Website Infected with HTML:IFrame-MP [Trj]

[Yanto.Chiang]

Dear All,

According to avast! antivirus this website : hxxtp://www.takemeoutindonesia.com was infected by HTML:IFrame-MP [Trj.

And for some web scan tool there is nothing infected on this website :

http://www.virustotal.com/url-scan/report.html?id=af318043253af82e9a9e7d859c259b3b-1283838999
http://scanner2.novirusthanks.org/analysis/73e3a3ed9abcb01400707e45b1ef1e63/d3d3LXRha2VtZW91dGluZG9uZXNpYS1jb20=/

But at W.O.T i found this website detected as infected and have a poor reputation :
http://www.mywot.com/en/scorecard/www.takemeoutindonesia.com

And same with JSunpack indicated that there is a hidden malicious software inside of this website :

http://jsunpack.jeek.org/filescount.html

Just want to share, if there's anybody in here can help me to reveal out this entertainment show website it would very helpful to advice anyone to access this website.

cheers,

[Pondus]

VirusTotal - chrisdomroll.js - 3/43
http://www.virustotal.com/file-scan/report.html?id=a7814d661729ae60800a6f0264e53f253621724668c3ac87ca81efe65b32865f-1283847633

[Stewdza]

It is a Virus, so even GData said that is a trojan horse. Trust avast! always.

[Yanto.Chiang]

It is a Virus, so even GData said that is a trojan horse. Trust avast! always.

Hi Stewdza,

Yes i trust, but in depth i would like to see in details what is the parameter which caused this website detected was infected by a trojan.

cheers,

[Stewdza]

It is a Virus, so even GData said that is a trojan horse. Trust avast! always.

Hi Stewdza,

Yes i trust, but in depth i would like to see in details what is the parameter which caused this website detected was infected by a trojan.

cheers,

Hi, i understand your reason. Probalby it is deep hiden malware (some part of the code is malicious). Keep studing until you find right answer on your question.
Regards.

[Pondus]

It is a Virus, so even GData said that is a trojan horse. Trust avast! always

That is not a supprise since GData is using two virus engines and one is avast! the other is bitdefender

[DavidR]

Well there is something at the very least suspect about that .js file chrisdomroll.js on the hxxp://www.takemeoutindonesia.com, site.

The last very long line of obfuscated javascript in this file creates a hidden iframe to an unknown URL, see image of decoded javascript file.

[polonus]

Hi YantoChiang,

This scorecard is not very encouraging: http://www.mywot.com/en/scorecard/takemeoutindonesia.com
The analysis of the code DavidR mentioned: http://jsunpack.jeek.org/dec/go?report=25f769ce9430a29a831d8685cb1def271b63af1b
Similar report on this from another site with christdomroll.js rollover iFrame code, which was apparently hacked: http://newverhost.com/reports/83/87/791/nelleandlizzy_com.html

polonus

[Yanto.Chiang]

Hi DavidR and Polonus,

We are many thanks for your kindly details observation,

Since i didn't found any result from JSunPack yesterday.

But now after your guys explained in details information, that is very helpful to me. And since yesterday i already send email to their corporate regarding to this matters.

cheers,

[DavidR]

You're welcome.

[Yanto.Chiang]

Hi David and Polonus,

Until today their management still not respond or changed their script yet even i already send warning e-mail to them.

cheers,

[DavidR]

Some people are slow to respond or even believe they are infected, even in the face of the evidence. Just goes how much they value their customers or potential customers, companies like this frequently only realise too late.

[Yanto.Chiang]

Hi David,

Thanks for your kindly advise...

cheers,

[DavidR]

No problem.