False positive or virus?

My friend has been trying to access a supposedly legitimate website; however, avast! blocked it, and the infection was HTML:Iframe-inf.

The website is wXw.snowcity.com.sg/

Snowcity is a place of attraction in my country, and this is the official website.

VirusTotal results:
http://www.virustotal.com/file-scan/report.html?id=b2c1581bde5cdb4949a4f360498fde5dc6d24cdd5cca77fe7efa18b71d1dd01e-1303553049

Could someone tell me whether this is an infected website or a false positive?

Another website in my country was flagged, wXw.dragonbrand.com.sg. This is the website of a bird's nest product in my country.
Currently, only avast! detects it, according to VirusTotal.

http://www.virustotal.com/file-scan/report.html?id=65d9189718ebefa80c0df7377ac2e1db1f5e20f3ae102e34a5a544ee5ea7ed18-1302938369

Thanks in advance.

Hi ayuta,

The site is definitely infected. There is a hidden iFrame to htxp://disreco.com/images/start.php?id=vlnd (see attached gif);
this is a blacklisted domain, so good avast blocked the hacked site. As the Sucuri scan states:
malware:
http://sucuri.net/malware/entry/MW:IFRAME:HD202
&
http://sucuri.net/malware/entry/MW:BLK:2

The hidden embedded link is also found here: http://safeweb.norton.com/report/show?url=snowcity.com.sg

The second site may have been cleaned of the iFrame malware at the moment, because I get:

“Unable to properly scan site. Site returning error (40x): HTTP/1.1 400 Bad Request”

polonus
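The detection polonus describes above, a hidden iFrame whose target is a blacklisted domain, is easy to check for yourself before trusting a "clean" verdict. The following is an added example, not code from this thread or from avast or Sucuri: it parses a page, collects every iframe, flags the ones hidden by style or zero size, and cross-checks the target host against the site's own hostname and a blocklist. The sample HTML, the hostname `www.example.com` and the blocklist entry `blacklisted-domain.example` are all constructed placeholders, not the domains from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate, visible iframe on the site's own host,
# plus an injected iframe that is hidden (zero size and display:none) and points
# at a placeholder domain. This is not the real page from the thread.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/map" width="600" height="400"></iframe>
<iframe src="http://blacklisted-domain.example/images/start.php?id=abc"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed stand-in for the blacklist lookup a scanner would do.
BLOCKLIST = {"blacklisted-domain.example"}

# The host the page legitimately belongs to (assumed value).
SITE_HOST = "www.example.com"

# CSS patterns commonly used to keep an injected frame out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


def dimension_is_zero(value):
    """True if a width/height attribute such as "0" or "0px" is zero."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: hidden via inline style, or collapsed to zero width/height."""
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    return dimension_is_zero(attrs.get("width")) or dimension_is_zero(attrs.get("height"))


def scan_iframes(html, site_host, blocklist):
    """Return a finding for each iframe that is hidden, third-party or blocklisted.

    Each finding carries the src, its host, the reasons it was flagged and a
    verdict: "malicious" when the host is blocklisted, "suspicious" when a
    hidden frame points off-site, otherwise "info".
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host != site_host:
            reasons.append("third-party")
        if host in blocklist:
            reasons.append("blocklisted")
        if not reasons:
            continue  # visible, same-site frame: nothing to report
        if "blocklisted" in reasons:
            verdict = "malicious"
        elif "hidden" in reasons and "third-party" in reasons:
            verdict = "suspicious"
        else:
            verdict = "info"
        findings.append({"src": src, "host": host, "reasons": reasons, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_iframes(SAMPLE_HTML, SITE_HOST, BLOCKLIST):
        print(finding["verdict"], finding["host"], ", ".join(finding["reasons"]))
```

Run against the constructed sample, only the injected frame is reported, as "malicious" because its host is on the blocklist. A hidden frame to a host that is not yet on any blocklist still comes back as "suspicious", which matches the thread's point that the campaign domains are short-lived: the hiding technique is a more durable signal than the domain itself.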

+1

But at the moment the site (disreco.com) is not in working condition.

Avast identified correctly (hidden iFrame).

http://www.mywot.com/en/scorecard/snowcity.com.sg

Hi Dim@rik,

Yes, these might be remnants of an old malcode campaign: "malicious software was hosted on 4 domains, including iseyh.com/, uaerup.com/, disreco.com/" (found in the Unmask Parasites cache from 2011-02-14). These campaigns, as you state, are mostly rather short-lived and taken down as soon as they have been detected; good avast even flags the vulnerabilities. Webmasters should update their website software and scan their websites. As we can detect it, they can; it proves many are being taken by surprise or are being unaware,

polonus

P.S. As I get a report, the second site seems to have been reinfected, this time from: htxp://curem.net/t.php?id=267433
(used for hidden downloads not visible to the user);
see: http://sucuri.net/malware/entry/MW:IFRAME:HD202
Malware found in the URL (for Google's UA): wXw.dragonbrand.com.sg/catalog/index.html…

D

Hi Polonus,

Thank you for the information. I am really glad there are malware fighters like you guys around.

polonus, sorry, I should have answered the person (ayuta), but I accidentally missed that and answered you.
You all correctly describe the problem.

Sorry for my English.