Real malware VBS.PackFor or just a packer detection?

Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=8056dececce27c45173c663640aad27d-1320240364
See: http://www.virustotal.com/file-scan/report.html?id=b872fb8084ee46647cbad273ab930d7e5891d81afc6d6c7bf74c247ec50aa917-1320243972
Given as high risk page here: http://siteinspector.comodo.com/public/reports/562717
See also: http://urlquery.net/report.php?id=7040
3 suspicious inline scripts found http://www.unmaskparasites.com/web-page-options/?url=http%3A//suponev.3dn.ru/forum/13-116-1/&susp=1
Sucuri gives site clean, but DrWeb url checker comes up with
-http://suponev.3dn.ru/forum/13-116-1//JavaScript.1 infected with VBS.PackFor

-http://suponev.3dn.ru/forum/13-116-1//Script.2 - Ok

polonus

http://vms.drweb.com/virus/?i=155025&lng=ru

Encrypted JavaScript injected by hackers into web pages they have broken into. When you visit such a page using the Internet Explorer browser, it will execute the script and, as a consequence, other malicious programs are covertly installed on the infected computer.

Hi Dim@rik,

So similar to this older version? It is a real oldie, going all the way back to 2008…
See: http://www.antivirus.ru/VirAnaliz81025080.html
avast should detect this then as JS:Packed-F

polonus

Hi Polonus,

I’m not exactly a virus analyst and I cannot say for sure; I think VBS.PackFor is a universal record for this kind of infection, and this record is triggered by the set of encrypted JavaScript.

As VBS:Malware-gen in Avast.

Hi Dim@rik,

You are too modest, and you are “sprytnym człowiekiem” as we say in Polish. You are doing a great job for all of us here on the forum digging into this and also inspiring others and me to get to a more fundamental protection insight,

  • The malware was re-introduced with the recent Russian malware FREE 2011 exploit pack, aka Katrin, aka new siberia pack, as the malversants call this kit.
    savage:
    File Size: 481280

index(ie6).html=VBS.PackFor ?
index(ie7).html=VBS.PackFor ?
index(ie8).html=VBS.PackFor ?
index(ff).html=JS_PSYME.ANT ?

And, as you said, it is coming in an ie6, ie7, ie8 and also a Firefox version.

polonus

1337, leet or l33t (this is how they call themselves).
One word: script kiddies. The easy way to infect people (scripts); we have to stand this as well.