
Trojan.HTML.IFrame.F

MEDIUM
MEDIUM
approx. 3 KB
(Trojan-Downloader.HTML.IFrame.ii, TrojanClicker:HTML/Iframe.H, Mal/Iframe-F, HTML/Iframe.B!Camelot)

Symptoms

Unfortunately, the signs of infection are obvious only after it has already compromised the computer.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The malware is really just an invisible iframe inserted into the code of otherwise clean web pages, probably through SQL injection attacks similar to those behind Trojan.Asprox infections, except that in this case the injected code appears at the end of the initially clean HTML.

The iframe redirects to another infected website (orentraff.cn) which has been available for quite a long time now and keeps infecting users.

Here are some details about it:
Domain Name: orentraff.cn
ROID: 20071002s10001s83561693-cn
Domain Status: ok
Registrant Organization: NizovGrisha
Registrant Name: NizovGrisha
Administrative Email: [blocked]
Name Server: ns1.everydns.net
Name Server: ns2.everydns.net
Registration Date: 2007-10-02 05:14
Expiration Date: 2008-10-02 05:14

The site features an adult title and only hosts 9 adult pictures, each one linking to "sexx.com".

The most interesting thing about it is that it hosts quite a few "malware infection campaigns", which include rogue antivirus software (usually XP Antivirus variants), Trojan Spamer Tedroo, Trojan Exchanger, Trojan.Spy.Zeus and many others. The trick is that while the main page appears clean, the real infections come from a CGI (Common Gateway Interface) script with the following URL: [infected_site]/in.cgi?[number_for_infection_campaign]. This number usually ranges from 1 to 20 and redirects you to a specific piece of malware. That is how the mechanism works. Having different versions of malware all together in the same place makes the site look like an organized "cyber-terrorists" (quote from one of the rogue antivirus programs) campaign for infecting computers.
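As an added example (not part of the BitDefender description above), the following Python script checks a page for the injection pattern this entry describes: an iframe that is invisible, points off-site, uses the in.cgi?[number] redirector shape, or has been appended after the closing </html> tag. The site hostname passed to scan_page, the placeholder host redirector.invalid and the sample page are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Redirector path shape described above: [site]/in.cgi?[campaign number].
REDIRECTOR_RE = re.compile(r"/in\.cgi\?\d+", re.IGNORECASE)

class IframeCollector(HTMLParser):
    """Record every <iframe> start tag with its attributes and source line."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(({k.lower(): v or "" for k, v in attrs}, self.getpos()[0]))

def is_invisible(attrs):
    """True when the frame has (almost) no area or is hidden by inline CSS."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))) \
        or "display:none" in style or "visibility:hidden" in style

def scan_page(html, site_host):
    """Flag iframes that look injected; site_host is the page's own hostname."""
    parser = IframeCollector()
    parser.feed(html)
    end = html.lower().rfind("</html>")
    end_line = html[:end].count("\n") + 1 if end != -1 else None
    findings = []
    for attrs, line in parser.iframes:
        src = attrs.get("src", "")
        host = re.sub(r"^https?://", "", src, flags=re.I).split("/")[0].lower()
        checks = [
            (is_invisible(attrs), "invisible"),
            (host and host != site_host.lower(), "off-site:" + host),
            (REDIRECTOR_RE.search(src) is not None, "in.cgi-redirector"),
            (end_line is not None and line > end_line, "after-</html>"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings

# Constructed sample: a clean page with one legitimate same-site frame, plus a hidden
# frame appended after </html> (placeholder host redirector.invalid, not a real site).
SAMPLE = """<html><head><title>Clean page</title></head><body><p>Hello</p>
<iframe src="https://example.com/widget" width="300" height="200"></iframe></body></html>
<iframe src="http://redirector.invalid/in.cgi?7" width="0" height="0" style="display:none"></iframe>"""
```

Running scan_page(SAMPLE, "example.com") reports only the appended frame, with all four reasons; the legitimate same-site frame produces no finding.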