virus found in cinema cafe site

avast! finds a virus in hxxp://www.cinema-cafe.com/. Exploring the site will get you a trojan warning.

I’m sure this is a fp, I go here often.

Just because you go there often is no guarantee it hasn’t been hacked, which is becoming more and more common.

This is a media rich site and being on dial-up it is like watching paint dry. It has just alerted after watching a lot of paint dry, and the error relates to the favicon.ico file. I got another alert also on the favicon.ico, so it looks like the favicon.ico file, which your browser tries to load into the address bar, has been hacked.

Sign of “JS:Redirector-H3 [trj]” has been found in “hXXp://www.cinema-cafe.com/favicon.ico” file.

However, trying to actually download the favicon.ico file returns a 404 error, and this could mean that the favicon.ico file has been deleted and the customised 404 error page has been hacked.

Whilst investigating this, it locked my system as I tried to capture the temp file avast was scanning (had to kill windows explorer.exe and restart it), so I wasn’t able to capture the alert file and get some ‘hard’ evidence, but it certainly looks like it has been hacked.

As you know, generally, avast detection is accurate in these cases.
Wasn’t the site hacked? Most probably…
Maybe you could contact its webmaster.

Hi rdmaloyjr,

Suspicious inline script found, somewhat like this

(f#nction(d4n){var D36L='_76a_72_20_61_3d_22ScriptEn_67i_6e_65_22_2cb_3d_22Ver_73i_6f_6e_28)+_22_2c...

Could be a new job - script checker - so many sites around that do not know a hoot of what injected malcode scripts they are hosting. These are the results: trusted sites turned into malware-directing sites.

polonus

Dr. Web Link Scanner reports the site is clean, but avast! still says it’s dirty.

Hi rdmaloyjr,

Think the site could be clean now, but Web Security Report has:
Malicious software includes 5 scripting exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.

Malicious software being hosted on 1 domain, e.g. qwu11a.biz/.

This domain seems to function as an in between to forward malware to visitors of the site, e.g. bronotak.cn/.

This site was hosted on 1 network(s) including AS33570 (AMNET).

Exploit Prevention Labs Link Scanner gives an all green now.

polonus

No, the site is still infected and it is the old favicon.ico/custom 404 error page.

Web browsers look for the favicon.ico file for the address bar, and if it is missing the browser usually substitutes its default icon. However, if this favicon.ico file is missing and the site has a custom 404 error page, that page would normally be displayed.

So in this case either a custom 404 error page has been inserted or the existing one has been hacked (see image), and in the case of a missing file it is displayed and bingo, the script tag does its dirty work.

So they still have some cleaning to do.
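A check a site owner could run for the failure mode DavidR describes (favicon.ico missing, so the custom 404 page is served and its inline script runs), as an added example that is not code from this thread or from avast!; the obfuscation marker is modelled on the hex-escaped fragment polonus quoted, and the sample 404 page below is constructed, not the real page.

```python
import re
import urllib.error
import urllib.request

# Runs of hex-escaped identifiers like the quoted fragment ("_76a_72_20_61" is
# "var a" with every byte written as _XX); three or more in a row is suspicious.
HEX_RUN = re.compile(r'(?:_[0-9a-fA-F]{2}){3,}')
SCRIPT_TAG = re.compile(r'<script\b', re.IGNORECASE)
IMAGE_TYPES = ('image/x-icon', 'image/vnd.microsoft.icon', 'image/png', 'image/gif')


def analyse_favicon_response(status, content_type, body):
    """Classify a response to GET /favicon.ico; returns a list of findings.

    A healthy icon is a 200 with an image content type. A 404 whose HTML body
    carries <script> is the 'hacked custom 404 page' case from the thread.
    """
    findings = []
    ctype = (content_type or '').split(';')[0].strip().lower()
    if status == 200 and ctype in IMAGE_TYPES:
        return findings
    if status == 404:
        findings.append('favicon.ico missing; server returned its 404 page')
    if ctype.startswith('text/html'):
        tags = SCRIPT_TAG.findall(body)
        if tags:
            findings.append('%d inline <script> tag(s) in a non-image response' % len(tags))
        if HEX_RUN.search(body):
            findings.append('hex-escaped identifier runs (obfuscated JavaScript) in body')
    return findings


def check_favicon(site_url, timeout=15):
    """Fetch <site>/favicon.ico and analyse it (urllib follows redirects)."""
    url = site_url.rstrip('/') + '/favicon.ico'
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return analyse_favicon_response(resp.getcode(), resp.headers.get('Content-Type'),
                                            resp.read().decode('latin-1'))
    except urllib.error.HTTPError as err:  # 404 etc. still carry a body worth inspecting
        return analyse_favicon_response(err.code, err.headers.get('Content-Type'),
                                        err.read().decode('latin-1'))


# Constructed sample: a custom 404 page carrying an obfuscated inline script.
SAMPLE_404 = ('<html><body><h1>Page not found</h1>'
              '<script>(function(d4n){var D36L="_76a_72_20_61_3d_22";})();</script>'
              '</body></html>')

if __name__ == '__main__':
    print(analyse_favicon_response(404, 'text/html; charset=utf-8', SAMPLE_404))
```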