Exploit-IFrame

Type: Trojan
SubType: Exploit
Discovery Date: 03/17/2005
Length: varies
Minimum DAT: 4267 (05/28/2003)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 05/08/2008 4:07 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Exploit-IFrame is a detection for malicious IFrames embedded on various legitimate websites.

The malicious website hosted on http://winzipi{blocked}.cn is reportedly linked from numerous hijacked legitimate websites via an IFrame.

At the time of writing, the following vulnerabilities are being exploited by the detected Exploit-IFrame webpage:

When the exploit is successful, the W32/Autorun.worm.ck trojan hosted at http://61.188.{blocked}/images/test.exe is installed on the victim's machine at the following path:

  •  %Windows%\Tasks\0x01xx8p.exe

W32/Autorun.worm.ck in turn downloads http://winzipi{blocked}.cn/1.exe, which is detected as Generic Rootkit.dr.
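
For site owners checking their own pages for an injected IFrame of the kind this detection covers, the following added example (not McAfee's code or signature logic) lists every IFrame whose source host is not on an allowlist. The host names, sample page and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IFrameCollector(HTMLParser):
    """Collect the src of every <iframe>; the parser lower-cases tag and attribute names."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append((dict(attrs).get("src") or "").strip())

def host_allowed(host, allowed_hosts):
    """True if host equals an allowed host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def find_foreign_iframes(html, page_url, allowed_hosts):
    """Return resolved URLs of iframes loading from hosts outside allowed_hosts."""
    collector = IFrameCollector()
    collector.feed(html)
    foreign = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)  # resolves relative and //host/ forms
        parts = urlsplit(resolved)
        if not src or parts.scheme not in ("http", "https"):
            continue  # empty src or a non-HTTP scheme: no remote host to compare
        if not host_allowed(parts.hostname or "", allowed_hosts):
            foreign.append(resolved)
    return foreign

# Constructed sample page: one same-site frame, one approved third party,
# and two frames pointing at a host the site owner never approved.
SAMPLE_PAGE = """
<html><body>
<iframe src="/widgets/news.html"></iframe>
<iframe src="https://maps.partner.example/embed?id=7"></iframe>
<IFRAME SRC="http://unknown-host.invalid/index.htm"></IFRAME>
<iframe src="//unknown-host.invalid/a.htm"></iframe>
</body></html>
"""
SAMPLE_URL = "http://www.shop.example/index.html"   # assumed page address
ALLOWED = {"shop.example", "partner.example"}       # assumed allowlist

if __name__ == "__main__":
    for url in find_foreign_iframes(SAMPLE_PAGE, SAMPLE_URL, ALLOWED):
        print("unapproved iframe source:", url)
```

Run it over each page template or a crawl of the published site; any reported URL that the site owner did not place there warrants investigation of how the page was modified.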

Symptoms

Upon execution, the trojan attempts to download files from http://winzipi{blocked}.cn and http://61.188.{blocked}/images/.

Method of Infection

This threat could be delivered via an infectious web page or an email message.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A
