Saved by the bell, avast Web Shield protected me from JS:Decode-T[Trj]

Hi forum friends,

This time I was not looking for suspicious URLs or scanning against avast detection. This time polonus was just surfing the internet, looking for some suitable nasi goreng recipe. Trying to go here: htxp://www.devlamindepan.nl/index.html?rijst/ri0010.htm the avast Web Shield alert stopped me from connecting to malware.
See: http://zulu.zscaler.com/submission/show/f59fd32982690410ff460498f9596f83-1344981526
htxp://www.devlamindepan.nl/scripts/frame.js malicious

ID alert for other IP here: http://urlquery.net/report.php?id=130096
According to VirusWatch the site has only JS/Twetti.E active, all other malcode from there has been closed.
The apparent active malware is from this URL: http://zulu.zscaler.com/submission/show/48d2af46fa710f3cd79f1de1c17d0146-1344982444
Avast also detects this, see:
https://www.virustotal.com/file/d0649fd19a6594567fd90e0a6b4011b50509e21b1af97be713574ebecff2b267/analysis/
But the webshield stays silent here, see malcode attached…
Here the avast Webshield stopped me correctly from connecting to htxp://tosf.n3t.nl/ which has JS:Rwetti-C]Trj]

polonus

Hi forum friends,

The last URL I mentioned in the above posting has another host that is also infected:

Checking: htxp://player.vimeo.com/video/20021135?color=8DB821&autoplay=1&loop=1
File size: 9059 bytes
File MD5: 5cf0cb9bb38b2d08bec203137b944d72

htxp://player.vimeo.com/video/20021135?color=8DB821&autoplay=1&loop=1 - archive JS-HTML

htxp://player.vimeo.com/video/20021135?color=8DB821&autoplay=1&loop=1/JSTAG_1[e43][1509] - Ok
htxp://player.vimeo.com/video/20021135?color=8DB821&autoplay=1&loop=1/IFrame_2[68] - Ok
htxp://player.vimeo.com/video/20021135?color=8DB821&autoplay=1&loop=1 - Ok

Checking: htxp://tomboweb.awardspace.com (this one I meant here:
Engine version: 7.0.3.7130
Total virus-finding records: 3088794
File size: 16.95 KB
File MD5: 69f5618309eac3c0eaf24542e091aae6

htxp://tomboweb.awardspace.com - archive JS-HTML

htxp://tomboweb.awardspace.com/JSTAG_1[4d2][1bd6] infected with JS.IFrame.261
htxp://tomboweb.awardspace.com/JSTAG_2[20ba][22ec] infected with JS.DownLoader.217

Gave feedback here: http://zulu.zscaler.com/submission/show/036383d2249d2a56fa935a7b3013a739-1345038994
No alerts here either: http://urlquery.net/report.php?id=131209

IP had the following malware (now closed or dead):
PHP/C99Shell.B, JS/iFrame.cvd, JS/Redirector.HA, HTML/Infected.WebPage.Gen2, JS:ScriptPE-inf Trj & JS/iFrame.GM
So one could consider blocking 83.125.22.155 on that abused/misused server.

polonus