Again the fabulous webshield to protect us: Threat detected!

Trying to go to this malware site: -http://fragarena.com.br/list.txt
Naturally you have the avast webshield up, and as a user you are being blocked immediately to even connect out there:
PHP.Agent-Z]Trj] detected.
See: http://www.virustotal.com/url-scan/report.html?id=9a948c119f7608bac074fbc7f820bb01-1323181498
See: http://www.virustotal.com/file-scan/report.html?id=8871737c0b2892dce267e1854751a984362a0e625fb894e8d663df1bd643670a-1323185277
Avast also neatly detects this PHP_CHAPLOIT.SMM malware as PHP:Agent-Z [Trj]

OK for the notorious virus hunters among us it was found in jsunpack list 4
(do not venture out there if not security savvy enough)

polonus

Studying the code, it uses a backtool action?

Why would they name the exploit backtool? :-\

Also, it appears that this code calls the command prompt?
To think a website can call the command prompt. >:(

Good thing it was detected by avast!

See attached.

All links are broken, so this coding probably wouldn’t function correctly. Nice catch by avast!, though.

And…

/* Parte Atualiza 02:48 12/2/2006 */

Plus attached. Recolored for fun. ;D

Hi Donovansrb10,

Thanks for explaining this malcode injection for us,
and good avast is protectiing the users against it,

polonus