How to perform a search here...

Hi malware fighters,

We take a given malware domain, and enter the search query here: http://sucuri.net/index.php?page=scan2

Security Scan for htxp://v3p2.com

* Web Site detail
* Blacklisting status
* Malware information
* DNS Lookup
* Whois

Web server details
Scan for: htxp://v3p2.com
Hostname: v3p2.com
IP Address: 174.139.86.250 (174.139.86.250.CUSTOMER.KRYPT.COM.86.139.174.in-addr.arpa)
Date: 26-05-2010 15:02

Running on: Microsoft-IIS/6.0

Web Application details:
Javacript included

Remote Javascript included: htxp://count12.51yes.com/click.aspx?id=122363097&logo=1
Iframe included

Iframe included: index1.html
JavaScript dump: see attached picture (JPG)

^script language=“javascript” src=“htx://count12.51yes*com/click.aspx?id=122363097&logo=1” charset=“gb2312”^^/script^

Iframe dump

^iframe width=100 height=0 src=index1.html^^/iframe^
Get the interpretation from jsunpack: paste the JS dump there (not this one, because I have sanitized it here)
htxp://jsunpack.jeek.org/dec/go?report=e8343f370bf86c11ab16a8652562479df885127b
Blacklisting status we have to establish ourselves, but the scan was useful to see the site is green…

Domain clean by Google Safe Brownsing: v3p2.com

Domain clean by Norton Safe web: v3p2.com

Domain clean by Sucuri Web Blacklist: v3p2.com

Domain clean by the Phish Tank: v3p2.com

Domain clean by the Malware Domain List: v3p2.com

List:
http://sucuri.net/?page=tools&title=blacklist&detail=5d2c93c67a2be961b601327260cc0d98
http://sucuri.net/blacklist/MS-iplist.txt and here: http://sucuri.net/blacklist/MH-sitelist.txt

enjoy,

polonus
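The two findings in the scan report above, a remote JavaScript include and an iframe with height 0, can also be checked on saved page source. The Python below is an added example, not part of the original post and not Sucuri's scanner code; the host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IncludeAudit(HTMLParser):
    """Collect remote <script src> and zero-sized <iframe> tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.remote_scripts = []
        self.hidden_iframes = []

    @staticmethod
    def _is_zero(value):
        # "0", "0px" and "0%" all collapse the frame; a missing attribute does not.
        digits = (value or "").strip().lower().rstrip("px%")
        return digits.isdigit() and int(digits) == 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and src:
            # urlparse also resolves protocol-relative //host/path sources.
            host = (urlparse(src).hostname or "").lower()
            if host and host != self.page_host:
                self.remote_scripts.append(src)
        elif tag == "iframe" and src:
            if self._is_zero(a.get("width")) or self._is_zero(a.get("height")):
                self.hidden_iframes.append(src)


def audit(html, page_host):
    """Return the includes worth a closer look in saved page source."""
    parser = IncludeAudit(page_host)
    parser.feed(html)
    parser.close()
    return {"remote_scripts": parser.remote_scripts,
            "hidden_iframes": parser.hidden_iframes}


# Constructed sample modelled on the dump above; host names are placeholders.
SAMPLE = """<html><body>
<script language="javascript" src="http://counter.example/click.aspx?id=1" charset="gb2312"></script>
<script src="/js/local.js"></script>
<iframe width=100 height=0 src=index1.html></iframe>
<iframe width="400" height="300" src="about.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "site.example"))
```

A remote counter script or a zero-height iframe is a reason to look closer, not a verdict; the blacklist checks in the report remain a separate step.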

You have to break the jsunpack.jeek.org link to the results, as avast will alert to that page because it contains the code, unless you have added hXXp://jsunpack.jeek.org/dec/go?* to the web shield exclusions, or do as I do and use images as examples.

Many inquisitive forum members won’t have done that, nor perhaps should they. Even though the code isn’t live, the alert is likely to cause a coronary in some ;D

Even so-called sanitised script tags or JavaScript in a code tag could cause avast to alert, which again is why I use images.

Hi DavidR,

Links made non-click-through, code given as attached picture, so the unaware won’t get alarmed and those that know what it is about can profit from the information. It was just given as a possible approach for further analysis for members like you, me, Pondus and others that come to analyze these infections when brought to the virus and worms forum section by users that were alerted by the avast shield,

polonus

I doubt that avast goes to the point of following the links to find they are malicious or not, unless they are accessed.

Yes, that is the problem as there are many others viewing this that may not fall into that category, so we have to look out for them also. But I always crop images to show only what is relevant for the poor saps on dial-up, compare mine at 7.34KB with 82.6KB ;D

Hi DavidR,

Thanks for the assist, also keep an eye out here for the latest web threats: http://safeweb.norton.com/buzz

Damian

Hi malware fighters,

Just stumbled upon this search to get to a real URL:
http://sucuri.net/?page=tools&title=check-url
http://blog.sucuri.net/ (freely accessible)
enjoy, folks,

polonus