Author Topic: Does avast detect script-blogfa-js? (Read 2408 times)

polonus · « **on:** February 20, 2011, 05:50:43 PM »

The malware is at: htxp//mythemes.ir/t33/script-blogfa.js

Nothing found here:
See: http://www.virustotal.com/url-scan/report.html?id=c519849105caf7b6da391526c04a3740-1298216531
Flagged here:
See malware details: http://sucuri.net/malware/entry/MW:IFRAME:HD28,
Javascript encoding used to hide a malicious iframe

For the script also: htxp://jsunpack.jeek.org/dec/go?report=baa5633ff787981a08c2aca676b72228e71d9b5a
(given as benign, see attached)

Look here: http://vscan.urlvoid.com/analysis/d7ac7863baf6d63ec18b39db8aaaf1ef/c2NyaXB0LWJsb2dmYS1qcw==/

polonus

Pondus · « **Reply #1 on:** February 20, 2011, 07:08:32 PM »

Nope, only Avira detect

VirusTotal - script-blogfa.js - 1/43
http://www.virustotal.com/file-scan/report.html?id=a082c59b50022dad5fdd2a637bd03799444663d8240d67d79724e6a26655b584-1298225202

Also malware reported by Sucuri Scanner

polonus · « **Reply #2 on:** February 20, 2011, 07:25:01 PM »

Hi Pondus,

Check here: http://rexbd.net/validator/index.php?url=http...
Look here: http://wepawet.iseclab.org/view.php?hash=c519849105caf7b6da391526c04a3740&t=1298226589&type=js (crypto)
It would be better if this heuristic script was found proactively by avast, because afterwards it has to be cleansed from the browser cache (or removed from user/app data) and one could be in need a flash desinfection routine. It is always a good habit for users to go and give their user file. e.g.: Computer: users : username etc. a thorough scan once in a while. I personally found up a couple of issues after a full scan, after using malzilla.
For that reason it is also a good procedure to clean up after a browser session,

polonus

spg SCOTT · « **Reply #3 on:** February 20, 2011, 07:55:32 PM »

I have submitted this script to avast via the chest, with a link included.

Pol, be sure to check the malzilla settings to clear cache on exit

polonus · « **Reply #4 on:** February 20, 2011, 08:59:59 PM »

Hi spgSCOTT,

Thanks for the tip, but the settings are set that way. First instance it had run it sandboxed and then you also have to empty the contents of the sandbox, thanks for submitting the script,

pol

Omid Farhang · « **Reply #5 on:** February 20, 2011, 11:12:13 PM »

Nice to see malwares from Iran!

Pondus · « **Reply #6 on:** February 21, 2011, 07:38:22 AM »

NORMAN analysis confirms it is malware

Quote

script-blogfa.js : Processed - JS/Agent.KA

Author Topic: Does avast detect script-blogfa-js? (Read 2408 times)

polonus

Does avast detect script-blogfa-js?

Pondus

Re: Does avast detect script-blogfa-js?

polonus

Re: Does avast detect script-blogfa-js?

spg SCOTT

Re: Does avast detect script-blogfa-js?

polonus

Re: Does avast detect script-blogfa-js?

Omid Farhang

Re: Does avast detect script-blogfa-js?

Pondus

Re: Does avast detect script-blogfa-js?