Hi 
I tried to visit our torrent site called wxxw.Partis.si but Avast found a virus on this page.
Virus: http: //ads.partis.si/www/delivery/afr.php?zoneid=4&source=_blank&cb=<%=%20rand(1000)%20%>|>{gzip} [L] HTML:Iframe-inf (0)
If you open the same website with Mozilla and Flock (with NS, AB…), Avast won't find a virus.
Virustotal: http://www.virustotal.com/analisis/085ece44f81cc9cb83e8bf0a9ee724ae516d2ced83ffb9bdbe90fc49561552dd-1278009261
Well I can’t get in to check it out as it requires that you are registered, not to mention I can’t read the language.
However, since this is ads related there is a move where ads poisoning is becoming more prevalent. See http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/.
Hi DavidR and Pondus,
Attached scan report for this site, then check it out:
htxp://jsunpack.jeek.org/dec/go?report=5e4108e6ab81b1368d2b1b6416a0c9586d942153
htxp://jsunpack.jeek.org/dec/go?report=a8efddfa17356b62bf277c9167c25ff603eab249
htXp://jsunpack.jeek.org/dec/go?report=817cbe6b6400636b28e05287f7b28dfca27e94c1
pol
Hi Pondus,
About your recent DownThemAll analysis question, check the cache of this page, else you won’t see it: htxp://webcache.googleusercontent.com/search?q=cache:ianycP-2efQJ:www.astalavista.com/index.php%3Fapp%3Dmailinglists%26do%3Dview%26mid%3D1%26id%3D90401+7FtuQd8!90%3B0!+0%3Bgy~t%3Fg%3Edg%3Edbu~tcKyMK%24M%3Eaeubi%3E|u~wdx%2Brbuq&cd=8&hl=en&ct=clnk
polonus
I read this report but I didn't understand anything.
Can you tell me what is the point of this report and if Partis really contains a virus?
Hi JuninhoSlo,
Not given all clearance, as DavidR remarks, I think it can be considered benign, as Avast flags it, it could be malware. Do refrain from visiting until it is cleared…
polonus
Unfortunately, I don’t think this one is so easy to analyse/replicate if it is, as I suspect, ads poisoning, as there is no real way to get at the original ad delivered by the hXXp: //ads.partis.si/www/delivery/afr.php page and rand selection.
Hi DavidR,
My posting now reads accordingly. Agree with you there, and the Sucuri report is not giving any info on eventual malcode, it is not blacklisted there, but as you say there is a new online malware wave rising, so keep those Avast shields up, my friends,
polonus