I’m wondering if someone could identify whether or not a site is malicious. I’m normally very careful about where I go, but I accidentally clicked on this link, and given the number of keyloggers distributed through WoW-based links/sites, I’m a bit nervous. Additionally, my PC stalled at the shutting down stage last night, and I rarely have any problems like that.
Could you please edit your post and deactivate the link (replace http with anything…) so that other users here don’t accidentally click on it and access that bad site… if it’s one, thanks.
Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.
Everything on the site is in Chinese, so I don’t really have a way to converse with the webmaster. I did some googling to find mentions of the site, but most of that was in Chinese as well.
An analysis of the malware can be found here: htxp://wepawet.cs.ucsb.edu/view.php?hash=2e299ed6da33faadcb0e117ba3283a98&t=1255543858&type=js
Do not visit this link with a vulnerable Flash player, or with a browser without NoScript installed,
avast will flag the analyzing site and will disconnect from the dropper, which is at
I find the favicon.php somewhat strange to start with, as it is normally favicon.ico, and it is a common form of hacking to either delete the favicon.ico file and create a customised 404 error page to do drive-by downloads, or to modify the favicon.ico file. So it is a bit strange to see favicon.php for a different domain.
So this isn’t the trigger page in the http:// forum.hwsw.hu / site, but the destination/payload page. I could attempt to check the favicon.php page which I suspect would confirm the detection (it does, see image), but it doesn’t find where the problem arises in http:// forum.hwsw.hu /.
Well, not so happy about the live link there; the curious may click and get infected, so make it non-clickable by putting hxtp instead of http or wxwe instead of www…
We now know it has malcode, but other reports give the site as an all green: http://www.siteadvisor.com/sites/hwsw.hu
And on unmasked parasites this link is not flagged either:
link - hXtp://www.keymedia.hu/keymediajs.cgi?site=hwsw
which is the malcode in question, so it is good we did some analysis here, and another proof that avast in these respects is "top of the bill".
polonus
A bit unrelated: it seems that we have an epidemic. On the IT forum a LOT of guys have mentioned that their XPs have been wasted today. Description: after restart the Windows logo appears, but the GUI won’t start; instead it freezes at a black screen with a moveable cursor. Same in safe mode.
Is it a virus?
At least 15 reported cases on this forum alone, and all users reported having updated antivirus programs. No malware has been found after scanning. The solution, as it seems, is to boot with a Hiren’s-type boot CD and restore the registry to a previous date.
Sorry for the off-topic, but you seem to be still active.
This is an ongoing story. That is why I propagate the use of a script blocker inside a browser, like Firefox with NoScript (that Giorgio Maone extension has not been circumvented yet); also the extension RequestPolicy can block these nasties from redirected sites. On the other hand, there are so many webadmins and hosters with obsolete or exploitable software, and so many users with older versions of apps full of exploits, older browser versions, and not fully updated and upgraded OS and third-party software, that a large community are sitting ducks for this, especially for a multitude install.
Another factor is that in this day and age firm system admins stay with XP, and the Virut file infector has proven beyond a doubt that the file protection system etc. in XP is not foolproof, to say the least.
Vista and Windows7 have additional mui’s and added layers,
Hi,
When the alert appears, the best way is to send it to us (as a possible false positive, from the bottom-right link of the dialog) for further analysis, because some infections are only one-time: if we try to replicate by accessing the website, we don’t get an alert.
True, but this epidemic seemed to infect all sorts of computers (different Windows SP versions, updated and not, different AV software, on different ISPs, etc.), totally unconnected to each other. At least 100 machines were affected that I’m aware of.
It turned out that it’s the Daonol.F trojan (most likely). Not sure how to prevent it from happening again (besides the general methods you have recommended previously).
PS. Thanks for the PM, but the credit really goes to the Hungarian guys at HWSW.hu; I was just the messenger.