Possible FP on web site scan

Virustotal site scan: https://www.virustotal.com/url/f3e9f9af364f7306a92738af330b806fc5fb8001aacbe9eb7c5240e4434c1856/analysis/1329792028/
Website in question: http://www (dot) flipmytext (dot) com/tattoos/

avast! reports: Infection:js:Redirector-NK [Trj]

Would someone please respond as to the safety of this site and links?
TY

INFECTED - http://sitecheck.sucuri.net/results/http://www.flipmytext.com/tattoos/
OBS: you may get an avast warning if you enter this site, since the malware code is displayed there

Malware info: http://sucuri.net/malware/malware-entry-mwjs159

So what's with the VT scan showing nothing? 0/19???
And what happens from here, is the site owner or the host notified of this?
I would sure like to have this resolved, I would like to use their services again.

The VT “scan” isn’t a scan at all, it just checks the url against blacklists. Blacklists always lag behind infections when it comes to legit sites.

By all means, report it to the site's webmaster if you wish. Someone might have done it already; if you start getting virus alerts on your site, it usually does not take long for someone to inform you. But it couldn’t hurt to let him know, just in case.

Holy Crap Batman!
VT site scans are from Blacklists?!?!?!?!?!?! :-\

Don’t tell me the File Scans are the same, I might just poop myself!

No, not at all. File scans are run against x-amount of scanners.

Also, you can scan a site with VT…you have to save the site itself to your PC, then upload it to VT, if I remember correctly.

To scan at VT for the infection you need to download the html and upload that to VT. Something I cannot do from my Nokia phone…but if you wait 8 hours until after work…

I think URLVoid.com has a web infection scanner. I think you find the link at the bottom, something like ‘scan url for infection’

OOOOOH, Bad news Pondus ???
Your recommended site, URLVoid.com, came up with a 0/9. :stuck_out_tongue: And one of them was avast!
URLVoid.com SCAN RESULTS: http://vscan.urlvoid.com/analysis/05fe8195bc1997b8a9bee8ae5243b15c/dGF0dG9vcw==/
So, does URLLink do the same as VT on the site scans and use the blacklists?

EDIT
So, I found this at the VT site, for the full article, this LINK: https://www.virustotal.com/faq/#url-scans

http://i1237.photobucket.com/albums/ff465/AU4U/2012-02-21_095231.jpg

It depends what scan at URLVoid you use :wink: the one you used NO

But URLVoid also has a web reputation scanner…it is the one you see when you enter urlvoid.com

and here is one more http://urlquery.net/report.php?id=23587
this one will also display any malware reported on that url, if any…see “Alerts”

OBS: and the old VT did download the html file and scan it when scanning a URL…the new does not do that…yet

Next to the avast flagged issue with images/spacer.gif [Spyman malware], the following code at the site also deserves attention: -pagead2.googlesyndication.com/pagead/ads.js suspicious
[suspicious:2] (ipaddr:74.125.227.26) (script) -pagead2.googlesyndication dot com/pagead/ads.js
status: (referer=wXw.flipmytext.com/tattoos/)saved 11642 bytes 801d92f3f23999c4778ddcdae56f305e0fd84bbc
info: [decodingLevel=0] found JavaScript
suspicious:
See also: http://urlquery.net/report.php?id=23583

polonus

at the moment it seems no AV is detecting this…or the Sucuri detection is wrong/not malicious ?

flipmytext.com.htm
https://www.virustotal.com/file/3054d52bca75a61157866f070c05c879e0b25fad73c9d1df21fd4327bc056cbe/analysis/1329844502/

tattoos.htm
https://www.virustotal.com/file/3717577639c67774b3c02463bb5ac1c1aa77b842f699d630fdbea6c04b95fb84/analysis/1329844596/

Have uploaded to Sophos / Avira / Norman lab… will post the result when I have it

Oddly enough, the site has new owners as of July last year.
1st time I’ve had any problems with this type of thing.

Could you attach a screenshot of the avast warning you get?

http://i1237.photobucket.com/albums/ff465/AU4U/2012-02-21_105917.jpg

http://i1237.photobucket.com/albums/ff465/AU4U/2012-02-20_234235.jpg

Seems that leads to a 404 page, which appears to have been hacked. (You can tell it is the 404 page, since any link that doesn’t exist will generate an alert - because it leads to a 404 not found page.)

Wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=2d0d3de718eff4c06374459548fec60d&t=1329847720&type=js
http://wepawet.iseclab.org/view.php?hash=e7e5814790f8a13432b39a36c659013d&t=1329847597&type=js

VirusTotal - 4/17
https://www.virustotal.com/url/accc23c1d7b4b82d8cd7c2c3a426d9306943af5ab8a497ae2899934dea1a5ab0/analysis/1329847812/

anyway…that link is dead now

OK, so the Flipmytext redirects to a dead link.
It's the redirect that avast! is detecting and blocking, even though there’s no trojan at the other end.

So in your HO, is the site safe to use?

EDIT:
Could this be just sloppy web site maintenance, a link to another service on their site that was not completely removed?
The new owners might have changed site developers and they could have changed and overlooked something like this, being unfamiliar with the history and development of their service.
One of the changes I have noticed is all the FB/Twitter/LinkedIn/Bebo/etc links and icons.
Lots of good fun stuff on the site though!

Their 404 (not found) error page (and possibly others) is infected. Any dead link you click will lead to this page.

I wouldn’t say it was safe. There is nothing to say that in the near future the redirect is changed to a site that is active or the site already there becomes active.

Sophos lab

Thank you for your sample submission and contacting Sophos Technical Support.

File states:

tattoos.htm => not detect-worthy
flipmytext.com.htm => not detect-worthy

There is nothing on either submitted files that show the malware.

The site may have already been cleaned up.

From the sucuri sitecheck - the string found is consistent with Mal/ExpJS-N which we do detect.
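
Added example, not part of any post in this thread: the thread's two points (a URL reputation lookup does not inspect content, and the injected code sat on the 404 page rather than the main page) suggest saving the HTML for a normal page and for a deliberately non-existent path, then listing anything each one loads from an unexpected host. The function names, hosts, allowlist and sample pages below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class SrcCollector(HTMLParser):
    """Collect URLs a browser loads automatically (script/iframe/frame src)."""
    AUTO_LOAD_TAGS = {"script", "iframe", "frame"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.AUTO_LOAD_TAGS:
            self.found += [(tag, v) for k, v in attrs if k == "src" and v]

def external_loads(html, page_url, allowed_hosts):
    """Return (tag, absolute_url) pairs whose host is neither the site nor allowlisted."""
    site = urlparse(page_url).hostname
    collector = SrcCollector()
    collector.feed(html)
    hits = []
    for tag, src in collector.found:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlparse(absolute).hostname or ""
        if host != site and host not in allowed_hosts:
            hits.append((tag, absolute))
    return hits

def audit(saved_pages, allowed_hosts):
    """saved_pages maps URL -> saved HTML; returns only pages with unexpected loads."""
    report = {url: external_loads(html, url, allowed_hosts)
              for url, html in saved_pages.items()}
    return {url: hits for url, hits in report.items() if hits}

# Constructed sample: a normal page and the body served for a non-existent path.
SAMPLE_PAGES = {
    "http://www.site.example/tattoos/":
        '<html><script src="/js/flip.js"></script>'
        '<script src="//ads.partner.example/ads.js"></script></html>',
    "http://www.site.example/no-such-page-7f3a":
        '<h1>Not Found</h1>'
        '<script src="http://redirector.invalid/in.js"></script>',
}
ALLOWED_HOSTS = {"ads.partner.example"}  # hypothetical third parties the owner expects

if __name__ == "__main__":
    print(audit(SAMPLE_PAGES, ALLOWED_HOSTS))
```

This only lists externally loaded scripts and frames; a redirector injected as inline JavaScript would need the saved file itself scanned, as the posts above do by uploading the HTML.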