Author Topic: avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]  (Read 955 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 30086
  • malware fighter
See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.neodownloader.ru
Trojan detected in: Object: htxp://feelthesame.changeip.name/rsize.js  -> https://www.virustotal.com/nl/url/a4f44a49dc920a577790d24789ba6bda4c6e838ea05f54fe56d5f8393718cd3a/analysis/  and
http://urlquery.net/report.php?id=1395535056539 IDS alert Detected a Dynamic DNS URL
SHA1: d6d01e38799a81f875259708da406ef5dbfd24fe
Name: TrojWare.JS.iFrame.DEE

See: http://sitecheck.sucuri.net/results/www.neodownloader.ru#blacklist-status
6 instances of http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v7 in index.html
Javascript check = Suspicious

image().src = "//counter.yadro dot ru/hit?r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colordepth? screen.colordepth...

Included scripts = Suspect - please check list for unknown includes

htxp://buysitka.com/6jyj4fub.php
htxp://buysitka.com/6jyj4fub.php
For that included script re: Offensive html code:
<script src="htxp://buysitka.com/6jyJ4fuB.php" type="text/javascript">

Offensive url: htxp://buysitka.com/6jyJ4fuB.php
Url is blacklisted in Google Safe Browsing

dragspelsnytt dot se is on 89.221.250.15
ASN for 89.221.250.15: 3301
89.221.250.15 manually set to use abuse@aname.net (this site was also infested by this and reported by http://sakrare.ikyon.se/

For external links check etc. see: http://zulu.zscaler.com/submission/show/dcd5eb466d075d34e4ee243e14bf5333-1400775721  100/100% malicious

Missed here: http://www.avgthreatlabs.com/website-safety-reports/domain/neodownloader.ru/

polonus
« Last Edit: May 22, 2014, 06:46:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast √úberevangelist
  • Maybe Bot
  • *****
  • Posts: 30086
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!