Webshield alert for JS:FakeCodec-BM[Trj]

Malware here: http://www.virustotal.com/url-scan/report.html?id=2ebd97bdd230cab3775bea2696fbad87-1324475993
Up(nil): unknown_html RIPE NL abuse at leaseweb.com 85.17.131.4 to 85.17.131.4 -purplegreen.nl -http://purplegreen.nl/video/

No detects at VT, avast webshield blocks
-purplegreen.nl/video/ suspicious
[suspicious:5] (ipaddr:85.17.131.4) -purplegreen.nl/video/
status: (referer=-www.google.com/trends/hottrends)saved 158684 bytes cf33e67a5bd12b5f0ec96994e81d5e6406e6c494
info: [decodingLevel=0] found JavaScript
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 55 bytes
info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera and browser=Firefox, 0 bytes
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Length 158669
- is being detected,

polonus

This page seems to be 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=purplegreen.nl/video/

wepawet
http://wepawet.iseclab.org/view.php?hash=325bcd07560bcd31b65793763bfa0924&t=1324481354&type=js

Wepawet
http://wepawet.iseclab.org/view.php?hash=2ebd97bdd230cab3775bea2696fbad87&t=1324481365&type=js

Hi Pondus,

Thanks for verifying and the inline script found there was almost certainly wrought with this abomination: http://www.iwebtool.com/html_encrypter
Why is this tool so disliked?

Using this is a terrible idea anyway. It does not “encrypt”, but escape HTML code, which is childishly easy to decode.

It also won’t work if the client has JavaScript turned off; it inflates the data transmitted; and it slows down rendering through a slew of document.write commands.

Never ever use this terrible concoction.


quote taken from: http://stackoverflow.com/questions/5137054/html-encryption quote author at StackOverflow = Pekka,

polonus
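
An added example, not part of the thread or of any tool named in it: since the quoted answer says such "encrypters" only escape the HTML and write it back with document.write, an analyst can recover the markup statically, without running the script. The wrapper shape `document.write(unescape('...'))`, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Statically decode escape()-style "HTML encryption" without executing the script.
// Assumption: the wrapper has the shape document.write(unescape('...')).

function decodeEscapes(s) {
  // %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte, as in legacy unescape().
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

function extractEscapedLiterals(script) {
  // Capture the string literal passed to unescape(), single or double quoted.
  const re = /unescape\(\s*(["'])((?:(?!\1)[^\\]|\\.)*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(script)) !== null) out.push(m[2]);
  return out;
}

function deobfuscate(script, maxDepth = 5) {
  // Layers can be nested: decoded output may itself contain unescape('...').
  // maxDepth bounds the work on hostile input.
  const layers = [];
  let current = script;
  for (let depth = 0; depth < maxDepth; depth++) {
    const literals = extractEscapedLiterals(current);
    if (literals.length === 0) break;
    current = literals.map(decodeEscapes).join("");
    layers.push(current);
  }
  return layers;
}

function summarizeTags(html) {
  // Count the tags an analyst reviews first in the decoded markup.
  const counts = {};
  for (const m of html.matchAll(/<\s*(script|iframe|object|embed)\b/gi)) {
    const tag = m[1].toLowerCase();
    counts[tag] = (counts[tag] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a benign fragment wrapped the way such tools are assumed to emit it.
const SAMPLE = "<script>document.write(unescape('%3Cp%3EHello%20%u00e9%3C/p%3E" +
  "%3Ciframe%20src%3D%22about%3Ablank%22%3E%3C/iframe%3E'));</script>";

const decoded = deobfuscate(SAMPLE);
console.log(decoded[decoded.length - 1], summarizeTags(decoded[decoded.length - 1]));
```

Everything is treated as text; nothing from the input is evaluated, so the decoder can be pointed at a saved copy of a suspicious page.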