polonus
Hi Pondus,
As threats seem to be short-lived in the ever-changing threat landscape, this one apparently also was. In jsunpack I get: "[not analyzed] rumintuiha dot org/dududu.js
status: (referer=www.google.com/trends/hottrends)failure:
for the second one I also get: "[not analyzed] rumintuiha dot org/ywdngzevkw.php?n=2202
status: (referer=www.google.com/trends/hottrends)failure:
But when I open the wepawet analysis in wepawet, I get an avast webshield block for JS:ScriptSH-inf [Trj] in chrome.exe.
Rumintuiha.org is currently hosted at LLC Stone Star. The IP 194.247.58.51 links to a server in Star, Russian Federation. The company behind this all is LLC Stone Star. Webutation says "Domain cannot be accessed at this time. Please try again later or check for the typos" when trying to access the URL pointed to by me; the main domain is clean: http://www.webutation.net/en/review/rumintuiha.org
Also look here: http://amada.abuse.ch/?search=194.247.58.51, given as online and infected; this concerns
htxp://194.247.58.51/ir7.php?i=15 → analyzed here: http://www.virustotal.com/url-scan/report.html?id=f06c0b1a48b42ee908eba4e7eb47038c-1298639706
This is where our particular trojan that avast flagged was present on the Internet:
http://support.clean-mx.de/clean-mx/viruses.php?virusname=mdl_trojan%20Carberp&sort=first%20desc
but the response there is apparently dead.
But there was a Phoenix Toolkit at that IP for sure, and not detected:
http://www.virustotal.com/file-scan/report.html?id=2051f64ba897925e4c33867d7edf69e8a5880272b497dfe7a3616313cdca8370-1297619267
More recent, where avast detects it as Win32:Carberp-E, so SOLVED.
polonus