Re: Virus on web site

[Nick FitzGerald <nick () virus-l demon co uk>]

Peter B. Harvey wrote:

> An update the Virus is a HAXDOOR variant which is a backdoor.
> Symantec and Trend also now detect it.

And most other "major" AV engines -- about an hour before you posted, I 
got this result from 22 virus scanners with different engines:

   Win32:Haxdoor-AE [Trj]
   BDS/Haxdoor.DW.1
   BackDoor.Generic.HKX
   Backdoor.Win32.Haxdoor.dw
   BackDoor.Haxdoor
   BackDoor-BAC.gen.b
   Backdoor.Win32.Haxdoor.DW
   Trojan Horse
   Win32/Haxdoor
   Bck/Haxdoor.DG
   BKDR_HAXDOOR.CI
   Troj/Haxdor-Gen
   Win32.Haxdoor.AF
   Win32/Banker.50353!Trojan
   Backdoor.Haxdoor.DM1

> The virus is spread by an iframe or link in an email asking to go to
> a compromised website. The latest site seen is:
> http://crbmarketing.[...]
>
> This opens up a two frame page with A hotmail look alike login screen
> which appears to be used to steal passport credentials to anyone
> foolish enough to enter them.
>
> The other frame is only a couple of pizels high at the top. This
> opens an IFRAME to
> http://crbmarketing.[...]
>
> This page looks like an advert for a samsung phone but contains two
> objects
> http://crbmarketing.[...]
>
>
> http://crbmarketing.[...]
> JS_PSYME.AT
>
> These emails will get past most content scanners as they are just an
> HTML email. SPAM engines might catch them.
>
> A new variant just came in and it appears to be just using the
> javascript component
> http://mistysunshine.[...]
> IFRAME at the top points to
> http://besttraff.[...]
>
> Again have Javascript turned off before looking at the sites

All those sites are now returning "closed for maintenance" or "closed 
for ToS abuse" style pages...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/