Hi Pondus,
Why? Good question, my friend. Heuristical find and in the logs you read that it does not have any reliable address for "Moved Permanently",
see the code-link I give here for the offensive URL logged and look it up:
see: -http://jsunpack.jeek.org/?report=f4dffa024dd81d6cc9a133a59fe86394753e682a
Link given only for the security savvy, with ample script protection active and in a VM,
also consider this info:
http://google.com/safebrowsing/diagnostic?site=mahasiddhatrading.com/Again, Pondus, with your intruiging questions you have led polonus again to interesting additional background info for this malware, well done,
In the wepawet analysis the red link to: -http://android.womenthemanual.com/count
(the link that was not moved permanently, but actually "hidden" in clear sight
if we had looked a little closer. Good find, Pondus!!!)
avast webshield flag that url as infected with JS:Redirector-KP[Trj] as well...
Link is suspicious and found up by DrWeb's url checker when scanned
DrWeb purples it as being suspicious:
Checking: =http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340
Engine version: 7.0.0.11250
Total virus-finding records: 2538276
File size: 67.55 KB
File MD5: bd2bf93c9859bc264df45b3154829811
=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340 probably infected with SCRIPT.Virus
=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340 - archive JS-HTML
>=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340/JSTAG_1[10cc4][db] - Ok
>=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340/JSTAG_2[10dc9][52] - Ok
So the wepawet analysis should also be used with appropriate protection measures in place..
pol
