This code html steals user login on Orkut.

This code html steals user login on Orkut.

No antivirus can detect it.

EDIT.

Help analysts team !!!

dont post malware code in the forum, if/when detected by any AV the alarm will go of for everyone entering the forum

edit you post and remove it

if you want to post it, take a picture of the code an post the picture

Code sample sendt avast :wink:

I have attached the code image in post.

It was good?

It was good?
dont understand ?

My english is poor …

My english is poor ...

Ya it is good. :slight_smile:

Thanks very much !

SOPHOS analysis

2011-04-18 01:48:34 This appears to be from a legit social networking site made by Google. It requies Javascript to be enabled, even to see "Help" or "About" pages - bad Google! There does not appear to be any malicious code or malicious redirection involved.

Avira analysis

The file 'ScriptA.txt' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

But this code takes advantage of security flaws inside Orkut.

I captured this code from a spam post in a community.

Surely it is malicious.

I am still waiting on Norman analysis

I some how had a feeling that the site underlined in the image(see pic nmb0A) is suspicious. I still feel its true.

See Anubis report here :o See summary(pic nmb0B)

Someone should take a look.

NORMAN analysis say

Added detection for this. So closing the case. - Processed - JS/Agent.PP
More info can be found here - http://translate.google.co.in/translate?hl=en&sl=pt&u=http://www.google.com.br/support/forum/p/orkut/thread%3Ftid%3D6a51c774b448b1dd%26hl%3Dpt-BR&ei=dl6tTa3GLMGRgQf6s9mHDA&sa=X&oi=translate&ct=result&resnum=1&ved=0CB4Q7gEwAA&prev=/search%3Fq%3Dhttp://96.9.168.172%26hl%3Den%26biw%3D1366%26bih%3D628%26prmd%3Divns

So it is :slight_smile:

Hi nmb and pondus,

Sheer coincidence? Finding up this link!: htxp://pastebin.com/Rcr5CUVU
See: http://whois.domaintools.com/tudoaver.net (domain does not exist anymore or is unaccesible)

polonus

I can’t see that string posted on http://whois.domaintools.com/tudoaver.net Can you post a screenshot of it, sir Pol?

Hi nmb,

Here you go, see attached gif,
also info here: http://www.whoisentry.com/domain/tudoaver.com

pol

well, after Omid Farhang had a little talk with Avira…they added detection :wink:

http://www.virustotal.com/file-scan/report.html?id=b51037a0c91ad7c920b94e4319a72a7adfb697905cfc7e1f0c8e208440bc0c5e-1303424133

Thanks! ::slight_smile: :wink:

And Avast ???

Nothing !