Author Topic: Websites that say they are infected  (Read 4370 times)


adam2551

  • Guest
Websites that say they are infected
« on: October 14, 2009, 06:29:49 PM »
I got different messages popping up when I visit kroq.com, onlypoints.com, and chang4law.com.

Is there a way to see if they are really infected?  Thanks


polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33916
  • malware fighter
Re: Websites that say they are infected
« Reply #2 on: October 14, 2009, 07:39:55 PM »
Hi adam2551 and nmb,

Checked with Norton safe web scanner - kroq dot com was safe;
onlypoints dot com no threats, chang4law dot com not tested,
Wepawet on chang4law dot com reported:
Sample Overview

URL   hXtp://www.chang4law.com
MD5   1057535a0aaec10289c36d774d30e667
Analysis Started   2009-10-14 10:27:51
Report Generated   2009-10-14 10:28:12
Jsand version   1.03.02
See the report for domain wXw.chang4law.com.

Detection results

Detector   Result
Jsand 1.03.02   benign
Warning:

The analyzed resource contains one or more syntax errors.
This may affect the detection of malicious code.

Exploits

No exploits were identified.
Deobfuscation results

Evals

No evals.
Writes

<span id="menuContainer"></span>
(repeated 1 time)
Network Activity

Requests

URL   Status   Content Type
htXp://www.chang4law.com   200   text/html
hXtp://www.chang4law.com/mm_menu.js   200   text/javascript
Redirects

No redirects.
ActiveX controls

No objects/controls.
Shellcode and Malware

No shellcode was identified.

No additional malware was retrieved.

But the malware is found here in the JavaScript code above:
re: http://badwarebusters.org/main/itemview/4302
Another example description of the malware can be found here: http://www.malwaredomainlist.com/forums/index.php?topic=2754.0

Analysis report for hxtp://www.onlypoints.com

Sample Overview

URL   hxtp://www.onlypoints.com
MD5   c09763d98641acd9b2dc6b3cf5c13079
Analysis Started   2009-10-14 10:36:39
Report Generated   2009-10-14 10:36:46
Jsand version   1.03.02
See the report for domain wXw.onlypoints.com.

Detection results

Detector   Result
Jsand 1.03.02   benign
Exploits

No exploits were identified.
Deobfuscation results

Evals

var google_protectAndRun
(repeated 2 times)
var google_handleError
(repeated 2 times)
var Goog_AdSense_getAdAdapterInstance
(repeated 2 times)
var Goog_AdSense_OsdAdapter
(repeated 2 times)
var sc_img1 = new Image();
sc_img1.src = "
hxtp://c19.statcounter.com/t.php?sc_project=2003099&resolution=1024&h=768&camefrom=&u=http
%3A//wXw.onlypoints.com&t=OnlyPoints.com%20-%20Play%20free%20flash%20multiplayer%20and%20r
anked%20games%20for%20prizes%20-%20OnlyPoints%20Games&java=1&security=8c5686a5&sc_random=0
.2501259057045536&sc_snum=1&invisible=1"
(repeated 1 time)
Writes

<script src='http://wXw.google-analytics.com/ga.js' type='text/javascript'></script>
(repeated 1 time)
<object ><embed  ></embed></object>
(repeated 1 time)
Network Activity

Requests

URL   Status   Content Type
http://wXw.onlypoints.com   200   text/javascript
http://wXw.onlypoints.com/AC_RunActiveContent.js   200   text/javascript ***
http://wXw.onlypoints.com/arcade/plugins/site/themes/default/responseXML.js   200   text/javascript
http://wXw.onlypoints.com/arcade/plugins/site/themes/default/superfriend.js   200   text/javascript
http://wXw.google-analytics.com/ga.js   200   text/javascript
hXtp://pagead2.googlesyndication.com/pagead/show_ads.js   200   text/javascript
hXtp://www.statcounter.com/counter/counter.js   200   text/javascript
Redirects

No redirects.
ActiveX controls

Msxml2.XMLHTTP
No attribute setting or method call detected
ShockwaveFlash.ShockwaveFlash.7
Name   Arg0   Count
Methods   GetVariable   
$version
1
Shellcode and Malware

No shellcode was identified.

No additional malware was retrieved.

*** This is detected by avast as AC_RunActiveContent.js. VBS:Malware-gen.

polonus



« Last Edit: October 14, 2009, 07:41:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

nmb

  • Avast Evangelist
  • Massive Poster
  • Posts: 3054
Re: Websites that say they are infected
« Reply #3 on: October 15, 2009, 07:06:43 AM »
Thanks sir Pol, for the detailed results.

nmb
« Last Edit: October 15, 2009, 07:08:16 AM by nmb »