Avast is one of 5 that will detect HTML_MALIFRAM.AA, aka HTML:Script-inf.

See: htxp://vscan.urlvoid.com/analysis/8772d2c8928e3975b1c22e55f3fb50f8/aW5kZXgtaHRtbA==/
and see: htxp://zulu.zscaler.com/submission/show/6c20e8a35692c41ad7b22ac67b1830b5-1330730628 Malicious 100/100
See: htxps://www.virustotal.com/url/402ae178cd1ef746208b300b1c364fec7323200f3aca3b52e138bda01af50e04/analysis/1330731074/
see: htxps://www.virustotal.com/file/550aa0089d7e3460763dc8960a4e82139ac7ce18d781e7c28919e1e79ad1050e/analysis/
All live instances of this malware are found to reside at IP 87.106.229.159, above-mentioned as from 2012-03-02 00,

polonus

Hi Polonus,

This site actually cross-scripts to 4 other sites containing the potentially malicious “ajaxam.js”.

However, I am not able to access these scripts as of now. Maybe it was taken down?

Also, do you have any information about what the contents of this JavaScript contained? Do they work together? Or do they contain the same scripts to still work if one site gets ‘blacklisted’ or taken down?

You can also see this: http://blog.soleranetworks.com/2011/12/02/e-payment-drive-bys-deliver-fresh-malware-to-your-door/
A similar “ajaxam.js” file is there.