338 sites infected through htXp://google-server42.info/urchin.js

Hi malware fighters,

This is a suspicious script and currently listed as malicious.
Mind you, that avast (does not detect it yet)… well, it does, as we can read further down (correction - pol).
6f1f8a6d2a2c8c0ce95ed208a4cacdec
Infection Type: JS
Description: Malicious Javascript can either source in or directly execute code on a web page that can conduct drive-by-downloads, cause unwanted pop-ups or pop-unders, log keystrokes, steal browsing history, and so on.
Code Length: 52 bytes
Analysis for you: http://wepawet.iseclab.org/view.php?hash=c25f4d8603797abdbb3c07857702c9a1&t=1279744844&type=js
http://www.threatexpert.com/report.aspx?md5=aad0755c4f21fdbceccee743ca6499f1 (another variant of this malcode apparently)

Only Microsoft detects this as 1.6004 2010.07.21 Trojan:Win32/Winwebsec according to VT results
from the Wepawet result page (all down at the right bottom of the page)

polonus

I would be very surprised if avast didn’t detect it, so I went checking, and avast does detect it (image1), and so does Firefox Safe Browsing (image2).

http://www.virustotal.com/analisis/2939d65ee5e953e1231a486b4c556f2ea9f81eeef700f8a5fd4b3eafcbfe50a8-1279748887 Only avast, G Data and Sunbelt detect it on VT.

Edit: also jsunpack (image3).

Hi DavidR,

How did I arrive at these results then? Compare the hash for the malcode, because there are various varieties of it:
http://www.virustotal.com/analisis/fd004260bfcb88e573be5145811c87332bbef485ffb681f4ac820e6cd2b143d2-1279744813

I never said that the shields did not detect it… I tested that out as well.

polonus

A direct attempt to connect to the site/urchin.js; image3 is the decoded content of that .js file.

The MD5 and SHA1 on the VT results are the same, as is the file size (which it should be with the same MD5), so I can’t say why, when I uploaded it, it didn’t say hash found, etc.

Edit: You effectively did say that avast doesn’t detect it “Mind you, that avast does not detect it yet…”

Hi DavidR,

It could be that the VT results on the Wepawet scan page were older, and at that time avast probably did not have the detection yet. Still, it is weird; it means that Wepawet is not filling us in with the actual protection results as it should, and that is misleading. A further reason why it was good for you to have double-checked it, but I still think it is weird…

polonus

P.S. I did correct the text accordingly.

D.

Weird:
Your VT file c25f4d8603797abdbb3c07857702c9a1 - received on 2010.07.21 20:40:13 (UTC)
My VT file unp118408463.tmp - received on 2010.07.21 21:48:07 (UTC)

So mine is about an hour after yours, so during that time VT may have been updating the VPS.

Even stranger, now my upload is showing a different MD5 and a smaller size, as mine is only the actual urchin.js file and not, as you submitted, the Wepawet page; it is always best to scan the original content. So VT must have been having a fit during that time.

Hi DavidR,

Another lesson learnt. Most of the time I do the malcode URL look-up and then our friend Pondus checks on the VT results, but while doing this one gains experience. Mega scanners have their particular hiccups, and their evaluation differs in certain respects from the real-life theatre, especially where heuristics are concerned. The main goal for us all here is that all users are protected, and if that is the case, polonus is a happy person.

pol

Yes, the main thing is that avast users are protected; the web shield has been very hot on this kind of hack/redirect.