Avast Community

Again the avast! Web Shield detects!

Viruses and worms

polonus July 2, 2014, 3:06pm 1

See: http://scanurl.net/?u=sacredearthenergyhealing.com&uesb=Check+This+URL#results
and in particular: http://sitecheck.sucuri.net/results/sacredearthenergyhealing.com
Known javascript malware. Details: http://labs.sucuri.net/db/malware/malware-entry-mwiframehd371
_q_n; avast! Web Shield detects

polonus

polonus July 2, 2014, 6:33pm 2

Site with trojans/ infected with SEO Spam.
Flagged here: http://sitecheck.sucuri.net/results/www.restaurore.com
Vulnerable because Web application version:
Joomla Version 2.5.9 for: http://www.restaurore.com/media/media/js/mediamanager.js
Joomla Version 2.5.17 for: http://www.restaurore.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3

Trojans detected:
Object: hxtp://www.restaurore.com/index.php/en/
SHA1: 3e0c4d30a7961542c43324eae3166bd7128c9a8b
Name: TrojWare.JS.Agent.caa

Detected by avast WebShield as JS-Clickjack-B[Trj].

pol

polonus July 3, 2014, 11:23am 3

Nice that the malcode (trojan)
is being blocked and detected by avast! Web Shield: http://killmalware.com/bfttelesat.com/#
see: https://www.virustotal.com/en/url/4930e9aaaa14a21a40cf4e3434da1bdbb70e7d243c013f85c2f6283b0e5d00e7/analysis/1404385558/
IDS alerts here: http://urlquery.net/report.php?id=1404385783451
external link to malicious site: http://www.knujon.com/domains/tehrantakhfif.ir.html
domain badness history: https://www.virustotal.com/en/domain/tehrantakhfif.ir/information/
Known javascript malware. Details: http://labs.sucuri.net/db/malware/mwjs-include-suspicious?v14

pol

polonus July 3, 2014, 11:57am 4

avast! Web Shield detects JS:Includer-AUF [Trj] here: http://killmalware.com/katarina-tour.com/#
Blacklisted by Yandex: https://www.virustotal.com/en/url/973c68f06578fe8d7ca400a42e8d53ca0abf516a5f1e5008a5c78a478a59c06c/analysis/1404388460/
malicious redirects go to: htxp://yaylimlikoyu.com/wp-includes/wxcrrbmk.php?id=121573932
see: https://www.mywot.com/en/scorecard/domainsigma.com?utm_source=addon&utm_content=popup
→ http://www.scamaudit.com/domain/yaylimlikoyu.com

pol

polonus July 4, 2014, 1:08pm 5

Blacklisted code on url scan detected by avast! Web Shield as JSIncluder-ALB[Trj] aka TrojWare.JS.Kryptik.xt on htxp://quttera.com/detailed_report/durbait.com
see: http://app.webinspector.com/public/reports/22924184
https://www.virustotal.com/en/url/172c61775bf9933a288c2d38a746fc12b5636def327207020fa38563dbe976fb/analysis/
and http://sitecheck.sucuri.net/results/durbait.com/

polonus

polonus July 6, 2014, 2:51pm 6

avast Webshield detects as JS:Decode-BDD[Trj]. Site blacklisted by Google.
See: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.bibianna.com
DrWeb’s URL-checker flags htxp://www.bibianna.com infected with JS.IFrame.500 aka TrojWare.JS.Kryptik.acc
See: https://www.virustotal.com/nl/url/3b24931a43178bb5e0e3762f5ced9c44bc79f53f3fb37a980d28a421a1f2fe2e/analysis/1404657022/
IP badness history: http://support.clean-mx.de/clean-mx/viruses.php?ip=199.204.248.106&sort=first%20desc
and https://www.virustotal.com/nl/ip-address/199.204.248.106/information/
http://www.projecthoneypot.org/ip_199.204.248.106 → mail server, dictionary attacker and bad web host.

polonus

polonus July 7, 2014, 10:13pm 7

See: http://app.webinspector.com/public/reports/22987691 - known infection source
See: https://www.virustotal.com/nl/url/42ed87d8327d39e84c84ae10c07999f560d605f0d75208b2eadf79f25dcf017f/analysis/1404770989/
avast! Webshield detects as JS:Includer-BCM[Trj]
See: http://support.clean-mx.de/clean-mx/portals.php?virusname=TR/Clicker.aam&sort=firstseen%20desc (same IP)
avast detects there as HTML:Script-inf

polonus

Update - link seems dead now…
(checked by Pondus, thanks for that}

D

Announcements