Author Topic: What about this script?  (Read 919 times)

Offline polonus

  • avast! √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 20123
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
What about this script?
« on: March 24, 2011, 09:39:33 PM »
Howdy folks,

I added a gif image of a script. To me it looks suspicious. What do you think?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CharleyO

  • avast! Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7102
  • Gender: Male
  • Be alert for error code - ID 10T
    • Personal Message (Offline)
Re: What about this script?
« Reply #1 on: March 25, 2011, 08:06:10 PM »
***

The first line tells me it's no good.    ;)


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline polonus

  • avast! √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 20123
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: What about this script?
« Reply #2 on: March 25, 2011, 08:21:48 PM »
Norman found nothing, but it was mentioned in the listing here: http://malwaredomains.com/updates/20110324.txt
and mentioned here:
http://www.malwaredomains.com/wordpress/?p=1714
as reported to me something might be here: htxp://adserver.fuzzybean.com/www/delivery/fl.js  (see malzilla gif attached)
is trojan redirector malware (not dangerous itself, but known to alter shockwave settings)
further see: htxp://jsunpack.jeek.org/dec/go?report=4c35263ce4fd20950ed2f8ec4c7dee8a96b85c26
seen as benign here: http://wepawet.iseclab.org/view.php?hash=c39988364c65a30998a26fc6fcb9ab00&t=1301088385&type=js

Similar malware resides or could have resided here: htxp://www.freelotto.com/xmljs/FL.js
see: http://wepawet.iseclab.org/view.php?hash=eff40cb71cc361ebd56c804d21f3ae60&t=1301088773&type=js
but nothing detected at virustotal: http://www.virustotal.com/file-scan/report.html?id=0a1f3eee6e5779d09481ddb6ccc389ce89281985e5ae12deba46da202d2bbd26-1301088733
probably because it already has been taken out???:
http://jsunpack.jeek.org/dec/go?report=e551bb2202dd84fa6ad8dbd4d777612dcd69fd7c, but malzilla gets it...

polonus
« Last Edit: March 25, 2011, 08:41:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now