Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on December 06, 2011, 04:40:16 PM

Title: Again the fabulous webshield to protect us: Threat detected!
Post by: polonus on December 06, 2011, 04:40:16 PM
Trying to go to this malware site: -http://fragarena.com.br/list.txt
Naturally you have the avast webshield up, and as a user you are being blocked immediately to even connect out there:
PHP:Agent-Z [Trj] detected.
See: http://www.virustotal.com/url-scan/report.html?id=9a948c119f7608bac074fbc7f820bb01-1323181498
See: http://www.virustotal.com/file-scan/report.html?id=8871737c0b2892dce267e1854751a984362a0e625fb894e8d663df1bd643670a-1323185277
Avast also neatly detects this PHP_CHAPLOIT.SMM malware as PHP:Agent-Z [Trj]

OK for the notorious virus hunters among us it was found in jsunpack list 4
(do not venture out there if not security savvy enough)

polonus
Title: Re: Again the fabulous webshield to protect us: Threat detected!
Post by: !Donovan on December 07, 2011, 02:28:21 AM
Studying the code, it uses a backtool action?

Why would they name the exploit backtool? :-\

Also, it appears that this code calls the command prompt?
To think a website can call the command prompt. >:(

Good thing it was detected by avast!

See attached.
Title: Re: Again the fabulous webshield to protect us: Threat detected!
Post by: !Donovan on December 07, 2011, 11:46:56 PM
All links are broken, so this coding probably wouldn't function correctly. Nice catch by avast!, though.

And...
Code:
/* Parte Atualiza 02:48 12/2/2006 */
Plus attached. Recolored for fun. ;D
Title: Re: Again the fabulous webshield to protect us: Threat detected!
Post by: polonus on December 07, 2011, 11:51:29 PM
Hi Donovansrb10,

Thanks for explaining this malcode injection for us,
and good avast is protecting the users against it,

polonus