Since it's in your FireFox Cache it means you visited a web page using FireFox at the date and time this file was created and it contained a JavaScript which would have run if you clicked on it. Any harm it might have done is in the past and if it is a threat to your Mac it is harmless sitting in your cache. If I were guessing I would say that if you clicked on the link you would have ended up on a different web page than the one you thought you were going to. What was on that page is anybody's guess.

Since clamav does not provide descriptions of any of their infections and every AV software provider is free to name their malware whatever they want to, there is no way to know exactly what most malware does. The clamav database currently has 778 signatures that start with "JS" and 163 of those are "JS.Obfus." I have translated the signature but won't post it here as that would just result in all readers having it in their browser cache.

Turn off JavaScript in FireFox Preferences, just to be safe. If FireFox is your default browser then double-click on the Identified cache file to open it. If some other browser is default, then drag the file to your FireFox icon to open it. This should open the page with the embedded JavaScipt in it. One of the hyperlinks on that page would normally activate it.

macfrombrampton wrote:

I would like to know what this virus does. Clamxav identified the virus but I do not seem to find the function of the virus

Try uploading the file to VirusTotal. Their analysis will tell you what other AV vendors call this infection, then perhaps Google can help you.

Were you able to identify the site where this is coming from? Don't post it here as someone might go their by accident, but I can give you a place to post the url if you have it.

There are no viruses for osx. JS.Obfus-48 is malware.

Viruses: Are programs that earn their name by their ability to replicate themselves locally & often across a network. Many attach themselves to to other programs. When you launch one of these programs, the virus code launches as well & the virus goes about its nefarious business. Viruses are exceedingly rare on the Mac. There are no know viruses for OSX.

Trojans: Promises one thing but delivers another. You can download a program but when you run the program, the contents of your computer are instead beamed to an underground data center in Kamchatka. If you obtain software from reliable sites, you are unlikely to get a Trojan horse.

Adware: Has an embedded advertising component - one that displays or downloads ads when you run the software. Some adware is legitimate, part of the price of using a free program such as the Iconfactory's Twitterrific or Eudora for example.

Spyware: Grabs data from your computer & ofen uses it for the purposes of evil, sending personal info to a baddie or when you're using your web browser, redirecting you to site you don't want to visit.

Mac users have nothing to worry about regarding Spyware & Adware because in order for the worse forms to work, the OS must allow unrestricted access to its more sensitive parts. The Mac OS doesn't.

Free Software: ClamXaviAntiVirus Mac Viruses

User Tip: Mac Viruses

Macintosh Viruses

It doesn’t get PC viruses.

macfrombrampton wrote:

When I run Clamav it just finds the infected file. I will work on locating it, but it has appeared more than once which suggest it is coming through my Web browser Firefox 8.0 or Mail application on the Mac.

Agree, one of your browser caches or mailboxes is the most likely source, although there are reports of JavaScript being embedded into PDF and other types of documents.

macfrombrampton wrote:

The web site only provides the virus application name and the name of the virus but does not identify what the virus is trying do.

Are you talking about VirusTotal? If so, that's correct. What you need to do is find out what other AV vendors are naming that virus and then go to their site to see if they have a more complete explanation. For instance, if F-Prot called it XYZ-79 then go to the F-Protect site and search for "XYZ-79".

I tried to find your submission to VirusTotal last night, but it's not showing up, so now I'm not sure what you were referring to.

While I was searching I ran across a couple of other references.

It was added to the clamav database on Jan 3 of this year along with 22 more similar ones. There were lots of submissions from various sources, mostly anonymous, but you can read about it here Old Nabble - clamav-virusdb - Update (daily: 14233). Note that the signature coder was Arnaud Jacques so he would be the person at clamav.net to ask if he knows what it does.

There was also a discussion on the ClamWin Forum by a Windows user who found it in his FireFox cache, ask the same question and got many of the same answers I've been giving you.

macfrombrampton wrote:

THe Virus I am trying to find its function is called JS.Obfus-48 identified by clamxav.

Yes, you have said that at least three times now. I would be willing to bet that the reason you haven't gotten any answers is that you are asking a bunch of Mac users and it doesn't do anything on a Mac.

So, as I've told you before, the only person that might know is Arnaud Jacques who coded up the definition of this malware. You can find his email address here http://www.clamav.net/lang/en/about/team/ but you may have to speak French.