
New Virus today?

amyamandaallen Member Posts: 316
Anyone been hit by this this morning?

JS/Snz.A

It seems to be doing the rounds on web servers this morning.

Any info available?

Cheers
Remember I.T. means In Theory ( it should works )

Comments

  • FreedomF Member Posts: 1
    Yeah I've also got the same thing, can't find any other information on this on the web and it has only appeared today, keep on needing to reboot every time the error appears. Seems to appear when in a browser.

    What Antivirus are you using?
  • edster Member Posts: 5
    We are running eTrust here, and it has incorrectly identified this mythical JS/SNZ.A in jsquery (http://sourceforge.net/project/showfiles.php?group_id=145697) a javascript AJAX library. We've been using it since the summer, and visiting the jsquery homepage also flags this error.
  • Sie Member Posts: 1,195
    It's a JS virus imbedded within a webpage from what I can see..

    Flagged as Trojan by eTrust.

    Picked up at fuk.co.uk (following above google search)

    The JS/Snz.A was detected in C:\DOCUMENTS AND SETTINGS\**USERNAME**\JQUERY[1].JS. Machine: **MACHINE**, User: **MACHINE**\**USER**. File Status: File was cured; system cure performed.

    Deleted temp internet files and performed a system scan, no further alerts....
    Foolproof systems don't take into account the ingenuity of fools
  • Roadwolf Member Posts: 9
    I got it a few times while surfing thru Gamespot.com

    My CA Firewall deleted the file right away but there seems to be no info on it yet. My computer hasn't frozen or needed reboots at all, but some websites appear to be causing the computer to lag tonight, which is very unusual.

    It seems to plant itself in your cache.

    I am using Firefox as well, if that helps.
  • Boema Member Posts: 1
    Same problem here... I'm using Etrust.
    Does anybody have any clue about this one? Is it harmful or just a problem with etrust? The only information I can find about this virus is from people who are using etrust...
  • hbrianne Member Posts: 1
    It apparently has struck my machine as well. My SBC Yahoo anti-virus just picked it up.

    I would greatly appreciate any removal tips.

    :)
  • Ozjono Member Posts: 4
    Hi! I'm in Australia, and I'm using CA. I first got this virus report when I went to www.tv.com. The file name of it is mootools[1].js. Hope this helps, cheers, jono :)
  • Sie Member Posts: 1,195
    Invasion......
    Foolproof systems don't take into account the ingenuity of fools
  • Ozjono Member Posts: 4
    I think it may have something to do with javascript, however when I deleted Java it still appeared on the www.tv.com website. Sorry if someone has already said about Java, 'tis New Year's Eve in Australia :) Few beverages being had :)
  • Roadwolf Member Posts: 9
    There seem to be a few questionable blog entries that have been posted within the last 30 mins as well, related to this virus name if you search on Google. I tried watching a posted video on one of them and it locked up Firefox. Luckily I am fairly sure that nothing was harmed, it seemed to ask me to install something over and over again. So probably not a good idea to click on a video.

    But odd nonetheless.

    Updated Firefox virus location:

    C:\Documents and Settings\***USER NAME***\Local Settings\Application Data\Mozilla\Firefox\Profiles\es6vqqq4.default\Cache\00C87BB2d01

    Again, CA Firewall seems to have deleted all traces of it right away - every time it comes up (when I visit different sites). Avira didn't even notice it.
  • paulsteel Member Posts: 1
    Hi all,

    This has just sprung up for me today on several computers. It appears when you go to several specific websites. The files infected are mootools[1].js, jsquery[1].js and one other I cannot find at the moment. All are in temporary internet files.

    If you go into the same website the same virus message will pop up.

    This forum is about the only place I can find info on it. We are using etrust and IE7

    Hope this helps,

    Paul
  • edster Member Posts: 5
    I'm fairly certain that eTrust have done something odd with their most recent update. JSQuery is most certainly not a virus, and mootools is another javascript library, which coincidentally we have also used and has never caused a problem before today.

    Seems someone over there has had one xmas drink too many!
  • Ozjono Member Posts: 4
    HAHA :) Aussies can handle their booze! Seriously though, that is what CA antivirus is telling me, I went to windows update, and also to java.com to try and find updates to correct a misdiagnosis, and also updated CA, but the virus alert keeps coming up.
  • Natalie_ca Member Posts: 3
    I just had this too.

    I use Mozilla-Firefox and went to a website that I frequent and clicked on a link that took me to an outside site. I immediately got a popup from CA Antivirus saying that it deleted a js/snz.a virus from my cache files area.

    I tried searching for it at CA Antivirus but can't find it there. I did a google search and this is the only forum that has any kind of discussion going on about it.
  • Roadwolf Member Posts: 9
    edster wrote:
    I'm fairly certain that eTrust have done something odd with their most recent update. JSQuery is most certainly not a virus, and mootools is another javascript library, which coincidentally we have also used and has never caused a problem before today.

    Seems someone over there has had one xmas drink too many!


    Well, if CA Firewall is catching it too... must be something fishy?
  • edster Member Posts: 5
    Nope - nothing fishy, eTrust is from CA.
  • tommyboy Member Posts: 5
    It's looking more and more like an Etrust specific problem:

    The mention of the Yahoo AV makes it look like a more global problem, but that service sits on an Etrust variant anyway.

    It's great that Etrust don’t mention anything on their website at all about it, if you do a search for the JS/Snz.a (or anything remotely similar) it doesn’t bring back a thing. You would think they would bother to put a mention of it in their virus encyclopedia if it's been added to their definition.

    The latest definition files came across yesterday, maybe it’s a problem with definition file and it's producing a false positive. If that’s the case – let's hope that the employees at CA antivirus department have not all booked New Year's Eve off. I can just imagine Maureen from accounts dancing with Geoff the .net developer when he should be fixing his definition file.
  • edster Member Posts: 5
    I work for a large organisation, and we're raising it directly with CA. Let's just see how quickly they can get a fix out though...
  • Ozjono Member Posts: 4
    Thank you for your help everyone :) Enjoy your new years celebrations!
  • Roadwolf Member Posts: 9
    edster wrote:
    Nope - nothing fishy, eTrust is from CA.

    Ah ok :) didn't do my homework :)
  • Natalie_ca Member Posts: 3
    tommyboy wrote:
    It's looking more and more like an Etrust specific problem:

    The mention of the Yahoo AV makes it look like a more global problem, but that service sits on an Etrust variant anyway.

    It's great that Etrust don’t mention anything on their website at all about it, if you do a search for the JS/Snz.a (or anything remotely similar) it doesn’t bring back a thing. You would think they would bother to put a mention of it in their virus encyclopedia if it's been added to their definition.

    The latest definition files came across yesterday, maybe it’s a problem with definition file and it's producing a false positive. If that’s the case – let's hope that the employees at CA antivirus department have not all booked New Year's Eve off. I can just imagine Maureen from accounts dancing with Geoff the .net developer when he should be fixing his definition file.

    I tried to report the issue to CA, but I can't find anywhere on their site to do that.
  • Roadwolf Member Posts: 9
    The increase in listings for the 'virus' name on b l o g s p o t (coming up from a Google search of the virus name) is quite odd tho. Several blogs repeat the name of the virus over and over, and it almost looks like an automated message. All of these blogs showed up tonight?

    Just a clip from the latest one:

    "Nyt news service. Do not write anti virus en ligne, national association of science. A coalition of anti virus en ligne, god in the experience, flat js/snz.a, do all the river. Was said to anti virus en ligne, ahead in the term. You go to anti virus en ligne- the rev paul stop. Government wants to anti virus en ligne- add js/snz.a, known in the section. The tax is anti virus en ligne, the one i sense. All manner of anti virus en ligne, s discretion slate either. You see is anti virus en ligne, the profile of slip, town snz.a, not do this last. The irish republic anti virus en ligne."

    <shrugs>
  • nevdunn Member Posts: 1
    Hi there. New to the site but just to let you know I run Zone Alarm. It found it and 'treated it'.
  • tommyboy Member Posts: 5
    Roadwolf - it's just an automated process. These sites you refer to are clever sites that take common search terms and throw them into a page - so that you click on them. Because there are not many pages regarding this particular phrase - they are appearing at the top of Google etc. They will dwindle down the ranking eventually.

    It's a bit like peer to peer searches - e.g. Lime wire - where you can type in ANY name you like and you can guarantee there will be a result that almost exactly matches it.... Don't worry about them. It's a big fat red herring mate. Clever though.
  • [DnC] Member Posts: 1
    I just registered for this.

    Good to see that I'm not the only one having the problem, I was already getting worried when I at first couldn't find anything about it. I also had it with gamespot.com and something that was really strange. At tribal wars, a web-based strategy game, I'm in a tribe and when I access our tribal forum I get the message, but nowhere else on the site. Neither do I get it on the main forum where everyone has access to (the main tribal wars forum and people's personal tribal forum are separate from each other).

    I just today bothered to install IE7 and before was still using IE5. Thought it "might" just solve the problem, but that was a long shot because I didn't know what else could help.

    I'm really hoping indeed what people say here is the truth and CA just messed up an update.

    Very annoying, but at least I'm not completely worried anymore that my system might get borked by a virus that didn't seem to exist by anything I could find prior to this site popping up through google eventually.
  • Roadwolf Member Posts: 9
    tommyboy wrote:
    Roadwolf - it's just an automated process. These sites you refer to are clever sites that take common search terms and throw them into a page - so that you click on them. Because there are not many pages regarding this particular phrase - they are appearing at the top of Google etc. They will dwindle down the ranking eventually.

    It's a bit like peer to peer searches - e.g. Lime wire - where you can type in ANY name you like and you can guarantee there will be a result that almost exactly matches it.... Don't worry about them. It's a big fat red herring mate. Clever though.

    Clever indeed.

    I am bored and entertaining myself with trying to find more info on this :) , so... lol

    I am intrigued that ZoneAlarm detected it tho. :D
  • edster Member Posts: 5
    Roadwolf wrote:

    I am intrigued that ZoneAlarm detected it tho. :D

    I am as well - unless it's not a virus fingerprint, but I wonder if they share some element of a heuristics engine, which is picking them both up. . .
  • Salleh Member Posts: 1
    My site http://www.ragnarok-ph.com is also having this problem. I'm using CA and I'm afraid that visitors might be afraid to visit my site again >.<

    CA should explain immediately as this is a serious problem
  • adam1302 Member Posts: 1
    Just did a virus check with CA anti-virus at random and found it on 3 accounts on my PC.
  • tommyboy Member Posts: 5
    Someone else http://www.dynamoo.com/blog/2007/12/jssnza-likely-false-positive-in-etrust.html seems to think it's a false positive also.

    Keep checking the CA site for new sig updates.
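
Added example, not part of the thread or of any CA tool: a small triage script that parses alerts in the eTrust message layout Sie quoted, strips the browser cache counter from names such as `JQUERY[1].JS`, and lists files flagged under one signature on several machines. Machine names, user names, folders and the helper names are assumptions made up for the sample.

```python
import re
from collections import defaultdict

# Alert layout taken from the eTrust message quoted in the thread.
ALERT_RE = re.compile(
    r"The (?P<sig>\S+) was detected in (?P<path>.+?)\. "
    r"Machine: (?P<machine>[^,]+), User: (?P<user>.+?)\. "
    r"File Status: (?P<status>.+)$"
)
TEMPLATE = ("The JS/Snz.A was detected in {path}. Machine: {m}, User: {m}\\{u}. "
            "File Status: File was cured; system cure performed.")
# Constructed sample data: machine names, user names and folders are made up.
SAMPLE_ALERTS = [TEMPLATE.format(path=p, m=m, u=u) for p, m, u in [
    (r"C:\DOCUMENTS AND SETTINGS\ALICE\JQUERY[1].JS", "PC-01", "alice"),
    (r"C:\Documents and Settings\bob\jquery[2].js", "PC-02", "bob"),
    (r"C:\DOCUMENTS AND SETTINGS\CAROL\MOOTOOLS[1].JS", "PC-03", "carol"),
    (r"C:\Documents and Settings\alice\mootools[1].js", "PC-01", "alice"),
    (r"C:\Profiles\dave\Cache\00C87BB2d01", "PC-04", "dave"),
]] + ["Signature update installed."]  # last line is deliberately not an alert


def normalize(path):
    """Lower-case the file name and drop the cache counter: JQUERY[1].JS -> jquery.js."""
    name = path.rsplit("\\", 1)[-1].lower()
    return re.sub(r"\[\d+\](?=\.[^.]+$)", "", name)


def summarize(lines):
    """Return ({signature: {file: set(machines)}}, number of unparsed lines)."""
    hits, skipped = defaultdict(lambda: defaultdict(set)), 0
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        hits[m["sig"]][normalize(m["path"])].add(m["machine"].strip())
    return hits, skipped


def shared_file_hits(hits, min_machines=2):
    """Files flagged under one signature on several machines: candidates to compare
    byte-for-byte with the publisher's copy before treating them as infected."""
    return sorted((sig, name, len(machines))
                  for sig, files in hits.items()
                  for name, machines in files.items()
                  if len(machines) >= min_machines)


if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_ALERTS)
    print(shared_file_hits(hits), "unparsed:", skipped)
```

Opaque Firefox cache names like the one Roadwolf posted cannot be grouped by name, so they stay as single entries and need a content hash instead.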