So from today, every game description page from wxw.4399.com is blocked with HTML:script-inf
for example:
hxxp://www.4399.com/flash/140469.htm
hxxp://www.4399.com/flash/140441.htm
hxxp://www.4399.com/flash/140571.htm
Edit: Upon checking, I found that since the recent virus definition update, this site's picture sources and game comment sections are all blocked, as well as a {gzip} file avast! does not like on the game page itself and the game description page.
I have sent the website to avast.
Do you think I should contact the site about this issue? Every sub-page I have visited has 51 avast! popups.
So far the domains that are blocked:
URL:Mal hxxp://f1.img4399.com/ (game pictures)
URL:Mal hxxp://a.img4399.com/ (game pictures)
URL:Mal hxxp://s4.img4399.com/ (game pictures)
URL:Mal hxxp://s1.img4399.com/ (game pictures)
URL:Mal hxxp://s3.img4399.com/ (game pictures)
URL:Mal hxxp://s2.img4399.com/ (game pictures)
URL:Mal hxxp://m.img4399.com/ (game pictures)
The “htm” pages that are blocked:
HTML:script-inf hxxp://www.4399.com/flash/xxxxx.htm (game description pages, put game id in xxxxx)
HTML:script-inf hxxp://www.4399.com/flash/xxxxx_x.htm (game page, put numbers in xxxxx_x)
HTML:script-inf hxxp://huodong.4399.com/comment/4399685.htm?dm=huodong3.4399.com (don’t know what this is but it is at the bottom of a page)
HTML:script-inf hxxp://my.4399.com/game_hlddz/ (web/online/social network game)
HTML:script-inf hxxp://cdn.comment.4399pk.com/html/138380.htm?popup=yes&dm=www.4399.com (the online user comments section in every game page, where the malware popup is triggered on load)
It gets more serious :o
Since the virus definition update not long ago, there has been a new type of detection popup when the 4399.com online user comment section is being loaded.
This time it states clearly it is a trojan.
The website has good reputation as shown in mywot: https://www.mywot.com/en/scorecard/4399.com
I have sent more websites to avast but now it is still detected as malware.
Oh no! More trojan popups and even the actual online game (4399开心农场) is a trojan?
URL: hxxp://my.4399.com/forums-mtag-tagid-1.html?toLogin=1&tid=200840|{gzip} JS:ScriptIP-inf [Trj]
URL: hxxp://my.4399.com/game_kxnc/?from=www|{gzip} JS:ScriptIP-inf [Trj]
And another 4399.com related domain that is blocked:
URL: hxxp://enter.wanwan4399.com/bin-debug/GreenGame.html URL:Mal
I have done some scans using zulu zscaler and urlquery but it looks like nothing bad is found.
Some other Chinese users have reported the same issue in the baidu forum:
http://tieba.baidu.com/p/3176129719
http://tieba.baidu.com/p/3175953766
The detections have stopped for 2 days. But from today the main page is blocked again
URL: hxxp://www.4399.com/
JS:ScriptIP-inf
So is the detection correct?