HTML:Iframe-inf

[gimmeshelter]

Greetings -
Got the malware blocked message while trying to access the site hxxp://moviemaker.com. Tried to contact the webmaster, buy unfortunately I can't get to the website at all!  Ideas?  Suggestions? 

[Pondus]

This page seems to be <suspicious>
7 suspicious inline scripts found.
22 hidden external links found.
http://www.UnmaskParasites.com/security-report/?page=moviemaker.com

VirusTotal - html scan
http://www.virustotal.com/file-scan/report.html?id=bad7e680a9a9705bb7804bb3d61816605ad40fb890feb203908acac72e4b6907-1294515776

NoVirusThanks - 2/16
http://vscan.novirusthanks.org/analysis/b6bc15353171b438a4c66569215ae131/aW5kZXg=/

[spg SCOTT]

Hi gimmeshelter, welcome to the forum

avast! seems to be alerting on an iframe on the site which appears to be there about 7 times.

This iframe appears at the end of a very long one line script.

Scott

[danny96]

i think that it's FP. Becauses Virustotal shows only 3 objects founded by Avast engine.

[spg SCOTT]

i think that it's FP. Becauses Virustotal shows only 3 objects founded by Avast engine.

The site in the iframe:
http://www.google.com/safebrowsing/diagnostic?site=fragisdown.com/in.cgi%3F13

Whether it is a false positive or not I don't know...

[DavidR]

I have no doubt that this site has been hacked, as the site that the iframe tries to connect to as Scott mentions has been the subject of previous malware and browser exploits. Firefox safe browsing alerts on this site if you try to connect, image1 as does avast image2.

So the target site of the iframe still contains malware.

[spg SCOTT]

Thanks David

One thing, snagit?

[DavidR]

For some reason avast doesn't like it when snagging the image of the firefox alert, why I don't know, it didn't used to do that with earlier avast versions.

Snagit 9.1, 1Click, Active Window an absolute doddle.

I haven't been tempted with the upgrade to version 10, I think $24.95 (I think is too much for an update). There is still so much that I don't use in 9.1 I could probably stuck with snagit 6 which I think I started off with.

[Pondus]

i think that it's FP. Becauses Virustotal shows only 3 objects founded by Avast engine.

The VBA32 engine on VirusTotal is still running 2011.01.06 update, but on NoVirusThanks it have 08/01/2011, so there will be one extra detection when updated

On Virscan it show suspicious detection with the old signatur
http://virscan.org/report/ef7245e9b6867d71ae43f8f0783d98b7.html

[spg SCOTT]

Snagit 9.1, 1Click, Active Window an absolute doddle.

I haven't been tempted with the upgrade to version 10, I think $24.95 (I think is too much for an update). There is still so much that I don't use in 9.1 I could probably stuck with snagit 6 which I think I started off with.

So using the capture active window feature causes an alert?
I have to try that with evernote...

[DavidR]

Thinking back I don't think it will have been the active window (I just used that to capture the avast alert), the alert came after doing a region scan of the firefox alert.

I don't know what is going on with the web shield alerts since 5.1, but I no longer see any unp99999.tmp file in the _avast5_ folder that I would usually use for analysis.

[spg SCOTT]

I don't know what is going on with the web shield alerts since 5.1, but I no longer see any unp99999.tmp file in the _avast5_ folder that I would usually use for analysis.

I don't use that method myself, but the _avast5_ folder never shows the tmp files, even if an alert is open now...wonder what changed? (though I suppose this is for another thread...)

[DavidR]

I don't know what is going on with the web shield alerts since 5.1, but I no longer see any unp99999.tmp file in the _avast5_ folder that I would usually use for analysis.

I don't use that method myself, but the _avast5_ folder never shows the tmp files, even if an alert is open now...wonder what changed? (though I suppose this is for another thread...)

Yes, perhaps that would be best.

[danny96]

I have no doubt that this site has been hacked, as the site that the iframe tries to connect to as Scott mentions has been the subject of previous malware and browser exploits. Firefox safe browsing alerts on this site if you try to connect, image1 as does avast image2.

So the target site of the iframe still contains malware.

favicon.ico
This is the most infected image ever!
This is not FP. That image is dangerous!

[Pondus]

NORMAN analysis, say infected and will add detection

  moviemaker.com.htm : Processed - HTML/IFrame.HJ