Malicious defacement with iFrames blacklisted and flagged by Avast.

Avast detects VBS:Agent-KZ [Trj] here: http://killmalware.com/kivent.com/
DreamHost abuse.
Severity: Malicious
Reason: Detected malicious drive-by-download attack
Details: Malicious obfuscated JavaScript threat

Any iframes? Yes there are.

Google Safe Browse reports Possible infection with malware via a WSHshell attack…

5 will flag it: https://www.virustotal.com/en/url/79cd95870d8db9092e2774426dd2bce2c86674a31dff345e7ca2e8a7aaa4b263/analysis/

DrWeb flags it as a known infection source

Spammy landing * here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.kivent.com%2F

List of scripts included:
- http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
- http://www.nycfragrance.com/csvcategoryimportver1.0.3/system/css/layout/js/crazyIntro.js *

polonus

Avast detects VBS:Agent-KZ [Trj] here: http://killmalware.com/kivent.com/
Detected, but with a different name: https://www.virustotal.com/en/file/89d921d8f9682aeef7a6bc22698939d4ad546b79867a8db9cd031f3398769436/analysis/1454536776/

And on Jotti another name?
https://virusscan.jotti.org/en-US/filescanjob/wq8hh5egcm

Here is a list of detections on that file:


89D921D8F9682AEEF7A6BC22698939D4AD546B79867A8DB9CD031F3398769436.dat
HTML:Dropper-R [Trj]
JS:Dropper-AQ [Trj]
JS:Dropper-CF [Trj]
JS:Dropper-CN [Trj]
VBS:Agent-KZ [Trj]
VBS:Agent-MD [Trj]
VBS:Agent-NR [Trj]
VBS:Dropper-DF [Trj]
VBS:Ramnit-A
VBS:Runner-BD [Trj]

On my PC HTML:Dropper-R [Trj] is shown. :)

OK, but it does not explain why Avast comes up with two different detection names on the exact same file???

Did VT and Jotti have different VPS at the moment I scanned?

Could be. Also could be that they do not have an end-user scanning engine, but use a custom one, which can be optimized… I really don’t know though :)