Avast WEBforum

Other => Viruses and worms => Topic started by: Gregx on December 24, 2011, 03:10:06 AM

Title: Virus
Post by: Gregx on December 24, 2011, 03:10:06 AM
I just thought I'd post this to see if I can get some help. Whoever is behind this seems to be working very hard to get my info.
So here it is: hxxp://www.korang.com/lovesanta.php?jacob158.jpeg
This link was sent to me from my son's e-mail address. The link is a Java type thing that loads the Vista 2012 virus. I removed it, changed all passwords and installed newer antivirus.
Anyway, hope this is helpful. ???
Thanks
Title: Re: Virus
Post by: Pondus on December 24, 2011, 03:26:27 AM
please edit the link so that it is not clickable... change http to hxxp


VirusTotal
http://www.virustotal.com/file-scan/report.html?id=f13f61eccefc5e686aeb4de24254615d9b0e2dcd625fb2998401da41b1a8fd19-1324693168

Not detected by Malwarebytes or Superantispyware

Have sent sample   ;)
Title: Re: Virus
Post by: Gregx on December 24, 2011, 03:50:04 AM
Sorry had no idea it would post a working link.
Title: Re: Virus
Post by: true indian on December 24, 2011, 05:12:48 AM
Since Pondus has sent the sample, it should be detected soon.
Title: Re: Virus
Post by: !Donovan on December 24, 2011, 09:44:44 PM
See http://urlquery.net/report.php?id=13323

For you NoScript users, add this to your blacklist!

Did some investigating. See attached.

The 'scanner' is obfuscated by setting variables with unescape() (hex) encoding. After all the variables have been defined, the site writes the code by calling 'unescape()' inside 'document.write()'. There is also a JavaScript file that supports the decoding of the main 'scanner'.
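The obfuscation pattern described in the post above (variables filled with percent-escaped fragments, then concatenated and written out through `unescape()` inside `document.write()`) can be unpacked statically, without ever executing the page's script. The block below is an added example written for this thread; it is not code from the forum, from the sample, or from the site. The obfuscated snippet it parses is constructed for illustration (the host `example.invalid` is a placeholder), and the function names (`decodePercentEscapes`, `collectVars`, `evalConcat`, `deobfuscate`, `extractIndicators`) are my own.

```javascript
// Static decoder for the unescape()/document.write() obfuscation pattern.
// Nothing from the sample is evaluated: percent escapes are decoded by a
// hand-written routine and the concatenation is resolved by tokenising.

// Re-implements the legacy JS unescape(): %XX and %uXXXX sequences only.
function decodePercentEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, x2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Collects `var NAME = unescape("...");` and `var NAME = "...";` definitions.
// Fragments wrapped in unescape() are decoded once at definition time, exactly
// as the browser would do when the statement runs.
function collectVars(src) {
  const vars = Object.create(null);
  const re = /var\s+([A-Za-z_$][\w$]*)\s*=\s*(unescape\(\s*)?(["'])((?:\\.|(?!\3)[^\\])*)\3\s*\)?\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const [, name, wrapped, , lit] = m;
    vars[name] = wrapped ? decodePercentEscapes(lit) : lit;
  }
  return vars;
}

// Resolves an expression of the form  a + "lit" + b  using the collected
// variables. Only identifiers and string literals are allowed; anything else
// (a function call, arithmetic) is reported instead of being executed.
function evalConcat(expr, vars) {
  const tok = /(["'])((?:\\.|(?!\1)[^\\])*)\1|([A-Za-z_$][\w$]*)/g;
  let out = '';
  let m;
  while ((m = tok.exec(expr)) !== null) {
    if (m[3] !== undefined) {
      if (!(m[3] in vars)) throw new Error('unresolved identifier: ' + m[3]);
      out += vars[m[3]];
    } else {
      out += m[2];
    }
  }
  return out;
}

// Finds every document.write(...) call, resolves its argument, and applies
// the outer unescape() when present. Returns the variable table and the
// reconstructed strings that would have been injected into the page.
function deobfuscate(src) {
  const vars = collectVars(src);
  const writes = [];
  const re = /document\.write\(\s*(unescape\(\s*)?([\s\S]*?)\s*\)\s*(\))?\s*;/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const [, wrapped, expr] = m;
    const joined = evalConcat(expr, vars);
    writes.push(wrapped ? decodePercentEscapes(joined) : joined);
  }
  return { vars, writes };
}

// Pulls absolute http(s) URLs out of src/href/action attributes of the
// reconstructed markup: the indicators you would block or submit for analysis.
function extractIndicators(html) {
  const urls = new Set();
  const re = /\b(?:src|href|action)\s*=\s*["']?\s*(https?:\/\/[^\s"'>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.add(m[1]);
  return [...urls];
}

// CONSTRUCTED sample in the shape the post describes (not the real page):
// three escaped fragments, then document.write(unescape(concat)).
const SAMPLE = `
var s1 = unescape("%3Cscript%20src%3D%22");
var s2 = unescape("http%3A%2F%2Fexample.invalid%2Fscanner.js");
var s3 = unescape("%22%3E%u003C%2Fscript%3E");
document.write(unescape(s1 + s2 + s3));
`;

const result = deobfuscate(SAMPLE);
console.log(result.writes);                       // reconstructed <script> tag
console.log(extractIndicators(result.writes.join('')));  // URL to blacklist
```

The decoder deliberately refuses expressions it cannot resolve from string literals and known variables rather than falling back to `eval`; when a sample uses a helper script for a second decoding layer, as the post notes this one does, feed that helper's output format into `decodePercentEscapes` or a sibling routine instead of running it.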
Title: Re: Virus
Post by: polonus on December 24, 2011, 11:53:20 PM
IP belongs to phishing sites for PayPal and others; most are now dead.
See: http://urlquery.net/report.php?id=13323

See what Malzilla gets at the main site -http://www.korang.com (see attached image).
I get a suspicious here: http://urlquery.net/report.php?id=13370
Suspicious here:
-www.boonex.com/trac/dolphin/chrome/common/js/trac.js suspicious
[suspicious:2] (ipaddr:173.192.32.154) (script)
-www.boonex.com/trac/dolphin/chrome/common/js/trac.js
     status: (referer=-www.boonex.com/trac/dolphin/wiki)saved 3703 bytes 269180d0ab6979f7a774ba33bbb2a0a9791aeb46
     info: [decodingLevel=0] found JavaScript

Some boonex self-advertising safety report: http://www.safe-browsing.net/safety/b--boonex.com

polonus