Viruswatch and snort iplist flagged site URL - so what is out there?

Viruses and worms
1

Who is to comment the following possible malcode find?

See: http://urlquery.net/report.php?id=7585
Snort list alerts for
-battleon.com/132.gif?pr=gHZutDyMv5rJejDia9nrmsl6giWz%2BJZbVyA%3D
-battleon.com/132.gif?pr=gHZutDyMv5rJejHia9nrmsl6giWz%2BJZbVyA%3D
-battleon.com/132.gif?pr=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
-battleon.com/132.gif?pr=gJ4WK%2FSUh6zGkkR8oY%2BQrMWTUj26kJHjyZJSObqVyaBqtUn5CGFYVw%3D%3D
-battleon.com/132.gif?pr=gJ4WK%2FSUh7TFkkR8oY%2BQtMWTUj26kJH7yZJSObqVybhqtUn5CGFATA%3D%3D
-battleon.com/133.gif?
Virustotal gives it clean: http://www.virustotal.com/url-scan/report.html?id=3d7fc01922c439964daa7ff0956b870f-1320671707
http://www.virustotal.com/file-scan/report.html?id=4571b02fc5cd787748f70f549fe4ff8f8946068e0e15f78c9f3c1245eefed46a-1320675315

VirusWatch flags as unknown_html_RFI_shell
Because suspicious is: -battleon.com/Images/herosmash-countdown.swf suspicious
[suspicious:2] (ipaddr:70.86.82.20) (embed) -battleon.com/Images/herosmash-countdown.swf
status: (referer=-battleon.com/133.gif?
Found at -http://jsunpack.jeek.org/?report=6f16719ecad48de36df881cda11a397617a642cf
Visits to jsunpack are only for the security aware user with script blocking installed in the browser and run in a virtual sandbox surrounding,

polonus

2

Hi folks,

Can come up with a little follow-up on this. While searching for this apparent malware, I stumbled upon this list coming from emerging threats: http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-June/014071.html (source author Matthew Jonkman from Bleeding Edge Threats)
topic is unknown bot checkins - so it could be a bot detection. Anyone to follow up this one -
also see: http://threatcenter.crdf.fr/?More&ID=50430&D=CRDF.Malware.Win32.PEx.Delphi.91914950992
with * DNS Queries DNS QUERY TEXT battleon dot com IN A + freerapidstore dot com IN A + transfersakk dot com IN A + given in the analysis
(analysis source CDRF labs France analyzer used by M.Pontello).
Is this ET trojan GET classtype:trojan-activity; ?
Here we find another example of this unknown_html_RFI_shell malware (malware kit)
http://urlquery.net/queued.php?id=7803

polonus