Again protected by the avast webshield!

Hi forum friends,

I scanned this URL: http://www.virustotal.com/url-scan/report.html?id=11500155d1670255abd38de0050b1c56-1316617500
and then opened up: http://www.virustotal.com/file-scan/report.html?id=7515958b740a4313df59b9c0ba25ec25194914da3a0582be3deab454f91319fc-1316625144
with no results, while the URL was infected with

polonus

There is something strange with VT these days…very slow…and the html scan you posted, all AV show updated 2011.09.18 or older?

seems Wepawet found something - malicious
http://wepawet.iseclab.org/view.php?hash=11500155d1670255abd38de0050b1c56&t=1316628893&type=js

and the code found by wepawet gives this detection
http://virusscan.jotti.org/en/scanresult/c81e0f1739aecc74115ccb025b942e64a1d62ba2
http://virusscan.jotti.org/en/scanresult/217451080e2283e3c40ef60e7859f04e789dcd57

and from the anubis report MD5
http://www.virustotal.com/file-scan/report.html?id=dae8ac2b38705e04ecc6e21ac2384b953bc8c6379afffcd57ad18dc729fbcc6b-1316629585

Hi Pondus,

I have now succeeded in uploading to Anubis and an analysis report is here: http://anubis.iseclab.org/?action=result&task_id=14b1e34adaae27ba4050602923d79bf4e
From this analysis you can see the code used in dialing to a NEOSPLOIT site: “HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\ …secure and anonymous”.
Mutexes like Shell.CMruPidlList and _SHuassist.mtx are characteristic of Blackhole Exploit Kit malware - malcode was detected 2011/09/21_15:07

polonus