Site clean or with Worm:Win32/Gamarue.N?

See: http://urlquery.net/report.php?id=8576978
See active and live malware on IP: http://support.clean-mx.de/clean-mx/viruses?id=18442957
Low detection rate for the latter malcode:
https://www.virustotal.com/nl/file/88b5ba311c28eabe808189d7f729e9f58b51e6e749cb6ce7b9a0f625d6a580e7/analysis/
On that worm: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FGamarue.N
Given clean: http://zulu.zscaler.com/submission/show/a49592c60e53e516c3eb90e6f33272dd-1388187395
see code: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.jejurotour.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

pol

just a note…

the urlquery and CleanMX URLs are not the same…

urlquery: hxxp://wxw.jejurotour.com/
CleanMX: hxxp://easysun.cafe24.com

but they are both listed as using same IP (183.111.141.62)

and that IP is on two blacklists: l2.apews.org and korea.services.net

http://korea.services.net/blocked.phtml?addr=183.111.141.62

apews.org

CASE: C-131 Unallocated CIDR, no traffic until allocated, or allocated to bad reputation provider or allocated but dynamic / generically named IPs, or bogons, see www.cidr-report.org, or orphaned IP / CIDR in routing table
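The blacklist checks mentioned above (l2.apews.org is a DNS-based blocklist, so the lookup is a DNS query on the reversed IP under the list's zone) can be scripted. The block below is an added example, not code from this thread or from any of the listed services: it builds the DNSBL query name, asks a pluggable resolver, and accepts only answers in 127.0.0.0/8 as a real listing, since any other answer usually means a dead or wildcarded zone rather than a hit. The `FAKE_DNSBL_ANSWERS` table is constructed for the example and says nothing about the real listing status of 183.111.141.62; swap in `system_resolver` to query live lists.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Resolver type: takes a DNS name, returns the A records (empty if NXDOMAIN).
Resolver = Callable[[str], List[str]]

# Constructed answers standing in for a live DNSBL zone. Hypothetical data:
# it does not reflect the real status of any IP on l2.apews.org.
FAKE_DNSBL_ANSWERS: Dict[str, List[str]] = {
    "62.141.111.183.l2.apews.org": ["127.0.0.2"],
    # A wildcarded/parked zone that answers everything with a public IP.
    "62.141.111.183.dead.example.invalid": ["93.184.216.34"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver backed by the constructed table above."""
    return FAKE_DNSBL_ANSWERS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Live resolver using the stdlib; returns [] on NXDOMAIN or timeout."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 lists only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_listing(ip: str, zone: str, resolver: Resolver) -> List[str]:
    """Return the 127.0.0.0/8 return codes for ip on zone, or [] if unlisted.

    Answers outside 127.0.0.0/8 are discarded: a DNSBL signals a hit with a
    loopback-range code, so a public address means the zone is broken or
    wildcarded and must not be read as a listing.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = []
    for answer in resolver(dnsbl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in loopback:
                codes.append(answer)
        except ValueError:
            continue
    return codes


def check_lists(ip: str, zones: List[str], resolver: Resolver) -> Dict[str, List[str]]:
    """Map each zone that lists ip to its return codes; unlisted zones are omitted."""
    hits = {}
    for zone in zones:
        codes = dnsbl_listing(ip, zone, resolver)
        if codes:
            hits[zone] = codes
    return hits


if __name__ == "__main__":
    ip = "183.111.141.62"
    zones = ["l2.apews.org", "dead.example.invalid"]
    # Offline run against the constructed table; use system_resolver for live checks.
    for zone, codes in check_lists(ip, zones, fake_resolver).items():
        print(f"{ip} listed on {zone}: {', '.join(codes)}")
```

The wildcard guard matters in practice: several retired DNSBLs have been parked and now answer every query, so a naive check that treats any A record as a hit will flag every address it sees.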

Hi Pondus,

Could it have been a one-time redirect or a similar attack? Now linking to e.g. → hxtp://www.tobacgi.com/_CZ_common/_js/jQuery/plugins/jquery.numeric.min.js 183.111.141.99
For that IP you mention, an added risk is: http://sameid.net/id/183.111.141.62/ 160 domains on one and the same IP.

pol

Hi Pondus,

See: http://domain-kb.com/www/zionscape.com

polonus