TrojWare.JS.TrojanDownloader.Iframe.MAD alerted by Snort Alert [1:2017186:0]

See: http://urlquery.net/report.php?id=4466625
See: http://support.clean-mx.de/clean-mx/viruses.php?ip=60.199.243.219&sort=id%20DESC
avast! web shield blocks this malware!
as here - blocked by avast! Web Shield: hxtp://urlquery.net/report.php?id=4382685 as JS:iframe-CSDU[Trj]
and here: htxp://urlquery.net/report.php?id=4725554
and here: htxp://urlquery.net/report.php?id=4107124 also.
So we have detection for TrojWare.JS.TrojanDownloader.Iframe.MAD

polonus

Sucuri report
http://sitecheck.sucuri.net/results/a567.tw70.com/data/config.js

Hi Pondus,

As we try to scan this via jsunpack, we get an immediate avast webshield alert for JS:Decode-AQC[Trj].
Also see the scan here that has IDS alerts: http://urlquery.net/report.php?id=4856252
ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 3 (2230 Google results, quite some campaign) *
see: http://www.emergingthreats.net/2013/07/24/daily-ruleset-update-summary-07242013/ (author wmetcalf)
&
INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits - 166.000 results
1:25592 ↔ ENABLED ↔ INDICATOR-OBFUSCATION obfuscated document command - used in exploit kits (indicator-obfuscat snort →
http://exploitsdownload.com/search/WinDows%207/329

polonus

VirusTotal
https://www.virustotal.com/nb/file/67bdccf345c762e1f2b828948a4a86cfa48acd40d8a4e48ea0ab81386f7f8a35/analysis/1377879155/