What is wrong with this site? - it has SPR/FaceHack.A...

Bitdefender’s TrafficLight alerts that site contains malware and is right i.m.o.: -http://vb08.vb.funpic.de/fb/Facebook
urlQuery gives it as safe: http://urlquery.net/report.php?id=14848
Sucuri comes up with: Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Not Found
Redirects to Dean Edwards’ embedded packer code: -http://jsunpack.jeek.org/dec/go?report=8c16822fbe07813735057d593021da88ca158d6a (go tho this link only if enough security savvy, with ample script protection and in a virtual environment)
See what is happening here malcode-wise…
[decodingLevel=1] found JavaScript
error: line:3: SyntaxError: invalid flag after regular expression:
error: line:3: }).filter(function(){return this.name&&!this.disabled&&(this.checked||/select|textarea/i.test(this.nodeName)||/text|hidden|password/i.test(this.type))}).map(function(i,c){var b=E(this).val();return b==null?null:b.constructor==Array?E.map(b,function(a,i){r
error: line:3: ^
error: line:22: SyntaxError: XML tag name mismatch (expected br):
error: line:22: =“Dga3iv10b48W”>close x 

.tm50yl8yY { display:none; posi error: line:22: ..............................................^ etc.

polonus

Sucuri comes up with: Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Not Found
Nope....just scanned, and it comes up clean

296 Live -xhttp://vb08.vb.funpic.de/fb/Facebook win7-base-de Done 01/06/12 10:01:08 File Empty 01/06/12 10:01:08

OK, scanning the js code we get this

Detected - https://new.virustotal.com/file/540a1453c48a2603fc4fa099b266e435ea7e5066867b601d940040470a25f200/analysis/1325862709/
Detected - https://new.virustotal.com/file/a6c5d8fd130956bb6db67579be8f0177dc7fcc8f82aa6aee1145585073f990b6/analysis/1325862897/
Clean - https://new.virustotal.com/file/67704039e08b1ad737c136ce670c4c2dcff58f937bf1e84ffb2a1fe9c87d76aa/analysis/1325862763/
Clean - https://new.virustotal.com/file/12717bc13fbbc32dfa9e4a0ccc387f39750d91686cbaf6687b8b6b0d7a209105/analysis/1325862780/
Clean - https://new.virustotal.com/file/6afd2fc98296737b1e78de652ee57c2ff40909bd57ff4512c0e5c43006f1fb79/analysis/1325862755/

Wepawet
http://wepawet.iseclab.org/view.php?hash=9ee973de3894108f6a66df0bd3166549&t=1325864343&type=js

So folks, see what obscurity the VT transition has caused. Malcreants or those that want to present a lousy AV as a good one can laugh up their sleeves now,

pol

Detected - https://new.virustotal.com/file/540a1453c48a2603fc4fa099b266e435ea7e5066867b601d940040470a25f200/analysis/1325862709/

confirmed infected by Norman lab

ae0f45749e7d0733f3ba215a425b65c8e66c : Processed - HTML/IFrame.QG