Object: hxtp://billionuploads.com/sjfh7btnan1y|{gzip}
Infected: JS:ScriptPE-inf[Trj]
On different sites and forums only Avast users are reporting problems with BillionUploads.
Is this alert about adware?
Polonus, do you know something about this?
Thanks.
Edit: Here is example link - hxtp://billionuploads.com/pesbz1eh1hbw
Trojan alert is triggered after clicking on Download or Watch button.
Eddy
2
@Eddy
Wrong about what? I didn’t say it is FP, but some people think it is.
http://forum.icefilms.info/viewtopic.php?f=143&t=103444
I am waiting for analysis by Polonus.
Thanks.
Eddy
6
On different sites and forums only Avast users are reporting problems with BillionUploads.
As Steven and I showed you, not only avast users report it as a problem. Several other sites do so, as well as users with AVs other than avast. A little Google search showed that people who are using an AV other than avast also have problems with that website.
15(!) site/ip checkers are reporting that the site can’t be trusted.
Hi abrumptum,
The flagged malware mentioned only bites when java is installed on the OS.
Java is a risk that JS:ScriptPE-inf[Trj] is exploiting, it abuses Java flaws.
An urlquery shows there are problems for the same IP: https://www.virustotal.com/en/ip-address/141.101.116.44/information/
Let us dive into this for the site itself:
Some code anomaly here:
billionuploads dot com/js/jquery-1.8.3.min.js benign
[nothing detected] (script) billionuploads dot com/js/jquery-1.8.3.min.js
status: (referer=billionuploads dot com/pesbz1eh1hbw)saved 93636 bytes 06e872300088b9ba8a08427d28ed0efcdf9c6ff5
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function p.getElementsByTagName
error: undefined variable p *
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
I predict that “contact.php and the validate.class.php files are not reaching each other” info credits go to trag * from dynamic forums
variables are being set inside a conditional block. If $_POST['submit'] is not set, then none of those other variables will be either
*
Risk for IP is mentioned by one or more sources: given as benign here: http://zulu.zscaler.com/submission/show/94970ab57e3eaa6be1ce4838fec59880-1381587673
For Quttera scan I get an unreachable: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fbillionuploads.com%2Fjr9pka3qx6jb#tab1
http://www.isitdownrightnow.com/billionuploads.com.html (up and running)
IP is in this list: http://www.e-fensive.net/malware.pests
There is an existing virus on the uploader IP: http://192.96.205.162/cgi-bin/s33/up_flash.cgi
https://www.virustotal.com/en/url/df029fef966a61d18b6405285c508f56f1c444dee011cca7bfacc8b97e60b22b/analysis/
Avast will detect this threat as JS:DownloadNSave-J [Adw]
There are insecurity risks on the site: https://asafaweb.com/Scan?Url=billionuploads.com (which means the site could come under attack: excessive header info, clickjacking)
That’s all so far,
polonus
Hi Polonus,
For now, I’ll avoid BillionUploads.
Anyway, I don’t have or need Java.
Thanks.
BillionUploads fixed whatever was the problem.
There are no more Trojan alerts.