Author Topic: rustysgirls.com Am I missing something?  (Read 3410 times)

April 14, 2008, 05:35:10 pm
JohnC

This site is detected as being malicious by many AVs

Result: 11/32 (34.38%)
Engine Version Updated Result
AhnLab-V3 2008.4.12.0 2008.04.14 -
AntiVir 7.6.0.85 2008.04.14 JS/Phel.n
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.14 -
AVG 7.5.0.516 2008.04.14 -
BitDefender 7.2 2008.04.14 -
CAT-QuickHeal 9.50 2008.04.14 -
ClamAV 0.92.1 2008.04.14 JS.Downloader-38
DrWeb 4.44.0.09170 2008.04.14 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5697 2008.04.14 -
Ewido 4.0 2008.04.14 -
F-Prot 4.4.2.54 2008.04.14 -
F-Secure 6.70.13260.0 2008.04.14 Trojan-Downloader.JS.Small.au
FileAdvisor 1 2008.04.14 -
Fortinet 3.14.0.0 2008.04.14 JS/Small.AU!tr.dldr
Ikarus T3.1.1.26.0 2008.04.14 -
Kaspersky 7.0.0.125 2008.04.14 Trojan-Downloader.JS.Small.au
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.14 TrojanClicker:HTML/Agent.D
NOD32v2 3025 2008.04.14 JS/TrojanDownloader.Small.AU
Norman 5.80.02 2008.04.14 -
Panda 9.0.0.4 2008.04.14 -
Prevx1 V2 2008.04.14 -
Rising 20.40.02.00 2008.04.14 Script.JS.Download
Sophos 4.28.0 2008.04.14 Troj/Small-ELG
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.14 -
TheHacker 6.2.92.277 2008.04.14 -
VBA32 3.12.6.4 2008.04.14 Trojan-Downloader.JS.Small.au
VirusBuster 4.3.26:9 2008.04.14 -
Webwasher-Gateway 6.6.2 2008.04.14 Script.Phel.n


The specific code which is recognised is below. But it is for an on-exit popup. Surely if this code is to be recognised it should be recognised as something similar to Microsoft's TrojanClicker:HTML/Agent.D detection, since it is used to bypass the default IE popup blocker. At least if the popup was directing to a malicious site I would understand it, but as it stands the site it directs to is legitimate. False positive?

Code:
<script language="javascript"><!--
 function sp2(){
 // CLSID of the Windows Media Player ActiveX control, kept in a variable
 var mp = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
 // inject a zero-size WMP object whose classid is built from that variable
 document.body.innerHTML+="<object id=stb width=0 height=0 classid='CLSID:"+mp+"'></object>";
 // relative URL the on-exit popup is sent to
 var popURL = 'out.php?l=p&i=2668';
 // open the popup through the WMP object rather than window.open()
 stb.launchURL(popURL);
 }
 --></script>

April 14, 2008, 06:05:29 pm
Reply #1

bobby

Shouldn't this be used to start Windows Media Player?
According to the CLSID, it should.
So, why would someone obfuscate the call (part of the call is in a variable) if he does not have something to hide?

There were probably some downloaders using the same method, and as we have nothing else that can be used as a signature, the only pointer is that part of the call to WMP is made in a variable (the variable mp in this case).
That would be my guess.
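Both posts turn on what the signature actually keys on. The following is an added illustration, not code from this thread or from any AV vendor: a Python reconstruction of the heuristic bobby describes (the WMP CLSID parked in a variable, that variable spliced into a classid attribute, then a launchURL() call), run over the snippet from the first post and over a constructed plain WMP embed. The regexes, the function names scan_markup and launch_target, and the second sample page are assumptions made for this example. The point it makes is that the destination URL plays no part in the verdict, which is exactly why a legitimate on-exit popup and a downloader trip the same rule.

```python
import re
from typing import Optional

# CLSID of the Windows Media Player ActiveX control, as quoted in the thread.
WMP_CLSID = "6BF52A52-394A-11D3-B153-00C04F79FAA6"

# Constructed reconstruction of the heuristic bobby describes; these regexes
# are assumptions for illustration, not any vendor's actual signature.
CLSID_IN_VAR_RE = re.compile(
    r"var\s+(?P<var>\w+)\s*=\s*['\"]" + re.escape(WMP_CLSID) + r"['\"]", re.I)
CLASSID_SPLICE_RE = re.compile(
    r"classid\s*=\s*['\"]?CLSID:\s*['\"]\s*\+\s*(?P<var>\w+)\s*\+", re.I)
LAUNCHURL_RE = re.compile(r"\.launchURL\s*\(\s*(?P<arg>[^)]*)\)", re.I)

# Sample 1: the snippet from the first post, verbatim.
THREAD_SNIPPET = """<script language="javascript"><!--
 function sp2(){
 var mp = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
 document.body.innerHTML+="<object id=stb width=0 height=0 classid='CLSID:"+mp+"'></object>";
 var popURL = 'out.php?l=p&i=2668';
 stb.launchURL(popURL);
 }
 --></script>"""

# Sample 2: a constructed, ordinary WMP embed with the CLSID written literally
# and no launchURL() call, the kind of page the heuristic should leave alone.
PLAIN_EMBED = """<object id="player" width="320" height="240"
 classid="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6">
 <param name="URL" value="intro.wmv">
</object>"""


def scan_markup(markup: str) -> dict:
    """Apply the three-part heuristic and report each part separately."""
    var_hit = CLSID_IN_VAR_RE.search(markup)
    splice_hit = CLASSID_SPLICE_RE.search(markup)
    launch_hit = LAUNCHURL_RE.search(markup)
    # The CLSID variable must be the one spliced into the classid attribute.
    spliced = bool(var_hit and splice_hit
                   and var_hit.group("var") == splice_hit.group("var"))
    return {
        "clsid_in_variable": var_hit.group("var") if var_hit else None,
        "spliced_into_classid": spliced,
        "launchurl_called": launch_hit is not None,
        "launchurl_argument": launch_hit.group("arg").strip() if launch_hit else None,
        # Note what is absent: the destination URL plays no part in the verdict.
        "flagged": spliced and launch_hit is not None,
    }


def launch_target(markup: str) -> Optional[str]:
    """Best-effort lookup of where launchURL() points, for the analyst's
    follow-up; the heuristic above never consults this."""
    launch = LAUNCHURL_RE.search(markup)
    if not launch:
        return None
    arg = launch.group("arg").strip()
    if arg[:1] in ("'", '"'):          # string literal passed directly
        return arg[1:-1]
    assign = re.search(r"var\s+" + re.escape(arg) + r"\s*=\s*['\"]([^'\"]*)['\"]",
                       markup)
    return assign.group(1) if assign else None


if __name__ == "__main__":
    for name, sample in (("thread snippet", THREAD_SNIPPET), ("plain embed", PLAIN_EMBED)):
        print(name, scan_markup(sample), "target:", launch_target(sample))
```

Run against the thread's snippet the rule fires on all three parts, while the plain embed matches none of them. Whether the popup's destination is benign is a separate question the signature cannot answer; launch_target() only recovers the relative path so an analyst can check it by hand, which is the check a false-positive report like this one needs to include.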