Avast WEBforum

Other => Viruses and worms => Topic started by: adam2551 on October 14, 2009, 06:29:49 PM

Title: Websites that say they are infected
Post by: adam2551 on October 14, 2009, 06:29:49 PM
I got different messages popping up when I visit kroq.com, onlypoints.com, and chang4law.com.

Is there a way to see if they are really infected? Thanks
Title: Re: Websites that say they are infected
Post by: nmb on October 14, 2009, 06:50:26 PM
Hi adam2551

check these:

1) http://www.google.com/safebrowsing/diagnostic?site=kroq.com
2) http://www.google.com/safebrowsing/diagnostic?site=onlypoints.com
3) http://www.google.com/safebrowsing/diagnostic?site=chang4law.com

and also see this: http://googleonlinesecurity.blogspot.com/2009/10/show-me-malware.html

nmb
Title: Re: Websites that say they are infected
Post by: polonus on October 14, 2009, 07:39:55 PM
Hi adam2551 and nmb,

Checked with the Norton Safe Web scanner: kroq dot com was safe,
onlypoints dot com showed no threats, chang4law dot com was not tested.
Wepawet on chang4law dot com reported:
Sample Overview

URL   hXtp://www.chang4law.com
MD5   1057535a0aaec10289c36d774d30e667
Analysis Started   2009-10-14 10:27:51
Report Generated   2009-10-14 10:28:12
Jsand version   1.03.02
See the report for domain wXw.chang4law.com.

Detection results

Detector   Result
Jsand 1.03.02   benign
Warning:

The analyzed resource contains one or more syntax errors.
This may affect the detection of malicious code.

Exploits

No exploits were identified.
Deobfuscation results

Evals

No evals.
Writes

<span id="menuContainer"></span>
(repeated 1 time)
Network Activity

Requests

URL   Status   Content Type
htXp://www.chang4law.com   200   text/html
hXtp://www.chang4law.com/mm_menu.js   200   text/javascript
Redirects

No redirects.
ActiveX controls

No objects/controls.
Shellcode and Malware

No shellcode was identified.

No additional malware was retrieved. But the malware is found here in the JavaScript code above:
re: http://badwarebusters.org/main/itemview/4302
Another example description of the malware can be found here: http://www.malwaredomainlist.com/forums/index.php?topic=2754.0

Analysis report for hxtp://www.onlypoints.com

Sample Overview

URL   hxtp://www.onlypoints.com
MD5   c09763d98641acd9b2dc6b3cf5c13079
Analysis Started   2009-10-14 10:36:39
Report Generated   2009-10-14 10:36:46
Jsand version   1.03.02
See the report for domain wXw.onlypoints.com.

Detection results

Detector   Result
Jsand 1.03.02   benign
Exploits

No exploits were identified.
Deobfuscation results

Evals

var google_protectAndRun
(repeated 2 times)
var google_handleError
(repeated 2 times)
var Goog_AdSense_getAdAdapterInstance
(repeated 2 times)
var Goog_AdSense_OsdAdapter
(repeated 2 times)
var sc_img1 = new Image();
sc_img1.src = "hxtp://c19.statcounter.com/t.php?sc_project=2003099&resolution=1024&h=768&camefrom=&u=http%3A//wXw.onlypoints.com&t=OnlyPoints.com%20-%20Play%20free%20flash%20multiplayer%20and%20ranked%20games%20for%20prizes%20-%20OnlyPoints%20Games&java=1&security=8c5686a5&sc_random=0.2501259057045536&sc_snum=1&invisible=1"
(repeated 1 time)
Writes

<script src='http://wXw.google-analytics.com/ga.js' type='text/javascript'></script>
(repeated 1 time)
<object ><embed  ></embed></object>
(repeated 1 time)
Network Activity

Requests

URL   Status   Content Type
http://wXw.onlypoints.com   200   text/javascript
http://wXw.onlypoints.com/AC_RunActiveContent.js   200   text/javascript ***
http://wXw.onlypoints.com/arcade/plugins/site/themes/default/responseXML.js   200   text/javascript
http://wXw.onlypoints.com/arcade/plugins/site/themes/default/superfriend.js   200   text/javascript
http://wXw.google-analytics.com/ga.js   200   text/javascript
hXtp://pagead2.googlesyndication.com/pagead/show_ads.js   200   text/javascript
hXtp://www.statcounter.com/counter/counter.js   200   text/javascript
Redirects

No redirects.
ActiveX controls

Msxml2.XMLHTTP
No attribute setting or method call detected
ShockwaveFlash.ShockwaveFlash.7
Name   Arg0   Count
Methods   GetVariable   $version   1
Shellcode and Malware

No shellcode was identified.

No additional malware was retrieved. *** This is detected by avast as AC_RunActiveContent.js. VBS:Malware-gen.

polonus

Title: Re: Websites that say they are infected
Post by: nmb on October 15, 2009, 07:06:43 AM
Thanks, sir Pol, for the detailed results.

nmb