Why does Kaspersky detect the HEUR:Trojan.Script.Generic Trojan on a site? (And a possible solution)

Published on March 30, 2015

    Good day. I have yet another article related to security, or rather to access to your sites, dear webmasters, so let me tell you about it.

    Threat “HEUR:Trojan.Script.Generic”


    Perhaps you have a website where you did not use libraries like jQuery and simply decided to write the site's "spaghetti code" in plain JavaScript (say, like me, for the sport of it). You probably do not expect such “meanness” from your favorite Kaspersky antivirus, especially if you do not use it yourself... but your friend does. He will then see this message on your site: “the object is infected with HEUR:Trojan.Script.Generic”.

    In the meantime, other antiviruses are silent.


    To explain what is going on here, I have to show the JavaScript code, so the rest of the article is about it.
    I decided to experiment with datalist to build an autocomplete without third-party libraries (this marvel appeared in HTML5, though it really does have trouble with Russian letters; sorry for the off-topic).
    I wrote the form code:

    <form method="get" action="">
      <!-- Escape the query before echoing it back into the attribute -->
      <input type="search" name="q" value="<?= htmlspecialchars($q, ENT_QUOTES, 'UTF-8'); ?>" list="json-datalist" id="i_search" autocomplete="off" />
      <input type="submit" value=" Искать " />
    </form>
    <datalist id="json-datalist"></datalist>
    


    And then I wrote what seemed to me to be harmless code:
    // Get the <datalist> and <input> elements.
    var dataList = document.getElementById('json-datalist');
    var input = document.getElementById('i_search');
    // Create a new XMLHttpRequest.
    var request = new XMLHttpRequest();
    // Handle changes of the request state.
    request.onreadystatechange = function(response) {
      if (request.readyState === 4) {
        if (request.status === 200) {
          var jsonOptions = JSON.parse(request.responseText); // Parse the JSON
          // Iterate over the JSON array.
          jsonOptions.forEach(function(item) {
            var option = document.createElement('option');
            // Set the value from the current item of the JSON array.
            option.value = decodeURIComponent(unescape(item));
            // Append the <option> element to the <datalist>.
            dataList.appendChild(option);
          });
          input.placeholder = "Please type";
        } else {
          // An error occurred.
          input.placeholder = "Couldn't load datalist";
        }
      }
    };
    // Update the placeholder.
    input.placeholder = "Loading options...";
    // Set up and send the request.
    request.open('GET', URL_BASE+'/data.json', true);
    request.send();
    


    And we get our trojan!
    "Where is the trojan? You don't see it?" Oh, I don't see it either, but Kaspersky does!
    And it sees it here:
     request.open('GET', URL_BASE+'/data.json', true);
    

    Remove this line and everything is in order: our script does not work, and the antivirus is calm.

    "Debriefing"


    So we need to dig deeper into the handler for the request state, onreadystatechange.
    Our medicine will be a separate function, let's call it updatePage, in which we iterate over the returned JSON array, and which we assign to the state handler here:
     request.onreadystatechange = updatePage;
    


    As a result, I rewrote the code so that Kaspersky Anti-Virus no longer bothers us:
    var dataList = document.getElementById('json-datalist');
    var input = document.getElementById('i_search');
    var url = URL_BASE + '/data.json';
    // Create the request object (ActiveXObject is the fallback for old Internet Explorer).
    var request = null;
    if (window.XMLHttpRequest)
      request = new XMLHttpRequest();
    else if (window.ActiveXObject)
      request = new ActiveXObject('Microsoft.XMLHTTP');

    // Named handler for request state changes.
    function updatePage()
    {
      if (request.readyState == 4)
      {
        if (request.status == 200)
        {
          var jsonOptions = JSON.parse(request.responseText);
          // Add one <option> per item of the JSON array.
          jsonOptions.forEach(function(item) {
            var option = document.createElement('option');
            option.value = item;
            dataList.appendChild(option);
          });
          input.placeholder = "Please type";
        }
        else
        {
          input.placeholder = "Couldn't load datalist";
        }
      }
    }
    request.open("GET", url, true);
    request.onreadystatechange = updatePage;
    request.send(null);
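
    The handler above passes whatever data.json returns straight to JSON.parse and then into the datalist. As an added example (not the article's code), here is one way to validate the response first. The names parseDatalistOptions and fillDatalist, the two limits and the sample responses are assumptions made for illustration.

```javascript
// Added example: validate the body of data.json before its items become
// <option> values. MAX_OPTIONS and MAX_LENGTH are assumed limits.
var MAX_OPTIONS = 200;
var MAX_LENGTH = 100;

// Returns a de-duplicated array of clean strings. Returns [] for anything
// that is not a JSON array, so the caller can show the error placeholder.
function parseDatalistOptions(responseText) {
  var parsed;
  try {
    parsed = JSON.parse(responseText);
  } catch (e) {
    return []; // truncated body, HTML error page, injected junk, etc.
  }
  if (!Array.isArray(parsed)) return [];
  var seen = Object.create(null); // no prototype, so any string is a safe key
  var result = [];
  for (var i = 0; i < parsed.length && result.length < MAX_OPTIONS; i++) {
    var item = parsed[i];
    if (typeof item !== 'string') continue; // skip numbers, objects, null
    // Strip control characters, then surrounding whitespace.
    var text = item.replace(/[\u0000-\u001f\u007f]/g, '').trim();
    if (text === '' || text.length > MAX_LENGTH) continue;
    if (seen[text]) continue;
    seen[text] = true;
    result.push(text);
  }
  return result;
}

// Browser-side use: build options through DOM properties only (no innerHTML).
function fillDatalist(dataList, input, responseText) {
  var options = parseDatalistOptions(responseText);
  options.forEach(function (text) {
    var option = document.createElement('option');
    option.value = text;
    dataList.appendChild(option);
  });
  input.placeholder = options.length ? 'Please type' : "Couldn't load datalist";
  return options.length;
}

// Constructed sample responses (not taken from the article).
var SAMPLE_OK = '["Moscow", "Minsk", "Moscow", 42, null, "  Kyiv\\u0007 "]';
var SAMPLE_BAD = '<html>502 Bad Gateway</html>';
```

    In updatePage, the status 200 branch would then call fillDatalist(dataList, input, request.responseText).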
    

    P.S. I'm not saying that this is the only reason such a warning from our beloved antivirus may appear, because there may also be cases where a genuinely “rogue script” exists on your site.