In http://www.4399.com (Unblocked by avast, Trojan must have been removed. I see no more antivirus detecting the htm file in virscan.org), I wanted to click on the next page button but accidentally clicked on a web game, then the entire connection attempt to the web game file was blocked by avast. I checked more web games and found that there are 3 web games for which avast thinks the {gzip} contains HTML:Iframe-inf. These are
hxxp://kbxz-cdnres.wanwan4399.com/OzPlatStartProject.html?v=1140 (game name = 卡布仙踪)
hxxp://sjsj-client.wanwan4399.com/www_sjsj/index.html Blocked from hxxp://sjsj.4399.com/ | {gzip} (game name = 神将世界)
Did you search for the game and see this? The html file will be a bit different to this.
It is important to know that there is a difference between websites when it comes to web games. I am seeing that the content is different, for example there is game content specific to 4399. I also notice that the server is labeled 4399 in https://www.virustotal.com/zh-tw/url/8ac52e680e1261f1d955949545430884f755c088ea727c854144e3c845168eaf/analysis/1417622968/ , so maybe it is specific?
Or if you mean this, https://www.virustotal.com/en/ip-address/220.194.199.176/information/ (on the same IP), they do host games from 4399 when I search the site. But it is not that bad, the avast online security logo isn't in red but in yellow (it just says that the reputation is not good). And it also says that McAfee (hxxp://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=www.qq937.com) has a bad reputation on the same search result page too, so I don't think that is reliable.
URL:Mal alert is also given to hxxp://enter.wanwan4399.com/invite/invite.html?inviteId=250597943 which is just some kind of friend invite script or the event script of the web game.
Did you see these results? Re: https://www.virustotal.com/nl/domain/enter.wanwan4399.com/information/
Malware hosted at that domain is Win32:WrongInf-A [Susp] or Win32:Malware-gen, Gen:Variant.Symmi.29067 adware, Win32:Virtu-A aka Virut :o,
HTML:Iframe-inf while checking on checking 4399 iframe virus.txt.
Avast web rep detects the flash site uri as malicious.
I get this response:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 05 Dec 2014 15:26:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Age: 0
Via: http/1.1 4399_cluster (CDN CACHE V1.0)
The first thing is that the "checking 4399 iframe virus.txt" file was created and submitted by me in order to check if this specific line of html code is the source of the alert.
The second thing is that the website does not host the malware you mentioned, but the files referenced it. It is the files submitted to VT that embed URL pattern strings with this domain, NOT downloaded from it. My "checking 4399 iframe virus.txt" is an example of this. You can see that those files are not actually on the domain.
From wxw.qq937.com, I get a "405 Not Allowed" error. Upon searching, I see that there is data that is the same as 4399, including the website description.
IP badness history may be valid, but the domain "enter.wanwan4399.com" should only contain the web game files and game program scripts (unless the 4399 site owner put the malware in or the game itself is malicious). "wanwan" probably resolves to "玩玩", which means the same as "play game".
Is it actually a bad idea to have the same IP as another website that is malicious?
uribl.swinog.ch
ips.backscatterer.org
b.barracudacentral.org
ix.dnsbl.manitu.net
tor.dan.me.uk - All TOR nodes, entry & exit
torexit.dan.me.uk - Exit TOR nodes only.
virus-msrbl - Hosts found sending virus mails
phishing-msrbl - Hosts found sending phishing mails
images-msrbls - Hosts found sending mail containing spam images
msrbl - All the msrbl lists combined
spamcop
rbl.efnetrbl.org - Hosts are added by our bots as users connect with hacked boxes and open proxies.
virbl - Lists 's that sent more than 2 virus in the last 24 hours
dev.null.dk ?
dialups.mail-abuse.org ?
dul.orca.bc.ca GONE
blackholes.five-ten-sg.com
spamsources.fabel.dk
sbl.spamhaus.org - Direct UBE sources, verified spam services and ROKSO spammers
xbl.spamhaus.org - Illegal 3rd party exploits, including proxies, worms and trojan exploits