HTML/Drop.Agent.AB on website detected?

See: https://www.virustotal.com/nl/url/83ef0c886b6756458200c558ccf1c8f8186e55b5e33f2b52e29f8216f34e9b5c/analysis/
Unable to scan properly? https://sitecheck.sucuri.net/results/asso-evenement.com#sitecheck-details
eMetrics tracking via: htxps://count.carrierzone.com/app/count_server/count.js
uMatrix has prevented the following page from loading:
htxps://count.carrierzone.com/app/count_server/count.js GoBack!
Code added as a result of a hack. Carrierzone is some sort of spam-protecting service for web and mail servers,
with a bad web reputation (spam): https://www.mywot.com/en/scorecard/carrierzone.com?utm_source=addon&utm_content=popup

polonus

Good catch Pol…
http://zulu.zscaler.com/submission/show/13cd77be6cc85d0fd13a0c9275adc4ad-1432557147

Everyone detects it:
https://www.virustotal.com/en/file/fa8559b087adddbbdec76ddf8f20b0046d2605bd79bc2131d2c4ac34919a42d9/analysis/1432558399/

Yep, thanks Pondus. :slight_smile:

Could well be everybody detects it and that is a good thing, but probably admins installed carrierzone as a protection and got the ill results that way.
There are more that have this malware at the mo at -obh.net.
Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 -asso-evenement.com htxp://asso-evenement.com (the one we already presented above)
and:
Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 -banlieu-en-action.org htxp://banlieu-en-action.org
Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 -beurette-coquine.net htxp://beurette-coquine.net
Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 -boutiques-ephemeres.com htxp://boutiques-ephemeres.com
Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 -ddream-media.fr htxp://ddream-media.fr (source VirusWatch MX).

pol
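The five "Up(nil): ..." lines above all point at one OVH address. As an added example (not code from the thread or from VirusWatch), here is a small parser for that listing layout, with the field order inferred from those five lines, that groups the listed sites by hosting IP so shared infrastructure stands out at a glance. The helper names, the regex and the sample lines (copied from the post above) are ours.

```python
"""Parse VirusWatch-style 'Up(nil): ...' listing lines and group sites by IP.

Added example; the line layout is inferred from the five lines quoted in the
thread (status, detection, RIR, country, abuse contact, IP range, domain, URL,
optional note). Domains and URLs stay defanged exactly as posted.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Layout assumed from the thread:
#   <status>: <detection> <RIR> <CC> abuse at <abuse-domain> <ip> to <ip> <domain> <url> [(note)]
# The leading '-' on domains and 'htxp' in URLs are the poster's defanging; the
# regex tolerates both the defanged and the plain form.
LINE_RE = re.compile(
    r"^(?P<status>[^:\s]+):\s+"
    r"(?P<detection>\S+)\s+"
    r"(?P<rir>\S+)\s+"
    r"(?P<cc>[A-Z]{2})\s+"
    r"abuse at\s+-?(?P<abuse>\S+)\s+"
    r"(?P<ip_start>\d{1,3}(?:\.\d{1,3}){3})\s+to\s+"
    r"(?P<ip_end>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"-?(?P<domain>\S+)\s+"
    r"(?P<url>\S+)"
    r"(?:\s+\((?P<note>[^)]*)\))?\.?\s*$"
)

# Constructed sample: the lines from the post above, verbatim.
SAMPLE_LINES = [
    "Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 "
    "-asso-evenement.com htxp://asso-evenement.com (the one we already presented above)",
    "Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 "
    "-banlieu-en-action.org htxp://banlieu-en-action.org",
    "Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 "
    "-beurette-coquine.net htxp://beurette-coquine.net",
    "Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 "
    "-boutiques-ephemeres.com htxp://boutiques-ephemeres.com",
    "Up(nil): HTML/Drop.Agent.AB RIPE GB abuse at -ovh.net 178.32.52.67 to 178.32.52.67 "
    "-ddream-media.fr htxp://ddream-media.fr (source VirusWatch MX).",
]


def parse_viruswatch_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one listing line, or None if it does not fit.

    Both IPs are validated with the ipaddress module so a line with a bogus
    octet (e.g. 999.1.1.1) is rejected rather than silently accepted.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["ip_start"])
        ipaddress.ip_address(rec["ip_end"])
    except ValueError:
        return None
    return rec


def group_by_ip(lines: List[str]) -> Dict[str, List[str]]:
    """Map each start IP to the sorted list of domains listed on it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_viruswatch_line(line)
        if rec:
            groups[rec["ip_start"]].append(rec["domain"])
    return {ip: sorted(doms) for ip, doms in groups.items()}


def shared_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Only the IPs that host more than one listed domain (shared infrastructure)."""
    return {ip: doms for ip, doms in group_by_ip(lines).items() if len(doms) > 1}


if __name__ == "__main__":
    for ip, doms in shared_hosts(SAMPLE_LINES).items():
        print(f"{ip}: {len(doms)} listed sites -> {', '.join(doms)}")
```

Run it as a script to print the shared host and its sites; feed it any other lines in the same layout to see which IPs keep turning up. Lines that do not match the layout are skipped rather than guessed at.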

Is this similar malware? Bck/Prorat.HT
Also detected by almost all: https://www.virustotal.com/nl/url/06ed6bc716bbb5c180a0d3fbea9d094a58892db193b39d31416fa7821b22e7b6/analysis/1432559087/
https://www.virustotal.com/nl/file/4530cbf050b3d3bbc500bee17c48056bcaacbb86d476c80ec8bbb4c0aa6238b9/analysis/1389661599/
Realtime situation there: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=193.106.172.%
Most of it is LONG OVERDUE malcode!

pol

There are more that have this malware at the mo at -obh.net.
Well, let's find out .... back in 5 ;)

Yep, exact same on all:
https://www.virustotal.com/en/file/fa8559b087adddbbdec76ddf8f20b0046d2605bd79bc2131d2c4ac34919a42d9/analysis/1432559798/
https://www.virustotal.com/en/file/fa8559b087adddbbdec76ddf8f20b0046d2605bd79bc2131d2c4ac34919a42d9/analysis/1432559798/
https://www.virustotal.com/en/file/fa8559b087adddbbdec76ddf8f20b0046d2605bd79bc2131d2c4ac34919a42d9/analysis/1432559798/
https://www.virustotal.com/en/file/fa8559b087adddbbdec76ddf8f20b0046d2605bd79bc2131d2c4ac34919a42d9/analysis/1432559798/

No … that is a .exe file; the others are HTML script.

Also old: First submission 2012-12-24 20:17:49 UTC (2 years, 5 months ago)