Topic: Not blocked URL containing a trojan

Secondmineboy (Avast Evangelist)
Not blocked URL containing a trojan
« on: November 09, 2013, 06:53:16 PM »
URL: 184.82.118.106/MMS/postal-animada.exx (Ending is .exe)

Virustotal: https://www.virustotal.com/de/file/634ac0465a6c374ca9ff5bd484098e7ed4be693ead1f1ace3a4dcd88e6ed9772/analysis/1384019365/ (File)
Virustotal: https://www.virustotal.com/de/url/104129cc586436c7a083be3920dace9bf65241ac13287818775e9d9c168eab99/analysis/1384019542/ (Website)

When ran it opens this URL: hxxp://www.gusanito.com/esp/tarjetas/postales/amistad/faltas_sobre_la_arena/937
File is unknown to Symantec at the moment.

hxxp://184.82.118.106/:

Google: http://www.google.com/safebrowsing/diagnostic?site=184.82.118.106
Part of the site has been blacklisted 6 times in the last 90 days.

Symantec: http://safeweb.norton.com/report/show?url=184.82.118.106 (2 Drive-by Downloads)

VERIFIED PHISH: http://www.phishtank.com/phish_detail.php?phish_id=1843316

URLQuery: http://urlquery.net/report.php?id=7546276

Zulu: http://zulu.zscaler.com/submission/show/22be87746f72cd3fa6c72e7d3a8fef56-1384020084 (100% Malicious)
« Last Edit: November 09, 2013, 07:05:48 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10
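As an added example, not part of the thread: the posters defang their indicators (hxxp://, htxp://, an .exx ending standing in for .exe) and cross-reference file hashes between scanners. The Python below is written here, not taken from the forum or from any scanner mentioned in it. It refangs such URLs (the .exx to .exe mapping follows the first post's note and is an assumption for any other source), pulls hashes and URLs out of post text, and computes the MD5/SHA-1/SHA-256 of a sample so its report can be looked up. The constructed post text and the VirusTotal report-URL pattern are mine.

```python
"""Refang defanged IOCs from forum posts and compute sample hashes.

Added example; the post text below is constructed from the thread's own
indicators and is not a real download.
"""
import hashlib
import re

# Defanged schemes seen in the thread: hxxp://, htxp:// (and real http://,
# which this also matches, so refang() is idempotent).
_SCHEME_RE = re.compile(r"^h[xt]{2}p(s?)://", re.IGNORECASE)
_URL_RE = re.compile(r"\b(?:h[xt]{2}ps?|https?)://[^\s)\]>\"']+", re.IGNORECASE)
# 64/40/32 hex digits delimited by non-word characters: sha256/sha1/md5.
# Caveat: report IDs embedded in scanner URLs also look like hashes.
_HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
_HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(url: str, exx_is_exe: bool = True) -> str:
    """Turn a defanged URL back into a live one.

    Only feed the result to a lookup service or a sandbox, never to a browser.
    exx_is_exe applies the first post's convention ("Ending is .exe"); it is
    an assumption for posts that use some other convention.
    """
    url = url.strip()
    url = _SCHEME_RE.sub(lambda m: f"http{m.group(1).lower()}://", url)
    url = url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if exx_is_exe and url.lower().endswith(".exx"):
        url = url[:-4] + ".exe"
    return url


def defang(url: str) -> str:
    """Inverse: make a URL safe to paste into a post (hxxp, bracketed dots)."""
    url = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Collect hashes and refanged URLs from free text such as a forum post."""
    hashes: dict = {}
    for h in _HASH_RE.findall(text):
        hashes.setdefault(_HASH_KIND[len(h)], set()).add(h.lower())
    urls = sorted({refang(u) for u in _URL_RE.findall(text)})
    return {"hashes": {k: sorted(v) for k, v in hashes.items()}, "urls": urls}


def sample_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a sample, the keys scanners index reports by."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def vt_report_url(sha256: str) -> str:
    """VirusTotal web UI report path for a file hash (assumed current layout)."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


# Constructed stand-in for the first post; hashes are the ones quoted there.
CONSTRUCTED_POST = """URL: hxxp://184.82.118.106/MMS/postal-animada.exx (Ending is .exe)
File MD5: d790cba80ddc8dec4eca23331d3ca3d0
SHA256: 634ac0465a6c374ca9ff5bd484098e7ed4be693ead1f1ace3a4dcd88e6ed9772
"""

if __name__ == "__main__":
    iocs = extract_iocs(CONSTRUCTED_POST)
    print("URLs to look up:", iocs["urls"])
    print("Hashes:", iocs["hashes"])
    for h in iocs["hashes"].get("sha256", []):
        print("report:", vt_report_url(h))
    # A constructed byte string stands in for a downloaded sample.
    print("hashes of constructed sample:", sample_hashes(b"not a real sample"))
```

Keep the refanged form out of anything a user might click; the point of the round trip is to hand the live URL to a scanner or sandbox and the defanged one to the post.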

polonus (Avast Überevangelist, malware fighter)
Re: Not blocked URL containing a trojan [SOLVED]
« Reply #1 on: November 09, 2013, 07:03:31 PM »
Direct link to malware site: http://app.webinspector.com/public/reports/18306101
Malware: TrojWare.Win32.Refroso.bj

See: http://support.clean-mx.de/clean-mx/viruses.php?review=92.48.90.136&sort=email%20asc
So it seems that malware is dead now, so avast cannot detect it anymore!

See: https://www.virustotal.com/en/url/803221d125f7a9e0655a32b1e66e82d44c8106289a1abe7bb17bf67b187b79cd/analysis/1384019950/
The DrWeb URL check says it all:
htxp://184.82.118.106/MMS/postal-animada.exe is in Dr.Web malicious sites list!

Checking: htxp://184.82.118.106/MMS/postal-animada.exe
Engine version: 7.0.5.6250
Total virus-finding records: 4658309
File size: 49.50 KB
File MD5: d790cba80ddc8dec4eca23331d3ca3d0

htxp://184.82.118.106/MMS/postal-animada.exe packed by FLY-CODE
>htxp://184.82.118.106/MMS/postal-animada.exe packed by PESTUB
>>htxp://184.82.118.106/MMS/postal-animada.exe - Ok

But wait avast detected this malcode when it was still "un"dead:
https://www.virustotal.com/en/file/f7639e4cdda6a1d5adbfdd789c628f869a68dd99e336663862a0e1be69996cc5/analysis/

So we have protection!

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Secondmineboy (Avast Evangelist)
Re: Not blocked URL containing a trojan
« Reply #2 on: November 09, 2013, 07:09:15 PM »
No detection for me on Virustotal: https://www.virustotal.com/de/file/634ac0465a6c374ca9ff5bd484098e7ed4be693ead1f1ace3a4dcd88e6ed9772/analysis/1384020477/
Your scan is a year old.
Downloaded from the Comodo Site Inspector link.

Also the file is hanging around on my desktop, undetected.

The site that you posted there, where Avast detects it as a rootkit, is completely dead.

Here's a Malwr analysis of the file from my desktop: https://malwr.com/analysis/MGQ1ZTYzYWY5NDRmNDcwMjkxMDIwYzAxOWVjMGVmNTc/

IT'S STEALING PRIVATE INFORMATION!!!!!
« Last Edit: November 09, 2013, 07:24:25 PM by Steven Winderlich »

polonus (Avast Überevangelist, malware fighter)
Re: Not blocked URL containing a trojan
« Reply #3 on: November 09, 2013, 10:55:08 PM »
Hi Steven Winderlich,

Agree with you that the site and IP should be blocked by avast, just like they are on DrWeb's malicious site list.
New versions of this malware are regularly being launched, and the one you pointed out still flies under the avast! detection radar.
See: https://www.virustotal.com/nl/file/634ac0465a6c374ca9ff5bd484098e7ed4be693ead1f1ace3a4dcd88e6ed9772/analysis/
Analysis: http://anubis.iseclab.org/?action=result&task_id=145057ee4ad52e72401a334d866ee91b2&format=html
There is still room for this to be a false positive, as rooting apps use non standard procedures that can be considered by some antivirus apps as dangerous.

pol

Secondmineboy (Avast Evangelist)
Re: Not blocked URL containing a trojan
« Reply #4 on: November 09, 2013, 10:56:05 PM »
I've already sent it to avast via mail (download link and file).

Maybe they will block it.