Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on May 22, 2014, 06:34:46 PM

Title: avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
Post by: polonus on May 22, 2014, 06:34:46 PM
See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.neodownloader.ru
Trojan detected in: Object: htxp://feelthesame.changeip.name/rsize.js  -> https://www.virustotal.com/nl/url/a4f44a49dc920a577790d24789ba6bda4c6e838ea05f54fe56d5f8393718cd3a/analysis/  and
http://urlquery.net/report.php?id=1395535056539 IDS alert Detected a Dynamic DNS URL
SHA1: d6d01e38799a81f875259708da406ef5dbfd24fe
Name: TrojWare.JS.iFrame.DEE

See: http://sitecheck.sucuri.net/results/www.neodownloader.ru#blacklist-status
6 instances of http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v7 in index.html
Javascript check = Suspicious

image().src = "//counter.yadro dot ru/hit?r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colordepth? screen.colordepth...

Included scripts = Suspect - please check list for unknown includes

htxp://buysitka.com/6jyj4fub.php
htxp://buysitka.com/6jyj4fub.php
For that included script re: Offensive html code:
<script src="htxp://buysitka.com/6jyJ4fuB.php" type="text/javascript">

Offensive url: htxp://buysitka.com/6jyJ4fuB.php
Url is blacklisted in Google Safe Browsing

dragspelsnytt dot se is on 89.221.250.15
ASN for 89.221.250.15: 3301
89.221.250.15 manually set to use abuse@aname.net (this site was also infested by this and reported by http://sakrare.ikyon.se/)

For external links check etc. see: http://zulu.zscaler.com/submission/show/dcd5eb466d075d34e4ee243e14bf5333-1400775721  100/100% malicious

Missed here: http://www.avgthreatlabs.com/website-safety-reports/domain/neodownloader.ru/

polonus
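The "Included scripts = Suspect - please check list for unknown includes" finding above is an allowlist check: every external `<script src>` or `<iframe src>` in the page is compared against the hosts the site owner actually expects. The following Python is an added example of that check, not code from the forum post or from any of the scanners it links to; the page host, the allowlist and the sample `index.html` (with placeholder `.invalid` domains standing in for the injected include) are constructed for illustration.

```python
"""Flag third-party <script src> and <iframe src> includes in an HTML page
that are not on the site owner's allowlist (added example; hosts and the
sample page below are constructed placeholders)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the first-party host plus a known hit counter.
ALLOWED_HOSTS = {"www.example-site.invalid", "counter.yadro.ru"}

# Constructed sample page: one first-party script, one allowlisted counter,
# one unknown script include and one 1x1 hidden iframe (both placeholders).
SAMPLE_INDEX_HTML = """
<html><body>
<script src="/js/site.js"></script>
<script src="//counter.yadro.ru/hit?r=1"></script>
<script src="http://unknown-include.invalid/6jyJ4fuB.php" type="text/javascript"></script>
<iframe src="http://hidden-frame.invalid/x.html" width="1" height="1"></iframe>
</body></html>
"""


class IncludeCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.includes.append((tag, value))


def host_of(src, page_host):
    """Host an include resolves to; relative and protocol-relative
    ("//host/...") URLs are resolved against the page host."""
    if src.startswith("//"):
        src = "http:" + src
    parsed = urlparse(src)
    return (parsed.netloc or page_host).lower()


def find_unknown_includes(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (tag, src, host) for includes whose host is neither the page
    itself nor on the allowlist; these are the ones to review by hand."""
    collector = IncludeCollector()
    collector.feed(html)
    page_host = page_host.lower()
    flagged = []
    for tag, src in collector.includes:
        host = host_of(src, page_host)
        if host != page_host and host not in allowed:
            flagged.append((tag, src, host))
    return flagged


if __name__ == "__main__":
    for tag, src, host in find_unknown_includes(SAMPLE_INDEX_HTML,
                                                "www.example-site.invalid"):
        print(f"unknown {tag} include from {host}: {src}")
```

Run against the constructed page this reports the placeholder script include and the hidden iframe while leaving the first-party script and the allowlisted counter alone; a real deployment would feed it the served `index.html` and the site's own allowlist, and treat any new host as something to verify before trusting.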
Title: Re: avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
Post by: polonus on May 22, 2014, 10:28:16 PM
A more recent scan: https://www.virustotal.com/en-gb/url/a4f44a49dc920a577790d24789ba6bda4c6e838ea05f54fe56d5f8393718cd3a/analysis/1400789767/

https://www.virustotal.com/en-gb/file/b2e49d98566fc1934df0349560dfca12e2416dfa10745e6cb65b756cf84fb225/analysis/1400789771/

Thanks go to Pondus for making me aware of the more recent results.

polonus