The malware resides here: htxp://empresalife.com/inco/attachment.php
virustotal scan results:
http://www.virustotal.com/file-scan/report.html?id=6cdf74487097efdbcdbbabcb5923186b2ca1f285b3d6e64280c369bdf8586203-1301090789
found to be suspicious here: http://wepawet.iseclab.org/view.php?hash=e3cffc60d31e546b04de7d76ce112762&t=1300522695&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=128f3c919b94292442da879d0801c375b

also here: htxp://empresalife.com/inco/ detected as Suspicious Executable Image Download Web Attack…
Sucuri gives it still as clean: http://sitecheck.sucuri.net/scanner/
while they also have this link there: http://safeweb.norton.com/report/show?url=empresalife.com
So users that check the free sucuri scan should also check by clicking all blacklist status links,
and do an additional lookup at unmasked parasites, where it is also is still missed…
And if there use this info: http://www.threatexpert.com/report.aspx?md5=c37fd33acd75bfcbd0ccf7dd8030eae6

polonus

Site is down

http://www.downforeveryoneorjustme.com/http://empresalife.com/inco/attachment.php

Hi Pondus,

Strange for me it is up, see attached gif…

polonus

you are correct, if i click the link i posted it now show the link is live ???

Hi Pondus,

Yes I thought this was strange from the onset, because where I found the detection (you know that source from me) the site is being given as still alive and kicking this Trojan.Generic.KD.167367. Well, and it would be pointless to give alerts for avast non-detects when the sites are dead or have been taken down.
Well we have to report this even when the malware is shortlived and the threat landscape is changing all the time a bit like waves of an ocean, because the malcreants can always register and find other domains to launch the same attacks from,

polonus

Well it seems down now. And at the malware realtime site it reads “dead”…

polonus