Avast detects VBS:Agent-KZ [Trj] here: http://killmalware.com/kivent.com/
DreamHost abuse.
Severity: Malicious
Reason: Detected malicious drive-by-download attack
Details: Malicious obfuscated JavaScript threat
Any iframes? Yes there are.
Google Safe Browse reports Possible infection with malware via a WSHshell attack…
5 will flag it: https://www.virustotal.com/en/url/79cd95870d8db9092e2774426dd2bce2c86674a31dff345e7ca2e8a7aaa4b263/analysis/
DrWeb flags it as a known infection source
Spammy landing * here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.kivent.com%2F
List of scripts included
-http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
-http://www.nycfragrance.com/csvcategoryimportver1.0.3/system/css/layout/js/crazyIntro.js *
polonus
Pondus
February 3, 2016, 10:06pm
2
Avast detects VBS:Agent-KZ [Trj] here: http://killmalware.com/kivent.com/
Detected, but with a different name:
https://www.virustotal.com/en/file/89d921d8f9682aeef7a6bc22698939d4ad546b79867a8db9cd031f3398769436/analysis/1454536776/
and on jotti another name?
https://virusscan.jotti.org/en-US/filescanjob/wq8hh5egcm
HonzaZ
February 4, 2016, 11:23am
3
Here is a list of detections on that file:
89D921D8F9682AEEF7A6BC22698939D4AD546B79867A8DB9CD031F3398769436.dat
HTML:Dropper-R [Trj]
JS:Dropper-AQ [Trj]
JS:Dropper-CF [Trj]
JS:Dropper-CN [Trj]
VBS:Agent-KZ [Trj]
VBS:Agent-MD [Trj]
VBS:Agent-NR [Trj]
VBS:Dropper-DF [Trj]
VBS:Ramnit-A
VBS:Runner-BD [Trj]
On my PC HTML:Dropper-R [Trj] is shown.
Pondus
February 4, 2016, 12:59pm
4
OK, but it does not explain why Avast comes up with two different detection names on the exact same file?
Did VT and jotti have different VPS at the moment I scanned?
HonzaZ
February 4, 2016, 1:14pm
5
Could be. It could also be that they do not have an end-user scanning engine, but use a custom one, which can be optimized… I really don’t know though.