threat has been detected, but page still loading, abort connection not working

Hello

This is the message I’m getting:
Torjan horse blocked;
avast web shield has blocked a harmful webpage or file
on this link:
brackcomne.fortunecity.com/hotmail-login.html

more details:
Infection Details
URL: hxtp://brackcomne.fortunecity.com/fvrhaa…
Process: file://D:\Program Files\Mozilla Firefox.…
Infection: js:Downloader-LP [Trj]

But the problem, the page is still loading without any problem. Shouldn’t it be blocked completely?

Thanks

edit your post and make the URLs not clickable…remove http:// or change http to hxxp

urlQuery - Suspicious
http://urlquery.net/report.php?id=18333

Wepawet - Suspicious
http://wepawet.iseclab.org/view.php?hash=b41f71e4c7a6fa8aec08c1d6f25945da&t=1327926273&type=js

Virustotal - 17/43
https://www.virustotal.com/file/0832c3589aa7c19ae2c8d3a73349add4a5555166890bd0840a66fead5f7fc3bf/analysis/1327926358/

To start with - Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Avast isn’t alone in finding the javascript file being loaded by that page suspect at the very least, https://www.virustotal.com/file/0832c3589aa7c19ae2c8d3a73349add4a5555166890bd0840a66fead5f7fc3bf/analysis/1327925818/.

That said I don’t find it strange the page loading as only the infected element the fvrhaa.js file is blocked from download and not allowed to run. So the rest of the hotmail-login.html page will load.

What I would ask is what the hell is that site/page (hotmail-login.html) meant to be about as it is total gibberish and did you intentionally visit that page ?

What I would ask is what the hell is that site/page (hotmail-login.html) meant to be about as it is total gibberish and did you intentionally visit that page ?
see picture at urlQuery.... link above

yes, I get the same warning message, but when I click ok, the page loads, instead of aborting completely. That my only concern.
The link I got it by email.

Not sure of the relevance of the top picture at URLQuery as it isn’t for the same URL. It appears to be following a possible redirect from the hotmail-login.html and that can’t be found image2 (as this also looks old 2011-10-27).

I’m on about the actual content of the hotmail-login.html page as it is total cr4p and I would wonder what anyone would go there intentionally for.

@ mysstic
As I have already said:

That said I don't find it strange the page loading as only the infected element the fvrhaa.js file is blocked from download and not allowed to run. So the rest of the hotmail-login.html page will load.

Visiting links in unsolicited emails are a high risk activity, don’t open attachments of click on links in unsolicited emails, even if they supposedly come from friends, it is easy to fake the from address.

@David
you find the domen2009.biz at the bottom of the wepawet report…under Network activity/request

Yes, but it has nothing to do with the cr4p content that I’m talking about on the hotmail-login.html page and why anyone in their right mind would visit it.

So at mysstic has mentioned he clicked in the link in an email, perhaps it is time for a user name change for mysstic ;D

So the content on hotmail-login.html page is just filler cr4p, with the intent just to get people there and hit them with the javascript file (vt results). The other connect attempt isn’t what I’m on about and is a bit of a red herring as that site is down.

yes, definitely password user name change, full system scan

Attached you see the obfuscated code,/fvrhaa.js, represented in another form,

polonus