Avast detects dududu.js as URL:Mal not only via the Network Shield (SOLVED)

See the VirusTotal analysis here: http://www.virustotal.com/file-scan/report.html?id=a8848dcd2ac0516fb80ec96bd4f9fdc6e54ea01cb0b29b072f1d5675fbc475e6-1298043858
and the more recent analysis: http://www.virustotal.com/file-scan/report.html?id=a8848dcd2ac0516fb80ec96bd4f9fdc6e54ea01cb0b29b072f1d5675fbc475e6-1298457098 (detection 0/42)
Attack described as HTTP Malicious Toolkit Variant Activity 12
The malware can be found here:
htxp://rumintuiha.org/dududu.js Network Shield blocks it as URL:Mal infection…
Wepawet shows it as benign, but it is definitely malware: http://wepawet.iseclab.org/view.php?hash=f68e07dd07ca3249a0f33ff686ac8db1&t=1298585254&type=js

Furthermore this malware was detected by wepawet there: http://wepawet.iseclab.org/view.php?type=js&hash=4487c786851ad647eb9b3bfd38d2ff08
found to be Phoenix exploit kit MDL, also look here:
http://support.clean-mx.de/clean-mx/viruses.php?as=AS52093&response=
and
http://honeywhales.com/results … for ywdngzevkw.php?n=2202
and
http://a.hatena.ne.jp/uzele/?gid=99993

polonus

NORMAN analysis

dududu.js : Clean!

AVIRA analysis

The file 'dududu.js' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

Hi Pondus,

As threats seem to be short-lived in the ever-changing threat landscape, this one apparently was too. In jsunpack I get: "[not analyzed] rumintuiha dot org/dududu.js
status: (referer=www.google.com/trends/hottrends)failure:"
For the second one I also get: "[not analyzed] rumintuiha dot org/ywdngzevkw.php?n=2202
status: (referer=www.google.com/trends/hottrends)failure:"
But when I open the wepawet analysis in wepawet, I get an avast Web Shield block for JS:ScriptSH-inf [Trj] in chrome.exe.
Rumintuiha.org is currently hosted at LLC Stone Star. The IP 194.247.58.51 links to a server in Star, Russian Federation. The company behind this all is LLC Stone Star. Webutation says "Domain cannot be accessed at this time. Please try again later or check for the typos" when trying to access the URL I pointed to; the main domain is clean: http://www.webutation.net/en/review/rumintuiha.org
Also look here: http://amada.abuse.ch/?search=194.247.58.51 given as online and infected, this concerns
htxp://194.247.58.51/ir7.php?i=15 → analyzed here: http://www.virustotal.com/url-scan/report.html?id=f06c0b1a48b42ee908eba4e7eb47038c-1298639706
This is where our particular trojan that avast flagged was present on the Internet:
http://support.clean-mx.de/clean-mx/viruses.php?virusname=mdl_trojan%20Carberp&sort=first%20desc
but the response there is apparently dead.
But there was Phoenix Toolkit for sure at that IP, and not detected:
http://www.virustotal.com/file-scan/report.html?id=2051f64ba897925e4c33867d7edf69e8a5880272b497dfe7a3616313cdca8370-1297619267
more recent, where avast detects it as Win32:Carberp-E, so SOLVED

polonus

There is a recent version on VirusTotal where AVG detects it. Check here. I guess they added it after the js was submitted to VT; that is why it didn't detect it previously but now it does.

Hi nmb,

There is a nice write-up here by evilfingers on Phoenix Exploit's Kit, to be found at his blog:
http://evilfingers.blogspot.com/2009/09/phoenix-exploits-kit-another.html
another Web application developed in PHP and originally from Eastern Europe,
can be found in this list as well →
http://page2rss.com/page?url=www.malwaredomainlist.com/mdl.php?sort=Date%26search=%26colsearch=All%26ascordesc=DESC%26quantity=100%26page=0
e.g. 011/02/14_20:20 taklonaft dot com/ywdngzevkw.php?n=dekrek 194.247.58.51 vpn6-dip-t-pool2-194-247-58.51.sevpn.com. Phoenix exploit kit Ilnar Galimov etc.

polonus

Polonus, welcome back :slight_smile: