Topic: Rogue antivirus site - virginantivirus dot com now at a domain parking page?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Hi, this was/is still being detected by Trend Micro - Webreputation as "This URL is currently still listed as malicious"
http://www.mywot.com/en/scorecard/virginantivirus.com  4 instances of red (malicious content)
Avast detects this as Fake-AV-GF : http://www.virustotal.com/file-scan/report.html?id=60d509a36dfdb6f77619678b85e3cad15464064197e713423afbdb892fd2e766-1298209207
When I go there with malzilla I am confronted with the script, see image attached below.
According to a google search the address is now at a domain parking page? See the attached thumbnail GIF? And so has this threat now gone?
Please comment?

polonus
« Last Edit: February 20, 2011, 03:14:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
The fake scanner is still there

Wepawet say benign
http://wepawet.iseclab.org/view.php?hash=314cef975ebe74b69a18dda4b55f94ea&t=1298211931&type=js

Sucuri say Clean

Unmaskparasites say Suspicious
http://www.UnmaskParasites.com/security-report/?page=www.virginantivirus.com
but if you click on the red "suspicious" then Google says not dangerous for the last 90 days

 ??? ??? ???

and the downloaded FakeAV

VirusTotal - AntiSpyWareSetup.exe - 0/43
http://www.virustotal.com/file-scan/report.html?id=629ebf10660e1f490c22f809108fb5fabbb2f54aa9d0bb525fe447ba1c5c52c1-1298212610


MalwareBytes detect it as Trojan.fakeAlert


Alan Baxter

  • Guest
And so has this threat now gone?

The threat is still there.  If I go to that site without Avast Web Shield, I still get the rogue/fake av scan and I'm prompted to accept the bogus download.  I've reported it to stopbadware.org with the Firefox "Report Web Forgery" feature.

Offline polonus

Hi Pondus and Alan Baxter,

You are both right, and thanks for confirming this. The rogue AV is still at that address; I just scanned it using jsunpack and it says: virginantivirus dot com/ suspicious. The info on the Google search page about a domain parking page is irrelevant and might be deliberately confusing to invite clicks. So it is good that it is being blocked by the avast webshield.

This information can be found at the bottom of the virustotal analysis page:
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml  and http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
So an overall 0/43 (0.0%) result, but something suspicious is definitely detected there.

polonus


« Last Edit: February 20, 2011, 04:03:07 PM by polonus »

Offline Pondus

Reported to Google  http://www.google.com/safebrowsing/report_badware/

and the sample is in avast mailbox  ;)
OBS: Norton SafeWeb say clean, there is even a picture of the fake scanner    ;D
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.virginantivirus.com
edit: Norton safe web now detect it
« Last Edit: February 21, 2011, 12:14:22 AM by Pondus »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76012
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Report    2011-02-20 16:48:25 (GMT 1)
IP Address    76.76.116.171
IP Hostname    reverse-mtl-76-76-109-171.gogax.com
IP Country    CA
AS Number    N/A
AS Name    N/A
Detections    2 / 26 (8 %)
Status    SUSPICIOUS

http://www.malwaredomainlist.com/mdl.php?search=76.76.116.171
http://www.mywot.com/en/scorecard/76.76.116.171
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

Hi Asyn,

Exactly so, good you checked on the URL, then we find this here:
http://support.clean-mx.de/clean-mx/viruses?virusname=JS:FakeAV-GF
and the scumware org scan shows: http://www.scumware.org/report/76.76.116.171
and there are some more where that came from, see:
http://amada.abuse.ch/?search=76.76.116.171

polonus

« Last Edit: February 20, 2011, 05:36:10 PM by polonus »

Offline Asyn

NP, pol. :)
asyn

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Safezone does not like it either

spg SCOTT

  • Guest
Well, that is just the webshield monitoring the safezone browser ;)

m00nbl00d

  • Guest
The exploit would die with javascript disabled. ;)

Norton Safeweb seems to report two threats from that domain, not clean. Added after?

By the way, LinkScanner blocks it (Don't be too harsh on me. I'm just stating that it does. ;D) -http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://virginantivirus.com

Offline polonus

The scumreport gives ten instances from that URL: http://www.scumware.org/report/76.76.116.171

Norton Safe Web also gives this: MSIE FakeAV Notification Alert
Locatie:    hxtp://virginantivirus.com/?id=06abQDYx  but that is another detection,
and not Trojan.JS.Fraud.bg

And here another 5 instances of the same threat:
http://amada.abuse.ch/?search=76.76.116.171

If the malware site is validated, you get: Errors found while checking this document:
Line 16, Column 28, Damage not well-formed (invalid token) ....
see: http://rexbd.net/validator/index.php?url=virginantivirus.com

pol
« Last Edit: February 21, 2011, 12:58:00 AM by polonus »