Hi, we see a lot of devious PHP malcode...

Hi malware fighters,

Here is a trend, and the malcode is often missed, example: hxtp://treadmil-l.com/wp-content/upgrade/spread.txt??
Location of PHP/Pbot.A.9 (well the name is right with a certainty of over 60%)
A further listing of malware domains with this:
http://support.clean-mx.de/clean-mx/viruses.php?virusname=PHP/Pbot.A.9&sort=source%20desc
Description of this devious malcode here:
http://evilcodecave.blogspot.com/2009/11/malware-php-pbot-dissection.html
http://www.offensivecomputing.net/?q=node/1417
also see the code of such a bot: htxp://pastebin.com/dqCtmFB7
An example of one site with PHP/Pbot.A.9 missed and only reported by WOT:
http://www.mywot.com/en/scorecard/fgfg.pl and detected here: http://www.freepcsecurity.co.uk/
respectively mentioned the first time here: http://www.freepcsecurity.co.uk/2010/07/05/malicious-sites-july-05/

polonus

VirusTotal - script.txt - 1/42
http://www.virustotal.com/analisis/14e6b1fa6db610e18a0fa486a30dd79bb3e6bf74d9821acc1623e0f9f35448d3-1279464397

VirusTotal - script2.txt - 20/42
http://www.virustotal.com/analisis/90c3f6e23e20f49424cdf17685d2d503849733cdeffc2bb30817cb9376c30af0-1279464913

Hi Pondus,

That shows that the detection for the first malcode, php.downloader-5, is far from optimal, to say the least:
more of them listed:
http://support.clean-mx.de/clean-mx/viruses.php?virusname=PHP.Downloader-5&sort=firstseen%20desc
alive examples:

htxp://gassra.com/ams/spdz.txt?

htxp://highweald.org/logs/mysp.txt?

Also check here: http://lists.clean-mx.com/pipermail/viruswatch/20100210/013302.html

polonus

Or it is a ClamAV False Positive… ???