Heuristic virus, VBS.Rmnet.2, on SSL-site?

This is a suspicious page
Result for 2014-07-21 18:55:19 UTC
Website: htxps://dl.dropboxusercontent.com
Checked URL: htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/Web …
Heuristic viruses detected:
Object: htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html
SHA1: b2a8cf255f7fab9ca8a17ddfe068b78971e9c1c7
Name: Virus.VBS.Ramnit.c
Recently nothing here: http://urlquery.net/report.php?id=1405971751741
But earlier detections: IDS alert for ET POLICY DropBox User Content Access over SSL
SSL seems OK: http://www.sslshopper.com/ssl-checker.html#hostname=https://dl.dropboxusercontent.com

When the heuristic virus is confirmed, this installs a trojan on the device.
At least DrWeb’s URL Checker confirms the infection:

Checking: htxp://webplayer.unity3d.com/download_webplayer-3.x/3.0/uo/UnityObject.js
File size: 21.01 KB
File MD5: 09074a04793fb5ae42a43efca5e8ea0a

htxp://webplayer.unity3d.com/download_webplayer-3.x/3.0/uo/UnityObject.js - Ok

Checking: htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html
Engine version: 7.0.9.4080
Total virus-finding records: 5378295
File size: 262.81 KB
File MD5: 50a5e79c81cd1399b8cb7f2e309911c2

htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html - archive JS-HTML

htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html/JSTAG_1[175][127] - Ok
htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html/JSTAG_2[812][40feb] infected with VBS.Rmnet.2
htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html/JSTag_3[17a][122] - Ok
htxps://dl.dropboxusercontent.com/u/245001632/UNITY%20DEMOS/HappyFields/WebPlayer.html/JSTag_4[817][40fe6] infected with VBS.Rmnet.2

polonus

:wink:

https://www.metascan-online.com/en/scanresult/file/4afad530602d40c5b516e3e0fe3df59c
https://www.virustotal.com/en/file/777da55d2469ba1e23e38fdf9110856bde8a0a291f6c6482f8803b378fd02a73/analysis/1405973092/

TrojWare.JS.Agent.caa and SEO-Spam on Polish government site.
Here we have detection as avast! blocks: JS:Clickjack-B[Trj].

See: https://www.virustotal.com/nl/url/8d3770798bbd7a7ea85146bb4d9c743e3a0fbc
and http://app.webinspector.com/public/reports/show_website?result=3&sit
Address is unreachable?
None of the common names in the certificate match the name that was entered (autoinformator.bydgoszcz.pl). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
Site infested with SEO Spam according to Sucuri’s
ISSUE DETECTED   DEFINITION    INFECTED URL
SEO Spam         MW:SPAM:SEO   htxp://autoinformator.bydgoszcz.pl
SEO Spam         MW:SPAM:SEO   htxp://autoinformator.bydgoszcz.pl/404testpage4525d2fdc
SEO Spam         MW:SPAM:SEO   htxp://autoinformator.bydgoszcz.pl/autoinformator-bydgoszcz.pl/index.php…
SEO Spam         MW:SPAM:SEO   htxp://autoinformator.bydgoszcz.pl
Known javascript malware. Details: htxp://sucuri.net/malware/entry/MW:SPAM:SEO
Code: [Select]
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
Reason for it being infested: web application version:
Joomla Version 2.5.7 for: htxp://autoinformator.bydgoszcz.pl/media/media/js/mediamanager.js
Joomla Version 2.5.0 to 2.5.2 for: htxp://autoinformator.bydgoszcz.pl/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.20 or 3.3

polonus

https://www.metascan-online.com/en/scanresult/file/f5d4aa66d2cb4d7bb074538fffd30588
https://www.virustotal.com/en/file/ea0ebd8a48d25f5185fdaaea22bb2e63a3234b8432b7d7db45020aef9c4959d0/analysis/1405975713/
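Both reports above work the same way: the scanner splits the HTML page into its inline script tags (the JSTAG_1 … JSTAG_4 entries in the DrWeb output), hashes and scans each one separately, and flags the tag that carries the injected code (the dnnViewState/document.write fragment quoted from the Sucuri report). The Python script below is an added illustration of that per-tag breakdown and is not code from the thread, from Dr.Web or from Sucuri; the HTML it scans is a constructed sample, and the indicator strings are simply the two markers visible in the quoted snippet, not a real signature.

```python
import hashlib
import re

# Constructed sample page, not the real Dropbox or autoinformator.bydgoszcz.pl content.
# Tag 1 is an external loader, tag 2 a benign inline function, tag 3 a stub that
# carries the two markers from the quoted SEO-spam fragment.
SAMPLE_HTML = """<html><head>
<script src="UnityObject.js"></script>
<script type="text/javascript">function launch(){ /* benign loader */ }</script>
</head><body>
<script>function dnnViewState(){var x=[];x[0]='div';document.write('<'+x[0]+'>');}dnnViewState();</script>
</body></html>"""

# Inline body of every <script ...>...</script> pair (external tags yield an empty body).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Hypothetical indicator: both markers must be present in one tag body.
INDICATORS = {
    "dnnViewState-seo-spam": ("dnnViewState", "document.write("),
}


def split_script_tags(html):
    """Break a page into its inline script tags, numbered like a scanner's JSTAG_n entries,
    with size and MD5 per tag so each block can be matched or reported on its own."""
    blocks = []
    for i, m in enumerate(SCRIPT_RE.finditer(html), start=1):
        body = m.group(1)
        blocks.append({
            "tag": f"JSTAG_{i}",
            "size": len(body),
            "md5": hashlib.md5(body.encode("utf-8")).hexdigest(),
            "body": body,
        })
    return blocks


def classify(block):
    """Return the indicator name whose markers all occur in the tag body, else 'Ok'."""
    for name, needles in INDICATORS.items():
        if all(n in block["body"] for n in needles):
            return name
    return "Ok"


def scan_html(html):
    """Produce one (tag, size, verdict) line per script tag, as the DrWeb output does."""
    return [(b["tag"], b["size"], classify(b)) for b in split_script_tags(html)]


if __name__ == "__main__":
    for tag, size, verdict in scan_html(SAMPLE_HTML):
        print(f"{tag}[{size:x}] - {verdict}")
```

Run stand-alone it prints one line per tag; only the third tag is flagged, while the external loader tag and the benign inline function are reported as Ok. Splitting per tag is what lets a clean page-level hash (such as the MD5 values in the reports) coexist with a hit on a single injected script.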

We meet this malware again here: https://www.virustotal.com/#/url/826ab6316e5e703e62f318cb9c84a7dcd43dd66c69ba03f3ae719e63b90849c0/detection

Re: https://urlquery.net/report/088e2ffb-01a9-48bb-b621-32d20dd3bb69

polonus