Avast has reported a virus at downthemall dot net. I completely trust this site, and I have gone there before without any problems. It is possible that the website was hijacked, but if so I don’t really care on this computer, because I don’t use it for anything personal. How can I stop AVG from blocking this website?
Hi…
An FP or hijacking is possible, although Online Link Scan reports the site as clean. I’m curious, how does AVG figure into this? Do you have an AVG product installed alongside avast?
Regards…
Sorry, that was just an error on my part, I meant Avast… :-X
NoVirusThanks - downthemall.net - 7/16 - INFECTED
http://scanner.novirusthanks.org/analysis/99bf7e26e01f850e178a025171b620ec/aW5kZXg=/
VirusTotal - downthemall.net - 11/41
http://www.virustotal.com/analisis/59ff8d452e248a4a84b7d35f397bac2439532d72ac3ccacee914f23726eebace-1278009099
This page seems to have 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.downthemall.net
I think someone has been "downthemall" and done some website tuning… :o
Hi arconreef, ardvark and Pondus,
Pondus, you are so right: the site is suspicious because of 1 suspicious inline script found,
see attached gif image…
What has been found on that site is reported here: http://www.google.com/safebrowsing/diagnostic?site=downthemall.net
Reported as suspicious also here:
http://wepawet.iseclab.org/view.php?hash=b015b380e12e4e866cab972801cec898&t=1278010699&type=js
Apparently the malcode comes from Twitter, see: http://pastebin.com/mZ1JGhYF
but it is a Joomla malware script: http://www.google.com/support/forum/p/Webmasters/thread?tid=256902d9865b7cbd&hl=en
Joomla there was maliciously injected, my good anti-malware friends,
There is another suspicious hidden link there: pfgjmeepoxk.com/ld/goldmn
and the last time suspicious content was found on this site by google was on 2010-07-01.
Malicious software includes 397 scripting exploits, 212 exploits, 26 trojans.
This site was hosted on 66 networks including AS3269 (TELECOM), AS7132 (SBIS), AS7725 (COMCAST).
Has this site acted as an intermediary resulting in further distribution of malware?
Has this site hosted malware? See: http://amada.abuse.ch/?search=pfgjmeepoxk.com
Yes, this site has hosted malicious software and it infected 13 domains, including lambdastreaming.com/, elbukanero.com/, trueblood-online.com/.
polonus
Hi malware fighters,
Good news for you, giving in: htxp://pfgjmeepoxk.com/ld/goldmn/
Do not repeat this; it will give an avast flag for S:Prontexi-CG [Trj]
About this ad-poisoning malware, the avast bloggers reported here: http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/
So I think we thoroughly analyzed this malware site.
Thanks, Pondus, for your malcode scanning contributions,
this really must make a difference for our users,
polonus
VirusTotal - GOLDMN.py - 4/40
http://www.virustotal.com/analisis/b88346304b576d80b734c005746fd854f018d27dda4946a404368bb31637d0de-1278013014
Hi malware fighters,
About that script there: htxp://webcache.googleusercontent.com/search?q=cache:ianycP-2efQJ:www.astalavista.com/index.php%3Fapp%3Dmailinglists%26do%3Dview%26mid%3D1%26id%3D90401+7FtuQd8!90%3B0!+0%3Bgy~t%3Fg%3Edg%3Edbu~tcKyMK%24M%3Eaeubi%3E|u~wdx%2Brbuq&cd=8&hl=en&ct=clnk
And the new malware wave: http://www.securityfocus.com/archive/1/511164/30/0/threaded
http://pastebin.com/mZ1JGhYF
Something in the obfuscated code translates to:
cc='%3c%5c%2fscript%3e';window["e"+""+/
signs of an attack site…
polonus
Hi malware fighters, what I prescribe in forthcoming cases: feed the obfuscated packed code here:
http://www.strictly-software.com/unpack-javascript.aspx
Now click unpack, then feed this into jsunpack with NS active in the browser (just for experts; code may spill or worse). Now google the initial part of the code and read explanations of what it does (links from web application tool forums, security sites, etc.). Now we will have a good idea what the code is aiming at and what the threat may be about, and also whether, as here, a malicious iFrame is involved. Good hunting, folks,
D
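As an added analysis helper (not code from this thread, nor from the unpack or jsunpack tools it links), here is a Python script that does the first static pass of the procedure above by hand: it percent-decodes string literals the way JavaScript's unescape() would, folds spliced concatenations such as "e"+""+"val" back into one literal, and flags the two tell-tale signs visible in the fragment quoted earlier (an encoded script tag and a computed window[...] property access). The sample input is constructed in the style of that fragment and is not the actual script found on the site.

```python
import re
from urllib.parse import unquote

# Constructed sample in the style of the fragment quoted in the thread; it is
# not the script found on the site, just the same two obfuscation tricks.
SAMPLE = "cc='%3c%5c%2fscript%3e';window[\"e\"+\"\"+\"val\"](\"x\");"

# Matches one single- or double-quoted JS string literal (escapes allowed).
STRING_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'" + r'|"((?:[^"\\]|\\.)*)"')
# Matches a chain of two or more literals joined only by '+'.
CONCAT = re.compile(r"""(?:'[^']*'|"[^"]*")(?:\s*\+\s*(?:'[^']*'|"[^"]*"))+""")
PART = re.compile(r"'([^']*)'" + r'|"([^"]*)"')

def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX code units, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def decode_literals(js):
    """Percent-decode every string literal, leaving code outside quotes alone."""
    def repl(m):
        if m.group(1) is not None:
            return "'" + js_unescape(m.group(1)) + "'"
        return '"' + js_unescape(m.group(2)) + '"'
    return STRING_LIT.sub(repl, js)

def fold_concats(js):
    """Join literal-only concatenations: "e"+""+"val" becomes "eval"."""
    def repl(m):
        return '"' + "".join(a or b for a, b in PART.findall(m.group(0))) + '"'
    return CONCAT.sub(repl, js)

def deobfuscate(js):
    return fold_concats(decode_literals(js))

# Indicators worth flagging once the literals are readable (defensive triage only).
INDICATORS = {
    "script_tag_in_string": re.compile(r"""['"][^'"]*<\\?/?script[^'"]*['"]""", re.I),
    "computed_eval": re.compile(r'window\s*\[\s*"eval"\s*\]'),
}

def indicators(js):
    """Return the sorted names of indicators present in the deobfuscated source."""
    clean = deobfuscate(js)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(clean))

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(indicators(SAMPLE))
```

This only handles the simplest layer (encoded literals and string splicing); packed or self-decrypting code still needs the unpacker and jsunpack steps described in the post.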
Hi all…
Looks like I should have tried additional scanners.
Regards…