[L] JS:Redirector-CH [Trj] (0)

system · June 1, 2010, 6:17am

Link : hxxp://swimandscuba.netfirms.com/indexmovie/
I received this in a facebook message which has typos so this is probably not a false positive.

What does this do?

mkis · June 1, 2010, 7:03am

please change yr link so that it is a not an active hyperlink.
For example, change to the folowing -
Link : hxxp://swimandscuba.netfirms.com/indexmovie/

This deactivates the link, such that users, especially newbies, will not be in danger of infection if they click the link. At the same time, more expert users can still see what is the web address.

system · June 1, 2010, 7:04am

Ok , have edited my post.

Yanto.Chiang · June 1, 2010, 7:18am

Hi,

Your reference link is look not harmful or clean :

http://safeweb.norton.com/report/show?url=http://swimandscuba.netfirms.com/indexmovie/&x=9&y=11
http://www.unmaskparasites.com/security-report/

And avast! detected this website infected as same as your information, it could be rite because this website contains a lot of video files.

avast! [User]: File “http://swimandscuba.netfirms.com/indexmovie/3jnjm6.php” is infected by “JS:Redirector-CH [Trj]” virus.
“%3” task used
Version of current VPS file is 100601-0, 06/01/2010

system · June 1, 2010, 9:23am

I don’t think we should trust those site advisors , afterall netfirms.net is a hosting site and I believe the advisors simply traces the domain name.

polonus · June 1, 2010, 10:55am

Hi malware fighters,

It isn’t there any longer:
Blank page / could not connect
No ad codes identified

Empty source - Could not connect to site?

polonus

system · June 1, 2010, 1:16pm

Whhhaaaaat?!

If you mean you cannot access the site , change the hxxp to http.

system · June 1, 2010, 1:40pm

What.

Pondus · June 1, 2010, 2:34pm

Looks like a redirect that will send you to 89.195.68.23:518/3933a4e97c2/ a porn movie site
where you will be asked to download a flash update

VirusTotal - setup.exe - 13/39
http://www.virustotal.com/analisis/53e7b74315a3a487cfe4d63750ea708b0550e7e2902e5a5e3a8de0e4c665e71e-1275402070

Wepawet - 89.195.68.23:518/3933a4e97c2/
http://wepawet.cs.ucsb.edu/view.php?hash=121f7966a743917287d515858583379d&t=1275403703&type=js

polonus · June 1, 2010, 3:27pm

Hi Pondus,

Right, that is what is happening, because the url does not go anywhere with NoScript and RequestPolicy active in the browser, and that is what I experienced filling in the URL in my bad iFrame detector scanner.
What happens in a not protected browser, we get this: video…

<script src='fbli.php'></script>loading...

,
which is a suspicious looking GET request containing %3C, %3E, and %2F, cross-domain script loading, redirecting to: http://www.robtex.com/ip/89.195.68.23.html#blacklists
htxp://bitisoftwares.com/alerting.html This URL is currently listed as malicious by TrendMicro…

polonus

Pondus · June 1, 2010, 3:39pm

But why the error in unmaskparasites ? on this 89.195.68.23:518/3933a4e97c2/

ahaaa…you found the Pondus pic …done some homework ;D

polonus · June 3, 2010, 7:43pm

Hi Pondus,

Because it is a FTP download link, and if you would have tried it out in Malzilla, you would have known,

polonus

[L] JS:Redirector-CH [Trj] (0)

Announcements