Author Topic: [L] JS:Redirector-CH [Trj] (0)  (Read 6671 times)

Gundam00

  • Guest
[L] JS:Redirector-CH [Trj] (0)
« on: June 01, 2010, 08:17:23 AM »
Link : hxxp://swimandscuba.netfirms.com/indexmovie/
I received this in a Facebook message which has typos so this is probably not a false positive.


[L] JS:Redirector-CH [Trj] (0)

What does this do?
« Last Edit: June 01, 2010, 09:04:14 AM by Gundam00 »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #1 on: June 01, 2010, 09:03:30 AM »
Please change your link so that it is not an active hyperlink.
For example, change to the following -
   Link : hxxp://swimandscuba.netfirms.com/indexmovie/

This deactivates the link, such that users, especially newbies, will not be in danger of infection if they click the link. At the same time, more expert users can still see what the web address is.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Gundam00

  • Guest
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #2 on: June 01, 2010, 09:04:46 AM »
Ok, have edited my post.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #3 on: June 01, 2010, 09:18:04 AM »
Hi,

Your reference link looks not harmful, or clean:

http://safeweb.norton.com/report/show?url=http://swimandscuba.netfirms.com/indexmovie/&x=9&y=11
http://www.unmaskparasites.com/security-report/

And avast! detected this website as infected, the same as your information; it could be right because this website contains a lot of video files.

avast! [User]: File "http://swimandscuba.netfirms.com/indexmovie/3jnjm6.php" is infected by "JS:Redirector-CH [Trj]" virus.
"%3" task used
Version of current VPS file is 100601-0, 06/01/2010


Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Gundam00

  • Guest
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #4 on: June 01, 2010, 11:23:17 AM »
I don't think we should trust those site advisors; after all, netfirms.net is a hosting site and I believe the advisors simply trace the domain name.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #5 on: June 01, 2010, 12:55:19 PM »
Hi malware fighters,

It isn't there any longer:
Blank page / could not connect
No ad codes identified

Empty source - Could not connect to site?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Gundam00

  • Guest
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #6 on: June 01, 2010, 03:16:34 PM »
Whhhaaaaat?!

If you mean you cannot access the site, change the hxxp to http.

13thSlayer

  • Guest
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #7 on: June 01, 2010, 03:40:45 PM »
Whhhaaaaat?!

If you mean you cannot access the site, change the hxxp to http.
What.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37583
  • Not a avast user
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #8 on: June 01, 2010, 04:34:06 PM »
Looks like a redirect that will send you to 89.195.68.23:518/3933a4e97c2/, a porn movie site
where you will be asked to download a Flash update.

VirusTotal - setup.exe - 13/39
http://www.virustotal.com/analisis/53e7b74315a3a487cfe4d63750ea708b0550e7e2902e5a5e3a8de0e4c665e71e-1275402070


Wepawet - 89.195.68.23:518/3933a4e97c2/
http://wepawet.cs.ucsb.edu/view.php?hash=121f7966a743917287d515858583379d&t=1275403703&type=js

« Last Edit: June 01, 2010, 07:55:15 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #9 on: June 01, 2010, 05:27:22 PM »
Hi Pondus,

Right, that is what is happening, because the URL does not go anywhere with NoScript and RequestPolicy active in the browser, and that is what I experienced filling in the URL in my bad iFrame detector scanner.
What happens in an unprotected browser? We get this: video...
Code:
<script src='fbli.php'></script>loading...,
which is a suspicious looking GET request containing %3C, %3E, and %2F, cross-domain script loading, redirecting to: http://www.robtex.com/ip/89.195.68.23.html#blacklists
htxp://bitisoftwares.com/alerting.html This URL is currently listed as malicious by TrendMicro...

polonus
« Last Edit: June 01, 2010, 05:37:00 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
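
The pattern described in Reply #9, a GET request carrying %3C, %3E and %2F that decodes to a script tag, can be checked for in request logs. The Python below is an added example, not part of the original thread; the request lines, the /page?x= parameter and the function names are constructed for illustration, and it also unwraps double encoding, which the post does not mention.

```python
import re
from urllib.parse import unquote

SCRIPT_TAG = re.compile(r"<\s*script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%253C) is unwrapped too.
    Returns (decoded_value, number_of_rounds_that_changed_it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_request(request_line):
    """Return a finding for one 'GET <target> HTTP/1.x' line, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    decoded, rounds = fully_decode(parts[1])
    tag = SCRIPT_TAG.search(decoded)
    if rounds == 0 or tag is None:
        return None  # nothing was encoded, or no script tag was hidden
    src = SRC_ATTR.search(tag.group(0))
    src = src.group(1) if src else None
    external = bool(src) and src.lower().startswith(("http://", "https://", "//"))
    return {"target": parts[1], "tag": tag.group(0), "script_src": src,
            "external_src": external, "decode_rounds": rounds}


# Constructed sample request lines for illustration (hypothetical paths).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /page?x=%3Cscript%20src%3D%27fbli.php%27%3E%3C%2Fscript%3E HTTP/1.1",
    "GET /page?x=%253Cscript%2520src%253D%2527fbli.php%2527%253E HTTP/1.1",
    "GET /docs%2Freadme.txt HTTP/1.1",
]


def scan(lines):
    """Run inspect_request over many lines and keep only the findings."""
    return [f for f in map(inspect_request, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

A lone %2F in a path, as in the last sample line, is not flagged; only requests whose decoded form contains a script tag are reported.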

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37583
  • Not a avast user
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #10 on: June 01, 2010, 05:39:52 PM »
But why the error in unmaskparasites? On this 89.195.68.23:518/3933a4e97c2/


ahaaa....you found the Pondus pic .....done some homework  ;D
« Last Edit: June 01, 2010, 05:48:21 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: [L] JS:Redirector-CH [Trj] (0)
« Reply #11 on: June 03, 2010, 09:43:16 PM »
Hi Pondus,

Because it is an FTP download link, and if you had tried it out in Malzilla, you would have known.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!