BillionUploads Trojan alert

Viruses and worms
1

Object: hxtp://billionuploads.com/sjfh7btnan1y|{gzip}
Infected: JS:ScriptPE-inf[Trj]

On different sites and forums only Avast users are reporting problems with BillionUploads.
Is this alert about adware ?
Polonus,do you know something about this ?
Thanks.
Edit: Here is example link - hxtp://billionuploads.com/pesbz1eh1hbw
Trojan alert is triggered after clicking on Download or Watch button.

2

You are wrong. There are multiple checks that report that site as “risky”
http://zulu.zscaler.com/submission/show/9803386eb47e478c30397cce7dcdd3fc-1381584355

3

Also Google reports that it has hosted malware in the last 90 days.
http://www.google.com/safebrowsing/diagnostic?site=billionuploads.com

4

I am getting this alert.

5

@Eddy
Wrong about what ? I didn’t say it is FP,but some people think it is.
http://forum.icefilms.info/viewtopic.php?f=143&t=103444
I am waiting for analysis by Polonus.
Thanks.

6
On different sites and forums only Avast users are reporting problems with BillionUploads.
As Steven and I showed you, not only avast users report it as a problem. Several other sites do so as well as users with other av's then avast. A little Google search showed that people who are using another av then avast also have problems with that website.

15(!) site/ip checkers are reporting that the site can’t be trusted.

7

Hi abrumptum,

The flagged malware mentioned only bites when java is installed on the OS.
Java is a risk that JS:ScriptPE-inf[Trj] is exploiting, it abuses Java flaws.

An urlquery shows there are problems for the same IP: https://www.virustotal.com/en/ip-address/141.101.116.44/information/

Let us dive into this for the site an sich:
Some code anomaly here:
billionuploads dot com/js/jquery-1.8.3.min.js benign
[nothing detected] (script) billionuploads dot com/js/jquery-1.8.3.min.js
status: (referer=billionuploads dot com/pesbz1eh1hbw)saved 93636 bytes 06e872300088b9ba8a08427d28ed0efcdf9c6ff5
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function p.getElementsByTagName
error: undefined variable p *
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

I predict that “contact.php and the validate.class.php files are nor reaching each other” info credits go to trag * from dynamic forums

variables are being set inside a conditional block. If $_POST['submit'] is not set, then none of those other variables will be either
*

Risk for IP is mentioned by one or more sources: given as benign here: http://zulu.zscaler.com/submission/show/94970ab57e3eaa6be1ce4838fec59880-1381587673

For Quttera scan I get un unreachable: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fbillionuploads.com%2Fjr9pka3qx6jb#tab1
http://www.isitdownrightnow.com/billionuploads.com.html (up and running)

IP is in this list: http://www.e-fensive.net/malware.pests

There is an existing virus on the uploader IP: http://192.96.205.162/cgi-bin/s33/up_flash.cgi
https://www.virustotal.com/en/url/df029fef966a61d18b6405285c508f56f1c444dee011cca7bfacc8b97e60b22b/analysis/
Avast will detect this threat as JS:DownloadNSave-J [Adw]

There are insecurity risks on the site ->: https://asafaweb.com/Scan?Url=billionuploads.com (that makes the site could come under attack,
excessive header info, clickjacking)

That’s all so far,

polonus

8

Hi Polonus,
For now,I’ll avoid BillionUploads.
Anyway,I don’t have or need Java.
Thanks.

9

BillionUploads fixed whatever was the problem.
There is no more Trojan alerts.