Virus

[Gregx]

I just thought I'd post this to see if I can get some help . Who ever is behind this seems to be working very hard to get my info.
So here it is hxxp://www.korang.com/lovesanta.php?jacob158.jpeg
This link was sent to me from my sons e-mail address the link is a java type thing that loads vista 2012 virus. While. I removed it and changed all pass words and installed newer anti virus
anyway hope this is helpful .
Thanks

[Pondus]

please edit the link so that it is not clickable... change http to hxxp


VirusTotal
http://www.virustotal.com/file-scan/report.html?id=f13f61eccefc5e686aeb4de24254615d9b0e2dcd625fb2998401da41b1a8fd19-1324693168

Not detected by Malwarebytes or Superantispyware

have sendt sample  

[Gregx]

Sorry had no idea it would post a working link.

[true indian]

since pondus has sent the sample it should be detected soon.

[!Donovan]

See http://urlquery.net/report.php?id=13323

For you NoScript users, add this to your blacklist!

Did some investigating. See attached.

The 'scanner' is obfuscated by setting variables with unescape (hex) coding. After all the variables have been defined, the site writes the coding with the 'unescape()' function inside of the 'document.write()' function. There is also a javascript file that supports the decoding of the main 'scanner'.

[polonus]

IP belongs to phishing sites for PayPal and other, most are now dead,
See: http://urlquery.net/report.php?id=13323

See what malzilla gets at main site -http://www.korang.com see attached image
I get a suspicious here: http://urlquery.net/report.php?id=13370
Suspicious here:
-www.boonex.com/trac/dolphin/chrome/common/js/trac.js suspicious
[suspicious:2] (ipaddr:173.192.32.154) (script)
-www.boonex.com/trac/dolphin/chrome/common/js/trac.js
     status: (referer=-www.boonex.com/trac/dolphin/wiki)saved 3703 bytes 269180d0ab6979f7a774ba33bbb2a0a9791aeb46
     info: [decodingLevel=0] found JavaScript

Some boonex self-advertising safety report: http://www.safe-browsing.net/safety/b--boonex.com

polonus