Exploit-IFrame.gen.b

Websites which were compromised by launching an SQL injection attack were found to contain a hidden malicious I-Frame. On execution, this script would check for the presence of the string "AntivirXP08" in the user's browser agent.

This string would be added in the user's browser agent by an earlier FakeAlert-AB infection. The string acts as an infection marker, and if this string is not found, the browser is then redirected to another invisible malicious I-Frame, detected as JS/Generic Exploit.i which in turn downloads Proxy-Agent.af.

Given below is a list of sites, which were serving this malicious I-Frame at the time of writing this description:

http://www.sel92.ru/[Removed]
http://www.22net.ru/[Removed]
http://www.51com.ru/[Removed]
http://www.64asp.ru/[Removed]
http://www.asl39.ru/[Removed]
http://www.acr34.ru/[Removed]
http://www.92prt.ru/[Removed]
http://www.4net9.ru/[Removed]
http://www.fst9.ru/[Removed]
http://www.net83.ru/[Removed]
http://www.jic2.ru/[Removed]
http://www.64do.com/[Removed]
http://www.24aspx.com/[Removed]
http://www.aspx46.com/[Removed]
http://www.19ssl.net/[Removed]
http://www.cv2e.ru/[Removed]

• Unexplained download and execution of files when visiting a website
• Files downloaded will be detected as Proxy-Agent.af and JS/Generic Exploit.i

This threat could be delivered via web pages which were compromised as a result of an SQL injection attack. It may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.