Symptoms

Removal instructions:

Analyzed By

Technical Description:

The mechanism used by this kind of malware spreading campaigns is rather simple and thus, effective. First it finds vulnerable sites and tries to inject infected code into their databases. This is usually done by "SQL Injection" that inserts malicious code into the previously clean sites. This is similar to the method used by the "Asprox" / "Damnec" Trojan.

The malicious intent is obvious since it modifies the user posted code on the Internet. Not surprisingly, the URL that the user unconsciously follows is used for infection.

After the stealthy redirection to the infected outbreak site, for example hxxp://vccd.cn, it checks for browser settings and tries different exploits to infect the user.

Here is a list of infection flow that was found on this website. They lead to each and other trough iframes.

The first step :

    * hxxp://vccd.cn/index.html - sets a cookie which expires in 1000 days and checks for the User-Agent. If it's Internet Explorer then it leads to hxxp://asp-18.cn/ilink.html else it leads to hxxp://asp-18.cn/flink.html. These two check for the version of Flash Player and if it's "9" with subversion older than "115" it downloads a SWF file (Adobe Flash extension) with the name "i[subversion].swf" for the first one and "f[subversion].swf" for the second.  These are detected by BitDefender as Exploit.SWF.Gen. Then it points to another site that continues the infection hxxp://www.hxg006.cn/b2.htm.

    * hxxp://www.hxg006.cn/b2.htm just leads to hxxp://asp-11.cn/a2/fxx.htm

    * hxxp://asp-11.cn/a2/fxx.htm is an encrypted script written in JavaScript detected as Trojan.Exploit.JS.RealPlr.S which acts as the engine of this infection vector. Basically it has an variable that holds the encrypted string, which is written in the html using the "document.write" feature after decryption.  It takes three steps until decoding the specific malicious javascript code as the string is encrypted with a) Base64 encoding b) xxtea encryption arithmetic algorithm c) conversion from UTF-8 to UTF-16.  After decryption, it leads to these links usually trough iframes :

1. 
   hxxp://asp-11.cn/a2/ss.html that contains an exploit for Snapshot Viewer for some versions of Microsoft Access. The exploit tries to download hxxp://www.zmjjjyy.cn/new/a2.css detected as Trojan.Dropper.Replacer.A
2. hxxp://asp-11.cn/a2/fx.html, which is similar to the one previously described, and leads to the same SWF files.
3. If the "User Agent" is msie7 (Internet Explorer) it creates an invisible iframe hxxp://asp-11.cn/a2/ms06014.htm, which uses the MS06-014 - RDS.DataControl exploit in  Microsoft Data Access Component and downloads a file detected as Trojan.Dropper.Replacer.A.
4. Lianzhong chat room (GLIEDown.IEDown.1) exploit in the found in hxxp://asp-11.cn/a2/GLWORLD.html (detected as Trojan.Exploit.JS.G) which downloads hxxp://down.hs7yue.cn/new/a4.css (Trojan.Dropper.Replacer.A).
5. hxxp://jzm015.cn/sina.htm using "DownloadAndInstall" exploit downloads  hxxp://down.hs7yue.cn/down/sina.exe (heuristicaly detected as Generic.Malware.SYBdld.1FBF30D9).
6. RealPlayer exploit hxxp://asp-11.cn/a2/real.htm or hxxp://asp-11.cn/a2/real.html that check for product version and downloads hxxp://down.hs7yue.cn/down/ko.css detected as Trojan.Dropper.Replacer.A.
7. hxxp://jzm015.cn/UU.htm which is an vulnerability that affects the 'Update' method of the 'UUUpgrade.ocx' that can download a file onto the affected computer. The file was unavailable at time of analysis.