Rogue antivirus site - virginantivirus dot com now at a domain parking page?

Hi, this was/is still being detected by Trend Micro Web Reputation as “This URL is currently still listed as malicious”.
http://www.mywot.com/en/scorecard/virginantivirus.com 4 instances of red (malicious content)
Avast detects this as Fake-AV-GF : http://www.virustotal.com/file-scan/report.html?id=60d509a36dfdb6f77619678b85e3cad15464064197e713423afbdb892fd2e766-1298209207
When I go there with malzilla I am confronted with the script, see image attached below.
According to a Google search the address is now at a domain parking page? See the attached thumbnail GIF. And so has this threat now gone?
Please comment?

polonus

The fake scanner is still there

Wepawet says benign
http://wepawet.iseclab.org/view.php?hash=314cef975ebe74b69a18dda4b55f94ea&t=1298211931&type=js

Sucuri says Clean

UnmaskParasites says Suspicious
http://www.UnmaskParasites.com/security-report/?page=www.virginantivirus.com
but if you click on the red "Suspicious" then Google says not dangerous for the last 90 days

??? ??? ???

and the downloaded FakeAV

VirusTotal - AntiSpyWareSetup.exe - 0/43
http://www.virustotal.com/file-scan/report.html?id=629ebf10660e1f490c22f809108fb5fabbb2f54aa9d0bb525fe447ba1c5c52c1-1298212610

MalwareBytes detects it as Trojan.fakeAlert

The threat is still there. If I go to that site without Avast Web Shield, I still get the rogue/fake av scan and I’m prompted to accept the bogus download. I’ve reported it to stopbadware.org with the Firefox “Report Web Forgery” feature.

Hi Pondus and Alan Baxter,

You are both right, and thanks for confirming this. The rogue AV is still at that address. I just scanned it using jsunpack and it says: virginantivirus dot com/ suspicious. The info on the Google search page about a domain parking page is irrelevant and might be deliberately confusing to invite clicks. So it is good that it is being blocked by the avast Web Shield.

This information can be found at the bottom of the virustotal analysis page:
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml and http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
So an overall 0/43 (0.0%) result, but something suspicious is definitely detected there.

polonus

Reported to Google http://www.google.com/safebrowsing/report_badware/

and the sample is in avast mailbox :wink:

OBS: Norton Safe Web says clean, there is even a picture of the fake scanner ;D
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.virginantivirus.com
Edit: Norton Safe Web now detects it

Report 2011-02-20 16:48:25 (GMT 1)
IP Address 76.76.116.171
IP Hostname reverse-mtl-76-76-109-171.gogax.com
IP Country CA
AS Number N/A
AS Name N/A
Detections 2 / 26 (8 %)
Status SUSPICIOUS

http://www.malwaredomainlist.com/mdl.php?search=76.76.116.171
http://www.mywot.com/en/scorecard/76.76.116.171

Hi Asyn,

Exactly so. Good that you checked on the URL, then we find this here:
http://support.clean-mx.de/clean-mx/viruses?virusname=JS:FakeAV-GF
and the scumware org scan shows: http://www.scumware.org/report/76.76.116.171
and there are some more where that came from, see:
http://amada.abuse.ch/?search=76.76.116.171

polonus

NP, pol. :slight_smile:
asyn

Safezone does not like it either

Well, that is just the webshield monitoring the safezone browser :wink:

The exploit would die with javascript disabled. :wink:

Norton Safe Web seems to report two threats from that domain, not clean. Added afterwards?

By the way, LinkScanner blocks it (Don’t be too harsh on me. I’m just stating that it does. ;D) -http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://virginantivirus.com

The scumreport gives ten instances from that URL: http://www.scumware.org/report/76.76.116.171

Norton Safe Web also gives this: MSIE FakeAV Notification Alert
Location: hxtp://virginantivirus.com/?id=06abQDYx, but that is another detection,
and not Trojan.JS.Fraud.bg

And here another 5 instances of the same threat:
http://amada.abuse.ch/?search=76.76.116.171

If the malware site is validated you get: Errors found while checking this document:
Line 16, Column 28, Damage not well-formed (invalid token) …
See: http://rexbd.net/validator/index.php?url=virginantivirus.com

pol