Malware neatly detected by Avast as VBS:Agent-KZ [Trj]!

See: https://sitecheck.sucuri.net/results/madagascarbiodiversity.org
Various blacklists: https://www.yandex.com/infected?url=madagascarbiodiversity.org&l10n=en&redircnt=1434792535.1
index.html
Severity: Malicious
Reason: Detected malicious drive-by-download attack
Details: Malicious obfuscated JavaScript threat
Offset: 4058
Threat dump: [[DropFileName = “svchost.exe”^^WriteData = ]]
Threat dump MD5: 4667FB094040103F5F964564346C0007
File size[byte]: 234296
File type: ASCII
Page/File MD5: D2C670980F2E0CF4D6BC40DAF27C8793
Scan duration[sec]: 0.020000

pol

Update: another instance of this malware detected by Avast: http://killmalware.com/kivent.com/#
Also flagged by Google Safe Browsing, and see: http://toolbar.netcraft.com/site_report?url=http://www.kivent.com

And another one: http://killmalware.com/bookafy.eu/ That is what we wanna see, Avast, OK!

pol

There is no malware VBS:Agent-KZ [Trj]

Visiting the checked web site may harm your computer. The checked page appears to contain malicious code that could be downloaded to your computer without your consent.

https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url=http://madagascarbiodiversity.org

Now the site is defaced.
It is blocked by Avast as HTML:Defacement-N [Trj].

There is more active malware for various domains on this IP as we can see reported here:
https://www.virustotal.com/nl/ip-address/208.113.175.192/information/
where Avast's last detection was: VBS:Dropper-DF [Trj]

polonus

Seems this is persistent malware, as it is still there and detected by Avast as HTML:Dropper-R [Trj] now.
Re: -http://killmalware.com/bookafy.eu/ Do not visit the link, as this will set off the Avast alert already.
Also look here where this detection was mentioned before: https://forum.avast.com/index.php?topic=182213.0

polonus

The first detection is JS:injection-A [Trj]. Another detail, found in IE 11, which does not have AOS installed. It seems to be WebFilter.

Avast Antivirus has blocked this site
Go to my home page
Avast Antivirus has blocked this site because it may contain threats to your computer and your privacy.
The message is usually displayed by the browser.