BackDoor-Icug!iframe

Type
Trojan
SubType
HTML
Discovery Date
06/20/2007
Length
100 bytes
Minimum DAT
5057 (06/20/2007)
Updated DAT
5057 (06/20/2007)
Minimum Engine
4.4.00
Description Added
06/20/2007
Description Modified
06/21/2007 12:27 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

BackDoor-Icug!iframe is a small IFRAME that has been found on several compromised websites in Italy. The IFRAME forces the visiting browser to open a new connection to a malicious website that will attempt to exploit browser vulnerabilities. At the time of this writing the malicious website was hosting the JS/Downloader-AUD trojan.

Symptoms

 - Increased size of .HTM, .HTML, .ASP and .ASPX files.
   - In the case of this variant, such files grew by 100 bytes.

 - Presence of IFRAME tags embedded in the compromised website home page.

 - Unexpected HTTP traffic
   - If an infected file is loaded and rendered in an application, such as a web browser, potentially unexpected HTTP traffic will occur on the network. The destination of such traffic would be the URL mentioned in the Characteristics section of this description.
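The symptoms above (injected IFRAME tags in the site's HTML/ASP files, and files growing by a fixed number of bytes) can be turned into a simple defender-side check. The following script is an added example, not McAfee's detection logic or anything from this description: it walks a web root, flags IFRAME tags that are hidden, have tiny dimensions or point off-site, and compares current file sizes against a recorded baseline. The heuristics, the allowed-host set, the baseline format and the sample page (including the placeholder host `placeholder-malicious.invalid`) are all assumptions constructed for the example.

```python
"""Hunt for injected IFRAME tags and unexplained file growth in a web root.

Constructed example for defenders; the heuristics below are assumptions,
not the vendor's signature.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

# File types the description lists as affected by this variant.
TARGET_SUFFIXES = {".htm", ".html", ".asp", ".aspx"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(tag: str) -> dict:
    """Return the attributes of a single opening tag as a lowercase dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_tiny(value) -> bool:
    """True for width/height values of 0 or 1 pixel (a frame meant not to be seen)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def judge_iframe(tag: str, site_hosts: set) -> tuple:
    """Return (src, reasons) for one IFRAME tag; an empty reasons list means benign."""
    attrs = parse_attrs(tag)
    reasons = []
    if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
        reasons.append("tiny-dimensions")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden-style")
    src = attrs.get("src", "")
    host = urlparse(src).hostname
    # Relative src (no host) is treated as same-site; absolute src must be on an allowed host.
    if host and host.lower() not in site_hosts:
        reasons.append("off-site-src")
    return src, reasons


def scan_text(text: str, site_hosts: set, name: str = "<input>") -> list:
    """Scan one document and return findings for suspicious IFRAME tags."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        src, reasons = judge_iframe(m.group(0), site_hosts)
        if reasons:
            findings.append({"file": name, "offset": m.start(), "src": src, "reasons": reasons})
    return findings


def scan_tree(root: str, site_hosts: set) -> list:
    """Scan every target file under root (web root path is an assumption)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), site_hosts, str(path)))
    return findings


def collect_sizes(root: str) -> dict:
    """Record {relative path: size in bytes} for target files; use it as a baseline."""
    base = Path(root)
    return {str(p.relative_to(base)): p.stat().st_size
            for p in base.rglob("*") if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES}


def size_growth(baseline: dict, current: dict) -> dict:
    """Return files that grew since the baseline, mapped to the number of bytes added."""
    return {rel: current[rel] - size for rel, size in baseline.items()
            if rel in current and current[rel] > size}


# Constructed sample page: one legitimate frame plus one injected, hidden, off-site frame.
SAMPLE_PAGE = """<html><body>
<h1>Benvenuti</h1>
<iframe src="/embed/map.html" width="400" height="300"></iframe>
<iframe src="http://placeholder-malicious.invalid/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PAGE, {"www.example.it"}):
        print(finding)
    print(size_growth({"index.html": 1000}, {"index.html": 1100}))
```

Run `scan_tree(webroot, allowed_hosts)` against a copy of the site content and `size_growth(saved_baseline, collect_sizes(webroot))` against a baseline recorded from a known-clean deployment; a file that grew by exactly the length reported in this description, together with a hidden off-site IFRAME finding in the same file, is a strong indicator that the page was modified.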

Method of Infection

Infection will occur by visiting the compromised website with a vulnerable web browser.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a specific IFRAME tag that may be maliciously embedded in HTML pages to redirect the browser to a server which will then attempt to exploit various browser vulnerabilities in order to install malicious software on the victim.
